Entitlements

RSS for tag

Entitlements allow specific capabilities or security permissions for your apps.

Posts under Entitlements tag

200 Posts

Post

Replies

Boosts

Views

Activity

Code Signing Resources
General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"
0
0
39k
Jan ’26
New Capabilities Request Tab in Certificates, Identifiers & Profiles
You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.
0
0
2.3k
Jun ’25
Signing issue with Notification Filtering entitlement
Two months ago we got approval for using the Notification Filtering entitlement. We rushed out to implement it in our app, only to find out that the permission was set for the wrong bundle identifier. We expected to get the permission for the notification extension's bundle identifier, yet it is added for the main app's bundle identifier. Per the official docs, the entitlement permission should be in the notification service extension target: After you receive permission to use the entitlement, add com.apple.developer.usernotifications.filtering to the entitlements file in the Notification Service Extension target. However, this fails to get signed when compiling for non-simulator targets because of the bundle mismatch issue. Simulator perfectly filters notifications. Adding the entitlement to the main app does compile, but filtering does not work (as expected). We reached out to Apple twice (Case-ID: 14330583) but we have yet to receive any response. Could there be something else wrong instead of the identifier mismatch?
3
0
1.1k
2h
CMWaterSubmersionManager returns CMErrorDomain code 105
Dear All, I am developing a watchOS app for Apple Watch Ultra that needs to use the Apple depth / water submersion APIs with the entitlement. The app is configured with the shallow depth and pressure entitlement right now, and I have verified that the entitlement is present both in the signed Watch app and in the embedded provisioning profile. App configuration: Platform: watchOS Device: Apple Watch Ultra Entitlement used: com.apple.developer.submerged-shallow-depth-and-pressure = true Info.plist contains: WKSupportsAutomaticDepthLaunch = true WKBackgroundModes includes underwater-depth I verified the built Watch app with: codesign -d --entitlements :- /path/to/WatchApp.app The output contains: com.apple.developer.submerged-shallow-depth-and-pressure I also verified the embedded provisioning profile with: security cms -D -i /path/to/WatchApp.app/embedded.mobileprovision The embedded profile also contains: com.apple.developer.submerged-shallow-depth-and-pressure The built Watch app Info.plist also confirms: WKSupportsAutomaticDepthLaunch = true WKBackgroundModes includes underwater-depth At runtime, my diagnostics show: Requested source: Automatic or Apple Sensor Runtime source: Automatic / Apple Sensor Capability resolved by the app: Shallow Resolved provider: Apple Sensor — Shallow Sample source: Apple Shallow CMWaterSubmersionManager.waterSubmersionAvailable: true Depth automation: available Provider start is called First provider event is received Submersion state: unknown No submersion event is received No depth measurement is received No temperature sample is received Provider state: error Raw error: Domain: CMErrorDomain Code: 105 Description: The operation couldn’t be completed. The relevant runtime failure is: CMErrorDomain 105 The app also does not appear in: Apple Watch Settings → General → Auto-Launch → When Submerged This is the key point that I cannot clarify from the documentation. My questions are: Is the entitlement com.apple.developer.submerged-shallow-depth-and-pressure sufficient for a watchOS app to appear in: Apple Watch Settings → General → Auto-Launch → When Submerged? Is the shallow depth entitlement sufficient to receive runtime events from CMWaterSubmersionManager, including submersion and depth measurements? Or is the full submerged depth entitlement required for: appearing in the “When Submerged” auto-launch list; receiving CMWaterSubmersionManager submersion events; receiving CMWaterSubmersionManager depth measurements? What does CMErrorDomain code 105 mean in the context of CMWaterSubmersionManager? If the shallow entitlement is sufficient, what other conditions could cause CMWaterSubmersionManager to return CMErrorDomain 105 before delivering any submersion or depth samples? To summarize: The shallow entitlement is present in the source entitlements file. The shallow entitlement is present in the signed Watch app. The shallow entitlement is present in the embedded provisioning profile. The built Info.plist contains WKSupportsAutomaticDepthLaunch = true. The built Info.plist contains WKBackgroundModes = underwater-depth. CMWaterSubmersionManager.waterSubmersionAvailable returns true. The app does not appear in the Watch “When Submerged” list. CMWaterSubmersionManager fails with CMErrorDomain 105 before delivering submersion/depth samples. Any help will be strongly appreciated. Thank you.
0
0
23
22h
is com.apple.developer.usb.host-controller-interface managed?
I'm posting this here after reading Quinn's post here: https://developer.apple.com/forums/thread/799000 The above entitlement is mentioned in IOUSBHostControllerInterface.h. It isn't an entitlement one can add using the + button on the Capabilities panel in Xcode. If I try to add it by hand, Xcode complains that it isn't in my profile. Is this a managed entitlement? We'd like to create a local USB "device" to represent a real device reachable over a network.
9
1
1.2k
4d
Shallow Depth Entitlement and Underwater Auto-Launch: App Not Appearing in "When Submerged"
I've a question for you maybe you can help me. My watchOS app has: WKSupportsAutomaticDepthLaunch = true WKBackgroundModes = underwater-depth com.apple.developer.submerged-shallow-depth-and-pressure = true entitlement present in codesign and embedded provisioning profile The app uses the shallow depth entitlement, but it does not appear in: Settings → General → Auto-Launch → When Submerged. Is the shallow depth entitlement sufficient for appearing in the system underwater auto-launch app list, or is the full submerged depth entitlement required?
