When using Team “57AWJ345M2” and setting the project’s Bundle ID to “com.marsgame.fg2”, enabling the iCloud capability and checking Key-Value Storage results in the following error:"Provisioning profile "iOS Team Provisioning Profile: com.marsgame.fg2" doesn't match the entitlements file's value for the com.apple.developer.ubiquity-kvstore-identifier entitlement." This issue does not occur if we use a different Team or a different Bundle ID. The project was transferred from another Team to this new Team, and everything worked fine before the transfer. Additionally, we have tried creating a brand new project, but as long as we use this same Team and this same Bundle ID, the error still occurs when enabling Key-Value Storage.

I’m working on an iOS VPN app and looking into using NETunnelProvider (Packet Tunnel) for the VPN implementation. From the documentation it seems that Packet Tunnel is required for VPN protocols like OpenVPN, but the Packet Tunnel capability doesn’t appear to be available by default. Does using NETunnelProvider / Packet Tunnel require a special entitlement to be enabled by Apple for App Store apps? If so, what is the general process for requesting or enabling that entitlement?

**The issue - ** I can't add "In-App Purchase" as a capability in xCode to my iMessage extension target. **What I have tried - ** I have a valid provisioning profile with In-App Purchases enabled. I have agreed to all agreements in the apple developer console. I have an apple developer membership. I have added an active bank account to my apple developer account. **How the issue came to be - ** I am trying to develop a "stand-alone" iMessage app (no underlying app) which as I understand it is different from a "iMessage extension app"(this has an underlying app that it syncs/interacts with). To do this, I updated my mac to latest OS (Tahoe 26.2) and xCode as well. I then began by using the "iMessage App" template in xCode. And BAM right off the bat, I could not get the "In-App Purchases" capability to show up when I select my iMessage extension target. To be clear, when you make the template, you get 2 targets, one is just a regular "app" target and the other is the iMessage extension target. Now I am not sure if I even need the "app" target if I'm trying for a standalone iMessage app, but I figured it wouldn't be causing this issue as I have tried deleting that target and nothing changed. **Replicating the issue - ** I have tried creating other "iMessage App"'s off of the template to see if maybe I just got it wrong or misconfigured something in my development, but it seems like when you start one of those templates, you immediately are not able to see the "In-App Purchase" capability. **Help! - ** I know this to be possible as there is another (very popular) iMessage extension out on the app store right now called "Game Pigeon" which is also provided by an individual just like I am trying to do, and he uses In App Purchases in his iMessage app. Any help on this would be GREATLY appreciated. Please reach out to me if you need/want additional info or could/want to schedule a meeting.

We are using a java program as an installer for a software suite. This program is bundled inside a signed and notarized Mac app, but it uses the system installed Java (from env). For installing software, it requires the App Management permission (currently under System Settings › Privacy & Security › App Management). Since the program runs via the system provided Java executable, that one is the executable, that needs said permission. In the past, it was possible to add java to said permissions list. With macOS 26.2 it is no longer possible. I think, this change happened with 26.2. It was definitely still working with macOS 15 (I can reproduce it there), and I am confident, that it also still worked under 26.1. In Console.app I can see errors like this one /AppleInternal/Library/BuildRoots/4~CCKzugBjdyGA3WHu9ip90KmiFMk4I5oJfOTbSBk/Library/Caches/com.apple.xbs/Sources/SecurityPref/Extension/Privacy/TCC+PrivacyServicesProvider.swift:227 add(record:to:) No bundle or no bundle ID found for record TCCRecord(identifier: "/opt/homebrew/Cellar/sdkman-cli/5.19.0/libexec/candidates/java/11.0.29-tem/bin/rmic", identifierType: SecurityPrivacyExtension.TCCIdentifierType.path, access: SecurityPrivacyExtension.TCCAccess.full, managed: false, allowStandardUserToSetSystemService: false, subjectIdentityBundleIdentifier: nil, indirectObjectIdentityBundleIdentifier: nil, indirectObjectIdentityFileProviderIdentifier: nil, tccAuthorization: <OS_tcc_authorization_record: 0xa97d0ba80>) This is reproducible for various different Java installations. I can also not add Java to the other permissions that I tried. Since Java is not installed in a bundled app but instead as a UNIX executable in a bin-folder, the error No bundle or no bundle ID found for record makes sense. I expect this to also affect other use cases where programs are provided as UNIX executables such as Python or C-Compilers like g++. While it is possible to bundle an entire JRE inside each app, we intentionally chose not to as this massively increases app size. If this issue is not resolved or a workaround can be found, this is the only option that remains for us. I am however worried that there are other use cases where this is not an option.

