General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

Hello, I’m developing a macOS application signed with a Developer ID (outside the App Store) that includes a Network Extension. The app has been successfully notarized, and the network filter is registered, but the Network Extension itself remains inactive — it does not install or run properly. It seems that the issue might be related to the entitlements configuration between the container app and the Network Extension target. Could you please provide a detailed checklist for: The required entitlements and configurations for the container app, and The required entitlements and configurations for the Network Extension target? Additionally, are there any specific Xcode settings that are mandatory for the Network Extension to be properly installed and activated on macOS when distributed via Developer ID? Thank you in advance for your help.

Hello, I’m developing a macOS application signed with a Developer ID (outside the App Store) that includes a Network Extension. The app has been successfully notarized, and the network filter is registered, but the Network Extension itself remains inactive — it does not install or run properly. It seems that the issue might be related to the entitlements configuration between the container app and the Network Extension target. Could you please provide a detailed checklist for: 1.The required entitlements and configurations for the container app, and 2.The required entitlements and configurations for the Network Extension target? Additionally, are there any specific Xcode settings that are mandatory for the Network Extension to be properly installed and activated on macOS when distributed via Developer ID? Thank you in advance for your help.

Hello, I’m running into an issue with the Family Controls (Distribution) entitlement not being included in my App Store Connect provisioning profiles. Here’s the situation: •Both my main app and its Screen Time extension have been approved for Family Controls (Distribution) In Certificates, Identifiers & Profiles → Identifiers, I can clearly see that the capability Family Controls (Distribution) is enabled for both App IDs. However, when I generate a new provisioning profile (either manually or via Xcode), the resulting .mobileprovision file’s Entitlements section does not include the Family Controls (Distribution) entitlement. As a result, building for distribution or archiving fails to recognize that entitlement, even though everything looks correct in the Developer Portal. But the missing entitlement persists. How can I successfully generate a distribution provisioning profile that includes Family Controls (Distribution)? Thanks in advance for any guidance — this seems like a subtle configuration issue, and I’d love to hear how to get over it. I can provide the Team ID and bundle ID upon request. STEPS TO REPRODUCE I’ve tried: •Regenerating both App IDs and provisioning profiles •Revoking and re-creating distribution certificates •Cleaning derived data and re-downloading profiles from Xcode Every time, creating a profile for App Store Connect will fail to include the capabilities the app has been approved for.

Hi, After enabling the new Enhanced Security capability in Xcode 26, I’m seeing install failures on devices running < iOS 26. Deployment target: iOS 15.0 Capability: Enhanced Security (added via Signing & Capabilities tab) Building to iOS 18 device error - Unable to Install ...Please ensure sure that your app is signed by a valid provisioning profile. It works fine on iOS 26 devices. I’d like to confirm Apple’s intent here: Is this capability formally supported only on iOS 26 and later, and therefore incompatible with earlier OS versions? Or should older systems ignore the entitlement, meaning this behavior might be a bug?

