Hello, as the title says, I am trying to access Bluetooth in a system daemon. I am running on MacOS Sonoma 14.5. When initializing Bluetooth, my daemon received Unauthorized state. I have tried to add my daemon in the system settings (System Preferences > Security & Privacy > Privacy > Bluetooth) "Allow applications to access Bluetooth" by adding the program executable path defined by the entry Program of my system daemon as suggested here: https://developer.apple.com/forums/thread/662459. But I am still having the issue. Writing a system daemon with Bluetooth is not my final goal. The bigger picture is the smartcard reader driver with Bluetooth access which as the same issue and the solution is probably related. I do not remember how but my smartcard reader driver use to work with Bluetooth but it does now with the same Unauthorized error. As far as I can see daemon and smartcard drivers does not have support for entitlement. Here are the logs for my sample system daemon: my_daemon [0x6000011b0000] activating connection: mach=true listener=false peer=false name=com.apple.server.bluetooth.le.att.xpc bluetoothd [0x7f804828e8a0] activating connection: mach=false listener=false peer=true name=com.apple.server.bluetooth.le.att.xpc.peer[76672].0x7f804828e8a0 bluetoothd Received XPC message "CBMsgIdCheckIn" from session "" bluetoothd Received XPC check-in from session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" fAccessLevel 0 fProgrammaticPairing 0 fLimitedForMediaAccess 0 bluetoothd Access level is less than kXPCAccessLevelSystem for session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67". Restricted state operation not allowed bluetoothd Sending 'session attached' event for session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" bluetoothd Attached session for "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" with session: 0x7f804802d1b0, session handle: 0xef8d0000 bluetoothd Registering peripheral session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" with backgrounding: off, persistence: off (CBSR) restoreID: (null) bluetoothd Error getting Application State for <private>: <private>, 3 bluetoothd Error getting Application State for <private>: <private>, 3 bluetoothd Session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" tccRequired : 1 bluetoothd ReadyForTCC. TCC required:1 fLimitedForMediaAccess:0 fDeviceAccessForMediaExtension:0 bluetoothd Session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" : needsRestrictedStateOperation = 0, overrideRestrictedState = 0 , denylistMode = 0, receivesControllerBTClockEvents=0 my_daemon Received CBMsgIdReadyForTCC my_daemon Running performTccCheck CBManager tccAvail 1, tccRequired 1 my_daemon TCC required my_daemon [0x6000011b8000] activating connection: mach=true listener=false peer=false name=com.apple.tccd my_daemon [0x6000011b8000] failed to do a bootstrap look-up: xpc_error=[3: No such process] my_daemon [0x6000011b8000] invalidated after a failed init my_daemon send_message_with_reply(): user tccd unavailable, sending 0x600000ab4000 to system tccd my_daemon [0x6000011b4000] activating connection: mach=true listener=false peer=false name=com.apple.tccd.system tccd [0x7fd4d1f7ed80] activating connection: mach=false listener=false peer=true name=com.apple.tccd.system.peer[76672].0x7fd4d1f7ed80 tccd REQUEST: tccd_uid=0, sender_pid=76672, sender_uid=0, sender_auid=-1, function=TCCAccessRequest, msgID=76672.1 tccd AUTHREQ_CTX: msgID=76672.1, function=<private>, service=kTCCServiceBluetoothAlways, preflight=no, query=1, client_dict=(null), daemon_dict=<private> tccd AUTHREQ_ATTRIBUTION: msgID=76672.1, attribution={requesting={TCCDProcess: identifier=my_daemon-5555494498236e3b5e2e395b93c13af176769937, pid=76672, auid=0, euid=0, binary_path=/Users/olivier/daemon/my_daemon}, }, tccd AUTHREQ_SUBJECT: msgID=76672.1, subject=/Users/olivier/daemon/my_daemon, tccd Refusing TCCAccessRequest for service kTCCServiceBluetoothAlways from client Sub:{/Users/olivier/daemon/my_daemon}Resp:{TCCDProcess: identifier=my_daemon-5555494498236e3b5e2e395b93c13af176769937, pid=76672, auid=0, euid=0, binary_path=/Users/olivier/daemon/my_daemon} in background session tccd AUTHREQ_RESULT: msgID=76672.1, authValue=0, authReason=5, authVersion=1, error=(null), tccd REPLY: (0) function=TCCAccessRequest, msgID=76672.1 my_daemon [0x6000011b4000] invalidated after the last release of the connection object bluetoothd Received XPC message "CBMsgIdTCCDone" from session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" tccd [0x7fd4d1f7ed80] invalidated after getting a no-senders notification - client is gone bluetoothd [0x7f80482820f0] activating connection: mach=true listener=false peer=false name=com.apple.tccd.system tccd [0x7fd4d32585f0] activating connection: mach=false listener=false peer=true name=com.apple.tccd.system.peer[169].0x7fd4d32585f0 tccd REQUEST: tccd_uid=0, sender_pid=169, sender_uid=0, sender_auid=-1, function=TCCAccessRequest, msgID=169.48 tccd [0x7fd4d313d880] activating connection: mach=true listener=false peer=false name=com.apple.tccd tccd [0x7fd4d313d880] failed to do a bootstrap look-up: xpc_error=[3: No such process] bluetoothd [0x7f80482820f0] invalidated after the last release of the connection object bluetoothd Bluetooth user permission alwaysAuth: denied tccd [0x7fd4d313d880] invalidated after a failed init tccd FORWARD: to=com.apple.tccd/0, request: { require_purpose=<xpc_null> service="kTCCServiceBluetoothAlways" function="TCCAccessRequest" preflight=true target_token={pid:76672, auid:-1, euid:0} TCCD_MSG_ID="169.48" background_session=false } tccd REPLY: from=com.apple.tccd, reply: { XPCErrorDescription="Connection invalid" } tccd forwardMessage error: Connection invalid. tccd [0x7fd4d3152bf0] activating connection: mach=false listener=false peer=true name=com.apple.tccd.system.peer[169].0x7fd4d3152bf0 bluetoothd [0x7f80482820f0] activating connection: mach=true listener=false peer=false name=com.apple.tccd.system tccd REQUEST: tccd_uid=0, sender_pid=169, sender_uid=0, sender_auid=-1, function=TCCAccessRequest, msgID=169.49 tccd [0x7fd4d32585f0] invalidated after getting a no-senders notification - client is gone tccd [0x7fd4d1f4c810] activating connection: mach=true listener=false peer=false name=com.apple.tccd tccd [0x7fd4d1f4c810] failed to do a bootstrap look-up: xpc_error=[3: No such process] tccd [0x7fd4d1f4c810] invalidated after a failed init tccd FORWARD: to=com.apple.tccd/0, request: { require_purpose=<xpc_null> service="kTCCServiceBluetoothAlways" function="TCCAccessRequest" preflight=true target_token={pid:76672, auid:-1, euid:0} TCCD_MSG_ID="169.49" background_session=false } tccd REPLY: from=com.apple.tccd, reply: { XPCErrorDescription="Connection invalid" } tccd forwardMessage error: Connection invalid.

