We are currently using Live Activities in our app and supporting both of the following use cases: Starting a Live Activity directly from the app using ActivityKit APIs. Starting a Live Activity from the backend using the start token. In the first case (initiated from the app), the OS generates an update token, and we are able to continuously update the Live Activity via our backend—even if the user has not explicitly provided "Allow" or "Always Allow" consent from the lock screen. This works as expected. In the second case (initiated from the backend), if the user does provide consent ("Allow" or "Always Allow") from the lock screen, we receive the update token and can continue updating the Live Activity. However, if the user does not provide consent, the OS does not provide the update token, and we are unable to send further updates. Question: Is it possible to receive the update token from the OS when the Live Activity is started from the backend, without the user explicitly providing "Allow" or "Always Allow" consent from the lock screen? We would appreciate any clarification or official documentation related to this behavior. Thank you!

Hello Having trouble getting associated domain to work in our project. It was working when we used Branch, but our company wants to host the domain ourselves. This is a multi-scheme project, using .xcconfig files to define the correct entitlement per Build. The relevant entitlement file has: com.apple.developer.associated-domains applinks:bm.ddcas.ai in the ....{other irrelevant test associated domains....} The project Team and App ID are taken from the Identifiers screen where the Identifier capabilities has 'associated domains' ticked on. I've also checked elsewhere on AppleDeveloper/Connect to be sure. When we used Branch with domain key app links: bmstores.app.link this worked fine. With https://bm.ddcas.ai (our own host) which is publicly available and has an aasa file in both the main directory and /.well-known, typing this in safari or anything just doesn't attempt to link to the App. The iPhone is in developer mode, and using the developer menu associated domains diagnostic tool, typing https://bm.ddcas.ai results in the diagnostic saying 'The url is a Universal Link for the app with identifier **********.***etc (the app is installed on real iPhone 12, iOS 18.6.2 and my Xcode is 16.4) However, it just doesn't work if we type in https://bm.ddcas.ai and results in a Safari message of '400 not found' and the 'nginx' shows. We have read innumerable Apple Dev posts and StackOverflow posts, as well as several step by step 'how to's' online but this just isn't working. The aasa file is at https://bm.ddcas.ai/apple-app-site-association and is setup as follows: { "applinks": { "apps": [], "details": [ { "appID": "{my Team ID}.{my App ID}", "paths": [ "*" ], "components": [ { "/": "/verification", "?": { "verification_code": "[A-Za-z0-9]{6}" }, "comment": "Matches verification code path" } ] } ] } } Our Server guys say the website (bm.ddcas.ai) is public and hosted, it just doesn't have a /verification path as they say it should redirect before reaching that. Also, our Android redirect works using this site, so this appears to be something specific Apple code is looking for. What, please, are we likely to be missing as it does not seem obvious from the Apple documentation or any of the resources I have checked online. Normally we can figure anything out, but getting nowhere here so the help is appreciated.

I've alluded to this before in these posts and there are some posts from others about this, e.g. https://developer.apple.com/forums/thread/759845 and I've filed some bugs related to the behavior. FB20212935 FB19451832 FB19450508 FB19450162 FB19449747 Our company owns the USB vendor IDs X and Y . We've been granted a USB transport entitlement for both of those IDs. The crux of the problem is that I want to build a driver for USB vendor ID Y. Xcode's well-hidden auto-generated provisioning profile for my driver contains com.apple.developer.driverkit.transport.usb: { idVendor = X; } which is obviously not what I want. Xcode fails to provision the target. But I have another, much older project with an auto-generated provisioning profile containing com.apple.developer.driverkit.transport.usb: { idVendor = X; }, { idVendor = Y; } I can build a driver for idVendor Y without problems in this project. But that doesn't help me with my new project. What can I do to fix this? Do I need to request our entitlements again? I fear if I do so, something will get lost in the process. Is there a way to inspect what we have already been granted? - I can't see a "managed entitlements" section on the account portal. I can go through the motions of making a new App ID, then I can see that some Capability Request have been "Assigned", but I don't see what their values are. A second question I have is about the userclient-access entitlement. Are these tied to the bundle ID of the app which claims the access? In other words, if I have two drivers com.mycompany.app1.driver1 com.mycompany.app2.driver2 and I would like to have com.mycompany.app1 communicate with com.mycompany.app1.driver1, I would ask for the com.apple.developer.driverkit.userclient-access capability for com.mycompany.app1.driver1. But must I request that access for each specific app bundle ID that will talk to that driver, or once the entitlement is granted, can I use com.apple.developer.driverkit.userclient-access = { com.mycompany.app1.driver1 } in any of my apps?

