Entitlements

RSS for tag

Entitlements allow specific capabilities or security permissions for your apps.

Posts under Entitlements tag

200 Posts

Post

Replies

Boosts

Views

Activity

Unable to enable Apple Pay for App Clip – “relationship 'undefined'” error when adding capability
Hey everyone, hoping someone here has run into this before. I have a fully functional App Clip (com.didyoucatchit.app.Clip) linked to my main app (com.didyoucatchit.app). The Clip builds and runs perfectly, but I’m seeing issues trying to enable Apple Pay for it. When I try to link my Merchant ID under the “On Demand Install Capable” capability in the Apple Developer portal, I get this error: A relationship in the provided entity is not allowed for this request. The relationship 'undefined' can not be included in a 'bundleIdCapabilities' request. Here’s what I have already configured and confirmed: App Clip capabilities in Xcode include: Apple Pay Payment Processing Associated Domains (appclips:app.didyoucatchit.com) Provisioning profile includes: Apple Pay Payment Processing Associated Domains In-App Purchase On-Demand Install Capable Entitlements file for the Clip: <key>com.apple.developer.associated-domains</key> <array> <string>appclips:app.didyoucatchit.com</string> </array> <key>com.apple.developer.in-app-payments</key> <array> <string>merchant.com.didyoucatchit.app</string> </array> <key>com.apple.developer.parent-application-identifiers</key> <array> <string>$(AppIdentifierPrefix)com.didyoucatchit.app</string> </array> Merchant ID (merchant.com.didyoucatchit.app) is active and connected to Stripe Stripe Apple Pay configuration matches the same merchant ID and certificate Both provisioning profiles have been refreshed and downloaded However: The portal still throws the “relationship 'undefined'” error anytime I try to modify the Clip’s capabilities In testing, Apple Pay doesn’t show up as a payment option in the Clip (using Stripe’s Payment Element integration) Questions: Is this a known issue with the Developer portal when linking App Clips to merchant IDs? Is there a specific way to re-establish the parent–child relationship between the main app and the App Clip so the bundleIdCapabilities request includes the proper relationship JSON? Are there any additional configuration steps required when using Stripe for Apple Pay inside an App Clip? System Setup: Xcode: 16.2 (build 16C5032a) macOS: Sequoia 15.3.1 iOS: 18.5 (testing on physical device) Merchant ID: merchant.com.didyoucatchit.app Main App ID: com.didyoucatchit.app App Clip ID: com.didyoucatchit.app.Clip Any help or insight would be hugely appreciated Thanks in advance!
1
0
388
3w
"Failed to register bundle identifier" for teammates — caused by App Groups/HealthKit forcing an explicit App ID?
I'm trying to let a few teammates build and run my app on their own devices, and I'd like to understand the correct approach for our situation. Setup We are a small team. Each of us uses a free personal Apple Developer team (individual Apple IDs, no paid membership yet). The app (an iOS app with a Watch app and a WidgetKit extension) uses App Groups and HealthKit. Bundle IDs: com.example.MyApp, com.example.MyApp.watchkitapp, com.example.MyApp.Widget. App Group: group.example.MyApp. It builds fine for me. When a teammate opens the project and tries to run on device, they get: Failed Registering Bundle Identifier The app identifier "com.example.MyApp" cannot be registered to your development team because it is not available. Change your bundle dentifier to a unique string to try again. What I've observed My other apps that have no entitlements build fine for every teammate. Looking at their embedded profiles, those sign with a wildcard profile (TEAMID.*). This app signs with an explicit profile (TEAMID.com.example.MyApp). If a teammate removes HealthKit and App Groups from all targets, the app builds for them under their own team using the same bundle ID. My understanding (please correct me) App Groups and HealthKit require an explicit App ID, which can only be registered to one team. Since I registered com.example.MyApp first, no other personal team can register the same explicit App ID hence the error. My questions Is that understanding correct — that an entitled (explicit) App ID can only ever belong to a single team? Is there any supported way to keep the same bundle identifier and keep App Groups + HealthKit while teammates build under their own separate personal teams? Or is moving to an Organization account (everyone as members of one shared team) the only way to share an entitled bundle ID across multiple developers? For free personal-team development, is the recommended pattern to give each developer a unique bundle ID + App Group (e.g. via per-developer .xcconfig), keeping entitlements intact? Just want to confirm I'm choosing the right approach before committing to it. Thanks!
1
0
168
3w
"Client is not entitled" Error (Code=4) with PKAddShareablePassConfiguration.forPassMetaData Despite Correct Entitlements
Hello, I'm experiencing a critical issue with PassKit's shareable pass functionality. Despite having the necessary entitlements configured, I'm getting an entitlement error when calling PKAddShareablePassConfiguration.forPassMetaData. Failed to create PKAddShareablePassConfiguration: Error Domain=PKPassKitErrorDomain Code=4 "client is not entitled" UserInfo={NSDebugDescription=client is not entitled} private func createPassViewController(from response: PreparePushProvisioningResponse) { guard let passMetadata = PKShareablePassMetadata( provisioningCredentialIdentifier: response.provisioningCredentialIdentifier, cardConfigurationIdentifier: response.cardConfigurationIdentifier, sharingInstanceIdentifier: response.sharingInstanceIdentifier, passThumbnailImage: response.passThumbnailImage, ownerDisplayName: response.ownerDisplayName, localizedDescription: response.localizedDescription ) else { print("Failed to create PKShareablePassMetadata") return } print("PKShareablePassMetadata created successfully") // This is where the error occurs PKAddShareablePassConfiguration.forPassMetaData( [passMetadata], provisioningPolicyIdentifier: "", // Empty as per documentation action: .add ) { (configuration, error) in if let error = error { print("Failed to create PKAddShareablePassConfiguration: \(error)") // Error Domain=PKPassKitErrorDomain Code=4 "client is not entitled" return } guard let config = configuration else { print("PKAddShareablePassConfiguration is nil") return } // other code... } } The push provisioning preparation succeeds completely: Prepare push provisioning succeeded Credential ID: "XXXX-XXXX....." Owner: Teodora Description: Interflex NFC development PKShareablePassMetadata created successfully Then immediately fails at PKAddShareablePassConfiguration.forPassMetaData() with the entitlement error. Xcode Configuration Issues: When manually entering capabilities in Xcode's Signing & Capabilities tab, I receive this error: Provisioning profile "20250929 VIDC QA DEV" doesn't match the entitlements file's value for the com.apple.developer.contactless-payment-pass-provisioning entitlement. Profile qualification is using entitlement definitions that may be out of date. Connect to network to update. When I don't manually enter the capabilities in the Runner.entitlements file, the provisioning profile error disappears in Xcode, but the runtime entitlement error persists.
1
1
810
4w
Entitlement Request: com.apple.developer.passkit.pass-presentation-suppression
Great Morning, We would like to request the entitlement: com.apple.developer.passkit.pass-presentation-suppression Use Case: Our application provides NFC-based mobile key access for hotel guests.  When the device is presented to an NFC reader (door lock), iOS automatically  launches Apple Wallet, interrupting the in-app unlock experience. We need to suppress Wallet presentation while the app is in the foreground to allow a seamless “tap-to-unlock” experience. Please let us know if additional information or agreements are required. Thank you.