0
0
88
4d
Requesting private watchOS Bluetooth entitlements for open-source CGM-connected AID app (FB22619409)
I'm a contributor to Trio, an open-source automated insulin delivery (AID) app for iOS/watchOS maintained by the Nightscout Foundation. I'm posting at the recommendation of the engineering team via Feedback Assistant FB22619409 (Developer Support case 102865854185). The goal We're prototyping direct BLE connectivity between the Trio watchOS extension and the Dexcom G7 CGM sensor — eliminating dependence on iPhone-to-Watch relay via WatchConnectivity. For an AID app, stale CGM data affects insulin dosing decisions; this is a patient safety concern. The entitlements needed To maintain a BLE connection to the G7 while backgrounded and with the display off/wrist lowered, the WatchKit extension requires: com.apple.developer.bluetooth-central-background com.apple.developer.bluetooth-central-screen-off-scanning What I've confirmed Both entitlements are present on Dexcom's shipping G7 WatchKit extension (com.dexcom.g7app.watchkitapp.watchkitextension), verifiable via: codesign -d --entitlements :- \ "Dexcom G7.app/Watch/G7Watch.app/PlugIns/G7Watch Extension.appex" Output includes: com.apple.developer.bluetooth-central-background = true com.apple.developer.bluetooth-central-screen-off-scanning = true These are not self-service capabilities exposed through Xcode or the developer portal for our account: Xcode → Trio Watch App target → Signing & Capabilities → + Capability → searching com.apple.developer.bluetooth-central-background returns No Matches Certificates, Identifiers & Profiles → WatchKit Extension App ID (org.nightscout.5QE6TMMEH2.trio.watchkitapp.watchkitextension) → the entitlement does not appear under Capability Requests A screen recording demonstrating both is attached to FB22619409. The May 16 Apple Feedback response noted that the entitlement was visible in an internal Xcode project — consistent with it being a restricted/managed entitlement not exposed through standard developer accounts. My questions What is the correct process to request com.apple.developer.bluetooth-central-background for a watchOS extension App ID where it does not appear in Capability Requests? Is com.apple.developer.bluetooth-central-screen-off-scanning available through a private/managed entitlement process, and how do we enter that process? Is there a formal Apple program (e.g., MFi, HealthKit entitlements, or similar) applicable to CGM-connected medical apps that covers these entitlements? Full account details, screen recording, and entitlement output are attached to FB22619409 / Developer Support case 102865854185. Happy to provide a test build, full entitlement output, or additional context if needed. Thank you
1
0
263
5d
Game Center Missing for iMessage Extensions
I have enabled Game Center in App Store Connect, as well as the entitlements in Xcode for both my parent (stub) target and extension target. I call the Game Center authentication function which returns a "Signed in as: [my username]" banner during testing. However, when it is tapped on by the user, it opens the Game Center view where "Now Playing _" shows a blank title and app icon. I have a full size app icon that App Store Connect and even GameKit recognizes (https://games.apple.com/us/game/6757935828) but not when I actually run my iMessage app. When I call the authentication function, it completes (hence the banner), but then says later on Game Center does not recognize my app and that my achievements cannot be reported to Game Center. Is Game Center fully disabled for iMessage apps? Or is there a solution I am missing? My goal is to have achievement banners show up for winning iMessage games and certain gameplay combos.
1
0
212
6d
CarPlay Entitlements for navigation
Bonjour, Je viens ici afin d'exposer mon problème en espérant trouver une solution. En Août 2025 j'ai publié une demande afin de pouvoir développer une application Carplay de type navigation. Ma demande n'a jamais été traitée, j'ai soumis une autre demande en février, puis en avril. Toujours sans réponse. Depuis environ 3 semaines, j'appelle Apple toutes les semaines afin de demander à ce que ma demande soit traitée. J'ai bien évidemment une réponse m'indiquant que la demande était remontée, mais sans retour par la suite. Je commence à sérieusement perdre patience, et ne trouve aucune solution. Quelles seraient vos propositions ? Merci par avance pour vos retours
1
0
310
1w
Entitlement for extension to have read-only access to host's task?
Hi all, I'm building an iOS app extension using ExtensionKit that works exclusively with its containing host app, presenting UI via EXHostViewController. I'd like the extension to have read-only access to the host's task for process introspection purposes. I'm aware this would almost certainly require a special entitlement. I know get-task-allow and the debugger entitlement exist, but those aren't shippable to the App Store. I'm looking for something that could realistically be distributed to end users. My questions: Does an entitlement exist (or is one planned) that would grant an extension limited, read-only access to its host's task—given the extension is already tightly coupled to the host? If not, is this something Apple would consider adding? The use case is an extension that needs to inspect host process state without the ability to modify it. Is there a path to request such an entitlement through the provisioning profile process, or is this fundamentally off the table for App Store distribution? It seems like a reasonable trust boundary given the extension already lives inside the host's app bundle, but I understand the security implications. Any insight appreciated. Thanks!
11
0
1.1k
1w
Driver Activation failure error code 9. Maybe Entitlements? Please help
This is my first driver and I have had the devil of a time trying to find any information to help me with this. I beg help with this, since I cannot find any tutorials that will get me over this problem. I am attempting to write a bridging driver for an older UPS that only communicates via RPC-over-USB rather than the HID Power Device class the OS requires. I have written the basic framework for the driver (details below) and am calling OSSystemExtensionRequest.submitRequest with a request object created by OSSystemExtensionRequest.activationRequest, but the didFailWithError callback is called with OSSystemExtensionErrorDomain of a value of 9, which appears to be a general failure to activate the driver. I can find no other information on how to address this issue, but I presume the issue is one of entitlements in either the entitlements file or Info.plist. I will have more code-based details below. For testing context, I am testing this on a 2021 iMac (M1) running Sequoia 15.7, and this iMac is on MDM, specifically Jamf. I have disabled SIP and set systemextensionsctl developer on, per the instructions here, and I have compiled and am attempting to debug the app using xcode 26.2. The driver itself targets DriverKit 25, as 26 does not appear to be available in xcode despite hints on google that it's out. For the software, I have a two-target structure in my xcode project, the main Manager app, which is a swift-ui app that both handles installation/activation of the driver and (if that finally manages to work) handles communication from the driver via its UserClient, and the driver which compiles as a dext. Both apps compile and use automated signing attached to our Apple Development team. I won't delve into the Manager app much, as it runs even though activation fails, except to include its entitlements file in case it proves relevant <dict> <key>com.apple.developer.driverkit.communicates-with-drivers</key> <true/> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> </dict> and the relevant activation code: func request(_ request: OSSystemExtensionRequest, didFailWithError error: any Error) { // handling the error, which is always code value 9 } func activateDriver() { let request = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: "com.mycompany.driver.bundle.identifier", queue: .main) request.delegate = self OSSystemExtensionManager.shared.submitRequest(request) //... } And finally the Manager app has the following capabilities requested for its matching identifier in our Apple Developer Account: DriverKit Communicates with Drivers System Extension On the Driver side, I have two major pieces, the main driver class MyDriver, and UserClient class, StatusUserClient. MyDriver derives from IDriverKit/IOService.iig but (in case this is somehow important) does not have the same name as the project/target name MyBatteryDriver. StatusUserClient derives from DriverKit/IOUserClient.iig. I have os_log(OS_LOG_DEFAULT, "trace messages") code in every method of both classes, including the initializers and Start implementations, and the log entries never seem to show up in Console, so I presume that means the OS never tried to load the driver. Unless I'm looking in the wrong place? Because I don't think the driver code is the current issue, I won't go into it unless it becomes necessary. As I mentioned above, I think this is a code signing / entitlements issue, but I don't know how to resolve it. In our Apple Developer account, the Driver's matching identifier has the following capabilities requested: DriverKit (development) DriverKit Allow Any UserClient (development) DriverKit Family HID Device (development) -- NOTE: this is planned for future use, but not yet implemented by my driver code. Could that be part of the problem? DriverKit Transport HID (development) DriverKit USB Transport (development) DriverKit USB Transport - VendorID -- submitted, no response from Apple yet HID Virtual Device -- submitted, no response from Apple. yet. This is vestigial from an early plan to build the bridge via shared memory funneling to a virtual HID device. I think I've found a way to do it with one Service, but... not sure yet. Still, that's a problem for tomorrow. Apparently I've gone over the 7000 character maximum so I will add my entitlements and info.plist contents in a reply.
