Dear Sir/Madam, Thank you for your support. I have reviewed the documentation for Local Push Connectivity (see URL below) and, following the instruction in the "Important" section to "Request this entitlement from the Entitlement Request Page," I completed the application process for this Entitlement on March 11, 2026. [Local push connectivity] https://developer.apple.com/documentation/networkextension/local-push-connectivity?language=objc#Supporting-APNs-and-local-push-connectivity-in-one-app Subsequently, on March 13, 2026, I received the following reply from Apple: Sub : Re: Requesting Network Extension App Push Entitlement From: Local Push Review Sent: Friday, March 13, 2026 4:09 AM Hi, Thank you for your interest in the Local Push Connectivity entitlement. Your entitlement request has been approved for: Team ID: NWKYYYYYYY Technical documentation on this API is available here: -(Omission) - Best Regards, Apple Developer Relations My understanding is that upon approval of this application, an "Entitlements" field should be added to the input fields for creating provisioning profiles. However, as of today(March 18, 2026), it has not yet been added. Will the Entitlements field be added if I simply wait? My account (Apple ID), which submitted the application, belongs to three Team IDs. For convenience, I will refer to them as Team ID SV3XXXXXXX, Team ID NWKYYYYYYY, and Team ID WEJZZZZZZZ. The application status for Entitlements for each Team ID is as follows: Team ID SV3XXXXXXX Entitlements: Present. Applied for Entitlements on February 6, 2021. (Received "Re: Requesting Network Extension App Push Entitlement" email on February 6, 2021) Team ID NWKYYYYYYY Entitlements: Not present. Applied for Entitlements on March 13, 2026. (Received "Re: Requesting Network Extension App Push Entitlement" email on March 13, 2026) Team ID WEJZZZZZZZ Entitlements: Present. No record (email) of applying for Entitlements. Because of this, I am concerned that the Entitlements applied for Team ID NWKYYYYYYY may have been mistakenly granted to Team ID WEJZZZZZZZ, and I am inquiring about this. Will the Entitlements field for Team ID NWKYYYYYYY be added if I simply wait? Thank you in advance.

I am attempting to configure appclips, but I am getting this error in App Store Connect. I created an app clips target in my project, I have checked the XCAsset files and it is included when archived and pushed to App Store Connect. In both my parent and my app clips target I've added the associated domains capabilities, with the following associated same domains for both targets: appclips:akin-server-side-staging.onrender.com appclips:akin-server-side.onrender.com applinks:akin-server-side-staging.onrender.com applinks:akin-server-side.onrender.com My server is configured to serve the following json at all permutations of the staging endpoints and prod endpoints for both well known and aasa without well known. Here is one of them: https://akin-server-side.onrender.com/.well-known/apple-app-site-association Here is the JSON it is returning: {"applinks":{"details":[{"appIDs":["8PJ28P9ZZ8.com.ElevatedUnderdogs.akin1"],"components":[{"\/":"\/appClips\/referral\/venueToUser\/*"}]}]},"appclips":{"apps":["8PJ28P9ZZ8.com.ElevatedUnderdogs.akin1.Clip"]}} And yet I'm still getting Invalid Entitlement: Unknown ID in the store.

My application will create a virtual touchpad. The problem I encountered is: click on the Product menu, select Archives, then select the Distribute App, then click on Drill Distribution, then click on Distribute, and then a prompt appears: Provisioning profile "Mac Team direct Provisioning Profile:"com.xxx.xxx"doesn't match the entitlements file's valuefor the com.apple.developer.driverkit.userclient-access entitlement. But My Identifiers Selected the:DriverKit Allow Any UserClient (development) Do I need toRequest a System Extension or DriverKit Entitlement Select "Virtual HID" in here? https://developer.apple.com/contact/request/system-extension/

Hi everyone, I’m honestly trying to understand what’s going on with the Family Controls API review process. I submitted my entitlement request on March 5, and as of today (March 19), there has been zero response. I also opened a support ticket on March 16, and that hasn’t received any response either. What’s confusing is that updates to another app on the same developer account were approved within days — so clearly the account is in good standing and active. At this point, it feels like there’s no visibility into what’s happening: Is the request under review? Is it waiting for additional information? Or is it just sitting in a queue indefinitely? I understand that Family Controls is a sensitive API, but a two-week silence with no status or communication makes it very difficult to plan or ship features. For those who’ve gone through this: How long did your approval actually take? Did you receive any communication during the process? Is there any reliable way to get visibility or speed this up? Right now, this is blocking a feature we’ve invested significant time building, and the lack of feedback is the most frustrating part. This is really giving me pain. Would really appreciate any insights.