0
0
299
Jun ’26
Health permissions problem with watchOS 10.6.2
In the last few weeks 5 users have reported my workout watch app being unable to read health data despite the permissions being enabled in the iPhone Settings app. This has been a common complaint over the years and is usually fixed by disabling the permissions; rebooting both devices; and then enabling them again. This usually nudges iOS into sending the permissions to watchOS. However that procedure doesn't work for these users, all of whom are using watchOS 10.6.2. They are using various versions of iOS 18 or 26 so it seems to be a problem with that version of watchOS, which users are usually limited to because their hardware won't support anything more up to date. It seems that unpairing and re-pairing the watch can fix the problem but not always. I looked around and it seems that other apps are having the same problem: https://www.reddit.com/r/runna/comments/1rhhs2n/runna_wont_start_an_outdoor_run_on_apple_watch/ Does anyone know a way to fix this? My current advice is to repeatedly unpair / re-pair until it works, which isn't really practical! Thanks in advance.
3
0
580
Jun ’26
WeatherKit JWT generation fails with WDSJWTAuthenticator Code=2 despite App ID capability, App Service, and provisioning profile all enabled
am seeing a persistent WeatherKit JWT generation failure with: WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors Code=2 I already reviewed the related forum discussion where DTS noted that the WeatherKit App Service must be enabled separately from the WeatherKit capability on the App ID. I have confirmed that both are enabled. Confirmed configuration Team ID: FYGW4LHN42 Diagnostic app bundle ID: com.elilindenDinematch.AppleServiceDiagnostics Device: physical iPhone iOS version: 26.5 App version: 1.0 (1) I created a fresh diagnostic app specifically to isolate this from my main app. The issue reproduces in the clean diagnostic app. I have confirmed: WeatherKit is checked under the App ID capabilities. WeatherKit is enabled under Certificates, Identifiers & Profiles → Services. The Services page shows WeatherKit with “Manage your WeatherKit usage,” a “View” button, and “100% of calls available.” A fresh provisioning profile was generated. The embedded provisioning profile is present in the app. The embedded provisioning profile includes WeatherKit. The app is running on a physical iPhone, not only the simulator. Location services are enabled and authorized. The diagnostic app logs show the provisioning profile is found and includes WeatherKit: profile=FOUND appID=FYGW4LHN42.com.elilindenDinematch.AppleServiceDiagnostics team=FYGW4LHN42 WeatherKit=YES Location authorization also looks valid: servicesEnabled=true authorization=authorizedWhenInUse accuracy=fullAccuracy Failure When the app calls WeatherKit, JWT generation fails: Failed to generate jwt token for: com.apple.weatherkit.authservice with error: Error Domain=WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors Code=2 "(null)" Then WeatherKit fails with: WeatherKit error[0] domain=WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors code=2 description=The operation couldn’t be completed. (WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors error 2.) Relevant excerpt: AppleDiag 2026-06-08T20:20:17.448Z App bundle=com.elilindenDinematch.AppleServiceDiagnostics version=1.0(1) AppleDiag 2026-06-08T20:20:17.448Z Device iOS=26.5 model=iPhone name=iPhone AppleDiag 2026-06-08T20:20:17.455Z PROFILE profile=FOUND name=iOS Team Provisioning Profile: com.elilindenDinematch.AppleServiceDiagnostics uuid=f42899e3-029a-4e85-b6ac-0aa515fc0028 appID=FYGW4LHN42.com.elilindenDinematch.AppleServiceDiagnostics team=FYGW4LHN42 WeatherKit=YES AppleDiag 2026-06-08T20:20:31.882Z BEGIN WeatherKit AppleDiag 2026-06-08T20:20:31.884Z WEATHERKIT start lat=40.7128 lon=-74.006 Failed to generate jwt token for: com.apple.weatherkit.authservice with error: Error Domain=WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors Code=2 "(null)" AppleDiag 2026-06-08T20:20:34.652Z WEATHERKIT failed elapsedMs=2764 AppleDiag 2026-06-08T20:20:34.655Z WeatherKit error[0] domain=WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors code=2 description=The operation couldn’t be completed. (WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors error 2.) AppleDiag 2026-06-08T20:20:34.655Z WeatherKit error[0] userInfo=empty Because this happens in a clean diagnostic app, with WeatherKit enabled both on the App ID and under Services, and with the embedded provisioning profile confirming WeatherKit=YES, this does not appear to be an app-specific code issue or a missing App ID capability issue. Has anyone else seen WDSJWTAuthenticatorServiceListener.Errors Code=2 after confirming both the WeatherKit App ID capability and the separate WeatherKit App Service are enabled? Could someone from Apple/DTS check whether WeatherKit JWT minting is correctly enabled on the backend for Team ID FYGW4LHN42 and bundle ID com.elilindenDinematch.AppleServiceDiagnostics?
0
0
177
Jun ’26
NSE Filtering Entitlement — No Response After 4+ Weeks (Request ID: 7NPNCB7Q9P)
NSE Filtering Entitlement — No Response After 4+ Weeks (Request ID: 7NPNCB7Q9P) We submitted a request for the Notification Service Extension Filtering Entitlement (com.apple.developer.usernotifications.filtering) over two weeks ago and have received no response. App: NoLink Bundle ID: io.nolink.ios NSE Bundle ID: io.nolink.ios.nse Team ID: V2E3A94DC9 Request ID: 7NPNCB7Q9P Support Case ID: 102886799629 NoLink is an end-to-end encrypted messaging app built on the Matrix protocol with voice and video calling. All push notifications arrive encrypted — the NSE decrypts them to determine if the event is a message or an incoming call. Without this entitlement, incoming VoIP calls cannot ring properly. Users receive a silent text notification instead of the native CallKit incoming call screen. The duplicate APNS notification for call events cannot be suppressed. Element X iOS (io.element.elementx) has been granted this exact entitlement for the identical use case — same Matrix protocol, same Matrix Rust SDK, same NSE architecture. NoLink is built on the same codebase. We also opened Support Case 102886799629 but received only a generic response directing us to the Developer Forums. Could someone from the Entitlements team please review our request? We are happy to provide any additional technical details or a demo. Thank you.
1
0
364
Jun ’26
Family Controls entitlement missing from Distribution Provisioning Profile — Archive fails for App Store
Hi, I’m building an iOS app that uses FamilyControls to let users block distracting apps during study sessions. Everything works fine in Debug on a real device: the authorization request succeeds and app blocking works correctly. The problem is when I try to create an Archive for App Store Connect. Xcode gives me this error: “Provisioning profile ‘iOS Team Store Provisioning Profile: com.(ID)’ doesn’t include the com.apple.developer.family-controls entitlement.” I also get a warning saying that my bundle identifier is using the development-only version of the Family Controls capability and that I should request access to the distribution version. I’ve already added the Family Controls capability, enabled the required entitlements, and I’m using automatic signing. I also tried enabling the capability for my App ID in the Apple Developer portal, but it either doesn’t save or the distribution profile still doesn’t include the entitlement. Does the Family Controls distribution entitlement require approval from Apple before it can be used in an App Store build? If so, where do I request it? Has anyone successfully published an app using FamilyControls and run into this issue? Thanks.
