Hello, I already have got approval from Apple for com.apple.developer.family-controls entitlement When I am building my app, there is one part where I need to check the list of applications which I have blocked with my app. To get the list I have to have com.apple.developer.managed-settings entitlement ... Now how and where show I get hold of it ? I already got permission for Family Control, how do I get hold of this now ?

We were recently approved for the "User Assigned Device Name" for a specific app Identifier. The "Additional Capabilities" tab isn't present on that App ID. I am an admin in the developer portal, and this does not appear for the account holder as well. Any help would be appreciated.

I'm creating an App that can accepted PDFs from a shared context. I am using iOS, Swift, and UIKit with IOS 17.1+ The logic is: get the context see who is sending in (this is always unknown) see if I can open in place (in case I want to save later) send the URL off to open the (PDF) document and load it into PDFKit's pdfView.document I have no trouble loading PDF docs with the file picker. And everything works as expected for shares from apps like Messages, email, etc... (in which case URLContexts.first.options.openInPlace == False) The problem is with opening (sharing) a PDF that is sent from the Files App. (openInPlace == True) If the PDF is in the App's Document Folder, I need the Security scoped resource, to access the URL from the File's App so that I can copy the PDF's data to the PDFViewer.document. I get Security scoped resource access granted each time I get the File App's context URL. But, when I call fileCoordinator.coordinate and try to access a file outside of the App's document folder using the newUrl, I get an error. FYI - The newUrl (byAccessor) and context url (readingItemAt) paths are always same for the Files App URL share context. I can, however, copy the file to a new location in my apps directory and then open it from there and load in the data. But I really do not want to do that. . . . . . Questions: Am I missing something in my pList or are there other parameters specific to sharing a file from the Files App? I'd appreciate if someone shed some light on this? . . . . . Here are the parts of my code related to this with some print statements... . . . . . SceneDelegate func scene(_ scene: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>) { // nothing to see here, move along guard let urlContext = URLContexts.first else { print("No URLContext found") return } // let's get the URL (it will be a PDF) let url = urlContext.url let openInPlace = urlContext.options.openInPlace let bundleID = urlContext.options.sourceApplication print("Triggered with URL: \(url)") print("Can Open In Place?: \(openInPlace)") print("For Bundle ID: \(bundleID ?? "None")") // get my Root ViewController from window if let rootViewController = self.window?.rootViewController { // currently using just the view if let targetViewController = rootViewController as? ViewController { targetViewController.prepareToLoadSharedPDFDocument(at: url) } // I might use a UINavigationController in the future else if let navigationController = rootViewController as? UINavigationController, let targetViewController = navigationController.viewControllers.first as? ViewController { targetViewController.prepareToLoadSharedPDFDocument(at: url) } } } . . . . ViewController function I broke out the if statement for accessingScope just to make it easier for me the debug and play around with the code in accessingScope == True func loadPDF(fromUrl url: URL) { // If using the File Picker / don't use this // If going through a Share.... we pass the URL and have three outcomes (1, 2a, 2b) // 1. Security scoped resource access NOT needed if from a Share Like Messages or EMail // 2. Security scoped resource access granted/needed from 'Files' App // a. success if in the App's doc directory // b. fail if NOT in the App's doc directory // Set the securty scope variable var accessingScope = false // Log the URLs for debugging print("URL String: \(url.absoluteString)") print("URL Path: \(url.path())") // Check if the URL requires security scoped resource access if url.startAccessingSecurityScopedResource() { accessingScope = true print("Security scoped resource access granted.") } else { print("Security scoped resource access denied or not needed.") } // Stop accessing the scope once everything is compeleted defer { if accessingScope { url.stopAccessingSecurityScopedResource() print("Security scoped resource access stopped.") } } // Make sure the file is still there (it should be in this case) guard FileManager.default.fileExists(atPath: url.path) else { print("File does not exist at URL: \(url)") return } // Let's see if we can open it in place if accessingScope { let fileCoordinator = NSFileCoordinator() var error: NSError? fileCoordinator.coordinate(readingItemAt: url, options: [], error: &error) { (newUrl) in DispatchQueue.main.async { print(url.path()) print(newUrl.path()) if let document = PDFDocument(url: newUrl) { self.pdfView.document = document self.documentFileName = newUrl.deletingPathExtension().lastPathComponent self.fileLoadLocation = newUrl.path() self.updateGUI(pdfLoaded: true) self.setPDFScale(to: self.VM.pdfPageScale, asNewPDF: true) } else { print("Could not load PDF directly from url: \(newUrl)") } } } if let error = error { PRINT("File coordination error: \(error)") } } else { DispatchQueue.main.async { if let document = PDFDocument(url: url) { self.pdfView.document = document self.documentFileName = url.deletingPathExtension().lastPathComponent self.fileLoadLocation = url.path() self.updateGUI(pdfLoaded: true) self.setPDFScale(to: self.VM.pdfPageScale, asNewPDF: true) } else { PRINT("Could not load PDF from url: \(url)") } } } } . . . . Other relevant pList settings I've added are: Supports opening documents in place - YES Document types - PDFs (com.adobe.pdf) UIDocumentBrowserRecentDocumentContentTypes - com.adobe.pdf Application supports iTunes file sharing - YES And iCloud is one for Entitlements with iCloud Container Identifiers Ubiquity Container Identifiers . . . . Thank you in advance!. B