There is an inconsistent issue when views are rendered from the Device Activity Report Extension. This issue is noticeable only on release versions and it works fine in debug mode. Around 80% of the times, the Report Views return blank screen and this is only the case when a weekly/monthly filter is used. Although, it works as expected for daily report views. My questions are: How are all the Report Activity Views working fine in debug mode but not in release mode? How the daily activity filter works fine in the release mode but the weekly/monthly filters don't work? Is this because of a memory limit issue in the extension? As of now, I have the family-controls(distribution) entitlement only for the app and for the extensions I only have family-controls(development) entitlement. Do I need to request for family-controls(Distribution) entitlement even for the extensions? I have seen threads on the forum mentioning the blank screen issue associated with the DeviceActivityReport but haven't found a solution to it. Any suggestions/feedback would be of great help, thanks.

Hello Team, We applied for Tap to Pay on iPhone entitlement and were approved, but on distribution support it's only showing Development. We can build and debug Tap to Pay on development, but unable to build release. We opened ticket with Apple support but they were saying it was configured correctly. I attached screenshot of our developer account entitlement for Tap to Pay. It clearly said Development only.

Hiya folks! I'm David and I work on rust-analyzer, which is a language server for Rust similar to sourcekit-lsp. I'm using the new Instruments profiling tooling functionality in Xcode 16.3 and Xcode 26 (Processor Trace and CPU Counters) to profile our trait solver/type checker. While I've been able to use the new CPU Counters instrument successfully (the CPU Bottleneck feature is incredible! Props to the team!), I've been unable to make use of the Processor Trace instrument. Instruments gives me the error message "Processor Trace cannot profile this process without proper permissions". The diagnostic suggests adding the com.apple.security-get-task-allow entitlement to the code I'm trying to profile, or ensure that the build setting CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES is enabled in Xcode. Unfortunately, I don't know how I can add that entitlement to a self-signed binary produced by Cargo and I'm not using Xcode for somewhat obvious reasons. Here's some information about my setup: Instruments Version 26.0 (17A5241e) I'm on an 14" MacBook Pro with M4 Pro. It's running macOS Version 26.0 Beta (25A5295e). I've enabled the "Processor Trace" feature in "Developer Tools" and even added the Instruments application to "Developer Tools". As a last-ditch effort before posting this, I disabled SIP on my Mac. Didn't help. To reproduce my issue: Get Rust via https://rustup.rs/. Clone rust-analyzer: git clone https://github.com/rust-lang/rust-analyzer.git. cd rust-analyzer Run cargo test --package hir-ty --lib --profile=dev-rel -- tests::incremental::add_struct_invalidates_trait_solve --exact --show-output. By default, this command will output a bunch of build progress with the output containing something like Running unittests src/lib.rs (target/dev-rel/deps/hir_ty-f1dbf1b1d36575fe). I take the absolute path of that hir_ty-$SOME-HASH string (in my case, it looks like /Users/dbarsky/Developer/rust-analyzer/target/dev-rel/deps/hir_ty-f1dbf1b1d36575fe) and add it to the "Launch" profile. To the arguments section, I add --exact tests::incremental::add_struct_invalidates_trait_solve. I then try to record/profile via Instruments, but then I get the error message I shared above. Below is output of codesign -dvvv: ❯ codesign -dvvv target/dev-rel/deps/hir_ty-f1dbf1b1d36575fe Executable=/Users/dbarsky/Developer/rust-analyzer/target/dev-rel/deps/hir_ty-f1dbf1b1d36575fe Identifier=hir_ty-f1dbf1b1d36575fe Format=Mach-O thin (arm64) CodeDirectory v=20400 size=140368 flags=0x20002(adhoc,linker-signed) hashes=4383+0 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=99e96c8622c7e20518617c66a7d4144dc0daef28 CandidateCDHashFull sha256=99e96c8622c7e20518617c66a7d4144dc0daef28f22fac013c28a784571ce1df Hash choices=sha256 CMSDigest=99e96c8622c7e20518617c66a7d4144dc0daef28f22fac013c28a784571ce1df CMSDigestType=2 CDHash=99e96c8622c7e20518617c66a7d4144dc0daef28 Signature=adhoc Info.plist=not bound TeamIdentifier=not set Sealed Resources=none Internal requirements=none Any tips would be welcome! Additionally—and perhaps somewhat naively—I think I'd expect the Processor Trace instrument to just work with an adhoc-signed binary, as lldb and friends largely do—I'm not sure that such a high barrier for CPU perf counters is warranted, especially on an adhoc-signed binary.