1
0
286
Jun ’26
FamilyControls entitlement pending since June 2, 2026 — Team ID 5499VUQ6PC
Hello, I am the developer of Kiddowall, a B2C parental control app for iOS. I submitted a request for the com.apple.developer.family-controls entitlement on June 2, 2026 (support case #102905280650), and also followed up via an existing case #102905007339. Apple support indicated a 48-hour (2 business days) response time when the case was created. We are now past that window with no update on entitlement status. Request details: Team ID: 5499VUQ6PC Bundle ID: com.kiddowall.child App Bundle ID (parent): com.kiddowall.parent — Kiddowall — Parental Control (BDC, France) Entitlement requested: com.apple.developer.family-controls Support case: #102905280650 Current status: Submitted (no update in 4 days) Context: Kiddowall is a B2C parental control application for French families. Without the FamilyControls entitlement, we cannot implement proper on-device content filtering or screen time management without requiring MDM supervision — which is not viable for a consumer app (it requires factory reset via Apple Configurator 2 or ABM/DEP enrollment). FamilyControls is the only Apple-approved path to build a real parental control app for B2C without supervision. We are committed to full compliance with Screen Time API guidelines. Can anyone from Apple staff confirm the status of case #102905280650, or advise on next steps to expedite this request? Thank you. — Franck MAUDET (Kiddowall)
0
0
270
Jun ’26
Requesting com.apple.developer.web-browser.public-key-credential entitlement for macOS WKWebView app
We have a macOS app (io.formhealth.SideCore) that acts as a browser-style wrapper, embedding multiple web applications in WKWebView panes. We need the com.apple.developer.web-browser.public-key-credential entitlement so that WebAuthn/passkey flows (e.g. Google OAuth) work within the embedded webviews. The capability doesn't appear on macOS App IDs in the developer portal, and the entitlement request form at developer.apple.com/contact/request/system-extension returns "Your account can't access this page." What's the correct process to request this entitlement for a non-App-Store macOS app?
1
0
218
Jun ’26
Requesting com.apple.managed-keychain Entitlement for Enterprise S/MIME Cert Visibility
Requesting com.apple.managed-keychain Entitlement for Enterprise S/MIME Cert Visibility Platform: iOS | Distribution: MDM (Microsoft Intune) | Not App Store We are developing an internal enterprise iOS app (EMS Assist, com.company.supportcompanion) for Company deployed exclusively to Intune-managed devices. Our requirement: Read S/MIME certificates pushed to the device via Intune SCEP profiles to: Confirm cert presence in the MDM-managed keychain Read expiry date (kSecAttrNotValidAfter) to warn users before expiry Distinguish between missing, expired, and valid cert states What we have tried: Standard SecItemCopyMatching query — returns only app-installed certs, not MDM-pushed certs Graph API (deviceConfigurationStates) — confirms profile compliance but does not expose actual cert expiry or keychain presence Our understanding: com.apple.managed-keychain is required for an app to access MDM-managed keychain items on supervised devices, combined with a matching keychain-access-groups entitlement and the cert profile configured as "always available" in MDM. Questions: Is com.apple.managed-keychain the correct entitlement for this use case? Does it apply to SCEP/PKCS-issued certificates specifically, or only other MDM keychain items? Has anyone successfully accessed Intune-pushed S/MIME certs from an iOS app using this entitlement? Any guidance from the community or Apple engineers would be appreciated.
5
0
1.5k
Jun ’26
Determining if an entitlement is real
This issue keeps cropping up on the forums and so I decided to write up a single post with all the details. If you have questions or comments: If you were referred here from an existing thread, reply on that thread. If not, feel free to start a new thread. Use whatever topic and subtopic is appropriate for your question, but also add the Entitlements tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Determining if an entitlement is real In recent months there’s been a spate of forums threads involving ‘hallucinated’ entitlements. This typically pans out as follows: The developer, or an agent working on behalf of the developer, changes their .entitlements file to claim an entitlement that’s not real. That is, the entitlement key is a value that is not, and never has been, supported in any way. Xcode’s code signing machinery tries to find or create a provisioning profile to authorise this claim. That’s impossible, because the entitlement isn’t a real entitlement. Xcode reports this as a code signing error. The developer misinterprets that error [1] in one of two ways: As a generic Xcode code signing failure, and so they start a forums thread asking about how to fix that problem. As an indication that the entitlement is managed — that is, requires authorisation from Apple to use — and so they start a forums thread asking how to request such authorisation. The fundamental problem is step 1. Once you start claiming entitlements that aren’t real, you’re on a path to confusion. Note If you’re curious about how provisioning profiles authorise entitlement claims, read TN3125 Inside Code Signing: Provisioning Profiles. There are a couple of ways to check whether an entitlement is real. My preferred option is to create a new test project and use Xcode’s Signing & Capabilities editor to add the corresponding capability to it. Then look at what Xcode did. You might find that Xcode claimed a different entitlement, or added an Info.plist key, or did nothing at all. IMPORTANT If you can’t find the correct capability in the Signing & Capabilities editor, it’s likely that this feature is available to all apps, that is, it’s not gated by an entitlement or anything else. Another thing you can do is search the documentation. The vast majority of real entitlements are documented in Bundle Resources > Entitlements. IMPORTANT When you search for documentation, focus on the Apple documentation. If, for example, you search the Apple Developer Forums, you might be mislead by other folks who are similarly confused. If you find that you’re mistakenly trying to claim a hallucinated entitlement, the fix is trivial: Remove it from your .entitlements file so that your app starts to build again. Then add the capability using Xcode’s Signing & Capabilities editor. This will do the right thing. If you continue to have problems, feel free to ask for help here on the forums. See the top of this post for advice on how to do that. [1] Xcode 26.2, currently being seeded as Release Candidate, is much better about this (r. 155327166). Give it a whirl! Commonly Hallucinated Entitlements This section lists some of the more commonly hallucinated entitlements: com.apple.developer.push-notifications — The correct entitlement is aps-environment (com.apple.developer.aps-environment on macOS), documented here. There’s also the remote-notification value in the UIBackgroundModes property. com.apple.developer.in-app-purchase — There’s no entitlement for in-app purchase. Rather, in-app purchase is available to all apps with an explicit App ID (as opposed to a wildcard App ID). com.apple.InAppPurchase — Likewise. com.apple.developer.storekit — Likewise. com.apple.developer.in-app-purchase.non-consumable — Likewise. com.apple.developer.in-app-purchase.subscription — Likewise. com.apple.developer.app-groups — The correct entitlement is com.apple.security.application-groups, documented here. And if you’re working on the Mac, see App Groups: macOS vs iOS: Working Towards Harmony. com.apple.developer.background-modes — Background modes are controlled by the UIBackgroundModes key in your Info.plist, documented here. UIBackgroundModes — See the previous point. com.apple.developer.voip-push-notification — There’s no entitlement for this. VoIP is gated by the voip value in the UIBackgroundModes property. com.apple.developer.family-controls.user-authorization — The correct entitlement is com.apple.developer.family-controls, documented here. IMPORTANT As explained in the docs, this entitlement is available to all developers during development but you must request authorisation for distribution. com.apple.developer.device-activity — The DeviceActivity framework has the same restrictions as Family Controls. com.apple.developer.managed-settings — If you’re trying to use the ManagedSettings framework, that has the same restrictions as Family Controls. If you’re trying to use the ManagedApp framework, that’s not gated by an entitlement. com.apple.developer.callkit.call-directory — There’s no entitlement for the Call Directory app extension feature. com.apple.developer.nearby-interaction — There’s no entitlement for the Nearby interaction framework. com.apple.developer.secure-enclave — On iOS and its child platforms, there’s no entitlement required to use the Secure Enclave. For macOS specifically, any program that has access to the data protection keychain also has access to the Secure Enclave [1]. See TN3137 On Mac keychain APIs and implementations for more about the data protection keychain. com.apple.developer.networking.configuration — If you’re trying to configure the Wi-Fi network on iOS, the correct entitlement is com.apple.developer.networking.HotspotConfiguration, documented here. com.apple.developer.musickit — There is no MusicKit capability. Rather, enable MusicKit via the App Services column in the App ID editor, accessible from Developer > Certificates, Identifiers, and Profiles > Identifiers. These app services are tied to your App ID on the server side, meaning that they have no presence in your code signature. com.apple.developer.shazamkit — There is no ShazamKit capability. Like MusicKit, this is an app service. com.apple.mail.extension — Creating an app extension based on the MailKit framework does not require any specific entitlement. com.apple.security.accessibility — There’s no entitlement that gates access to the Accessibility APIs on macOS. Rather, this is controlled by the user in System Settings > Privacy & Security. Note that sandboxed apps can’t use these APIs. See the Review functionality that is incompatible with App Sandbox section of Protecting user data with App Sandbox. com.apple.developer.adservices — Using the AdServices framework does not require any specific entitlement. com.apple.security.device.audio-input-monitoring — The com.apple.security.device.microphone entitlement is what restricts microphone access on macOS. [1] While technically these are different features, they are closely associated and it turns out that, if you have access to the data protection keychain, you also have access to the SE. Revision History 2026-05-28 Added com.apple.security.device.audio-input-monitoring to the common hallucinations list (Kevin) 2026-04-23 Added com.apple.developer.shazamkit to the common hallucinations list. Added a little more info about app services. 2025-12-09 Updated the Xcode footnote to mention the improvements in Xcode 26.2rc. 2025-11-03 Added com.apple.developer.adservices to the common hallucinations list. 2025-10-30 Added com.apple.security.accessibility to the common hallucinations list. 2025-10-22 Added com.apple.mail.extension to the common hallucinations list. Also added two new in-app purchase hallucinations. 2025-09-26 Added com.apple.developer.musickit to the common hallucinations list. 2025-09-22 Added com.apple.developer.storekit to the common hallucinations list. 2025-09-05 Added com.apple.developer.device-activity to the common hallucinations list. 2025-09-02 First posted.