We are developing a messaging app which sends End-to-End encrypted data. The application supports multiple types of E2EE data, including text messages and voice over IP calls. Apple's article titled “Sending End-to-End Encrypted VoIP calls” (https://developer.apple.com/documentation/callkit/sending-end-to-end-encrypted-voip-calls) states that the following steps are required to support E2EE VoIP calls: Request permission to receive remote notifications through the User Notifications framework Register for VoIP calls using PuskKit Add a Notification Service Extension target to your app. Add the com.apple.developer.usernotifications.filtering entitlement to the NSE target’s entitlements file. We have completed steps one through three. We are still missing the filtering entitlement. As of right now the system does not allow us to use reportNewIncomingVoIPPushPayload(_:completion:) method because of the missing entitlement.
 Below is a short description of how our messaging app works: User sends a message to another user. The message is encrypted on device and sent to our server. The server receives the message and sends a notification request to APNs if needed. The server cannot decrypt the message. As an additional security feature we do not pass the encrypted message in the notification payload. The notification payload only contains a localizable generic placeholder message string and default sound in the ‘aps’ dictionary part. Upon receiving a notification from our server, the NSE makes a request to our server and fetches the latest messages (encryption keys have already been exchanged between the participants of the conversation) and determines what to do next (display a banner, or pass a call to CallKit). E2EE VoIP calls are a core feature of our app, so it is imperative that we receive the filtering entitlement. Our capability request has been rejected twice now. The latest request was rejected because: Support for VoIP calls should be provided by PushKit. For more information, please consult the documentation page "Responding to Notifications from PushKit". We cannot support VoIP calls by solely relying on PushKit. Our server cannot make a distinction when to use ‘voip’ (call) and ‘alert’ (text message) apns-push-types. Therefore, the application must be able to use reportNewIncomingVoIPPushPayload(_:completion:) function, where com.apple.developer.usernotifications.filtering entitlement is needed. We have sent the above text to support two weeks ago and made yet another request. Has anyone been able to get the capability as of late? What are the magic words that need to be included in the capability request? Can someone here help us? We made the first request on 3rd of September so this process has taken two months. Our planned release date is coming up and the absence of the capability is holding us back. We already have a released desktop and Android versions so changing the server implementation is really not an option.

Our developer account was granted the com.apple.developer.mail-client by Apple ages ago, which we use for one of our apps. At the time, this entitlement was granted through a special "entitlements" drop-down on the profile creation page. In fact, the entitlement is still available to us in this manner: Unfortunately, applying the entitlement directly to the profile no longer works through the App Store Connect API. Which is a bummer because we periodically use the API to update our development and ad hoc profiles with new UDIDs. I was eventually able to get Apple to migrate the entitlement to a capability that we can instead apply to the app IDs in our account. Great! However, for some reason the "Default Mail App" capability (on the "Edit your App ID Configuration" screen) shows does NOT apply to Ad hoc profiles: Note that "Ad hoc" is missing. This means we still need to update the Ad hoc profile for the app in question manually through the Apple developer portal. This has to be a bug. It makes no sense that this specific capability doesn't apply to Ad hoc profiles. Other capabilities don't have this issue. e.g.: Another strange thing is that on the profile page for the ad hoc profile under "Enabled Capabilities" it shows "Default Mail App" (see screenshot above) but the capability/entitlement is missing from the downloaded profile unless I add it via the drop down menu on the profile page. How do I get Apple to fix this? Multiple support tickets submitted via our developer account have gone unanswered. (It took months just to get the entitlement partially migrated in the first place.)

Hello Apple Developer Team / Community, I’m developing an iOS app that needs to read a VPN configuration profile that’s pushed via Intune MDM using the NEVPNManager / NETunnelProviderManager APIs — specifically the loadAllFromPreferences() method. I understand that certain entitlements and capabilities are required when working with the Network Extension / VPN frameworks. I came across the entitlement key com.apple.developer.vpn.managed (also referred to as the “Managed VPN” entitlement) and would like some clarification: Is this entitlement mandatory for my use case — that is, reading a VPN profile that has been pushed via MDM? Or are there alternative entitlements or capabilities that would suffice? If it is required, what is the exact process to request and enable this entitlement for my app? Could you please outline the necessary steps (e.g., updates in the Apple Developer portal → App ID → Capabilities → Provisioning Profiles, etc.)? Context: The app targets iOS and iPadOS. Currently, the app creates and saves the VPN profile itself using NETunnelProviderManager and saveToPreferences(), which works perfectly. However, we now want to deliver the same VPN configuration via MDM, so that users don’t have to manually install the profile or enter their device passcode during installation. The goal is for the app to be able to read (not necessarily modify) the MDM-pushed VPN profile through NETunnelProviderManager.loadAllFromPreferences(). Thank you in advance for any guidance — especially a clear “yes, you need it” or “no, you can do without it” answer, along with any step-by-step instructions to request the entitlement (if it’s required).