I have an existing app in App Store Connect. I added the SharedWithYou functionality to the app code and tested it on several devices. Everything is working as expected. One of the first steps was to add the com.apple.developer.shared-with-you entitlement to the Entitlements.plist file. This required a round of updates for app identifiers and provisioning profiles. When I upload the production build for testing in TestFlight I receive the following error: 90919: Invalid entitlement. The “” bundle has the com.apple.developer.shared-with-you entitlement, but it doesn’t use the Shared with You framework. Please remove the entitlement and upload a new build. I'm using SWHighlight, SWHighlightCenter, and SWAttributionView in several places throughout my app... I filed an issue in the Feedback Assistant but so far, have not received any response.

Hi, I'm developing a Tauri V2 app on MacOS, and am wanting to implement playback controls. It seems that Apple locks down playback, requiring a signed application. My app also has capabilities to "get currently playing track", and I confirmed this works; Apple produces a popup triggered by my await MusicAuthorization.request() call. It returns nil, of course, because I can't get anything to play via the ApplicationMusicPlayer; only through the system's Apple Music app. I understand SystemMusicPlayer is not available on MacOS, which is fine. I'm just a little confused as it seems pretty standard to need to test playback controls quickly without having to codesign and do some provisionprofile embedding acrobatics each time Rust re-compiles target/debug. This slows down development a lot. I do have these entries in my Entitlements.plist: <key>com.apple.security.personal-information.media-library</key> <true/> <key>com.apple.developer.music-kit</key> <true/> <key>com.apple.security.app-sandbox</key> <true/> In my tauri.conf.json, I have: "macOS": { "entitlements": "./Entitlements.plist", "signingIdentity": "Apple Development: ()" } My application works like this: I have a temporary button click to fire off a tauriinvoke() command which goes to a #tauri::command, which bridges to Swift code. Again, I validated that my less-permissive "get currently playing track" works; i.e., does not get permission denied. exact error message: [swift] playMedia error: .permissionDenied (^specifically, ".permissionDenied") My code to trigger playback of a specific media item: Task { print("[swift] entered sema Task") let status: MusicAuthorization.Status = await MusicAuthorization.request() print("auth status: \(status)") guard status == .authorized else { sema.signal(); return } print("passed the status guard.") do { var request = MusicCatalogResourceRequest<Song>(matching: \.id, equalTo: MusicItemID(rawValue: songId)) request.limit = 1 let response = try await request.response() guard let song = response.items.first else { sema.signal(); return } let player = ApplicationMusicPlayer.shared player.queue = [song] try await player.play() success = true } catch { print("[swift] playMedia error: \(error)") } sema.signal()

I’m prototyping a personal-use system that lets an iPhone with a physically attached controller act as an input device for a Mac. End goal: Use the iPhone as the transport and sensor host Use the attached physical controller for buttons/sticks Map the iPhone gyroscope to the controller’s right stick to get gyro aim in Mac games / cloud-streamed games such as GeForce NOW that don't support the gyro. What I’m trying to understand is whether Apple supports any path for this on macOS that does NOT require restricted entitlements or paid-program-only capabilities. What I’ve already found: CoreHID virtual HID device creation appears to require com.apple.developer.hid.virtual.device HIDDriverKit / system extensions appear to require Apple-granted entitlements as well GCVirtualController does not seem to solve the problem because I need a controller-visible device that other apps can see, not just controls inside my own app So my concrete question is: Is there any supported, entitlement-free way for a personal macOS app to expose a game-controller-like input device that other apps can consume system-wide? If not, is the official answer that this class of solution necessarily requires one of: CoreHID with restricted entitlement HIDDriverKit/system extension entitlement some other Apple-approved framework or program I’m missing I’m not asking about App Store distribution. This is primarily for local/personal use during development. I’m trying to understand the supported platform boundary before investing further. Any guidance on the recommended architecture for this use case would be appreciated.