0
0
4.8k
May ’26
Family Controls entitlement stuck after app transfer
Hi Apple DTS, FivePrayer is a live App Store app and we are blocked by Family Controls (Distribution) after an app transfer. Bundle ID: com.fiveprayer.app Current team: FivePrayer LLC Previous team: Gansoft Inc. App Store: https://apps.apple.com/us/app/fiveprayer/id6755536905 This same app previously had Family Controls (Distribution) approved under Gansoft Inc. After the transfer to FivePrayer LLC, the capability did not carry over, so we had to request it again. It has now been pending for almost one month, and we cannot ship critical updates because Family Controls is a core dependency of the app. Is there a way to re-associate the previously approved entitlement with the transferred App ID, or route this to the correct Managed Capabilities / Entitlements team? Thank you.
1
2
527
May ’26
Live Caller ID Lookup entitlement - typical onboarding timeline after PIR migration?
Hi everyone, I'm hoping to hear from developers who have submitted Live Caller ID Lookup entitlement requests, especially anyone successfully onboarded after the PIR architecture became required. My own request (ID 2C4HJDWYJ6, submitted March 23, 2026) has been under review for 85 days. Apple Developer Support confirmed on May 8 that it's "in the pipeline to be onboarded" but I haven't received a concrete timeline. Infrastructure is fully deployed and verified per Apple's PIR documentation: OHTTP Gateway: https://gateway.zinfo.ge PIR Service: https://service.zinfo.ge (Apple's Swift PIR Service) Token Issuer: https://issuer.zinfo.ge DNS TXT record correctly configured HTTP/2, TLS, Protocol Buffers wire format Production database loaded Questions for the community: For developers already onboarded, how long did your review take from final submission to approval? Did the Live Caller ID Lookup capability appear automatically in Certificates, Identifiers & Profiles after approval, or was there an additional step? Is there an Apple engineering contact who handles PIR onboarding questions directly, separate from Developer Support? Any guidance from those who have been through this process, or from Apple DevRel, would be appreciated. Thanks, Levan
1
0
299
May ’26
Live Caller ID Lookup entitlement request no response for 3+ weeks — Case #102823550184
Hello, I am hoping someone from Apple or the community can help escalate or advise on my situation. I submitted a Live Caller ID Lookup entitlement request for my app Zinfo (com.parastashvili.Mobile), Team ID: CNH4KYRW44. A support case was opened on February 17, 2026 (Case ID: 102823550184). Apple's documentation states entitlement review takes up to 2 weeks. It has now been over 3 weeks with no substantive response despite multiple follow-ups. Timeline: Feb 17: Case opened Feb 26: I provided all requested technical details in full — OHTTP endpoints, Privacy Pass token system, DNS TXT record, Apple test number (+1 408 555 1212 returning "Johnny Appleseed"), all fully deployed and ready for validation Feb 27: Apple replied with a generic "appropriate team will be in contact" message Feb 28, Mar 6, Mar 10: Follow-up emails sent — no meaningful response All technical requirements are fully implemented and operational. We are ready for Apple's validation at any time. Has anyone else experienced long delays with Live Caller ID Lookup entitlement reviews? Is there a better escalation path? I have also submitted a new escalation ticket (Case ID: 102840874265) under Development and Technical > Entitlements today. Any advice or visibility from Apple staff would be greatly appreciated. App: Zinfo (com.parastashvili.Mobile) Extension Bundle ID: com.parastashvili.Mobile.LiveCallerID Team ID: CNH4KYRW44
3
0
368
May ’26
Family Controls (Distribution)
Hello, I submitted a request for Family Controls (Distribution) approval, and it has now been over 12 days without any update on the status. I understand that review times can vary, but I wanted to check if this delay is expected or if there’s anything I might need to do on my end to help move the process forward. Could anyone from the Apple team or the community provide insight into: Typical processing times for Family Controls distribution requests Whether delays beyond a few days are common Any steps I should take to follow up or expedite the review For reference: Status: Submitted Submission time: April 29, 2026 Any guidance would be greatly appreciated. Thank you!
1
0
285
May ’26
Entitlement com.apple.vm.networking not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file
Hi guys, I am building a custom virtualization utility for macOS using the native Virtualization Framework. My goal is to allow local guest virtual machines to run in Bridged Mode (VZBridgedNetworkDeviceAttachment) so they can acquire their own distinct local IP address from my router and expose service ports directly to the local network. When attempting to compile and run my app with the com.apple.vm.networking entitlement, Xcode throws the following error:"Entitlement com.apple.vm.networking not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file" I understand that this is a restricted capability that is hidden from the standard Apple Developer Portal by default. I have already reached out via email to Apple Developer Support to request it, but I have not received a definitive answer on the process or exact entitlement string name. For those who have successfully shipped or tested a virtualization app with bridged networking, Is com.apple.vm.networking the correct string name for modern macOS versions, or is there a newer, specific identifier required? What is the actual entitlement that i should see in my developer account? I can't seem to find it in the docs as well. Would it be called "VM Networking" Thanks,
1
0
275
May ’26
Family Controls entitlement request — 4 weeks, no status update
I submitted my Family Controls entitlement request on April 21 for my iOS app and still haven't heard anything back. We have had no approval or status update. It's been close to a month now. This is blocking me from testing and moving forward with the app since it relies on the Screen Time / Family Controls APIs. Has anyone run into delays this long recently? Thanks
0
0
321
May ’26
Unable to enable Apple Pay for App Clip – “relationship 'undefined'” error when adding capability
Hey everyone, hoping someone here has run into this before. I have a fully functional App Clip (com.didyoucatchit.app.Clip) linked to my main app (com.didyoucatchit.app). The Clip builds and runs perfectly, but I’m seeing issues trying to enable Apple Pay for it. When I try to link my Merchant ID under the “On Demand Install Capable” capability in the Apple Developer portal, I get this error: A relationship in the provided entity is not allowed for this request. The relationship 'undefined' can not be included in a 'bundleIdCapabilities' request. Here’s what I have already configured and confirmed: App Clip capabilities in Xcode include: Apple Pay Payment Processing Associated Domains (appclips:app.didyoucatchit.com) Provisioning profile includes: Apple Pay Payment Processing Associated Domains In-App Purchase On-Demand Install Capable Entitlements file for the Clip: <key>com.apple.developer.associated-domains</key> <array> <string>appclips:app.didyoucatchit.com</string> </array> <key>com.apple.developer.in-app-payments</key> <array> <string>merchant.com.didyoucatchit.app</string> </array> <key>com.apple.developer.parent-application-identifiers</key> <array> <string>$(AppIdentifierPrefix)com.didyoucatchit.app</string> </array> Merchant ID (merchant.com.didyoucatchit.app) is active and connected to Stripe Stripe Apple Pay configuration matches the same merchant ID and certificate Both provisioning profiles have been refreshed and downloaded However: The portal still throws the “relationship 'undefined'” error anytime I try to modify the Clip’s capabilities In testing, Apple Pay doesn’t show up as a payment option in the Clip (using Stripe’s Payment Element integration) Questions: Is this a known issue with the Developer portal when linking App Clips to merchant IDs? Is there a specific way to re-establish the parent–child relationship between the main app and the App Clip so the bundleIdCapabilities request includes the proper relationship JSON? Are there any additional configuration steps required when using Stripe for Apple Pay inside an App Clip? System Setup: Xcode: 16.2 (build 16C5032a) macOS: Sequoia 15.3.1 iOS: 18.5 (testing on physical device) Merchant ID: merchant.com.didyoucatchit.app Main App ID: com.didyoucatchit.app App Clip ID: com.didyoucatchit.app.Clip Any help or insight would be hugely appreciated Thanks in advance!