Hello, I am developing a macOS application that uses the Network Extension framework and I'm planning to distribute it outside the Mac App Store using a Developer ID certificate. I am running into a persistent provisioning error when I try to manually assign my profile in Xcode: "Provisioning profile "NetFilterCmd" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement." Here is the process I followed: 1.I added the "Network Extensions" capability in Xcode's "Signing & Capabilities" tab. This automatically created a new App ID in my Apple Developer account. 2.I went to the developer portal, confirmed the App ID had "Network Extensions" enabled, and then generated a "Developer ID" Provisioning Profile associated with this App ID. 3.I downloaded and installed this new profile ("NetFilterCmd.provisionprofile"). 4.Back in Xcode, I unchecked "Automatically manage signing" for my app target. 5.When I select the downloaded "NetFilterCmd" profile from the dropdown, the error message immediately appears. I suspect my issue might be related to the "System Extension" requirement for macOS Network Extensions, or perhaps a mismatch between the specific NE values (e.g., content-filter-provider) in the entitlements file and the App ID configuration. What is the correct, step-by-step sequence to configure a macOS app (main app + network system extension) for Developer ID distribution?

Hi, a short question really, which boils down to... How do I make sure I have removed all usage of app groups in my Mac app store app, such that the Mac app store agrees I have! Fundamentally, what I'm trying to do is transfer my app to another developer. In previous releases of this app on the App Store, I used a shared app group container to communicate between the main app and it's (embedded) XPC service, but this blocks App Store transfer of the app to another developer. So I came up with another approach for the App and XPC service to communicate (using a URL bookmark for security scoped files to be passed to the XPC service). And then tried various things to get the app store to accept that I'm no longer using app groups. So far with no luck... removed the app groups entitlements by hand from the entitlements files used to sign the main app and the XPC service, respectively. when that didn't work, go into the Developer Portal, find the app ids for the main app and the XPC service, make sure those app ids had the app groups entitlement removed too, created a new provisioning profile for the app, based on this updated app id, downloaded it, rebuilt an app archive using this updated provisioning profile and used it to create another new release on the app store when that didn't work, found and deleted all app app groups in my developer account in the developer portal itself None of the above worked. When I try to transfer the app in App Store Connect, I still see the same message, "You can't transfer this app because of the following reasons: Sandboxed Group Container You can only transfer sandboxed apps that are not sharing a group container." I'm now pretty far from using a shared group container, so I'm puzzled why it still thinks I am? There is one last thing I can try... I noticed over the weekend that even though the entitlement is gone, there's one place in code that may or may not be run on rare occasions (hard to tell) that attempts to open the app group shared container with the code... let container = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: ...which I think is just returning nil and doing nothing. Potentially the App Store sees that attempted API access for shared group containers and assumes I'm still using app groups (even though there's no entitlement so that call will always be failing)? I can do yet another App Store update and just remove that code. But I want to get to the bottom of why it has been failing all this time. What is App Store Connect / the Mac App Store looking at that makes it think I'm still using app groups? I've tried so many things and don't want to mess users around with another App Store update unless this code above is the actual cause! Cheers p.s. It's a teamID based app group of the form... MY_TEAM_ID.s4a e.g. SWDC5K54B7.s4a