Hi Forum, We’re building a security-focused SDK for iOS that includes SIM Binding and SIM Swap detection to help prevent fraud and unauthorised device access, particularly in the context of banking and fintech apps. We understand that iOS limits access to SIM-level data, and that previously available APIs (such as those in CoreTelephony, now deprecated from iOS 16 onwards) provide only limited support for these use cases. We have a few questions and would appreciate any guidance from the community or Apple engineers: Q1. Are there any best practices or Apple-recommended approaches for binding a SIM to a device or user account? Q2. Is there a reliable way to detect a SIM swap when the app is not running (e.g., via system callback, entitlement, or background mechanism)? Q3. Are fields like GID1, GID2, or ICCID accessible through any public APIs or entitlements (such as com.apple.coretelephony.IdentityAccess)? If so, what is the process to request access? Q4. For dual SIM and eSIM scenarios, is there a documented approach to identify which SIM is active or whether a SIM slot has changed? Q5. In a banking or regulated environment, is it possible for an app vendor (e.g., a bank) to acquire certain entitlements from Apple and securely expose that information to a security SDK like ours? What would be the compliant or recommended way to structure such a partnership? Thanks in advance for any insights!

I've created an app that grabs the current URL and Title/name from the frontmost window/tab of Safari or any of a number of Chromium browsers, using NSAppleScript. The app sits in the menu bar and can be summoned by shortcut key combo. let script = """ tell application \"Safari\" if not (exists front window) then return {\"\", \"\"} set theTab to current tab of front window set theURL to URL of theTab set theTitle to name of theTab return {theURL, theTitle} end tell """ if let appleScript = NSAppleScript(source: script) { let output = appleScript.executeAndReturnError(&error) if output.numberOfItems == 2 { let url = output.atIndex(1)?.stringValue let title = output.atIndex(2)?.stringValue if let url = url, !url.isEmpty { return (url, title) } } } If I sign an archived build and run it locally it works beautifully, no matter which browser I am using. But the URL/title grabbing breaks in sandbox due to permissions. I read and have been informed that I need to use com.apple.security.scripting-targets entitlement. The example for this is in WWDC 2012 and talks about accessing Mail compose window. <key>com.apple.security.scripting-targets</key> <dict> <key>com.apple.mail</key> <array> <string>com.apple.mail.compose</string> </array> </dict> However, I don't want to control the app or use any access groups, as I've looked through the sdef and Safari/Chrome do not provide any access groups whose contents I'm interested in. I just want to get the property/values of a window/tab. So I think I could be quite restrictive about the read-only access to two properties or objects that I need. That said, I'm going back and forth with TestFlight review kind of shooting in the dark. I need help! So I figure it's time to ask: what content should my entitlement have? Or am I on the wrong path entirely? I know it's possible because an app called Neptunes does it to get properties from Music.app Many thanks in advance, matt

Hello! My question is about 1) if we can use any and or all accessibility features within a sandboxed app and 2) what steps we need to take to do so. Using accessibility permissions, my app was working fine in Xcode. It used NSEvent.addGlobalMonitorForEvents and localMoniter, along with CGEvent.tapCreate. However, after downloading the same app from the App Store, the code was not working. I believe this was due to differences in how permissions for accessibility are managed in Xcode compared to production. Is it possible for my app to get access to all accessibility features, while being distributed on the App Store though? Do I need to add / request any special entitlements like com.apple.security.accessibility? Thanks so much for the help. I have done a lot of research on this online but found some conflicting information, so wanted to post here for a clear answer.