Hi Apple DTS & community folks, I’m reaching out regarding an issue we’ve encountered with the com.apple.developer.mail-client capability for our app (bundle identifier: so.notion.Mail). We were granted this entitlement last week to allow the app to be set as a default Mail client. While everything works as expected when archiving and distributing builds locally in Xcode, we’re running into a problem when using Xcode Cloud. Specifically, Xcode Cloud attempts to archive and distribute an Ad-Hoc build, but the Ad-Hoc provisioning profile does not include this special entitlement. Since we’re using Xcode-managed profiles, we don’t have the ability to create or adjust an explicit profile ourselves. This issue only arises in Xcode Cloud—local distribution works unless we explicitly attempt an Ad-Hoc build (which is not our intent). I’ve included a screenshot of the error for reference. We found this forum post describing the same issue, where the resolution was Apple enabling the entitlement for Ad-Hoc builds. We’d like to request that Apple enable this capability for Ad-Hoc builds for the Notion Mail application so that Xcode Cloud distribution functions correctly. Thank you for your help!

Hello, I am trying to utilize the Critical Messaging API to allow my user to message 1 or multiple pre registered contacts automatically. An issue I am having with this in testing is that when the application attempts to fire off texts to the phone numbers the success rate changes from trial to trial, with no variable changing. Sometimes I can send a Critical Message to multiple phone numbers in rapid succession, sometimes the message is only sent to 1 contact, and sometimes I get no successes. Each failure always returns the MSCriticalMessaging.notSupported error. The API documentation states, "The send(_:to:) method only works if the app is backgrounded, if it’s called from foreground the framework returns a MSCriticalMessagingError.notSupported error." If my app is always backgrounded in these tests, what other issues may cause this notSupported error return, and why does the outcomes success rate vary?

An open-source app that I bundle for macOS needs to use the disable-library-validation entitlement. In spite of TN3125: Inside Code Signing: Provisioning Profiles | Apple Developer Documentation#Entitlements-on-macOS claiming that hardened runtime entitlements don't need provisioning profiles and the app successfully notarizing, trying to run the app fails with the error "Disallowing because no eligible provisioning profiles found". So I created a provisioning profile, but when creating the App ID the only selection that seemed relevant was Hardened Runtime. That turns out not to include disable-library-validation so now launching fails with "Unsatisfied entitlements: >com.apple.security.cs.disable-library-validation" What's the right capability?

Hello! Trying to find any info about how to add In-App Purchase with application Entitlements.plist file manually (NOT with XCode). Is there any reference within keys and description? What need to be in this file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>key-for-in-app-purchase</key> <string>value</string> </dict> </plist>

Hello, I'm developing a feature for my app, that allows users to challenge their friends. The friend request functionality is built using Universal Links, but I've run into a significant issue. The Universal Links are correctly deep-linking into the app. However, once the app opens, nothing happens—the friend request acceptance or rejection flow does not occur. This prevents users from completing friend requests and building their friend list. Here are examples of the Universal Links I'm generating: https://www.strike-force.app/invite?type=invite&amp;amp;userID=... https://www.strike-force.app/invite?type=invite&amp;amp;friendRequestID=... https://www.strike-force.app/profile?userID=... I've recently updated my cloudflare-worker.js to serve a paths array of ["*"] in the AASA file, so I believe the links themselves should be valid. Technical Details &amp;amp; Error Logs In the console, I am consistently seeing the following error message: Cannot issue sandbox extension for URL:https://www.strike-force.app/invite?token=7EF1E439-090B-4DF2-BE64-9904F50A3F8B Received port for identifier response: &amp;lt;(null)&amp;gt; with error:Error Domain=RBSServiceErrorDomain Code=1 "Client not entitled" UserInfo={RBSEntitlement=com.apple.runningboard.process-state, NSLocalizedFailureReason=Client not entitled, RBSPermanent=false} elapsedCPUTimeForFrontBoard couldn't generate a task port This error appears to be related to entitlements and process state, but I am not sure if it's the root cause of the Universal Link issue or a separate problem. The 'Client not entitled' error on line 3 has had me chasing down entitlements issues. But, I've added the Associated Domains entitlement with the proper applink URLs and verified this in my Developer Portal. I've regenerated my provisioning profile, manually installed it, and selected/de-selected Automatically Manage Signing. As well I've verified my AASA file and it's correctly being served via HTTPS and returning a 200. curl -i https://strike-force.app/.well-known/apple-app-site-association curl -i https://www.strike-force.app/.well-known/apple-app-site-association I am looking for guidance on why the friend request flow is not being triggered after a successful deep-link and how I can fix the related error. Any insights or suggestions would be greatly appreciated.