12
0
780
1w
Automatic Assessment Configuration - No response for the submitted request even after 75 days
We have B2B LMS app used my around 4K users in total including IOS and Android users. We applied for approval through "Automatic Assessment Configuration Entitlement Request" form from account holders apple ID. Even after 75 days we didn't receive any response. We couldn't conduct secure exams in apple devices. Not sure how to proceed further. https://apps.apple.com/us/app/methodder-lms/id6754560905
1
0
85
1w
Supported way to expose an iPhone+controller as a macOS gamepad without restricted entitlements?
I’m prototyping a personal-use system that lets an iPhone with a physically attached controller act as an input device for a Mac. End goal: Use the iPhone as the transport and sensor host Use the attached physical controller for buttons/sticks Map the iPhone gyroscope to the controller’s right stick to get gyro aim in Mac games / cloud-streamed games such as GeForce NOW that don't support the gyro. What I’m trying to understand is whether Apple supports any path for this on macOS that does NOT require restricted entitlements or paid-program-only capabilities. What I’ve already found: CoreHID virtual HID device creation appears to require com.apple.developer.hid.virtual.device HIDDriverKit / system extensions appear to require Apple-granted entitlements as well GCVirtualController does not seem to solve the problem because I need a controller-visible device that other apps can see, not just controls inside my own app So my concrete question is: Is there any supported, entitlement-free way for a personal macOS app to expose a game-controller-like input device that other apps can consume system-wide? If not, is the official answer that this class of solution necessarily requires one of: CoreHID with restricted entitlement HIDDriverKit/system extension entitlement some other Apple-approved framework or program I’m missing I’m not asking about App Store distribution. This is primarily for local/personal use during development. I’m trying to understand the supported platform boundary before investing further. Any guidance on the recommended architecture for this use case would be appreciated.
4
1
629
1w
NFC PassKit Certificate request form submits without confirmation
I’m trying to request an NFC PassKit Certificate through https://developer.apple.com/contact/passkit/. After clicking Send, the completed form is POSTed successfully and receives 200 OK, but the server returns the original form instead of a confirmation page. The page’s passkit.js then clears all fields, and Developer Support confirmed that my earlier submission was never received. Has anyone else encountered this behavior or found another way to submit the NFC PassKit Certificate request?
0
0
244
1w
Sandboxed Mac app denied mach-lookup com.apple.cloudd when signed with Mac Team Store Provisioning Profile on macOS 26
A sandboxed Mac app with correct CloudKit entitlements fails to connect to com.apple.cloudd (the CloudKit daemon) when distributed via TestFlight (Mac Team Store Provisioning Profile). The identical binary works correctly when launched from Xcode (Mac Team Provisioning Profile also present). All entitlements are correctly embedded and the App ID is properly configured in Apple Developer Portal. Environment macOS 26.5.1 (25F80) Xcode 26.5 (17F42) SwiftData with NSPersistentCloudKitContainer / ModelConfiguration(cloudKitDatabase: .private(...)) Steps to Reproduce Create a sandboxed Mac app using SwiftData with CloudKit sync Enable iCloud + CloudKit in Signing & Capabilities Archive and distribute to TestFlight (Mac Team Store Provisioning Profile) Install via TestFlight on macOS 26 and launch Check Console for kernel sandbox messages Expected Result CloudKit connects to com.apple.cloudd and syncs data, matching behavior of the iOS version using the same container. Actual Result Console shows repeated kernel sandbox denials followed by CloudKit setup failure: kernel Sandbox: CheatSheet Mac(82347) deny(1) mach-lookup com.apple.cloudd kernel Sandbox: CheatSheet Mac(82347) deny(1) mach-lookup com.apple.duetactivityscheduler CheatSheet Mac CoreData+CloudKit: Failed to set up CloudKit integration for store Error Domain=CKErrorDomain Code=6 "Error connecting to CloudKit daemon." Key Diagnostic Finding When launched from Xcode, taskgated-helper validates both the Mac Team Store Provisioning Profile AND the Mac Team Provisioning Profile, and CloudKit succeeds: cloudd: TCC approved access for container containerID=iCloud.com.michaelendres.CheatSheet:Production When launched from TestFlight, only the Mac Team Store Provisioning Profile is present, and the sandbox denies com.apple.cloudd despite identical entitlements in the binary: codesign -d --entitlements shows: com.apple.developer.icloud-services: [CloudKit] com.apple.developer.icloud-container-identifiers: [iCloud.com.michaelendres.CheatSheet] com.apple.developer.icloud-container-environment: Production com.apple.security.app-sandbox: true Conclusion The Mac Team Store Provisioning Profile on macOS 26 does not appear to grant the sandbox exception for mach-lookup com.apple.cloudd, while the Mac Team Provisioning Profile (development) does. This prevents any Mac App Store / TestFlight app using CloudKit from syncing on macOS 26.