Replies
1
Boosts
0
Views
388
Activity
3w
"Failed to register bundle identifier" for teammates — caused by App Groups/HealthKit forcing an explicit App ID?
I'm trying to let a few teammates build and run my app on their own devices, and I'd like to understand the correct approach for our situation. Setup We are a small team. Each of us uses a free personal Apple Developer team (individual Apple IDs, no paid membership yet). The app (an iOS app with a Watch app and a WidgetKit extension) uses App Groups and HealthKit. Bundle IDs: com.example.MyApp, com.example.MyApp.watchkitapp, com.example.MyApp.Widget. App Group: group.example.MyApp. It builds fine for me. When a teammate opens the project and tries to run on device, they get: Failed Registering Bundle Identifier The app identifier "com.example.MyApp" cannot be registered to your development team because it is not available. Change your bundle dentifier to a unique string to try again. What I've observed My other apps that have no entitlements build fine for every teammate. Looking at their embedded profiles, those sign with a wildcard profile (TEAMID.*). This app signs with an explicit profile (TEAMID.com.example.MyApp). If a teammate removes HealthKit and App Groups from all targets, the app builds for them under their own team using the same bundle ID. My understanding (please correct me) App Groups and HealthKit require an explicit App ID, which can only be registered to one team. Since I registered com.example.MyApp first, no other personal team can register the same explicit App ID hence the error. My questions Is that understanding correct — that an entitled (explicit) App ID can only ever belong to a single team? Is there any supported way to keep the same bundle identifier and keep App Groups + HealthKit while teammates build under their own separate personal teams? Or is moving to an Organization account (everyone as members of one shared team) the only way to share an entitled bundle ID across multiple developers? For free personal-team development, is the recommended pattern to give each developer a unique bundle ID + App Group (e.g. via per-developer .xcconfig), keeping entitlements intact? Just want to confirm I'm choosing the right approach before committing to it. Thanks!
Replies
1
Boosts
0
Views
168
Activity
3w
"Client is not entitled" Error (Code=4) with PKAddShareablePassConfiguration.forPassMetaData Despite Correct Entitlements
Hello, I'm experiencing a critical issue with PassKit's shareable pass functionality. Despite having the necessary entitlements configured, I'm getting an entitlement error when calling PKAddShareablePassConfiguration.forPassMetaData. Failed to create PKAddShareablePassConfiguration: Error Domain=PKPassKitErrorDomain Code=4 "client is not entitled" UserInfo={NSDebugDescription=client is not entitled} private func createPassViewController(from response: PreparePushProvisioningResponse) { guard let passMetadata = PKShareablePassMetadata( provisioningCredentialIdentifier: response.provisioningCredentialIdentifier, cardConfigurationIdentifier: response.cardConfigurationIdentifier, sharingInstanceIdentifier: response.sharingInstanceIdentifier, passThumbnailImage: response.passThumbnailImage, ownerDisplayName: response.ownerDisplayName, localizedDescription: response.localizedDescription ) else { print("Failed to create PKShareablePassMetadata") return } print("PKShareablePassMetadata created successfully") // This is where the error occurs PKAddShareablePassConfiguration.forPassMetaData( [passMetadata], provisioningPolicyIdentifier: "", // Empty as per documentation action: .add ) { (configuration, error) in if let error = error { print("Failed to create PKAddShareablePassConfiguration: \(error)") // Error Domain=PKPassKitErrorDomain Code=4 "client is not entitled" return } guard let config = configuration else { print("PKAddShareablePassConfiguration is nil") return } // other code... } } The push provisioning preparation succeeds completely: Prepare push provisioning succeeded Credential ID: "XXXX-XXXX....." Owner: Teodora Description: Interflex NFC development PKShareablePassMetadata created successfully Then immediately fails at PKAddShareablePassConfiguration.forPassMetaData() with the entitlement error. Xcode Configuration Issues: When manually entering capabilities in Xcode's Signing & Capabilities tab, I receive this error: Provisioning profile "20250929 VIDC QA DEV" doesn't match the entitlements file's value for the com.apple.developer.contactless-payment-pass-provisioning entitlement. Profile qualification is using entitlement definitions that may be out of date. Connect to network to update. When I don't manually enter the capabilities in the Runner.entitlements file, the provisioning profile error disappears in Xcode, but the runtime entitlement error persists.
Replies
1
Boosts
1
Views
810
Activity
4w
Entitlement Request: com.apple.developer.passkit.pass-presentation-suppression
Great Morning, We would like to request the entitlement: com.apple.developer.passkit.pass-presentation-suppression Use Case: Our application provides NFC-based mobile key access for hotel guests.  When the device is presented to an NFC reader (door lock), iOS automatically  launches Apple Wallet, interrupting the in-app unlock experience. We need to suppress Wallet presentation while the app is in the foreground to allow a seamless “tap-to-unlock” experience. Please let us know if additional information or agreements are required. Thank you.
Replies
0
Boosts
0
Views
299
Activity
Jun ’26
Health permissions problem with watchOS 10.6.2
In the last few weeks 5 users have reported my workout watch app being unable to read health data despite the permissions being enabled in the iPhone Settings app. This has been a common complaint over the years and is usually fixed by disabling the permissions; rebooting both devices; and then enabling them again. This usually nudges iOS into sending the permissions to watchOS. However that procedure doesn't work for these users, all of whom are using watchOS 10.6.2. They are using various versions of iOS 18 or 26 so it seems to be a problem with that version of watchOS, which users are usually limited to because their hardware won't support anything more up to date. It seems that unpairing and re-pairing the watch can fix the problem but not always. I looked around and it seems that other apps are having the same problem: https://www.reddit.com/r/runna/comments/1rhhs2n/runna_wont_start_an_outdoor_run_on_apple_watch/ Does anyone know a way to fix this? My current advice is to repeatedly unpair / re-pair until it works, which isn't really practical! Thanks in advance.