TCC Permission Inheritance for Python Process Launched by Swift App in Enterprise Deployment We are developing an enterprise monitoring application that requires a hybrid Swift + Python architecture due to strict JAMF deployment restrictions. We must deploy a macOS application via ABM/App Store Connect, but our core monitoring logic is in a Python daemon. We need to understand the feasibility and best practices for TCC permission inheritance in this specific setup. Architecture Component Bundle ID Role Deployment Swift Launcher com.athena.AthenaSentry Requests TCC permissions, launches Python child process. Deployed via ABM/ASC. Python Daemon com.athena.AthenaSentry.Helper Core monitoring logic using sensitive APIs. Nested in Contents/Helpers/. Both bundles are signed with the same Developer ID and share the same Team ID. Required Permissions The Python daemon needs to access the following sensitive TCC-controlled services: Screen Recording (kTCCServiceScreenCapture) - for capturing screenshots. Input Monitoring (kTCCServiceListenEvent) - for keystroke/mouse monitoring. Accessibility (kTCCServiceAccessibility) - a prerequisite for Input Monitoring. Attempts & Workarounds We have attempted to resolve this using: Entitlement Inheritance: Added com.apple.security.inherit to the Helper's entitlements. Permission Proxy: Swift app maintains active event taps to try and "hold" the permissions for the child. Foreground Flow: Keeping the Swift app in the foreground during permission requests. Questions Is this architecture supported? Can a Swift parent app successfully request TCC permissions that a child process can then use? TCC Inheritance: What are the specific rules for TCC permission inheritance between parent/child processes in enterprise environment? What's the correct approach for this enterprise use case? Should we: Switch to a Single Swift App? (i.e., abandon the Python daemon and rewrite the core logic natively in Swift). Use XPC Services? (instead of launching the child process directly).