1
0
240
2w
Installing MS PowerPoint extensions on macOS 15
Hi, we are looking for a solution to install an extension to Microsoft PowerPoint app in a way that's compatible with the new macOS 15 behavior for Group Containers content. PowerPoint extensions Microsoft PowerPoint can be extended by PowerPoint Add-in (.ppam) files. These files must be installed in the app's container at this location: ~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/ The PPAM file must be also registered in the MicrosoftRegistrationDB.reg file which is a sqlite database stored at this location: ~/Library/Group Containers/UBF8T346G9.Office/MicrosoftRegistrationDB.reg These locations can be access by non-sandboxed app on macOS 14 and earlier. Slido integration Our Slido app for macOS is distributed outside the Mac App Store, it is not sandboxed and it signed and notarized. The Slido app will install the PPAM file to the documented location and register it in the database. This installation did not require additional user approval on macOS 14 and older. With changes to macOS 15, a new permissions dialog is shown with this text: "Slido" would like to access data from other apps. This will allow Slido to integrate with Microsoft PowerPoint app. [Don't Allow] [Allow] We understand this is a security feature, yet we would like to make the experience for customers much better. As users are able to save PPAM files to the location by themselves without additional permissions, they expect the Slido app would be able to do so as well when run in the user context. Slido installs its files to this location: ~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/SlidoAddin.localized/ Can we obtain com.apple.security.temporary-exception.files.home-relative-path.read-write to the SlidoAddin.localized folder? Even when we are different TeamID? Can we obtain a user permission which will be persisted so next time the Slido app can verify its files and uninstall them without further prompts? By having access to the SlidoAddin.localized folder our app would not be able to access any other data in Microsoft PowerPoint. We understand accessing the MicrosoftRegistrationDB.reg file is more sensitive and getting exception to access it would not be feasible. But we are trying to find out our options to make the experience seamless as that's what is expected by our customers on Apple platform. I am thankfully for any guidance and constructive feedback. Jozef, Tech Leader at Slido integrations team
6
1
1.3k
2w
com.apple.vm.networking entitlement
Hi, I wanted to develop a small tool to launch Home Assistant OS in a Virtualization.framework VM. Something lean (no UI, no daemons), zero-config, and Apple Silicon only. I got that running, but I wanted to also use bridge networking and USB device pass-through which require the com.apple.vm.networking and com.apple.developer.accessory-access.usb entitlements, respectively. I was unable to use those for local development using ad-hoc signing, so I guess it requires a paid Apple Developer account and official approval so that they can be enabled in provisioning profiles. I'm open to reactivating my developer subscription which I let expire years ago, but wanted to first assess the chances of getting approval (no point in renewing the subscription if I won't get the permission in the end). I could make this an open source project, if it helps.
3
0
317
2w
SensorKit - more flexibility
It would be good if SensorKit was more available for non research related apps. For example I want to create an app that tracks light sensor values to create a mapping of bikelanes with poor lighting. This doesn’t fall under a research app, but seems like a reasonable use of this data. creating a way to opt the user into this (via clear warnings that the data Is being collected, and maybe a 24 or 1 hour time limit) might be a way to make this sensor data available. also clear warnings on the app store privacy page, or maybe even rules about running in the background or at app startup and an icon in the toolbar (similar to the mic) could make this more safe for users.
1
0
113
2w
how to remove hotspot-provider
I previously attempted to apply for the hotspot-provider entitlement but was rejected. I no longer require this entitlement. I need to remove the hotspot-provider permission although the Network Extensions capability is checked. However, the generated provisioning profile still includes the hotspot-provider permission, which causes error 409 when I upload the IPA file. I only need the Network Extensions entitlement. Could you please advise how to remove hotspot-provider from the provisioning profile?
1
0
243
2w
iPhone app memory limit seems capped to 6GB
Hi all :) I tried to raise this in the group lab and was pointed here. I’m seeing a flat per-app memory ceiling of about 6 GB on iPhone, even on devices with more physical RAM and with com.apple.developer.kernel.increased-memory-limit. Measured with os_proc_available_memory() plus task_vm_info.phys_footprint, the total process budget stays around 6144 MB on both: iPhone 16 Pro Max, 8 GB RAM iPhone 17 Pro Max, 12 GB RAM This came up while running Gemma 4 multimodal support in mlx-swift-lm (PR #343). The model loads at about 4.4 GB resident, leaving roughly 1.7 GB for inference/prefill. Reducing a GPU buffer cache from 512 MB to 64 MB recovered enough headroom to avoid jetsam and allowed a full image + video + audio multimodal test to complete, so the measurement seems to reflect a real per-process limit rather than free system memory. I re-measured the ceiling on the 12 GB phone with these capabilities: increased-memory-limit only: ~6144 MB increased-memory-limit + extended-virtual-addressing: ~6144 MB, no change increased-memory-limit + increased-debugging-memory-limit: ~6656 MB I have also observed that 12 GB iPad devices expose more memory to an app than 12 GB iPhone devices but I didn't measure specifically and no longer have the device to hand. Is the ~6 GB per-process tier on Pro iPhones expected, even with increased-memory-limit? Is there any supported way for a shipping app to access more of the available RAM on 12 GB iPhone models? FB23183521
0
0
253
2w
Unable to enable Apple Pay for App Clip – “relationship 'undefined'” error when adding capability
Hey everyone, hoping someone here has run into this before. I have a fully functional App Clip (com.didyoucatchit.app.Clip) linked to my main app (com.didyoucatchit.app). The Clip builds and runs perfectly, but I’m seeing issues trying to enable Apple Pay for it. When I try to link my Merchant ID under the “On Demand Install Capable” capability in the Apple Developer portal, I get this error: A relationship in the provided entity is not allowed for this request. The relationship 'undefined' can not be included in a 'bundleIdCapabilities' request. Here’s what I have already configured and confirmed: App Clip capabilities in Xcode include: Apple Pay Payment Processing Associated Domains (appclips:app.didyoucatchit.com) Provisioning profile includes: Apple Pay Payment Processing Associated Domains In-App Purchase On-Demand Install Capable Entitlements file for the Clip: <key>com.apple.developer.associated-domains</key> <array> <string>appclips:app.didyoucatchit.com</string> </array> <key>com.apple.developer.in-app-payments</key> <array> <string>merchant.com.didyoucatchit.app</string> </array> <key>com.apple.developer.parent-application-identifiers</key> <array> <string>$(AppIdentifierPrefix)com.didyoucatchit.app</string> </array> Merchant ID (merchant.com.didyoucatchit.app) is active and connected to Stripe Stripe Apple Pay configuration matches the same merchant ID and certificate Both provisioning profiles have been refreshed and downloaded However: The portal still throws the “relationship 'undefined'” error anytime I try to modify the Clip’s capabilities In testing, Apple Pay doesn’t show up as a payment option in the Clip (using Stripe’s Payment Element integration) Questions: Is this a known issue with the Developer portal when linking App Clips to merchant IDs? Is there a specific way to re-establish the parent–child relationship between the main app and the App Clip so the bundleIdCapabilities request includes the proper relationship JSON? Are there any additional configuration steps required when using Stripe for Apple Pay inside an App Clip? System Setup: Xcode: 16.2 (build 16C5032a) macOS: Sequoia 15.3.1 iOS: 18.5 (testing on physical device) Merchant ID: merchant.com.didyoucatchit.app Main App ID: com.didyoucatchit.app App Clip ID: com.didyoucatchit.app.Clip Any help or insight would be hugely appreciated Thanks in advance!
1
0
362
2w
Code Signing Resources
General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"
Replies
0
Boosts
0
Views
39k
Activity
Jan ’26
New Capabilities Request Tab in Certificates, Identifiers & Profiles
You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.