Hi, I’m building a macOS tool that analyzes process behavior to detect autonomous / AI-like activity locally (process trees, file access patterns, and network usage). The system is fully user-space and runs locally in real time. I’m planning to use the Endpoint Security Framework for process and file event monitoring. This is an open-source project (non-enterprise), developed by a solo developer. My question: What are the realistic chances of getting Endpoint Security entitlements approved for this type of project? Are there specific requirements or common reasons for rejection I should be aware of? Thanks, sivan-rnd

Hello, I submitted a request for the Family Controls (Distribution) entitlement, but haven't received status update regarding approval/rejection etc. I submitted a previous contact support ticket as well. I'm wondering the timeline and also if my request went through - currently it says 'submitted' but it's remained this way for a while... I've had other developers in communities saying they were approved earlier, so curious if it's an app issue. Thank you

Hi, I submitted a Family Controls (Distribution) entitlement request for my app Faith Lock (com.faithlock.ios) - a prayer-focused iOS app that uses the Screen Time API to help users block distracting apps. I received an approval email, but the portal still shows the request as "Submitted" and the Distribution option does not appear under Additional Capabilities for my identifier. This is blocking me from submitting to App Store Connect. Details: Bundle ID: com.faithlock.ios Team ID: F86P575UNP Request IDs: 3PWTDR8KL3 / 885ZK276KK Status in portal: Submitted (unchanged since approval email) Has anyone experienced this? Is there a way to get the portal manually updated to reflect the approval? Any help or escalation from a DTS engineer would be greatly appreciated. Thank you.

I am working on a large-scale e-commerce application and we are trying to solve a specific issue regarding push notifications and user experience. We have a use case where we need to send a standard push notification to the user, but under certain local conditions on the device, we want to intercept that notification via a Notification Service Extension and suppress/drop it so it does not alert the user. We understand that the com.apple.developer.usernotifications.filtering entitlement allows a Notification Service Extension to drop notifications. However, looking at the entitlement request form, the categories seem strictly limited to: End-to-end encrypted messaging Earthquake warnings Education/learning platforms Enterprise healthcare apps My questions for the community and Apple staff: Is it possible for an e-commerce or retail app to be approved for this entitlement if we have a highly specific, valid use case that improves user experience. If this entitlement is strictly off-limits for our domain, what is the Apple-recommended architecture to achieve this? Thank you in advance for any insights or guidance!

We have an app with the default email entitlement that was granted several years ago. During our latest deployment, we received an error from our pipeline. When testing a manual submission in Xcode, we saw this error: Entitlement com.apple.developer.mail-client not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file. We checked the provisioning profile, and the default email entitlement is still present. It is visible on the certificate portal and also in the embedded.mobileprovision file. Can you suggest what we can do to release a new version of our app?

Hi, I’m hoping someone can help clarify the correct entitlement format for the Enhanced Security capability in a macOS App Store build. Context Our app is a sandboxed macOS app built with Xcode 26.4. We enabled the Enhanced Security capability in Signing & Capabilities, and we configured the entitlements based on the current documentation. What’s confusing me The Xcode 26.4 release notes say apps that already adopted Enhanced Security should remove: com.apple.security.hardened-process.enhanced-security-version com.apple.security.hardened-process.platform-restrictions and replace them with: com.apple.security.hardened-process.enhanced-security-version-string with value 1 com.apple.security.hardened-process.platform-restrictions-string with value 2 Reference: https://developer.apple.com/documentation/xcode-release-notes/xcode-26_4-release-notes The entitlement reference pages also seem consistent with that: https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.security.hardened-process.enhanced-security-version-string https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.security.hardened-process.platform-restrictions-string So our app currently uses the new -string entitlements with values "1" and "2". Our App Review rejection said: The app incorrectly implements sandboxing, or it contains one or more entitlements with invalid values. Entitlement "com.apple.security.hardened-process.enhanced-security-version-string" value must be boolean and true. Entitlement "com.apple.security.hardened-process.platform-restrictions-string" value must be boolean and true. That’s the part I can’t reconcile with the documentation. Questions For a Mac App Store submission built with Xcode 26.4, should these two entitlements use the new string-based form, or Boolean true? If the expected format has changed, is there any updated guidance beyond the Xcode 26.4 release notes and current entitlement reference? If Apple staff or anyone familiar with this can clarify what format is currently expected, I’d really appreciate it. Thanks.