我没有勾选entitlements 中的” com.apple.security.network.server“和” com.apple.security.device.usb“，但是确实在打包时又自动出现在包里，我现在无法解决这个问题，我需要帮助，谢谢 我的.entitlements 文件如下： 排查命令： codesign -d --entitlements :- ./Device\ Guard.app Executable=/Users/zhanghai/Library/Developer/Xcode/DerivedData/MacGuardApp-fvfnspyxcojxojdfclyohrnupgsh/Build/Products/Debug/Device Guard.app/Contents/MacOS/Device Guard warning: Specifying ':' in the path is deprecated and will not work in a future release

our app has a helper to perform privileged operations. previously that helper was installed via SMJobBless() into the /Library/LaunchDaemons/ and /Library/PrivilegedHelperTools/ we also had a script that would install the helper from the command-line, which was essential for enterprise users that could not manually install the helper on all their employee's Macs. the script would copy the files to their install location and would use launchctl bootstrap system as the CLI alternative to SMJobBless(). the full script is here: https://pastebin.com/FkzuAWwV due to various issues with the old SMJobBless() approach we have ported to helper to the new SMAppService API where the helpers do not need to be installed but remain within the app bundle ( [[SMAppService daemonServiceWithPlistName:HELPER_PLIST_NAME] registerAndReturnError:&err] ) however, we are having trouble writing a (remote-capable) CLI script to bootstrap the new helper for those users that need to install the helper on many Macs at once. running the trivial sudo launchctl bootstrap system /Applications/MacUpdater.app/Contents/Library/LaunchDaemons/com.corecode.MacUpdaterPrivilegedInstallHelperTool2.plist would just result in a non-informative: Bootstrap failed: 5: Input/output error various other tries with launchctl bootstrap/kickstart/enable yielded nothing promising. so, whats the command-line way to install a SMAppService based helper daemon? obviously 'installing' means both 'registering' (which we do with registerAndReturnError in the GUI app) and 'approving' (which a GUI user needs to manually do by clicking on the notification or by going into System Settings). thanks in advance! p.s. we wanted to submit this as a DTS TSI, but those are no longer available without spending another day on a reduced sample projects. words fail me. p.p.s. bonus points for a CLI way to give FDA permissions to the app!

I’m hitting a WeatherKit JWT failure (WDSJWTAuthenticatorServiceListener Code = 2) at runtime even though the entitlement is present in both the signed binary and the embedded provisioning profile. Environment Team ID 5SZLQLQ9MD Bundle ID ParkProfessor.ParkProfessorDisneyland Device / OS iPhone 15 Pro · iOS 17.4.1 (hardware, not simulator) Xcode 15.3 (15E204a) Console output Failed to generate jwt token for: com.apple.weatherkit.authservice Error Domain=WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors Code=2 "(null)" Entitlement & profile snippets codesign -d --entitlements :- WeatherKitTest.app | grep -A2 weatherkit com.apple.developer.weatherkit security cms -D -i embedded.mobileprovision | grep -A2 weatherkit com.apple.developer.weatherkit What I’ve already tried Regenerated a new development certificate and a new iOS App Development provisioning profile with WeatherKit enabled. Confirmed the capability is selected in Certificates ▸ Identifiers ▸ Profiles and added in Xcode target settings. WeatherKit Terms of Service accepted in the portal. Deleted the app, removed any device management profiles, rebooted the phone, clean-built & ran again. Reproduced the issue in a minimal SwiftUI app that calls: WeatherService.shared.weather(for: CLLocation(latitude: 33.8121, longitude: -117.9190), including: .current) – same Code 2 error. Request It looks like the App ID may need a backend entitlement sync. Could someone from the WeatherKit team please check the status for Team 5SZLQLQ9MD, Bundle ID ParkProfessor.ParkProfessorDisneyland and enable WeatherKit token generation? Thanks!