Replies
0
Boosts
0
Views
2.3k
Activity
Jun ’25
Signing issue with Notification Filtering entitlement
Two months ago we got approval for using the Notification Filtering entitlement. We rushed out to implement it in our app, only to find out that the permission was set for the wrong bundle identifier. We expected to get the permission for the notification extension's bundle identifier, yet it is added for the main app's bundle identifier. Per the official docs, the entitlement permission should be in the notification service extension target: After you receive permission to use the entitlement, add com.apple.developer.usernotifications.filtering to the entitlements file in the Notification Service Extension target. However, this fails to get signed when compiling for non-simulator targets because of the bundle mismatch issue. Simulator perfectly filters notifications. Adding the entitlement to the main app does compile, but filtering does not work (as expected). We reached out to Apple twice (Case-ID: 14330583) but we have yet to receive any response. Could there be something else wrong instead of the identifier mismatch?
Replies
3
Boosts
0
Views
1.1k
Activity
2h
CMWaterSubmersionManager returns CMErrorDomain code 105
Dear All, I am developing a watchOS app for Apple Watch Ultra that needs to use the Apple depth / water submersion APIs with the entitlement. The app is configured with the shallow depth and pressure entitlement right now, and I have verified that the entitlement is present both in the signed Watch app and in the embedded provisioning profile. App configuration: Platform: watchOS Device: Apple Watch Ultra Entitlement used: com.apple.developer.submerged-shallow-depth-and-pressure = true Info.plist contains: WKSupportsAutomaticDepthLaunch = true WKBackgroundModes includes underwater-depth I verified the built Watch app with: codesign -d --entitlements :- /path/to/WatchApp.app The output contains: com.apple.developer.submerged-shallow-depth-and-pressure I also verified the embedded provisioning profile with: security cms -D -i /path/to/WatchApp.app/embedded.mobileprovision The embedded profile also contains: com.apple.developer.submerged-shallow-depth-and-pressure The built Watch app Info.plist also confirms: WKSupportsAutomaticDepthLaunch = true WKBackgroundModes includes underwater-depth At runtime, my diagnostics show: Requested source: Automatic or Apple Sensor Runtime source: Automatic / Apple Sensor Capability resolved by the app: Shallow Resolved provider: Apple Sensor — Shallow Sample source: Apple Shallow CMWaterSubmersionManager.waterSubmersionAvailable: true Depth automation: available Provider start is called First provider event is received Submersion state: unknown No submersion event is received No depth measurement is received No temperature sample is received Provider state: error Raw error: Domain: CMErrorDomain Code: 105 Description: The operation couldn’t be completed. The relevant runtime failure is: CMErrorDomain 105 The app also does not appear in: Apple Watch Settings → General → Auto-Launch → When Submerged This is the key point that I cannot clarify from the documentation. My questions are: Is the entitlement com.apple.developer.submerged-shallow-depth-and-pressure sufficient for a watchOS app to appear in: Apple Watch Settings → General → Auto-Launch → When Submerged? Is the shallow depth entitlement sufficient to receive runtime events from CMWaterSubmersionManager, including submersion and depth measurements? Or is the full submerged depth entitlement required for: appearing in the “When Submerged” auto-launch list; receiving CMWaterSubmersionManager submersion events; receiving CMWaterSubmersionManager depth measurements? What does CMErrorDomain code 105 mean in the context of CMWaterSubmersionManager? If the shallow entitlement is sufficient, what other conditions could cause CMWaterSubmersionManager to return CMErrorDomain 105 before delivering any submersion or depth samples? To summarize: The shallow entitlement is present in the source entitlements file. The shallow entitlement is present in the signed Watch app. The shallow entitlement is present in the embedded provisioning profile. The built Info.plist contains WKSupportsAutomaticDepthLaunch = true. The built Info.plist contains WKBackgroundModes = underwater-depth. CMWaterSubmersionManager.waterSubmersionAvailable returns true. The app does not appear in the Watch “When Submerged” list. CMWaterSubmersionManager fails with CMErrorDomain 105 before delivering submersion/depth samples. Any help will be strongly appreciated. Thank you.
Replies
0
Boosts
0
Views
23
Activity
22h
is com.apple.developer.usb.host-controller-interface managed?
I'm posting this here after reading Quinn's post here: https://developer.apple.com/forums/thread/799000 The above entitlement is mentioned in IOUSBHostControllerInterface.h. It isn't an entitlement one can add using the + button on the Capabilities panel in Xcode. If I try to add it by hand, Xcode complains that it isn't in my profile. Is this a managed entitlement? We'd like to create a local USB "device" to represent a real device reachable over a network.
Replies
9
Boosts
1
Views
1.2k
Activity
4d
Shallow Depth Entitlement and Underwater Auto-Launch: App Not Appearing in "When Submerged"
I've a question for you maybe you can help me. My watchOS app has: WKSupportsAutomaticDepthLaunch = true WKBackgroundModes = underwater-depth com.apple.developer.submerged-shallow-depth-and-pressure = true entitlement present in codesign and embedded provisioning profile The app uses the shallow depth entitlement, but it does not appear in: Settings → General → Auto-Launch → When Submerged. Is the shallow depth entitlement sufficient for appearing in the system underwater auto-launch app list, or is the full submerged depth entitlement required?
Replies
0
Boosts
0
Views
88
Activity
4d
Requesting private watchOS Bluetooth entitlements for open-source CGM-connected AID app (FB22619409)
I'm a contributor to Trio, an open-source automated insulin delivery (AID) app for iOS/watchOS maintained by the Nightscout Foundation. I'm posting at the recommendation of the engineering team via Feedback Assistant FB22619409 (Developer Support case 102865854185). The goal We're prototyping direct BLE connectivity between the Trio watchOS extension and the Dexcom G7 CGM sensor — eliminating dependence on iPhone-to-Watch relay via WatchConnectivity. For an AID app, stale CGM data affects insulin dosing decisions; this is a patient safety concern. The entitlements needed To maintain a BLE connection to the G7 while backgrounded and with the display off/wrist lowered, the WatchKit extension requires: com.apple.developer.bluetooth-central-background com.apple.developer.bluetooth-central-screen-off-scanning What I've confirmed Both entitlements are present on Dexcom's shipping G7 WatchKit extension (com.dexcom.g7app.watchkitapp.watchkitextension), verifiable via: codesign -d --entitlements :- \ "Dexcom G7.app/Watch/G7Watch.app/PlugIns/G7Watch Extension.appex" Output includes: com.apple.developer.bluetooth-central-background = true com.apple.developer.bluetooth-central-screen-off-scanning = true These are not self-service capabilities exposed through Xcode or the developer portal for our account: Xcode → Trio Watch App target → Signing & Capabilities → + Capability → searching com.apple.developer.bluetooth-central-background returns No Matches Certificates, Identifiers & Profiles → WatchKit Extension App ID (org.nightscout.5QE6TMMEH2.trio.watchkitapp.watchkitextension) → the entitlement does not appear under Capability Requests A screen recording demonstrating both is attached to FB22619409. The May 16 Apple Feedback response noted that the entitlement was visible in an internal Xcode project — consistent with it being a restricted/managed entitlement not exposed through standard developer accounts. My questions What is the correct process to request com.apple.developer.bluetooth-central-background for a watchOS extension App ID where it does not appear in Capability Requests? Is com.apple.developer.bluetooth-central-screen-off-scanning available through a private/managed entitlement process, and how do we enter that process? Is there a formal Apple program (e.g., MFi, HealthKit entitlements, or similar) applicable to CGM-connected medical apps that covers these entitlements? Full account details, screen recording, and entitlement output are attached to FB22619409 / Developer Support case 102865854185. Happy to provide a test build, full entitlement output, or additional context if needed. Thank you
Replies
1
Boosts
0
Views
263
Activity
5d
Game Center Missing for iMessage Extensions
I have enabled Game Center in App Store Connect, as well as the entitlements in Xcode for both my parent (stub) target and extension target. I call the Game Center authentication function which returns a "Signed in as: [my username]" banner during testing. However, when it is tapped on by the user, it opens the Game Center view where "Now Playing _" shows a blank title and app icon. I have a full size app icon that App Store Connect and even GameKit recognizes (https://games.apple.com/us/game/6757935828) but not when I actually run my iMessage app. When I call the authentication function, it completes (hence the banner), but then says later on Game Center does not recognize my app and that my achievements cannot be reported to Game Center. Is Game Center fully disabled for iMessage apps? Or is there a solution I am missing? My goal is to have achievement banners show up for winning iMessage games and certain gameplay combos.