Hi there, I am using Core NFC and I established the connection with the card, (it means that the info.plist is correct and the entitlement should be correct as well). The app detects the card, but after sending the command 'tag.sendCommand()' I receive this message: [CoreNFC] -[NFCTagReaderSession transceive:tagUpdate:error:]:879 Error Domain=NFCError Code=2 "Missing required entitlement" UserInfo={NSLocalizedDescription=Missing required entitlement} So, what is missing or what am I doing wrong? Here is the code: func tagReaderSession(_ session: NFCTagReaderSession, didDetect tags: [NFCTag]) { guard !tags.isEmpty else { return } let hexString = //... if case let .iso7816(tag) = tags[0] { session.connect(to: tags[0]) { error in if let error = error { print("Error: \(error.localizedDescription)") return } let apdu = hexString.convertToAPDU() tag.sendCommand(apdu: apdu) { (response: Data, sw1: UInt8, sw2: UInt8, error: Error?) in // -> here is when the error appears, in the completion print([UInt8](response)) // print -> [] } } } }

$ tccutil reset All This command resets the other permissions (i.e. camera, microphone) but doesn't reset the Local Network permission. OS: macOS 15.0

Hi, We applied for Tap to Pay on iPhone entitlement and were approved, but on distribution support it's only showing Development. We can build and debug Tap to Pay on development, but unable to build release. We opened ticket with Apple support but they were saying it was configured correctly. I attached screenshot of our developer account entitlement for Tap to Pay. It clearly said Development only.