Hi, I am using a carrier account and have been able to use com.apple.CommCenter.fine-grained entitlement successfully for the past few years. Currently I am trying to use this entitlement in an app clip. but recieving the following error: Validation failed (409) Invalid entitlement. App clip 'xyz.app/AppClips/appClip.app' contains a code signing entitlement 'com.apple.coretelephony.SimAuthentication.allow' that is not supported. Remove the 'com.apple.coretelephony.SimAuthentication.allow' entitlement. (ID: 87f67652-0e22-441d-b7ec-ea4baacab39e) NSUnderlyingError : Validation failed (-19241) Invalid entitlement. App clip 'xyz.app/AppClips/appClip.app' contains a code signing entitlement 'com.apple.coretelephony.SimAuthentication.allow' that is not supported. Remove the 'com.apple.coretelephony.SimAuthentication.allow' entitlement. status : 409 Is it possible to use com.apple.CommCenter.fine-grained entitlement in an app clip? if so do you have any suggestion how to resolve this error?

HI When I try to add Declared Age Range in the capability, there is no such thing... I'm on XCode version 26.2 (17C52)

Hello! I recently submitted a request for the Family Controls (Distribution) for my app, and I’d be super happy if i could have some information about how long this process usually takes so i can plan accordingly. It would help immensly since we want to ship the app as soon as possible. I submitted the request around a week ago. Is there anything I can do on my end to help the process move more smoothly? Thanks in advance!

Hi, happy new year, I'm a Product Manager for a communications app that's currently in testflight. We requested the com.apple.developer.usernotifications.filtering entitlement on December 3rd, and have yet to receive a response from Apple. I understand that the holiday break may have gotten in the way, however it feels like we were lost in the queue as it's been 6 weeks with no response. Our app owner has checked-in inside appstoreconnect but has not received anything back. Is this common? Is there any process for getting a status update? Are we doing something wrong? Without this entitlement we cannot make the device ring in the background. The app is a voice and video messaging platform.

I can't upload my macOS app to app store connect. Each time i try to upload, i see this message: Provisioning profile failed qualification Profile doesn't support App Groups. An empty app without an app group uploads fine, but if i add an app group to it, it does not upload.

Hello, I would like to seek clarification regarding the availability of the NFC Secure Element (SE) / ISO7816 entitlement by region, specifically for Indonesia. I recently contacted Apple Developer Support regarding the use of NFC for reading ISO7816-compatible cards. I was informed that, at this time, the NFC & Secure Element entitlement is not available in Indonesia. For technical planning and compliance purposes, I would like to confirm the following: Is the NFC Secure Element / ISO7816 entitlement currently restricted by region, and is Indonesia officially unsupported at this time? For apps distributed on the App Store in Indonesia, is Core NFC limited to NDEF and non–Secure Element tag reading only? Are there any publicly supported alternatives or recommended architectural approaches for NFC-based workflows in regions where the Secure Element entitlement is unavailable? Is there any public documentation or guidance that outlines regional availability for NFC Secure Element features? I understand that entitlement approvals and availability may vary by region and are handled on a case-by-case basis. Any clarification from Apple engineers or developers with experience in this area would be greatly appreciated. Thank you for your time and assistance. Best regards.

I have applied for CarPlay support here Apply here to get your app approved for CarPlay use: https://developer.apple.com/contact/carplay/ but have not received any acceptance or answers. Does anyone know what to do?

I am developing CarPlay addition on our app. Which is distributed with the Enterprise In distribution method, so we do not have a product in the App Store. I am wondering if CarPlay support can be provided in applications distributed with the Enterprise in distribution method? If this is not possible, I will inform management that this is not possible. I am waiting for your answers, thanks.