We have a subscription WeatherKit app which has been on the App Store since December 2023. I am getting intermittent JWT auth failures on customer devices. In the great majority of cases, the request succeeds, but sometimes it fails, and sometimes it fails and never recovers. I’m working with a customer right now who is unable to get any weather data at all, and the logs he sends me show WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors error 2 The app uses the WeatherKit SDK (we are not using the REST API directly). We know we have the project setup as it has been working since launch, and I can verify weatherkit using security cms -D -i embedded.mobileprovision It it not a problem with the specific query, since I can get data for the dates and locations they are requesting. I can’t replicate the problem on my test devices. In case there is a rate limit issue: this app is a bit unusual and downloads an unusual amount of data at once using multiple queries in parallel using a TaskGroup. When the user creates a location, the app downloads a 10 day block of weather (7 days in the past + 3 day forecast) using WeatherService.shared.weather( for: location, including: WeatherQuery.daily( startDate: startDate, endDate: endDate ), WeatherQuery.hourly( startDate: startDate, endDate: endDate ) ) It also downloads about 2 months of daily precipitation data using multiple parallel calls to dailySummary in 10 day blocks: WeatherService.shared.dailySummary( for: location, forDaysIn: DateInterval(start: startDate, end: endDate), including: .precipitation ) In almost every case, including on my test devices, this works. But some users get WeatherDaemon.WDSJWTAuthenticatorServiceListener.Errors error 2 on every request. The two users yesterday that had this problem were both on iOS 18.5 for what that's worth, though the app supports 17.2+ Is anyone else seeing this? And can anyone suggest anything else to explore? It's obviously a terrible experience for customers who pay for the service and are unable to get any data. I did submit this info to Apple as FB18276275

My chromium based browser distributing outside the app store got the "com.apple.developer.web-browser.public-key-credential" entitlement and singed with a developer profile. But it seems to work partially since "AuthenticationServicesHelper" asks for the machine password each time we try to signin through passkey (in Github) while Google account throws an error to create passkey though it shows we can create them. I think Apple doesn't trust the App inspite of the entitlement. how do we resolve this?

The driver does not show up in the app settings after switching to “DriverKit USB Transport - VendorID”. Previously, the app used “DriverKit USB Transport (development)” and everything worked as expected. The entitlements looked like this: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.driverkit</key> <true/> <key>com.apple.developer.driverkit.transport.usb</key> <array> <dict> <key>idVendor</key> <string>*</string> </dict> </array> </dict> </plist> I received approval to use “DriverKit USB Transport - VendorID”. I updated the App ID configuration in the portal, removed all development entitlements, updated the provisioning profile, and edited the driver’s .entitlements as follows: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.driverkit</key> <true/> <key>com.apple.developer.driverkit.transport.usb</key> <array> <dict> <key>idVendor</key> <integer>1111</integer> </dict> </array> </dict> </plist> The app installs on an iPad with an M processor, but the driver does not appear in the settings. In the logs I see the following: 272 debug 19:50:42.005193+0300 installd 7935 signing bytes in 5 blob(s) from /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.bugkAE/extracted/Payload/****.app/SystemExtensions/****Driver.dext/****.Driver(arm64) 272 debug 19:50:42.012068+0300 installd open(/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.bugkAE/extracted/Payload/****.app/SystemExtensions/net.svedm.****.SDRDriver.dext/Info.plist,0x0,0x1b6) = 4 272 debug 19:50:42.012712+0300 installd 0xc2e14c618 done serializing <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>application-identifier</key><string>****.Driver</string><key>com.apple.application-identifier</key><string>****</string><key>com.apple.developer.driverkit</key><true/><key>com.apple.developer.driverkit.transport.usb</key><array><dict><key>idVendor</key><integer>3034</integer></dict></array><key>com.apple.developer.team-identifier</key><string>****</string><key>com.apple.security.get-task-allow</key><true/><key>get-task-allow</key><true/></dict></plist> 0 error 19:53:08.930054+0300 kernel Sandbox: MyApp(844) deny(1) sysctl-read kern.bootargs 0 error 19:53:08.931571+0300 kernel Sandbox: driverkitd(77) deny(1) syscall-unix 284 syscall-unix-denied-SIGKILL 0 error 19:53:09.985946+0300 kernel 1 duplicate report for Sandbox: driverkitd(77) deny(1) syscall-unix 284 syscall-unix-denied-SIGKILL 0 error 19:53:09.985985+0300 kernel Sandbox: MyApp(844) deny(2) file-test-existence /usr/bin/swift-backtrace 0 error 19:53:09.986011+0300 kernel Sandbox: MyApp(844) deny(2) file-test-existence /usr/bin/arm64e But I don’t quite understand what is going wrong. Any ideas?

We are developing an iOS application with a key feature designed to enhance user safety: real-time assessment of Wi-Fi network security. The "Safe Wi-Fi" feature aims to inform users about the security level of the Wi-Fi network they are currently connected to. Our goal is to provide this information seamlessly and continuously, even when the user isn't actively using the app. Currently, we've implemented this feature using a NWPathMonitor. The limitation of NWPathMonitor is that it doesn't function when the app is in a kill state. We are looking for guidance on how to achieve persistent Wi-Fi security monitoring in the background or when the app is killed. Is there any API (Public, Special API, etc) or a recommended approach that allows for real-time Wi-Fi connection monitoring (including connection changes and network details) even when the app is not actively running or is in a kill state. Thank you in advance for your help.