How to add Additional capabilities in Certificates, Identifiers & Profiles on app store account to Enable the Tap to Pay on iPhone capability.

I already have an iOS app accepted on the App Store, and now I want to add a macOS platform version. I created a new Xcode project and used the same bundle ID as my iOS app. When I tried to upload the macOS bundle, I encountered the following error: Invalid Provisioning Profile. The provisioning profile included in the bundle ABC.123456 [ABC.123456.pkg/Payload/ABC.app] is invalid. [Invalid 'com.apple.application-identifier' entitlement value.] For more information, visit the macOS Developer Portal. (ID: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx) I found that this problem occurs when the "Team ID" and "App ID Prefix" are different. How can I make them match?

I am implementing passkeys for my Project. We hosted apple-app-site-association file in 2 different sites for my project maintenance. One is with ww.sitename.com and another is www3.sitename.com. In Xcode adding each of them and testing individually. It's working good at first site and throwing error for second one like below Application with identifier <> is not associated with domain <>

Hi, I'm having headaches with the debugging of my Unwanted Communication Reporting extension. iPhone log says: com.apple.IdentityLookup.MessageFilter[1774] <Error>: Extension's containing app (appID <private>) unauthorized to defer requests to host <private> So I guess I have something wrong with my apple-app-site-association. The AASA file I get with swcutil dl -d services.mydomain.com { classificationreport = { apps = ( "<MYTEAMID>.com.mydomain.myapp", "<MYTEAMID>.com.mydomain.myapp.unwanted" ); }; } where .com.mydomain.myapp is my containing app (bundle id). and .com.mydomain.myapp.unwanted is my extension The AASA file on the server is obviously in JSON format and correctly served from the server : services.mydomain.com In the extension Info.plist I've set the following : <key>NSExtension</key> <dict> <key>NSExtensionAttributes</key> <dict> <key>ILClassificationExtensionNetworkReportDestination</key> <string>https://services.mydomain.com/path/unwanted/report</string> </dict> <key>NSExtensionMainStoryboard</key> <string>MainInterface</string> <key>NSExtensionPointIdentifier</key> <string>com.apple.identitylookup.classification-ui</string> </dict> I suppose the reply from classificationResponse method is correct since MessageFilter "tries" to send the request. Where am I mistakening ? Difficult to debug... MessageFilter's log keeps interesting data as private (so there is no way to check what it's actually doing). And I've found no way to go deeper in the debug process. Many thanks Emmanuel

I have published an application that makes use of AppGroup containers to share an sqlite database between the main application and a notification service extension. I have taken into account special file access coordination requirements for an sqlite database shared between processes (WAL, https://github.com/andpor/react-native-sqlite-storage/issues/308#issuecomment-522250831). The application is part of an educational study involving several hundred students of young age. As such, many devices are enrolled in FamilySharing where parents control access of their children. In production, records are added to the database by the main application. The notification service extension reads the database and syncs metadata with a server. Unfortunately, I'm seeing issues with database access from the extension on devices where FamilySharing is enabled. I cannot see detailed information about the issue, because Crash reporting is disabled as per guidelines of the participating institutions. Moreover, I have implemented logging in the extension such that any conventional error (do, catch) thrown by database access code would be visible to me in server logs. I cannot see errors in my log, which leads me to believe something is crashing the extension process when it tries to access the database in the AppGroup container. I cannot find any information in Apple documentation or the pertinent online forums about a special case for AppGroups in FamilySharing context. However, since I've only ever seen the issue on devices where FamilySharing is enabled, I have to assume the error lies there. Is there any undocumented special consideration for AppGroup access in FamilySharing contexts? Is an AppGroup that was created while the app was running under the child's account no longer accessible by the same application when it's running under the parent's account?