Hi All! Ever since the new PLA I have issues with adding my entitlements to my profiles. Previously when adding an entitlement I used the format [entitlementName] [AppId] [type] e.g. Apple Pay Pass Suppression [AppId] Development However ever since the new PLA I get an warning in my terminal that the template name is not supported by the App Store Connect API. Anyone that can help me out with the new format? I cant seem to find any helpful documentation online. Thanks! PS: the link in the screenshot points to this website: https://docs.fastlane.tools/actions/match/#managed-capabilities The naming strategy the use on the website doesnt work either: Apple Pay Pass Suppression Development

I have an app with lots of networking calls that are currently done through URLSession. We would like to implement the new carried constrained entitlements and begin moving data through the ultra constrained network path for core features of our application. I have successfully implemented the NWPathMonitor to identify when the current network path is ultra constrained and I have been consistently on a physical device in a real world environment. I'm aware that we will not be able to use URLSession to do this from other posts in this forum like this one. Because of this problem with URLSession I am attempting to fallback to using NWConnection when the current path is ultra constrained. I have setup a NWConnection with the NWParameters.allowUltraConstrainedPaths set to true. The request works perfectly when connected to wifi or cellular. However, it does not work at all when the current path is ultra constrained. When attempting this request through my NWConnection I receive an error that says: The operation couldn’t be completed. (Network.NWError error 50 - Network is down) Is this expected? I have confirmed my physical device is connecting to carrier provided satellite and I have been able to load data in other ios apps from Apple like the music app while on this carrier constrained connection. If this is not the correct way to move data when the path is ultra constrained what is the correct way?

General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

We are implementing a feature that uses PKPassLibrary.requestAutomaticPassPresentationSuppression to prevent the Wallet from appearing when unlocking a lock. We have already completed the approval process for the entitlement to enable Pass Presentation Suppression. In most cases, our code snippet works as expected, and the result is .success. However, we are also encountering other results, such as .denied, .alreadyPresenting, and .cancelled or .notSupported, which cause the Wallet to appear for users. Here's the code snippet we're using: PKPassLibrary.requestAutomaticPassPresentationSuppression { result in logger.log( .info, "PKPassLibrary suppression result: \(result.description)", LogContext.homeFeature ) } I would appreciate clarification on the following points: What's the meaning of each result type (.denied, .alreadyPresenting, .cancelled, .notSupported) beyond what is mentioned in the documentation? The documentation here does not provide additional details. What is the recommended handling for these specific result states? Should we be taking different actions or retries based on each case? Thank you very much for your help. Best, Ramiro.

I’m creating my first DriverKit extension and I ran into an entitlement issue when trying to load my driver. Error 0x0 8397 7 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] App.Dext: Unsatisfied entitlements: com.apple.developer.driverkit.transport.usb I have already registered the entitlement com.apple.developer.driverkit.transport.usb with my vendor ID in the Apple Developer portal. However, when I download the provisioning profile, it doesn’t include the idVendor value. Screenshot from the developer portal (provisioning profile without idVendor) ? <key>com.apple.developer.driverkit.transport.usb</key> <array> <dict> <key>idVendor</key> <integer>1356</integer> </dict> </array> -Is this error caused by me registering the vendor ID incorrectly? -Or is there an issue with how the entitlement is reflected in the provisioning profile? Any guidance would be appreciated.

Hello Apple support, A few days ago, I received an e-mail granting the entitlement for Critical Alerts to my app VIAWEB Mobile, bundle ID br.com.viawebsystem.VIAWEBservice . This was my second attempt: in the first time I requested the entitlement for all our apps, but it was denied. This time I requested for just our main app, and now it was approved. I have just followed several tutorials and instructions available on the Internet, but I couldn't enable this capability in my app. What I tried and where I stopped: In my Xcode 16.4, target "VIAWEB Mobile", Signing & Capabilities, All: unchecked the Automatic manage signing and checked again, selected the correct Team. In the iOS section, Xcode Managed Profile, click in the little "i" and there is no Critical Alerts in the Capabilities list, nor com.apple.developer.usernotifications.critical-alerts in the Entitlements list. And so, there is no Critical Alerts in the "+ Capability" window. If I go to Certificates, Identifiers & Profiles, Identifiers, and click to edit my App ID Configuration, there is no Critical Alerts to enable in the Capabilities list. In Capability Requests, I just see the plus sign next to Critical Alerts (to make an additional request), and the status Approved when I click on View Requests (2). Can you provide me with updated instructions on how I can enable this entitlement for my app? Thank you! Best regards, The VIAWEB Developer Team.

Hi everyone and Apple Team, please help me to solve the problem with transferring a macOS app built by Electron. I didn't change any options related to sandbox or app groups at all; I'm just using default settings. My app doesn't have any data with other apps. It seems like a huge challenge, and I still haven't solved it after three months. Thanks for your advice.