Replies
1
Boosts
0
Views
212
Activity
6d
CarPlay Entitlements for navigation
Bonjour, Je viens ici afin d'exposer mon problème en espérant trouver une solution. En Août 2025 j'ai publié une demande afin de pouvoir développer une application Carplay de type navigation. Ma demande n'a jamais été traitée, j'ai soumis une autre demande en février, puis en avril. Toujours sans réponse. Depuis environ 3 semaines, j'appelle Apple toutes les semaines afin de demander à ce que ma demande soit traitée. J'ai bien évidemment une réponse m'indiquant que la demande était remontée, mais sans retour par la suite. Je commence à sérieusement perdre patience, et ne trouve aucune solution. Quelles seraient vos propositions ? Merci par avance pour vos retours
Replies
1
Boosts
0
Views
310
Activity
1w
Entitlement for extension to have read-only access to host's task?
Hi all, I'm building an iOS app extension using ExtensionKit that works exclusively with its containing host app, presenting UI via EXHostViewController. I'd like the extension to have read-only access to the host's task for process introspection purposes. I'm aware this would almost certainly require a special entitlement. I know get-task-allow and the debugger entitlement exist, but those aren't shippable to the App Store. I'm looking for something that could realistically be distributed to end users. My questions: Does an entitlement exist (or is one planned) that would grant an extension limited, read-only access to its host's task—given the extension is already tightly coupled to the host? If not, is this something Apple would consider adding? The use case is an extension that needs to inspect host process state without the ability to modify it. Is there a path to request such an entitlement through the provisioning profile process, or is this fundamentally off the table for App Store distribution? It seems like a reasonable trust boundary given the extension already lives inside the host's app bundle, but I understand the security implications. Any insight appreciated. Thanks!
Replies
11
Boosts
0
Views
1.1k
Activity
1w
Driver Activation failure error code 9. Maybe Entitlements? Please help
This is my first driver and I have had the devil of a time trying to find any information to help me with this. I beg help with this, since I cannot find any tutorials that will get me over this problem. I am attempting to write a bridging driver for an older UPS that only communicates via RPC-over-USB rather than the HID Power Device class the OS requires. I have written the basic framework for the driver (details below) and am calling OSSystemExtensionRequest.submitRequest with a request object created by OSSystemExtensionRequest.activationRequest, but the didFailWithError callback is called with OSSystemExtensionErrorDomain of a value of 9, which appears to be a general failure to activate the driver. I can find no other information on how to address this issue, but I presume the issue is one of entitlements in either the entitlements file or Info.plist. I will have more code-based details below. For testing context, I am testing this on a 2021 iMac (M1) running Sequoia 15.7, and this iMac is on MDM, specifically Jamf. I have disabled SIP and set systemextensionsctl developer on, per the instructions here, and I have compiled and am attempting to debug the app using xcode 26.2. The driver itself targets DriverKit 25, as 26 does not appear to be available in xcode despite hints on google that it's out. For the software, I have a two-target structure in my xcode project, the main Manager app, which is a swift-ui app that both handles installation/activation of the driver and (if that finally manages to work) handles communication from the driver via its UserClient, and the driver which compiles as a dext. Both apps compile and use automated signing attached to our Apple Development team. I won't delve into the Manager app much, as it runs even though activation fails, except to include its entitlements file in case it proves relevant <dict> <key>com.apple.developer.driverkit.communicates-with-drivers</key> <true/> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> </dict> and the relevant activation code: func request(_ request: OSSystemExtensionRequest, didFailWithError error: any Error) { // handling the error, which is always code value 9 } func activateDriver() { let request = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: "com.mycompany.driver.bundle.identifier", queue: .main) request.delegate = self OSSystemExtensionManager.shared.submitRequest(request) //... } And finally the Manager app has the following capabilities requested for its matching identifier in our Apple Developer Account: DriverKit Communicates with Drivers System Extension On the Driver side, I have two major pieces, the main driver class MyDriver, and UserClient class, StatusUserClient. MyDriver derives from IDriverKit/IOService.iig but (in case this is somehow important) does not have the same name as the project/target name MyBatteryDriver. StatusUserClient derives from DriverKit/IOUserClient.iig. I have os_log(OS_LOG_DEFAULT, "trace messages") code in every method of both classes, including the initializers and Start implementations, and the log entries never seem to show up in Console, so I presume that means the OS never tried to load the driver. Unless I'm looking in the wrong place? Because I don't think the driver code is the current issue, I won't go into it unless it becomes necessary. As I mentioned above, I think this is a code signing / entitlements issue, but I don't know how to resolve it. In our Apple Developer account, the Driver's matching identifier has the following capabilities requested: DriverKit (development) DriverKit Allow Any UserClient (development) DriverKit Family HID Device (development) -- NOTE: this is planned for future use, but not yet implemented by my driver code. Could that be part of the problem? DriverKit Transport HID (development) DriverKit USB Transport (development) DriverKit USB Transport - VendorID -- submitted, no response from Apple yet HID Virtual Device -- submitted, no response from Apple. yet. This is vestigial from an early plan to build the bridge via shared memory funneling to a virtual HID device. I think I've found a way to do it with one Service, but... not sure yet. Still, that's a problem for tomorrow. Apparently I've gone over the 7000 character maximum so I will add my entitlements and info.plist contents in a reply.