Summary I'm implementing NEURLFilter with the com.apple.developer.networking.networkextension.url-filter-provider entitlement for a system-wide URL filtering feature. The feature works perfectly in development-signed builds (connecting successfully to my PIR server over extended testing) but every production-signed build fails before any network call is made. NEURLFilterManager reports .serverSetupIncomplete (code 9). After installing the NetworkExtension debug profile, the unredacted com.apple.CipherML logs reveal the cause: no privacy proxy is provisioned for this bundle identifier, and the connection is configured proxy fail closed. Environment iOS 26 Entitlement: com.apple.developer.networking.networkextension.url-filter-provider Extension point: com.apple.networkextension.url-filter-control PIR server configured via NEURLFilterManager.setConfiguration(...) Privacy Pass issuer configured Dev-signed builds: working correctly, connecting to the PIR server Production-signed builds (both TestFlight and distribution): failing identically The Error Chain Surfaced to the app via NEURLFilterManager.lastDisconnectError: NEURLFilterManager.Error.serverSetupIncomplete (code 9) ← NEAgentURLFilterErrorDomain Code 3 ← com.apple.CipherML Code 1100 "Unable to query status" ← com.apple.CipherML Code 1800 (error details were logged and redacted) After installing the VPN (NetworkExtension) debug profile, the unredacted com.apple.CipherML subsystem shows: queryStatus(for:options:) threw an error: Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={ _NSURLErrorNWPathKey = satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good, NSErrorFailingURLKey = https://<my-pir-server>/config, NSUnderlyingError = { Error Domain=NSPOSIXErrorDomain Code=50 "Network is down" }, _NSURLErrorPrivacyProxyFailureKey = true, NSLocalizedDescription = "The Internet connection appears to be offline." } The critical diagnostic line in the com.apple.network subsystem is: nw_endpoint_proxy_handler_should_use_proxy Proxies not present, but required to fail closed And the connection setup shows the proxy fail closed flag is mandatory for the connection: [C... ... Hostname#...:443 quic, bundle id: <my-bundle-id>, attribution: developer, using ephemeral configuration, context: NWURLSession (sensitive), proxy fail closed] start The network path itself is healthy (Wi-Fi good, DNS resolves correctly), but the connection is explicitly configured to fail closed if no proxy is present, and no proxy is provisioned for this bundle identifier. The entire failure happens in approximately 18 ms, far too fast for any network round-trip, confirming no traffic ever leaves the device. What I've Verified The entitlement is present in the distribution build The NEURLFilterControlProvider extension loads and returns a valid Bloom filter prefilter (with a tag that round-trips correctly between extension and framework) NEURLFilterManager.setConfiguration(pirServerURL:pirPrivacyPassIssuerURL:pirAuthenticationToken:controlProviderBundleIdentifier:) accepts all four parameters without error Development-signed builds of the same bundle identifier connect successfully to the same PIR server On production-signed builds, zero requests reach the PIR server — failure is purely client-side, before any network activity The Question How does the OHTTP privacy proxy get provisioned for a bundle identifier so that production builds can successfully use NEURLFilter? Specifically: Is there a Capability Request form I need to submit for url-filter-provider? I cannot find one in the Capability Requests section of my developer portal. Should I be running my own OHTTP gateway (for example using swift-nio-oblivious-http), and if so, does Apple then need to provision routing from their OHTTP relay to my gateway URL? Is the OHTTP relay path meant to be automatic once the entitlement is active, and if so, is there a specific activation step I'm missing? Is there any way to verify the current provisioning state for a specific bundle identifier from the developer portal? I can provide the full sysdiagnose and unredacted bundle/server details privately to an Apple engineer if that would help diagnose. I'd prefer to keep them out of a public post. Thanks!