Replies
3
Boosts
0
Views
580
Activity
Jun ’26
WeatherKit JWT generation fails with WDSJWTAuthenticator Code=2 despite App ID capability, App Service, and provisioning profile all enabled
am seeing a persistent WeatherKit JWT generation failure with: WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors Code=2 I already reviewed the related forum discussion where DTS noted that the WeatherKit App Service must be enabled separately from the WeatherKit capability on the App ID. I have confirmed that both are enabled. Confirmed configuration Team ID: FYGW4LHN42 Diagnostic app bundle ID: com.elilindenDinematch.AppleServiceDiagnostics Device: physical iPhone iOS version: 26.5 App version: 1.0 (1) I created a fresh diagnostic app specifically to isolate this from my main app. The issue reproduces in the clean diagnostic app. I have confirmed: WeatherKit is checked under the App ID capabilities. WeatherKit is enabled under Certificates, Identifiers & Profiles → Services. The Services page shows WeatherKit with “Manage your WeatherKit usage,” a “View” button, and “100% of calls available.” A fresh provisioning profile was generated. The embedded provisioning profile is present in the app. The embedded provisioning profile includes WeatherKit. The app is running on a physical iPhone, not only the simulator. Location services are enabled and authorized. The diagnostic app logs show the provisioning profile is found and includes WeatherKit: profile=FOUND appID=FYGW4LHN42.com.elilindenDinematch.AppleServiceDiagnostics team=FYGW4LHN42 WeatherKit=YES Location authorization also looks valid: servicesEnabled=true authorization=authorizedWhenInUse accuracy=fullAccuracy Failure When the app calls WeatherKit, JWT generation fails: Failed to generate jwt token for: com.apple.weatherkit.authservice with error: Error Domain=WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors Code=2 "(null)" Then WeatherKit fails with: WeatherKit error[0] domain=WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors code=2 description=The operation couldn’t be completed. (WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors error 2.) Relevant excerpt: AppleDiag 2026-06-08T20:20:17.448Z App bundle=com.elilindenDinematch.AppleServiceDiagnostics version=1.0(1) AppleDiag 2026-06-08T20:20:17.448Z Device iOS=26.5 model=iPhone name=iPhone AppleDiag 2026-06-08T20:20:17.455Z PROFILE profile=FOUND name=iOS Team Provisioning Profile: com.elilindenDinematch.AppleServiceDiagnostics uuid=f42899e3-029a-4e85-b6ac-0aa515fc0028 appID=FYGW4LHN42.com.elilindenDinematch.AppleServiceDiagnostics team=FYGW4LHN42 WeatherKit=YES AppleDiag 2026-06-08T20:20:31.882Z BEGIN WeatherKit AppleDiag 2026-06-08T20:20:31.884Z WEATHERKIT start lat=40.7128 lon=-74.006 Failed to generate jwt token for: com.apple.weatherkit.authservice with error: Error Domain=WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors Code=2 "(null)" AppleDiag 2026-06-08T20:20:34.652Z WEATHERKIT failed elapsedMs=2764 AppleDiag 2026-06-08T20:20:34.655Z WeatherKit error[0] domain=WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors code=2 description=The operation couldn’t be completed. (WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors error 2.) AppleDiag 2026-06-08T20:20:34.655Z WeatherKit error[0] userInfo=empty Because this happens in a clean diagnostic app, with WeatherKit enabled both on the App ID and under Services, and with the embedded provisioning profile confirming WeatherKit=YES, this does not appear to be an app-specific code issue or a missing App ID capability issue. Has anyone else seen WDSJWTAuthenticatorServiceListener.Errors Code=2 after confirming both the WeatherKit App ID capability and the separate WeatherKit App Service are enabled? Could someone from Apple/DTS check whether WeatherKit JWT minting is correctly enabled on the backend for Team ID FYGW4LHN42 and bundle ID com.elilindenDinematch.AppleServiceDiagnostics?
Replies
0
Boosts
0
Views
177
Activity
Jun ’26
NSE Filtering Entitlement — No Response After 4+ Weeks (Request ID: 7NPNCB7Q9P)
NSE Filtering Entitlement — No Response After 4+ Weeks (Request ID: 7NPNCB7Q9P) We submitted a request for the Notification Service Extension Filtering Entitlement (com.apple.developer.usernotifications.filtering) over two weeks ago and have received no response. App: NoLink Bundle ID: io.nolink.ios NSE Bundle ID: io.nolink.ios.nse Team ID: V2E3A94DC9 Request ID: 7NPNCB7Q9P Support Case ID: 102886799629 NoLink is an end-to-end encrypted messaging app built on the Matrix protocol with voice and video calling. All push notifications arrive encrypted — the NSE decrypts them to determine if the event is a message or an incoming call. Without this entitlement, incoming VoIP calls cannot ring properly. Users receive a silent text notification instead of the native CallKit incoming call screen. The duplicate APNS notification for call events cannot be suppressed. Element X iOS (io.element.elementx) has been granted this exact entitlement for the identical use case — same Matrix protocol, same Matrix Rust SDK, same NSE architecture. NoLink is built on the same codebase. We also opened Support Case 102886799629 but received only a generic response directing us to the Developer Forums. Could someone from the Entitlements team please review our request? We are happy to provide any additional technical details or a demo. Thank you.
Replies
1
Boosts
0
Views
364
Activity
Jun ’26
Family Controls entitlement missing from Distribution Provisioning Profile — Archive fails for App Store
Hi, I’m building an iOS app that uses FamilyControls to let users block distracting apps during study sessions. Everything works fine in Debug on a real device: the authorization request succeeds and app blocking works correctly. The problem is when I try to create an Archive for App Store Connect. Xcode gives me this error: “Provisioning profile ‘iOS Team Store Provisioning Profile: com.(ID)’ doesn’t include the com.apple.developer.family-controls entitlement.” I also get a warning saying that my bundle identifier is using the development-only version of the Family Controls capability and that I should request access to the distribution version. I’ve already added the Family Controls capability, enabled the required entitlements, and I’m using automatic signing. I also tried enabling the capability for my App ID in the Apple Developer portal, but it either doesn’t save or the distribution profile still doesn’t include the entitlement. Does the Family Controls distribution entitlement require approval from Apple before it can be used in an App Store build? If so, where do I request it? Has anyone successfully published an app using FamilyControls and run into this issue? Thanks.
Replies
1
Boosts
0
Views
286
Activity
Jun ’26
FamilyControls entitlement pending since June 2, 2026 — Team ID 5499VUQ6PC
Hello, I am the developer of Kiddowall, a B2C parental control app for iOS. I submitted a request for the com.apple.developer.family-controls entitlement on June 2, 2026 (support case #102905280650), and also followed up via an existing case #102905007339. Apple support indicated a 48-hour (2 business days) response time when the case was created. We are now past that window with no update on entitlement status. Request details: Team ID: 5499VUQ6PC Bundle ID: com.kiddowall.child App Bundle ID (parent): com.kiddowall.parent — Kiddowall — Parental Control (BDC, France) Entitlement requested: com.apple.developer.family-controls Support case: #102905280650 Current status: Submitted (no update in 4 days) Context: Kiddowall is a B2C parental control application for French families. Without the FamilyControls entitlement, we cannot implement proper on-device content filtering or screen time management without requiring MDM supervision — which is not viable for a consumer app (it requires factory reset via Apple Configurator 2 or ABM/DEP enrollment). FamilyControls is the only Apple-approved path to build a real parental control app for B2C without supervision. We are committed to full compliance with Screen Time API guidelines. Can anyone from Apple staff confirm the status of case #102905280650, or advise on next steps to expedite this request? Thank you. — Franck MAUDET (Kiddowall)
Replies
0
Boosts
0
Views
270
Activity
Jun ’26
Requesting com.apple.developer.web-browser.public-key-credential entitlement for macOS WKWebView app
We have a macOS app (io.formhealth.SideCore) that acts as a browser-style wrapper, embedding multiple web applications in WKWebView panes. We need the com.apple.developer.web-browser.public-key-credential entitlement so that WebAuthn/passkey flows (e.g. Google OAuth) work within the embedded webviews. The capability doesn't appear on macOS App IDs in the developer portal, and the entitlement request form at developer.apple.com/contact/request/system-extension returns "Your account can't access this page." What's the correct process to request this entitlement for a non-App-Store macOS app?