Hello, I'm experiencing a significant delay getting the Family Controls entitlement approved for my Shield Configuration Extension, and I'm hoping someone here can help or has experienced something similar. Background: I'm developing an app that uses the Screen Time API with Family Controls. My main app bundle (lukedev.Bloka) was approved for Family Controls (Distribution) and works perfectly. The Problem My Shield Configuration Extension (lukedev.Bloka.Shield) has been stuck waiting for approval for over 2 weeks: Request ID: 6C8LD22UVM Submitted: November 20, 2025 Status: Still "Submitted" Current State: Only shows "Family Controls (Development)" in capabilities What I've Tried ✅ Submitted entitlement request via the proper channels ✅ Contacted Apple Developer Support (case #102762028251) ✅ Verified the main app has full Family Controls approval ✅ Deleted and regenerated all provisioning profiles multiple times ✅ Confirmed the App ID configuration is correct in the Developer Portal The Issue Without Family Controls (Distribution) approval for the Shield extension, I cannot: Test the complete app functionality on physical devices Submit the app to App Store Connect Move forward with development The error I'm getting during provisioning: Provisioning profile failed qualification Profile doesn't include the com.apple.developer.family-controls entitlement Questions Has anyone experienced multi-week delays for Shield extension entitlements? Is this normal? Should Shield extensions automatically inherit entitlements from the main app, or do they really require separate approval? The documentation isn't clear on this. Are there any known workarounds to test Shield Configuration Extensions during development while waiting for distribution approval? How can I escalate this request? Developer Support initially told me I already had approval (for the main app) but didn't address the extension's separate bundle ID. Technical Details Xcode: 16.2 Target: iOS 18+ Main App: Family Controls (Distribution) ✅ Approved Shield Extension: Family Controls (Development only) ❌ Stuck Why This Matters The Shield Configuration Extension is a core component of Screen Time API apps - it's not optional. Without it, the app cannot properly display blocking interfaces. The fact that it requires a separate 2+ week approval process (after the main app was already approved) seems like a significant oversight in Apple's review process. Has anyone successfully navigated this situation or found a way to expedite the review? Any help or insights would be greatly appreciated! Thanks, Luca

General: Forums topic: Family Controls Forums tag: Family Controls Configuring Family Controls documentation Requesting the Family Controls entitlement documentation Screen Time Technology Frameworks documentation FamilyControls documentation What's new in Screen Time API video Meet the Screen Time API video

When setting new entitlements com.apple.developer.networking.carrier-constrained.appcategory and com.apple.developer.networking.carrier-constrained.app-optimized, I have a question about how URLSession should behave. I notice we have a way to specify whether a Network connection should allow ultra-constrained paths via NWParameters allowUltraConstrainedPaths: https://developer.apple.com/documentation/network/nwparameters/allowultraconstrainedpaths There does not appear to be a similar property on URLSessionConfiguration. In an ultra-constrained (eg. satellite) network, should we expect all requests made through an URLSession to fail? Does all network activity when ultra-constrained need to go through a NWConnection or NetworkConnection specifically configured with allowUltraConstrainedPaths, or can URLSession ever be configured to allow ultra-constrained paths?

Hello, I am working to integrate the new com.apple.developer.networking.carrier-constrained.app-optimized entitlement in my iOS 26 app so that my app can use a carrier-provided satellite network, and want to confirm my understanding of how to detect and optimize for satellite network conditions. (Ref: https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.networking.carrier-constrained.app-optimized ) My current approach: I plan to set the entitlement to true once my app is optimized for satellite networks. To detect if the device is connected to a satellite network, I intend to use the Network framework’s NWPath properties: isUltraConstrained — I understand this should be set to true when the device is connected to a satellite network. (Ref: https://developer.apple.com/documentation/network/nwpath/isultraconstrained ) linkQuality == .minimal — I believe this will also be set in satellite scenarios, though it may not be exclusive to satellite connections. (Ref: https://developer.apple.com/documentation/network/nwpath/linkquality-swift.enum/minimal ) Questions: Is it correct that isUltraConstrained will reliably indicate a satellite connection? Should I also check for linkQuality == .minimal, or is isUltraConstrained sufficient? Are there any additional APIs or best practices for detecting and optimizing for satellite connectivity that I should be aware of? Thank you for confirming whether my understanding and approach are correct, and for any additional guidance.