Replies
12
Boosts
0
Views
780
Activity
1w
Automatic Assessment Configuration - No response for the submitted request even after 75 days
We have B2B LMS app used my around 4K users in total including IOS and Android users. We applied for approval through "Automatic Assessment Configuration Entitlement Request" form from account holders apple ID. Even after 75 days we didn't receive any response. We couldn't conduct secure exams in apple devices. Not sure how to proceed further. https://apps.apple.com/us/app/methodder-lms/id6754560905
Replies
1
Boosts
0
Views
85
Activity
1w
Supported way to expose an iPhone+controller as a macOS gamepad without restricted entitlements?
I’m prototyping a personal-use system that lets an iPhone with a physically attached controller act as an input device for a Mac. End goal: Use the iPhone as the transport and sensor host Use the attached physical controller for buttons/sticks Map the iPhone gyroscope to the controller’s right stick to get gyro aim in Mac games / cloud-streamed games such as GeForce NOW that don't support the gyro. What I’m trying to understand is whether Apple supports any path for this on macOS that does NOT require restricted entitlements or paid-program-only capabilities. What I’ve already found: CoreHID virtual HID device creation appears to require com.apple.developer.hid.virtual.device HIDDriverKit / system extensions appear to require Apple-granted entitlements as well GCVirtualController does not seem to solve the problem because I need a controller-visible device that other apps can see, not just controls inside my own app So my concrete question is: Is there any supported, entitlement-free way for a personal macOS app to expose a game-controller-like input device that other apps can consume system-wide? If not, is the official answer that this class of solution necessarily requires one of: CoreHID with restricted entitlement HIDDriverKit/system extension entitlement some other Apple-approved framework or program I’m missing I’m not asking about App Store distribution. This is primarily for local/personal use during development. I’m trying to understand the supported platform boundary before investing further. Any guidance on the recommended architecture for this use case would be appreciated.
Replies
4
Boosts
1
Views
629
Activity
1w
NFC PassKit Certificate request form submits without confirmation
I’m trying to request an NFC PassKit Certificate through https://developer.apple.com/contact/passkit/. After clicking Send, the completed form is POSTed successfully and receives 200 OK, but the server returns the original form instead of a confirmation page. The page’s passkit.js then clears all fields, and Developer Support confirmed that my earlier submission was never received. Has anyone else encountered this behavior or found another way to submit the NFC PassKit Certificate request?
Replies
0
Boosts
0
Views
244
Activity
1w
Sandboxed Mac app denied mach-lookup com.apple.cloudd when signed with Mac Team Store Provisioning Profile on macOS 26
A sandboxed Mac app with correct CloudKit entitlements fails to connect to com.apple.cloudd (the CloudKit daemon) when distributed via TestFlight (Mac Team Store Provisioning Profile). The identical binary works correctly when launched from Xcode (Mac Team Provisioning Profile also present). All entitlements are correctly embedded and the App ID is properly configured in Apple Developer Portal. Environment macOS 26.5.1 (25F80) Xcode 26.5 (17F42) SwiftData with NSPersistentCloudKitContainer / ModelConfiguration(cloudKitDatabase: .private(...)) Steps to Reproduce Create a sandboxed Mac app using SwiftData with CloudKit sync Enable iCloud + CloudKit in Signing & Capabilities Archive and distribute to TestFlight (Mac Team Store Provisioning Profile) Install via TestFlight on macOS 26 and launch Check Console for kernel sandbox messages Expected Result CloudKit connects to com.apple.cloudd and syncs data, matching behavior of the iOS version using the same container. Actual Result Console shows repeated kernel sandbox denials followed by CloudKit setup failure: kernel Sandbox: CheatSheet Mac(82347) deny(1) mach-lookup com.apple.cloudd kernel Sandbox: CheatSheet Mac(82347) deny(1) mach-lookup com.apple.duetactivityscheduler CheatSheet Mac CoreData+CloudKit: Failed to set up CloudKit integration for store Error Domain=CKErrorDomain Code=6 "Error connecting to CloudKit daemon." Key Diagnostic Finding When launched from Xcode, taskgated-helper validates both the Mac Team Store Provisioning Profile AND the Mac Team Provisioning Profile, and CloudKit succeeds: cloudd: TCC approved access for container containerID=iCloud.com.michaelendres.CheatSheet:Production When launched from TestFlight, only the Mac Team Store Provisioning Profile is present, and the sandbox denies com.apple.cloudd despite identical entitlements in the binary: codesign -d --entitlements shows: com.apple.developer.icloud-services: [CloudKit] com.apple.developer.icloud-container-identifiers: [iCloud.com.michaelendres.CheatSheet] com.apple.developer.icloud-container-environment: Production com.apple.security.app-sandbox: true Conclusion The Mac Team Store Provisioning Profile on macOS 26 does not appear to grant the sandbox exception for mach-lookup com.apple.cloudd, while the Mac Team Provisioning Profile (development) does. This prevents any Mac App Store / TestFlight app using CloudKit from syncing on macOS 26.
Replies
1
Boosts
0
Views
240
Activity
2w
In-App Provisioning Completely Ghosted Waiting on Review
Waiting on in-app provisioning approval. First time submitting the app. The process changed after we submitted initially but its been three months now. Every time I reach out I either get a generic response or nothing at all. What is going on? This has been a horrible experience.