Replies
1
Boosts
0
Views
218
Activity
Jun ’26
Requesting com.apple.managed-keychain Entitlement for Enterprise S/MIME Cert Visibility
Requesting com.apple.managed-keychain Entitlement for Enterprise S/MIME Cert Visibility Platform: iOS | Distribution: MDM (Microsoft Intune) | Not App Store We are developing an internal enterprise iOS app (EMS Assist, com.company.supportcompanion) for Company deployed exclusively to Intune-managed devices. Our requirement: Read S/MIME certificates pushed to the device via Intune SCEP profiles to: Confirm cert presence in the MDM-managed keychain Read expiry date (kSecAttrNotValidAfter) to warn users before expiry Distinguish between missing, expired, and valid cert states What we have tried: Standard SecItemCopyMatching query — returns only app-installed certs, not MDM-pushed certs Graph API (deviceConfigurationStates) — confirms profile compliance but does not expose actual cert expiry or keychain presence Our understanding: com.apple.managed-keychain is required for an app to access MDM-managed keychain items on supervised devices, combined with a matching keychain-access-groups entitlement and the cert profile configured as "always available" in MDM. Questions: Is com.apple.managed-keychain the correct entitlement for this use case? Does it apply to SCEP/PKCS-issued certificates specifically, or only other MDM keychain items? Has anyone successfully accessed Intune-pushed S/MIME certs from an iOS app using this entitlement? Any guidance from the community or Apple engineers would be appreciated.
Replies
5
Boosts
0
Views
1.5k
Activity
Jun ’26
Determining if an entitlement is real
This issue keeps cropping up on the forums and so I decided to write up a single post with all the details. If you have questions or comments: If you were referred here from an existing thread, reply on that thread. If not, feel free to start a new thread. Use whatever topic and subtopic is appropriate for your question, but also add the Entitlements tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Determining if an entitlement is real In recent months there’s been a spate of forums threads involving ‘hallucinated’ entitlements. This typically pans out as follows: The developer, or an agent working on behalf of the developer, changes their .entitlements file to claim an entitlement that’s not real. That is, the entitlement key is a value that is not, and never has been, supported in any way. Xcode’s code signing machinery tries to find or create a provisioning profile to authorise this claim. That’s impossible, because the entitlement isn’t a real entitlement. Xcode reports this as a code signing error. The developer misinterprets that error [1] in one of two ways: As a generic Xcode code signing failure, and so they start a forums thread asking about how to fix that problem. As an indication that the entitlement is managed — that is, requires authorisation from Apple to use — and so they start a forums thread asking how to request such authorisation. The fundamental problem is step 1. Once you start claiming entitlements that aren’t real, you’re on a path to confusion. Note If you’re curious about how provisioning profiles authorise entitlement claims, read TN3125 Inside Code Signing: Provisioning Profiles. There are a couple of ways to check whether an entitlement is real. My preferred option is to create a new test project and use Xcode’s Signing & Capabilities editor to add the corresponding capability to it. Then look at what Xcode did. You might find that Xcode claimed a different entitlement, or added an Info.plist key, or did nothing at all. IMPORTANT If you can’t find the correct capability in the Signing & Capabilities editor, it’s likely that this feature is available to all apps, that is, it’s not gated by an entitlement or anything else. Another thing you can do is search the documentation. The vast majority of real entitlements are documented in Bundle Resources > Entitlements. IMPORTANT When you search for documentation, focus on the Apple documentation. If, for example, you search the Apple Developer Forums, you might be mislead by other folks who are similarly confused. If you find that you’re mistakenly trying to claim a hallucinated entitlement, the fix is trivial: Remove it from your .entitlements file so that your app starts to build again. Then add the capability using Xcode’s Signing & Capabilities editor. This will do the right thing. If you continue to have problems, feel free to ask for help here on the forums. See the top of this post for advice on how to do that. [1] Xcode 26.2, currently being seeded as Release Candidate, is much better about this (r. 155327166). Give it a whirl! Commonly Hallucinated Entitlements This section lists some of the more commonly hallucinated entitlements: com.apple.developer.push-notifications — The correct entitlement is aps-environment (com.apple.developer.aps-environment on macOS), documented here. There’s also the remote-notification value in the UIBackgroundModes property. com.apple.developer.in-app-purchase — There’s no entitlement for in-app purchase. Rather, in-app purchase is available to all apps with an explicit App ID (as opposed to a wildcard App ID). com.apple.InAppPurchase — Likewise. com.apple.developer.storekit — Likewise. com.apple.developer.in-app-purchase.non-consumable — Likewise. com.apple.developer.in-app-purchase.subscription — Likewise. com.apple.developer.app-groups — The correct entitlement is com.apple.security.application-groups, documented here. And if you’re working on the Mac, see App Groups: macOS vs iOS: Working Towards Harmony. com.apple.developer.background-modes — Background modes are controlled by the UIBackgroundModes key in your Info.plist, documented here. UIBackgroundModes — See the previous point. com.apple.developer.voip-push-notification — There’s no entitlement for this. VoIP is gated by the voip value in the UIBackgroundModes property. com.apple.developer.family-controls.user-authorization — The correct entitlement is com.apple.developer.family-controls, documented here. IMPORTANT As explained in the docs, this entitlement is available to all developers during development but you must request authorisation for distribution. com.apple.developer.device-activity — The DeviceActivity framework has the same restrictions as Family Controls. com.apple.developer.managed-settings — If you’re trying to use the ManagedSettings framework, that has the same restrictions as Family Controls. If you’re trying to use the ManagedApp framework, that’s not gated by an entitlement. com.apple.developer.callkit.call-directory — There’s no entitlement for the Call Directory app extension feature. com.apple.developer.nearby-interaction — There’s no entitlement for the Nearby interaction framework. com.apple.developer.secure-enclave — On iOS and its child platforms, there’s no entitlement required to use the Secure Enclave. For macOS specifically, any program that has access to the data protection keychain also has access to the Secure Enclave [1]. See TN3137 On Mac keychain APIs and implementations for more about the data protection keychain. com.apple.developer.networking.configuration — If you’re trying to configure the Wi-Fi network on iOS, the correct entitlement is com.apple.developer.networking.HotspotConfiguration, documented here. com.apple.developer.musickit — There is no MusicKit capability. Rather, enable MusicKit via the App Services column in the App ID editor, accessible from Developer > Certificates, Identifiers, and Profiles > Identifiers. These app services are tied to your App ID on the server side, meaning that they have no presence in your code signature. com.apple.developer.shazamkit — There is no ShazamKit capability. Like MusicKit, this is an app service. com.apple.mail.extension — Creating an app extension based on the MailKit framework does not require any specific entitlement. com.apple.security.accessibility — There’s no entitlement that gates access to the Accessibility APIs on macOS. Rather, this is controlled by the user in System Settings > Privacy & Security. Note that sandboxed apps can’t use these APIs. See the Review functionality that is incompatible with App Sandbox section of Protecting user data with App Sandbox. com.apple.developer.adservices — Using the AdServices framework does not require any specific entitlement. com.apple.security.device.audio-input-monitoring — The com.apple.security.device.microphone entitlement is what restricts microphone access on macOS. [1] While technically these are different features, they are closely associated and it turns out that, if you have access to the data protection keychain, you also have access to the SE. Revision History 2026-05-28 Added com.apple.security.device.audio-input-monitoring to the common hallucinations list (Kevin) 2026-04-23 Added com.apple.developer.shazamkit to the common hallucinations list. Added a little more info about app services. 2025-12-09 Updated the Xcode footnote to mention the improvements in Xcode 26.2rc. 2025-11-03 Added com.apple.developer.adservices to the common hallucinations list. 2025-10-30 Added com.apple.security.accessibility to the common hallucinations list. 2025-10-22 Added com.apple.mail.extension to the common hallucinations list. Also added two new in-app purchase hallucinations. 2025-09-26 Added com.apple.developer.musickit to the common hallucinations list. 2025-09-22 Added com.apple.developer.storekit to the common hallucinations list. 2025-09-05 Added com.apple.developer.device-activity to the common hallucinations list. 2025-09-02 First posted.