I've been trying to understand what kind of UX is available if my app is using the default-dialer capability. I have found https://developer.apple.com/documentation/livecommunicationkit/preparing-your-app-to-be-the-default-dialer-app and I am in the EU. On android I built the UX I want and it's quite neat, so now I'm trying to work. out what I can get on iOS. Because the product is kind of worthless with just android. I have built a simple dialer ux with a numberpad, contact lookup etc. Then when the user presses the Call button does it have to pop up the system prompt "Call number"? Does it have to swap over to the system ui for the actual call? So there's no way to show information about the call, during the call? Or am I using the frameworks incorrectly? I am very new to iOS development. TrueCaller and others show validation, but as I understand it they pre-fetch all the data, I can't do that.

We have received some information that with the release of iOS 18, there have been notable changes in how this API behaves, can apple team shed some light on this? on ios 17 this worked without much issues, what has changed on ios 18?

Hi guys, Is there any good up-to-date tutorial about publishing a Python based app on Apple Store? Now, I have developed a standalone Python app from PyCharm, and it's using Pyside6 for UI and some major Python libraries. It's a productivity app with a little A.I. features. I used PyInstaller to prepare the app. Currently, I am stuck at the stage of codesign and Apple Review process, because I am manually doing codesign and building the package from command-line. Without using Xcode, things can get messy or miss easily. It would be nice to follow a up-to-date tutorial about how to complete the codesign and Apple Review process for a Python based app. For example, what to do, how to do, what to be careful during the Apple Review process, etc. Thanks!

Hi, I have a .NET MAUI app which I've added subscriptions to using the Plugin.InAppBilling nuget package. When I tested on TestFlight I got an almost immediate crash. After doing some research I followed advice to add an Entitlements.plist file to Platforms &gt; iOS with the following entry: com.apple.developer.in-app-purchase The distribution provisioning profile I'm using to sign my app has the App ID set to an Identifier which has "In-App Purchase" ticked, but greyed out in it's "Capabilities" section on https://developer.apple.com/. I'm not sure why it's ticked and greyed out, but I assume that means that "In-App Purchase" is enabled. The app runs file locally but when I create an IPA file and add it to Transporter for upload to App Store Connect I get the following error: "Validation failed (409) Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, key 'com.apple.developer.in-app-purchase' in 'Payload/[Removed].app/[Removed]' is not supported. (ID: [Removed])". Here is the structure of my csproj code for creating a IPA file for iOS: The command I use: dotnet publish [Removed]/app.csproj -f:net9.0-ios -c:Release ^ /p:PlatformTarget=Arm64 ^ /p:RuntimeIdentifier=ios-arm64 ^ /p:ServerAddress=[Removed] ^ /p:ServerUser=[Removed] ^ /p:ServerPassword=[Removed] ^ /p:ArchiveOnBuild=true ^ /p:BuildIpa=true I'm stuck trying to figure this out. If you could please point out any issues with what I'm doing or if you have any suggestions to resolve the problem I would very much appreciate it. Thanks, Ben

Hi Apple Developer Community, I'm experiencing an issue with Family Controls entitlements for my iOS app that I'd like to discuss and see if others have encountered similar problems. Background: My app (BrightStart) uses Family Controls to help users build healthy morning routines by temporarily blocking distracting apps until they complete a sunlight exposure session. The core functionality relies on automatic time-based blocking (e.g., block social media apps from 6-8am daily). The Problem: I have Family Controls working perfectly in development builds, but I'm blocked from distributing via TestFlight due to entitlement issues with my Device Activity Monitor extension. Technical Details: Main app bundle ID: app.brightstart.app ✅ Has both "Family Controls (Development)" and "Family Controls (Distribution)" options available Extension bundle ID: app.brightstart.app.BrightStartMonitorExtension ❌ Only shows "Family Controls (Development)" - no Distribution option Error when archiving for TestFlight: ❌ Provisioning profile failed qualification Profile doesn't support Family Controls (Development). Family Controls (Development) feature is for development only. Please use Family Controls (Distribution) for distribution. Impact: Cannot upload to TestFlight for beta testing Native FamilyActivityPicker falls back to mock UI in distributed builds Automatic scheduled app blocking (via DeviceActivityMonitor) doesn't function in production Questions for the community: Has anyone successfully gotten "Family Controls (Distribution)" enabled for a Device Activity Monitor extension? Is this a known limitation, or should I expect this option to be available? Are there alternative approaches for time-based automatic app blocking that work in distribution builds? Should I contact Apple Support directly about enabling this entitlement for the extension? Btw, Cursor wrote this summary above, so it could be just hallucinating the issue? Would really appreciate anyone's thoughts here.