Replies
0
Boosts
0
Views
256
Activity
2w
Installing MS PowerPoint extensions on macOS 15
Hi, we are looking for a solution to install an extension to Microsoft PowerPoint app in a way that's compatible with the new macOS 15 behavior for Group Containers content. PowerPoint extensions Microsoft PowerPoint can be extended by PowerPoint Add-in (.ppam) files. These files must be installed in the app's container at this location: ~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/ The PPAM file must be also registered in the MicrosoftRegistrationDB.reg file which is a sqlite database stored at this location: ~/Library/Group Containers/UBF8T346G9.Office/MicrosoftRegistrationDB.reg These locations can be access by non-sandboxed app on macOS 14 and earlier. Slido integration Our Slido app for macOS is distributed outside the Mac App Store, it is not sandboxed and it signed and notarized. The Slido app will install the PPAM file to the documented location and register it in the database. This installation did not require additional user approval on macOS 14 and older. With changes to macOS 15, a new permissions dialog is shown with this text: "Slido" would like to access data from other apps. This will allow Slido to integrate with Microsoft PowerPoint app. [Don't Allow] [Allow] We understand this is a security feature, yet we would like to make the experience for customers much better. As users are able to save PPAM files to the location by themselves without additional permissions, they expect the Slido app would be able to do so as well when run in the user context. Slido installs its files to this location: ~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/SlidoAddin.localized/ Can we obtain com.apple.security.temporary-exception.files.home-relative-path.read-write to the SlidoAddin.localized folder? Even when we are different TeamID? Can we obtain a user permission which will be persisted so next time the Slido app can verify its files and uninstall them without further prompts? By having access to the SlidoAddin.localized folder our app would not be able to access any other data in Microsoft PowerPoint. We understand accessing the MicrosoftRegistrationDB.reg file is more sensitive and getting exception to access it would not be feasible. But we are trying to find out our options to make the experience seamless as that's what is expected by our customers on Apple platform. I am thankfully for any guidance and constructive feedback. Jozef, Tech Leader at Slido integrations team
Replies
6
Boosts
1
Views
1.3k
Activity
2w
com.apple.vm.networking entitlement
Hi, I wanted to develop a small tool to launch Home Assistant OS in a Virtualization.framework VM. Something lean (no UI, no daemons), zero-config, and Apple Silicon only. I got that running, but I wanted to also use bridge networking and USB device pass-through which require the com.apple.vm.networking and com.apple.developer.accessory-access.usb entitlements, respectively. I was unable to use those for local development using ad-hoc signing, so I guess it requires a paid Apple Developer account and official approval so that they can be enabled in provisioning profiles. I'm open to reactivating my developer subscription which I let expire years ago, but wanted to first assess the chances of getting approval (no point in renewing the subscription if I won't get the permission in the end). I could make this an open source project, if it helps.
Replies
3
Boosts
0
Views
317
Activity
2w
SensorKit - more flexibility
It would be good if SensorKit was more available for non research related apps. For example I want to create an app that tracks light sensor values to create a mapping of bikelanes with poor lighting. This doesn’t fall under a research app, but seems like a reasonable use of this data. creating a way to opt the user into this (via clear warnings that the data Is being collected, and maybe a 24 or 1 hour time limit) might be a way to make this sensor data available. also clear warnings on the app store privacy page, or maybe even rules about running in the background or at app startup and an icon in the toolbar (similar to the mic) could make this more safe for users.
Replies
1
Boosts
0
Views
113
Activity
2w
how to remove hotspot-provider
I previously attempted to apply for the hotspot-provider entitlement but was rejected. I no longer require this entitlement. I need to remove the hotspot-provider permission although the Network Extensions capability is checked. However, the generated provisioning profile still includes the hotspot-provider permission, which causes error 409 when I upload the IPA file. I only need the Network Extensions entitlement. Could you please advise how to remove hotspot-provider from the provisioning profile?
Replies
1
Boosts
0
Views
243
Activity
2w
iPhone app memory limit seems capped to 6GB
Hi all :) I tried to raise this in the group lab and was pointed here. I’m seeing a flat per-app memory ceiling of about 6 GB on iPhone, even on devices with more physical RAM and with com.apple.developer.kernel.increased-memory-limit. Measured with os_proc_available_memory() plus task_vm_info.phys_footprint, the total process budget stays around 6144 MB on both: iPhone 16 Pro Max, 8 GB RAM iPhone 17 Pro Max, 12 GB RAM This came up while running Gemma 4 multimodal support in mlx-swift-lm (PR #343). The model loads at about 4.4 GB resident, leaving roughly 1.7 GB for inference/prefill. Reducing a GPU buffer cache from 512 MB to 64 MB recovered enough headroom to avoid jetsam and allowed a full image + video + audio multimodal test to complete, so the measurement seems to reflect a real per-process limit rather than free system memory. I re-measured the ceiling on the 12 GB phone with these capabilities: increased-memory-limit only: ~6144 MB increased-memory-limit + extended-virtual-addressing: ~6144 MB, no change increased-memory-limit + increased-debugging-memory-limit: ~6656 MB I have also observed that 12 GB iPad devices expose more memory to an app than 12 GB iPhone devices but I didn't measure specifically and no longer have the device to hand. Is the ~6 GB per-process tier on Pro iPhones expected, even with increased-memory-limit? Is there any supported way for a shipping app to access more of the available RAM on 12 GB iPhone models? FB23183521
Replies
0
Boosts
0
Views
253
Activity
2w
Unable to enable Apple Pay for App Clip – “relationship 'undefined'” error when adding capability
Hey everyone, hoping someone here has run into this before. I have a fully functional App Clip (com.didyoucatchit.app.Clip) linked to my main app (com.didyoucatchit.app). The Clip builds and runs perfectly, but I’m seeing issues trying to enable Apple Pay for it. When I try to link my Merchant ID under the “On Demand Install Capable” capability in the Apple Developer portal, I get this error: A relationship in the provided entity is not allowed for this request. The relationship 'undefined' can not be included in a 'bundleIdCapabilities' request. Here’s what I have already configured and confirmed: App Clip capabilities in Xcode include: Apple Pay Payment Processing Associated Domains (appclips:app.didyoucatchit.com) Provisioning profile includes: Apple Pay Payment Processing Associated Domains In-App Purchase On-Demand Install Capable Entitlements file for the Clip: <key>com.apple.developer.associated-domains</key> <array> <string>appclips:app.didyoucatchit.com</string> </array> <key>com.apple.developer.in-app-payments</key> <array> <string>merchant.com.didyoucatchit.app</string> </array> <key>com.apple.developer.parent-application-identifiers</key> <array> <string>$(AppIdentifierPrefix)com.didyoucatchit.app</string> </array> Merchant ID (merchant.com.didyoucatchit.app) is active and connected to Stripe Stripe Apple Pay configuration matches the same merchant ID and certificate Both provisioning profiles have been refreshed and downloaded However: The portal still throws the “relationship 'undefined'” error anytime I try to modify the Clip’s capabilities In testing, Apple Pay doesn’t show up as a payment option in the Clip (using Stripe’s Payment Element integration) Questions: Is this a known issue with the Developer portal when linking App Clips to merchant IDs? Is there a specific way to re-establish the parent–child relationship between the main app and the App Clip so the bundleIdCapabilities request includes the proper relationship JSON? Are there any additional configuration steps required when using Stripe for Apple Pay inside an App Clip? System Setup: Xcode: 16.2 (build 16C5032a) macOS: Sequoia 15.3.1 iOS: 18.5 (testing on physical device) Merchant ID: merchant.com.didyoucatchit.app Main App ID: com.didyoucatchit.app App Clip ID: com.didyoucatchit.app.Clip Any help or insight would be hugely appreciated Thanks in advance!
Replies
1
Boosts
0
Views
362
Activity
2w