Replies
0
Boosts
0
Views
4.8k
Activity
May ’26
Family Controls distribution entitlement - 1 month waiting
Hi, I am experience bad customer service from Apple not answering, or updating anything about my request for family controls. Is there a way we can speed up things?
Replies
0
Boosts
0
Views
220
Activity
May ’26
FamilyControls entitlement request submitted
Just curious if there is anyway to expedite the FamilyControl entitlement. I have seen few people stuck in this step for few days. I submit mine on the 4/18, and my Case ID: 102874096254 Just want to see if I can see any estimate time for my request. Thanks, Jing
Replies
3
Boosts
0
Views
415
Activity
May ’26
Family Controls entitlement stuck after app transfer
Hi Apple DTS, FivePrayer is a live App Store app and we are blocked by Family Controls (Distribution) after an app transfer. Bundle ID: com.fiveprayer.app Current team: FivePrayer LLC Previous team: Gansoft Inc. App Store: https://apps.apple.com/us/app/fiveprayer/id6755536905 This same app previously had Family Controls (Distribution) approved under Gansoft Inc. After the transfer to FivePrayer LLC, the capability did not carry over, so we had to request it again. It has now been pending for almost one month, and we cannot ship critical updates because Family Controls is a core dependency of the app. Is there a way to re-associate the previously approved entitlement with the transferred App ID, or route this to the correct Managed Capabilities / Entitlements team? Thank you.
Replies
1
Boosts
2
Views
527
Activity
May ’26
Live Caller ID Lookup entitlement - typical onboarding timeline after PIR migration?
Hi everyone, I'm hoping to hear from developers who have submitted Live Caller ID Lookup entitlement requests, especially anyone successfully onboarded after the PIR architecture became required. My own request (ID 2C4HJDWYJ6, submitted March 23, 2026) has been under review for 85 days. Apple Developer Support confirmed on May 8 that it's "in the pipeline to be onboarded" but I haven't received a concrete timeline. Infrastructure is fully deployed and verified per Apple's PIR documentation: OHTTP Gateway: https://gateway.zinfo.ge PIR Service: https://service.zinfo.ge (Apple's Swift PIR Service) Token Issuer: https://issuer.zinfo.ge DNS TXT record correctly configured HTTP/2, TLS, Protocol Buffers wire format Production database loaded Questions for the community: For developers already onboarded, how long did your review take from final submission to approval? Did the Live Caller ID Lookup capability appear automatically in Certificates, Identifiers & Profiles after approval, or was there an additional step? Is there an Apple engineering contact who handles PIR onboarding questions directly, separate from Developer Support? Any guidance from those who have been through this process, or from Apple DevRel, would be appreciated. Thanks, Levan
Replies
1
Boosts
0
Views
299
Activity
May ’26
Live Caller ID Lookup entitlement request no response for 3+ weeks — Case #102823550184
Hello, I am hoping someone from Apple or the community can help escalate or advise on my situation. I submitted a Live Caller ID Lookup entitlement request for my app Zinfo (com.parastashvili.Mobile), Team ID: CNH4KYRW44. A support case was opened on February 17, 2026 (Case ID: 102823550184). Apple's documentation states entitlement review takes up to 2 weeks. It has now been over 3 weeks with no substantive response despite multiple follow-ups. Timeline: Feb 17: Case opened Feb 26: I provided all requested technical details in full — OHTTP endpoints, Privacy Pass token system, DNS TXT record, Apple test number (+1 408 555 1212 returning "Johnny Appleseed"), all fully deployed and ready for validation Feb 27: Apple replied with a generic "appropriate team will be in contact" message Feb 28, Mar 6, Mar 10: Follow-up emails sent — no meaningful response All technical requirements are fully implemented and operational. We are ready for Apple's validation at any time. Has anyone else experienced long delays with Live Caller ID Lookup entitlement reviews? Is there a better escalation path? I have also submitted a new escalation ticket (Case ID: 102840874265) under Development and Technical > Entitlements today. Any advice or visibility from Apple staff would be greatly appreciated. App: Zinfo (com.parastashvili.Mobile) Extension Bundle ID: com.parastashvili.Mobile.LiveCallerID Team ID: CNH4KYRW44
Replies
3
Boosts
0
Views
368
Activity
May ’26
Family Controls (Distribution)
Hello, I submitted a request for Family Controls (Distribution) approval, and it has now been over 12 days without any update on the status. I understand that review times can vary, but I wanted to check if this delay is expected or if there’s anything I might need to do on my end to help move the process forward. Could anyone from the Apple team or the community provide insight into: Typical processing times for Family Controls distribution requests Whether delays beyond a few days are common Any steps I should take to follow up or expedite the review For reference: Status: Submitted Submission time: April 29, 2026 Any guidance would be greatly appreciated. Thank you!
Replies
1
Boosts
0
Views
285
Activity
May ’26
Entitlement com.apple.vm.networking not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file
Hi guys, I am building a custom virtualization utility for macOS using the native Virtualization Framework. My goal is to allow local guest virtual machines to run in Bridged Mode (VZBridgedNetworkDeviceAttachment) so they can acquire their own distinct local IP address from my router and expose service ports directly to the local network. When attempting to compile and run my app with the com.apple.vm.networking entitlement, Xcode throws the following error:"Entitlement com.apple.vm.networking not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file" I understand that this is a restricted capability that is hidden from the standard Apple Developer Portal by default. I have already reached out via email to Apple Developer Support to request it, but I have not received a definitive answer on the process or exact entitlement string name. For those who have successfully shipped or tested a virtualization app with bridged networking, Is com.apple.vm.networking the correct string name for modern macOS versions, or is there a newer, specific identifier required? What is the actual entitlement that i should see in my developer account? I can't seem to find it in the docs as well. Would it be called "VM Networking" Thanks,
Replies
1
Boosts
0
Views
275
Activity
May ’26
Family Controls entitlement request — 4 weeks, no status update
I submitted my Family Controls entitlement request on April 21 for my iOS app and still haven't heard anything back. We have had no approval or status update. It's been close to a month now. This is blocking me from testing and moving forward with the app since it relies on the Screen Time / Family Controls APIs. Has anyone run into delays this long recently? Thanks
Replies
0
Boosts
0
Views
321
Activity
May ’26