This issue keeps cropping up on the forums and so I decided to write up a single post with all the details. If you have questions or comments: If you were referred here from an existing thread, reply on that thread. If not, feel free to start a new thread. Use whatever topic and subtopic is appropriate for your question, but also add the Entitlements tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Determining if an entitlement is real In recent months there’s been a spate of forums threads involving ‘hallucinated’ entitlements. This typically pans out as follows: The developer, or an agent working on behalf of the developer, changes their .entitlements file to claim an entitlement that’s not real. That is, the entitlement key is a value that is not, and never has been, supported in any way. Xcode’s code signing machinery tries to find or create a provisioning profile to authorise this claim. That’s impossible, because the entitlement isn’t a real entitlement. Xcode reports this as a code signing error. The developer misinterprets that error [1] in one of two ways: As a generic Xcode code signing failure, and so they start a forums thread asking about how to fix that problem. As an indication that the entitlement is managed — that is, requires authorisation from Apple to use — and so they start a forums thread asking how to request such authorisation. The fundamental problem is step 1. Once you start claiming entitlements that aren’t real, you’re on a path to confusion. Note If you’re curious about how provisioning profiles authorise entitlement claims, read TN3125 Inside Code Signing: Provisioning Profiles. There are a couple of ways to check whether an entitlement is real. My preferred option is to create a new test project and use Xcode’s Signing & Capabilities editor to add the corresponding capability to it. Then look at what Xcode did. You might find that Xcode claimed a different entitlement, or added an Info.plist key, or did nothing at all. IMPORTANT If you can’t find the correct capability in the Signing & Capabilities editor, it’s likely that this feature is available to all apps, that is, it’s not gated by an entitlement or anything else. Another thing you can do is search the documentation. The vast majority of real entitlements are documented in Bundle Resources > Entitlements. IMPORTANT When you search for documentation, focus on the Apple documentation. If, for example, you search the Apple Developer Forums, you might be mislead by other folks who are similarly confused. If you find that you’re mistakenly trying to claim a hallucinated entitlement, the fix is trivial: Remove it from your .entitlements file so that your app starts to build again. Then add the capability using Xcode’s Signing & Capabilities editor. This will do the right thing. If you continue to have problems, feel free to ask for help here on the forums. See the top of this post for advice on how to do that. [1] It’d be nice if the Xcode errors were more clear in this case (r. 155327166). Commonly Hallucinated Entitlements This section lists some of the more commonly hallucinated entitlements: com.apple.developer.push-notifications — The correct entitlement is aps-environment (com.apple.developer.aps-environment on macOS), documented here. There’s also the remote-notification value in the UIBackgroundModes property. com.apple.developer.in-app-purchase — There’s no entitlement for in-app purchase. Rather, in-app purchase is available to all apps with an explicit App ID (as opposed to a wildcard App ID). com.apple.InAppPurchase — Likewise. com.apple.developer.storekit — Likewise. com.apple.developer.in-app-purchase.non-consumable — Likewise. com.apple.developer.in-app-purchase.subscription — Likewise. com.apple.developer.app-groups — The correct entitlement is com.apple.security.application-groups, documented here. And if you’re working on the Mac, see App Groups: macOS vs iOS: Working Towards Harmony. com.apple.developer.background-modes — Background modes are controlled by the UIBackgroundModes key in your Info.plist, documented here. UIBackgroundModes — See the previous point. com.apple.developer.voip-push-notification — There’s no entitlement for this. VoIP is gated by the voip value in the UIBackgroundModes property. com.apple.developer.family-controls.user-authorization — The correct entitlement is com.apple.developer.family-controls, documented here. IMPORTANT As explained in the docs, this entitlement is available to all developers during development but you must request authorisation for distribution. com.apple.developer.device-activity — The DeviceActivity framework has the same restrictions as Family Controls. com.apple.developer.managed-settings — If you’re trying to use the ManagedSettings framework, that has the same restrictions as Family Controls. If you’re trying to use the ManagedApp framework, that’s not gated by an entitlement. com.apple.developer.callkit.call-directory — There’s no entitlement for the Call Directory app extension feature. com.apple.developer.nearby-interaction — There’s no entitlement for the Nearby interaction framework. com.apple.developer.secure-enclave — On iOS and its child platforms, there’s no entitlement required to use the Secure Enclave. For macOS specifically, any program that has access to the data protection keychain also has access to the Secure Enclave [1]. See TN3137 On Mac keychain APIs and implementations for more about the data protection keychain. com.apple.developer.networking.configuration — If you’re trying to configure the Wi-Fi network on iOS, the correct entitlement is com.apple.developer.networking.HotspotConfiguration, documented here. com.apple.developer.musickit — There is no MusicKit capability. Rather, enable MusicKit via the App Services column in the App ID editor, accessible from Developer > Certificates, Identifiers, and Profiles > Identifiers. com.apple.mail.extension — Creating an app extension based on the MailKit framework does not require any specific entitlement. com.apple.security.accessibility — There’s no entitlement that gates access to the Accessibility APIs on macOS. Rather, this is controlled by the user in System Settings > Privacy & Security. Note that sandboxed apps can’t use these APIs. See the Review functionality that is incompatible with App Sandbox section of Protecting user data with App Sandbox. com.apple.developer.adservices — Using the AdServices framework does not require any specific entitlement. [1] While technically these are different features, they are closely associated and it turns out that, if you have access to the data protection keychain, you also have access to the SE. Revision History 2025-11-03 Added com.apple.developer.adservices to the common hallucinations list. 2025-10-30 Added com.apple.security.accessibility to the common hallucinations list. 2025-10-22 Added com.apple.mail.extension to the common hallucinations list. Also added two new in-app purchase hallucinations. 2025-09-26 Added com.apple.developer.musickit to the common hallucinations list. 2025-09-22 Added com.apple.developer.storekit to the common hallucinations list. 2025-09-05 Added com.apple.developer.device-activity to the common hallucinations list. 2025-09-02 First posted.

Hello, my iOS apps are exiting right after launch on a few of our iOS devices. I tried a couple of my apps that are deployed to our fleet and they do the same thing. If I run the app(s) in the Simulator it works fine and if I run the app(s) on the offending devices it works fine as well. Once I stop the run in Xcode the app on the device will not launch. I'm thinking something is missing like a certificate etc. Just not sure. Any ideas on how to troubleshoot this? I would really like to get this fixed.