Hi all, I submitted a FamilyControls entitlement request on March 27, 2026. It has been 9 days with no confirmation or response of any kind. I also submitted a TSI today (Case ID: 102861687343). My app is live on the App Store and is built to use Screen Time APIs to block specific apps during user defined hours. I need FamilyControls, DeviceActivity, ManagedSettings, and ManagedSettingsUI approved for the main app and its extensions. Has anyone experienced similar wait times recently? Is there a way to check on the status of an entitlement request? Thank you, Max

We are seeing what looks like a signing / managed-capability mismatch for Contactless Pass Provisioning. Environment Team ID: S7AUTD2C2B Bundle IDs: com.swiftpass.ios com.swiftpass.ios.dev Xcode: 26.4 macOS: 26.4 Problem Our app has had Contactless Pass Provisioning approved by Apple for a long time, and builds were working until a few days ago. Without any intentional signing/capability changes on our side, Xcode started failing with the following error: Provisioning profile "Swiftpass prod Appstore" doesn't include the Contactless Pass Provisioning capability. Contactless Pass Provisioning capability needs to be assigned to your team and bundle identifier by Apple in order to be included in a profile. Observed behavior Xcode marks the relevant provisioning profiles as "Ineligible" in the profile selector. This affects both development/debug and release/App Store builds. If we remove Contactless Pass Provisioning from the app entitlements/capabilities, the exact same profiles immediately become eligible and the signing error disappears. Important detail The downloaded provisioning profiles already contain the entitlement that Xcode claims is missing. We verified the downloaded profile with: security cms -D -i /Users/sergej/Downloads/Swiftpass_prod_Appstore\(1\).mobileprovision and it contains: <key>com.apple.developer.contactless-payment-pass-provisioning</key> <array> <string>shareablecredential</string> </array> So the issue appears to be that the profile contents look correct the capability is still present in the developer portal but Xcode's eligibility check still says the profile does not include the capability What we verified Contactless Pass Provisioning is still enabled for the App ID in the Apple Developer portal Newly recreated / redownloaded profiles still contain the entitlement Both dev and distribution profiles are affected The behavior is reproducible across profile refreshes and local cleanup What we already tried Reinstalled Xcode Updated Xcode and macOS Updated command line tools Cleaned DerivedData Deleted local provisioning profile cache Refreshed/redownloaded profiles from Xcode Recreated provisioning profiles in the developer portal Removed and re-added the capability in Xcode Expected behavior If the downloaded provisioning profile contains com.apple.developer.contactless-payment-pass-provisioning, Xcode should treat that profile as eligible. Actual behavior Xcode reports that the capability is missing and marks the profile as ineligible, even though the entitlement is present in the downloaded profile. Question Has anyone seen this specific mismatch with Contactless Pass Provisioning or other managed capabilities? This currently looks like either: an Apple backend/App ID capability-assignment sync problem, or an Xcode eligibility-validation bug for managed capabilities Feedback Assistant ID: FB22439399. It contains screenshots that showcase the issue as well.