I've been developing an MacOS app for a while and everything was going smoothly until one of the testers reported that the app was crashing on launch. After investigation, we discovered that he had System Integrity Protection disabled. I could reproduce the error by disabling SIP: Library not loaded: @rpath/myframework.framework/myframework Referenced from: <4C129258-1BF8-3D30-9AFE-BF4206D0A767> /Applications/MyApp.app/Contents/MacOS/MyApp Reason: , (security policy does not allow @ path expansion) (terminated at launch; ignore backtrace) The app launches normally if I reenable SIP. I can't find information about "security policy does not allow @ path expansion". I'll appreciate if someone can point me in the right direction.

I'm looking for a solution to install a binary on a macOS system where System Integrity Protection (SIP) is enabled, and the target installation location is protected by SIP. I need to achieve this without booting into recovery mode to disable SIP. Is there any method to achieve this, such as by creating separate packages that can handle SIP-protected locations, developing or using installer applications capable of navigating SIP constraints, leveraging specific entitlements or permissions to facilitate the installation, or utilising Mobile Device Management (MDM) solutions for deployment? If anyone has experience or insights on any reliable ways to accomplish this, please share any detailed steps, tools, or best practices that could be useful.

A few months ago I requested access to the com.apple.developer.contacts.notes entitlement, which I now have access to. While running on 'Debug' build configuration, everything works as expected. When creating a 'Release' build, however, the entitlement does not appear to be included with the app, as the console reports that fetching the note for each contact fails. When I try to add the "Contact Notes" capability in Xcode, under the 'Release' tab in the project settings, the capability appears for a few seconds, then disappears when I move to a different tab and return. This does not happen for the 'Debug' configuration. Attempted Resolutions: Changing the signing configuraiton from 'Automatic' to 'Manual', using a manually generated provisioning profile. I manually inspected the provisioning profile using the terminal to ensure it included the entitlement. Creating a separate entitlement file with com.apple.developer.contacts.notes, adding it to the root of the project. Ensuring that the path to this file is correct on the 'Release' configuration. Ensuring 'Contacts Notes Field Access' is enabled under 'Additional Capabilities' in the Developer portal. Adding the capability on Xcode. Below is the inspector displaying the provisioning profile for the 'Debug' Configuration: And the following image below shows the inspector details for the 'Release' Configuration provisioning profile: When I use a manual provisioning profile and an entitlements file at the root of the project, Xcode displays this strange error:

My App has several resources that I'd like to spring open through App Intents. For example a series of Dictionaries. These resources however in the app are behind a log in (for security) and are entitlements that are purchased. They may own 4 of 7 dictionaries. If I want to have an intent that says, "Open Dictionary: (Dict Name)" how do I best handle situations where the user may no longer be logged in or have the entitlement for that specific dictionary? Thanks

Hi, we are a Carrier company (Utility provider) and working on a feature to display real-time Wifi Signal strength of customer devices (connected to Router Gateway) to help customers identify low and high signal areas, and possibly install extenders to improve signal strength at weak points. This feature requires NEHotspotHelper entitlement approval to access signalStrength property. We went through this Apple documentation too and we're open to other recommendations from Apple https://developer.apple.com/forums/thread/721067 . Since we currently don't have direct point of contact with Apple to discuss this requirement, hence wanted to check it here. Kindly advise. Thanks !

Hi there, My app detects connected BlackMagic devices on a user's machine and this is done using the DeckLink SDK which first tries to load /Library/Frameworks/DeckLinkAPI.framework using CFBundleCreate. I have not been able to create a notarized app which successfully detects the devices. Either the DeckLinkAPI works or the app starts up without showing "the developer cannot be verified" on my test computer but never both. This is what I've tried so far: signed app: DeckLinkAPI available hardened runtime: DeckLinkAPI not available hardened runtime + com.apple.security.cs.disable-library-validation: DeckLinkAPI available, notarization succeeds yet the "the developer cannot be verified" I've also tried to use weak linking to DeckLinkAPI.framework instead of including the SDK's CFBundleCreate code but that made no difference: I still needed the com.apple.security.cs.disable-library-validation entitlement for that to work which caused "the developer cannot be verified". DeckLinkAPI.framework is notarized: > codesign --test-requirement="=notarized" --verify --verbose /Library/Frameworks/DeckLinkAPI.framework /Library/Frameworks/DeckLinkAPI.framework: valid on disk /Library/Frameworks/DeckLinkAPI.framework: satisfies its Designated Requirement /Library/Frameworks/DeckLinkAPI.framework: explicit requirement satisfied Is there any way to successfully notarize an app to use the DeckLink SDK or any other thirdparty notarized framework which is distributed seperately?