Hello, I have developed an iOS application called DinecTag (be.dinec.DinecTag) with a developer account named Dinec International which is registered in Belgium, I received the NFC entitlement valid for Europe and my App is on the App store since some months (the App is used to open doors by presenting the iPhone in front of a special reader) The App is published only on countries inside Europe (it don’t work outside anyway) I would like my App can be used outside Europe, so I need another entitlement called NFC & SE Platform entitlementn to ask for that, I need an account registered in a country covered by that entitlement Dinec is a company that is member of the Lisam group Lisam has an apple developer account registered to USA, called Lisam Systems So I have asked to the owner of that account to add me as a developer in the USA team So when I connect to my developer account, I can switch between Dinec International SA and Lisam Systems on top right of the screen, I am member of the two teams. I would like to avoid if possible to create a second application, can you confirm it is possible in my case ? What are the next steps ? Best regards Jean-Paul Deryck

Hello, I am experiencing an issue with the Apple Pay capability on my App ID. I have created a Merchant ID. I enabled Apple Pay in the App ID configuration and linked it to the merchant. However, sometimes when I revisit the App ID in the Apple Developer portal, the Apple Pay capability appears disabled, even though I saved it. This happens intermittently; at some times the capability is correctly shown as enabled, and other times it disappears. Context: I am using Expo Managed Workflow with EAS Build for iOS. The issue prevents the provisioning profile from including Apple Pay, which causes Stripe isPlatformPaySupported function to return false on ios devices. Attached: Screenshots of the App ID page showing Apple Pay enabled and disabled. Could you please advise why the capability is not being consistently saved, and how to ensure it stays enabled? Thank you,

If your developer team has been approved to implement Tap to Pay on iPhone, you were granted a managed entitlement configured only for the Development distribution type. When compiling your project for any other distribution type, such as App Store, Ad hoc, or In-house (for Enterprise apps), the build with fail with errors. You can resolve these errors by contacting the initial provisioning team and asking for production distribution review/validation. For more information on requesting the Tap to Pay on iPhone entitlement, see the documentation below: Setting up Tap to Pay on iPhone https://developer.apple.com/documentation/proximityreader/setting-up-the-entitlement-for-tap-to-pay-on-iphone To request for permission for the App Store, Ad hoc, or In-house distribution types, please respond to the confirmation email received after your initial entitlement request. The provisioning team will provide the next steps to begin the public distribution review process and eventually approve your app for distribution via TestFlight, the App Store, or to Enterprise managed devices. Note: The only team that manages this entitlement is the same provisioning team that granted you access, so you'll need to follow-up with the same team that approved your initial request to resolve this compilation and archival issue. Once you're approved for App Store distribution, the same steps used to distribute your app via TestFlight or In-house will be successful. If you continue to have errors after confirming you've been granted the expected distribution type for your app configuration, please see the post below, then create a new post for your issue and mention your Feedback ID after following the steps: Gathering Required Information for Troubleshooting Tap to Pay on iPhone https://developer.apple.com/forums/thread/775784 Cheers, Paris X Pinkney |  WWDR | DTS Engineer

Hello! My question is about 1) if we can use any and or all accessibility features within a sandboxed app and 2) what steps we need to take to do so. Using accessibility permissions, my app was working fine in Xcode. It used NSEvent.addGlobalMonitorForEvents and localMoniter, along with CGEvent.tapCreate. However, after downloading the same app from the App Store, the code was not working. I believe this was due to differences in how permissions for accessibility are managed in Xcode compared to production. Is it possible for my app to get access to all accessibility features, while being distributed on the App Store though? Do I need to add / request any special entitlements like com.apple.security.accessibility? Thanks so much for the help. I have done a lot of research on this online but found some conflicting information, so wanted to post here for a clear answer.