I'm writing this post out of genuine desperation after exhausting every official support channel available to me. The situation: I've built a screen time / focus app for students called SınavKilidi, specifically designed for Turkish high school students preparing for the YKS university entrance exam — one of the most high-stakes exams in Turkey, taken by hundreds of thousands of students every year. The exam window is approximately 2 months away. This app is inherently seasonal: if it doesn't reach users before the exam season, an entire year of development becomes irrelevant. The main app binary was approved and is live. Everything on the App Store Connect side is fully ready — metadata, screenshots, pricing, in-app purchases, the works. The blocker: My app uses App Extensions that require the com.apple.developer.family-controls entitlement. The main app target received distribution entitlement approval. However, the extensions — which are architecturally inseparable from the core functionality — have not received the same entitlement. Without this, I cannot submit a working build. The app is literally unshippable in its current state despite the main entitlement being granted. This is not a configuration issue on my end. The entitlement is correctly set up in my provisioning profiles. The gap is purely on Apple's approval side for the extension targets. The support experience: I opened Case #102855522321 on March 29, 2026. Since then: I had a call with Apple Developer Support on April 1 I sent follow-up emails on April 1, April 2, April 3, and April 7 Not a single substantive response. Only automated acknowledgements. That is 10+ days, 4 follow-up emails, 1 phone call, and complete silence on an issue that is actively costing me my launch window. What I'm asking: I'm not asking for special treatment. I understand Apple receives thousands of requests. But this entitlement request is for a legitimate, already-partially-approved app, with a documented real-world deadline, in an educational category that Apple actively promotes. Can anyone from the App Review or Developer Relations team look into Case #102855522321 and provide an actual update? Or can anyone here share whether there's a known delay affecting FamilyControls entitlement approvals for extensions specifically? Any guidance would be deeply appreciated. Every day that passes without a resolution is a day closer to this app missing its entire reason for existing.

Can a macOS Platform SSO extension reliably identify the original app behind a Safari or ASWebAuthenticationSession-mediated request, or does ASAuthorizationProviderExtensionAuthorizationRequest only expose the immediate caller such as Safari ? We are seeing: callerBundleIdentifier = com.apple.Safari callerTeamIdentifier = Apple audit-token-based validation also resolves to Safari So the question is whether this is the expected trust model, and if so, what Apple-recommended mechanism should be used to restrict SSO participation to approved apps when the flow is browser-mediated.

Hi, I’m looking for clarification from folks familiar with CoreHID rather than App Review, as the guys there have not responded to my post (https://developer.apple.com/forums/thread/820676) We have a sandboxed macOS app that creates a virtual HID device (HIDVirtualDevice) as described in Creating virtual devices https://developer.apple.com/documentation/corehid/creatingvirtualdevices To work at all, the app requires the entitlement: com.apple.developer.hid.virtual.device With this entitlement present, macOS shows the system prompt requesting Accessibility permission App would like to control this computer using accessibility features. Grant access to this application in Security and Privacy preferences located in System Preferences. when HIDVirtualDevice(properties:) is called. There is no mention of Accessibility in the HIDVirtualDevice documentation, but the behavior is reproducible and seems unavoidable. My question is therefore: Is creating a virtual HID device from userspace via HIDVirtualDevice considered inherently incompatible with Mac App Store distribution? In other words: Is the Accessibility prompt an expected side‑effect of this API? And if so, does that mean using HIDVirtualDevice is only practical for direct (non–App Store) distribution unless the app is explicitly an accessibility tool? I’m not asking about review policy details—just whether, from a technical/system point of view, HIDVirtualDevice is actually intended to be usable by App Store apps. For context, there seem to be public, non‑accessibility uses of Apple’s virtual HID infrastructure, like this recent post: https://developer.apple.com/forums/thread/820708 and corresponding Github repo this project. I don't know if these intend to use the App Store, but they might end up in the same situation. Any insights from people who’ve worked with CoreHID would be greatly appreciated. Thanks, Magnus

I requested "DirverKit UserClient Access" Entitlement, But I Distribute App failed. I don't know the reason. I think when I request "DirverKit UserClient Access" I make a mistake. I fill in two Bundle ids in the "Request a System Extension or DriverKit Entitlement" form's "UserClient Bundle IDs" item. The reason is when I Add "DirverKit UserClient Access" Capability in the project of Xcode. The .entitlements file is like this: <string>com.turing.TuringTouch com.turing.TuringTouch.TouchDriver</string> But in "Signing" of Xcode's "Bundle Identifier" can fill in only on "Identifier" therefore they do not match. So I can't Distribute App. I reapply "DirverKit UserClient Access" Entitlement. But decline. The result is "decline". Please help me. Please tell me, how should can I do now? Thank you very much.