Hello, For educational purpose, I try to use a POSIX semaphore sem_t instead of a dispatch_semaphore_t in a sandbox macOS Obj-C app. When using sandbox, the semaphore code creation : sem_t * _unixSemaphore; char nameSemaphore[64] = {0}; snprintf(nameSemaphore, 22, "/UnixSemaphore_sample"); _unixSemaphore = sem_open(nameSemaphore, O_CREAT, 0644, 0); fails, receiving SEM_FAILED and the errno is 78 (not implemented) However, the sem_t _unixSemaphore is created and works fine when I disable sandbox I my entitlements. Is there a way to fix this? Thank you in advance Jean Marie

Hi, Can a single domain serve a /.well-known/apple-app-site-association file for multiple apps from different developers? We currently have our own domain, let's say example.com, which serves https://example.com/.well-known/apple-app-site-association which lists our app, let's say "ABCDEFG.com.example.AppA" for path "/app/a". We're talking with another developer who has another app on the store. Can we add their app, "MNOPQR.com.different.AppB" on our site, https://example.com/.well-known/apple-app-site-association, add their app ID for path "/app/b", ask them to add our example.com domain in their associated-domains entitlement, and would it work? I mean would https://example.com/app/a open our app "ABCDEFG.com.example.AppA" and https://example.com/app/b open their app "MNOPQR.com.different.AppB" ? We want to open https://example.com/redirect/app redirect to either /app/a or /app/b depending on the query parameters and launch our or their app. Thanks in advance!

Is there a simple way to get the value of the APS Environment setting in the Entitlements file from within a SwiftUI app? As others have noted, when the app is run from Xcode, this value is set to "development" but when run from Archive'd TestFlight version, it is set to something else (presumably "production"). I need to know which environment the app should use for registering its device token for notifications.

HI! I am developing an application that should utilize ScriptingBridge.framework to interact with another process. Firstly, I created a separate test application for which I have added Apple Events entitlements via "Signing & Capabilities" section in Xcode and updated its Info.plist to have "Privacy - AppleEvents Sending Usage Description". While the test app works fine (I see an automation request popup and the process executes as expected) the main application where I want to integrate this functionality gets closed immediately after reaching the code interacting with Scripting Bridge. On its launch, I see the following error message from tccd in Console: Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<app bundleID>, ..., binary_path=<path to the app's binary>} I had no such issues with the test app. Moreover, I should mention that the bundle I want to have with such functionality is stored in another bundle, both main and inner bundles aren't sandboxed, and the target app has Application is agent (UIElement) key set in Info.plist. Can you suggest any ideas as to why processes behave so differently despite having pretty much the same build configurations?

I have tried everything and still I am getting this. Just for a test I created a new app (Master-Detail template Xcode 11.5) I have created an entry in the iTunes Connect to receive the app upon archiving and uploading. I regenerated all new certificates for iOS Development and Distribution. I created all new Provisioning profiles. The Dev profile builds deploys and runs on my device The Dist profile builds but when I select the distribution profile I get the "Profile doesn't include the com.apple.application-identifier entitlement." error. When I download the profile within Xcode all looks good for the distribution profile: App ID: matches correctly Certificated: 1 Included includes the new signing certificate "iPhone Distribution...." Capabilities: 3 Included Includes Game Center, In-App Purchase, and Keychain Sharing Entitlements: 5 Included Includes application-identifier, keychain-access-groups, beta-reports-active, get-task-allow, and com.apple.developer.team-identifier. Im not sure what is going on. This is a standard process I have performed for quite a while. As a matter of fact I just submitted 3 applications last Sunday. Thank you for any suggestions.