Hi Apple Engineers and fellow developers, I'm a student developer working on an educational focus management app that helps users hide distracting apps during study sessions. The app consists of: macOS app: Simple "Hide apps" button that triggers app hidding sessions iOS app: Uses Screen Time API to temporarily hide selected apps from home screen Communication: Bonjour networking between Mac and iPhone for session coordination The Challenge My app requires two entitlements that aren't available with Personal Developer Teams: com.apple.developer.family-controls (for Screen Time API) com.apple.developer.networking.multicast (for Bonjour device discovery) Current Error Messages text Cannot create a iOS App Development provisioning profile for "focuser.focuser-app". Personal development teams, including "My Name", do not support the Family Controls (Development) capability. Provisioning profile doesn't include the com.apple.developer.family-controls and com.apple.developer.networking.multicast entitlements. My Question for Apple Engineers Is there any legitimate way to test these privacy-sensitive APIs on my own devices for educational/learning purposes without purchasing the $99/year Apple Developer Program membership? I understand the security reasons behind these restrictions, but as a student just learning iOS development, it creates a significant barrier to experimenting with these technologies.

I have added an in-app purchase function into my app, and have enabled in-app purchase profile in developer portal(it's on by default and is marked gray in developer portal, I don't know if that's how it supposed to look like). I have issued the agreements and tried signing the app both manually and automatically, but neither of that worked. App can be built successfully in simulator but does not show the simulation window, but cannot build on real device or archive. Errors: Missing com.apple.developer.in-app-purchase, com.apple.developer.in-app-purchase.non-consumable, and com.apple.developer.in-app-purchase.subscription entitlements. Automatic signing failed Xcode failed to provision this target.

Hello everyone, I'm facing a critical, blocking issue where my developer account (Team ID: K655PX7A46) is unable to generate a valid provisioning profile with the App Attest entitlement. I have confirmed this is a server-side issue and am hoping to get visibility from an Apple engineer who can investigate. The Problem: When I generate a provisioning profile for an App ID with the "App Attest" capability enabled, the resulting profile is defective. It is missing the required com.apple.developer.app-attest.environment key in its entitlements dictionary, causing Xcode to fail the build. What I Have Proven: The issue is not a misconfiguration. The App Attest capability is correctly enabled and saved on the App ID configuration page. The issue is not isolated to one App ID. I created a brand new App ID from scratch, enabled the capability during creation, and the server still generates a defective profile with the same missing entitlement. I have definitive proof by inspecting the downloaded .mobileprovision file. The contents confirm the required key is missing. Steps to Reproduce on My Account: Create a new App ID on the Developer Portal. Enable the "App Attest" capability and save. Generate a new "iOS App Development" provisioning profile for this App ID. Download the profile and inspect its contents via security cms -D -i [profile]. Observe that the com.apple.developer.app-attest.environment key is missing. The Evidence (Contents of the Defective Profile): Here is the output from inspecting the profile for a brand new App ID (com.technology519.linksi.app2). As you can see, the correct entitlement is missing, and an incorrect devicecheck entitlement is present instead. This is a critical bug in the provisioning profile generation service for my account that is blocking all development. I have already filed a support ticket (Case #102721408444) but have so far only received generic, unhelpful responses. Can an Apple engineer please investigate this server-side issue with my account? Thank you.

I have tried everything and still I am getting this. Just for a test I created a new app (Master-Detail template Xcode 11.5) I have created an entry in the iTunes Connect to receive the app upon archiving and uploading. I regenerated all new certificates for iOS Development and Distribution. I created all new Provisioning profiles. The Dev profile builds deploys and runs on my device The Dist profile builds but when I select the distribution profile I get the "Profile doesn't include the com.apple.application-identifier entitlement." error. When I download the profile within Xcode all looks good for the distribution profile: App ID: matches correctly Certificated: 1 Included includes the new signing certificate "iPhone Distribution...." Capabilities: 3 Included Includes Game Center, In-App Purchase, and Keychain Sharing Entitlements: 5 Included Includes application-identifier, keychain-access-groups, beta-reports-active, get-task-allow, and com.apple.developer.team-identifier. Im not sure what is going on. This is a standard process I have performed for quite a while. As a matter of fact I just submitted 3 applications last Sunday. Thank you for any suggestions.