Hello everyone, I'm a new developer who just finished building my app. I'm now preparing to submit it to the App Store but wanted to beta-test it first via TestFlight. During the upload process, I encountered an error prompting me to add sandbox entitlements, which I did. The app successfully made it to TestFlight, and I invited myself and a few fellow developers to test it. However, we're running into an issue: On first launch, the app displays a popup directing users to Privacy & Security > Accessibility to grant permissions. The sandboxed version does not show the app as a toggle in Accessibility settings. Manually adding the app via the + button and selecting it directly doesn’t seem to resolve the permission issue. I understand that I may need additional entitlements depending on the app's functionality, but I'm unsure which ones are required. Specifically: Which entitlement controls whether the app appears in Accessibility settings? Additionally: How can I test these permission workflows locally (without re-uploading to TestFlight) to verify fixes before resubmitting? Any guidance on debugging this—whether related to entitlements, sandboxing, or local testing—would be greatly appreciated! Thanks in advance.

Hi everyone, We’ve enabled both StoreKit External Purchase and StoreKit External Purchase Link entitlements for our app (“RoadRecord útnyilvántartó”) and confirmed they are active in Xcode and App ID configuration. However, the App Store Connect interface still does not display the section to configure the External Purchase Link (nor the “Alternative Payment” section), which blocks us from submitting the app. When trying to submit the app, we see this error: “To submit this app version, you must first set up your account for alternative payment.” There’s no UI to complete this step in App Store Connect. Case ID: 14557560 App ID: 1441553506 We’ve contacted Developer Technical Support and were advised to post here for escalation and further technical investigation. Any help or confirmation from Apple staff would be greatly appreciated. We are ready to submit as soon as the UI becomes available. Thanks! Gábor

I have tried multiple time through multiple channels and you have yet to respond to my request. I am developing an App on xcode APP Bundle ID: garymdmd.MediaPace Apple ID: 6740823496 Apple has granted me distribution use of the Family Control/Screentime module for my main app. According to your engineer's post here: https://developer.apple.com/forums/thread/764919 That permission should be extended to your extensions that are part of the app. When you try to setup the extension identifiers they do not show the "added capabilities" column that sow sup when getting permission for the main app so you are not able to endow the extension with these permissions which seem to be needed to work with the app. I am trying to add these bundle identifier extensions: garymdmd.MediaPace.ScreenTimeMonitorDuo garymdmd.MediaPace.DeviceActivityReport Can you please tell me how to get this to work or to add permissions to these extensions. I have sent in the request form multiple times (here - https://developer.apple.com/contact/request/family-controls-distribution) and Apple simply writes back that I have permission after a few weeks but nothing changes for the extension capabilities.

Hi Team! Has anyone found a reliable way to detect CarPlay connection without the app needing to be in the foreground? I’m exploring a concept where, for example, as someone nears home while driving, a prompt appears on the CarPlay screen asking “Would you like to turn on the lights / open garage?” triggered by proximity and CarPlay connection. Would be cool to have it work automatically, but knowing you're in the car is kind of important. From what I can see, apps can’t reliably detect CarPlay connection unless they’re actively open on the CarPlay screen. Most background detection methods (like external screen connect notifications) appear deprecated. That is, unless you're specifically approved as a "messaging" or "navigation" app that appear to get special privilages to send alerts from the background. If I send an alert (or poll Carplay periodically) it just gives silent/dead response. Is there any approach, framework, entitlement, or UI pattern that could allow a passive trigger or background detection while driving with CarPlay connected? I can't see any way to bring an app to the foreground either. Not looking to abuse any rules... just want to understand if anyone’s found a clean, approved workaround. Thanks in advance!

You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

Hello, I upgraded my Apple Developer account from free to paid (Individual), but I cannot enable “Background Modes” (specifically “Location updates”) for any of my App IDs—including both old App IDs created while on the free account and brand new App IDs created after upgrading. When I go to Apple Developer Portal &gt; Identifiers &gt; [select App ID] &gt; Edit, the option for “Background Modes” is missing from the list of capabilities. This is preventing me from enabling required entitlements for background location in Xcode, and all provisioning profiles fail with errors such as: Provisioning profile "iOS Team Provisioning Profile: [my bundle id]" doesn't include the com.apple.developer.location.always and com.apple.developer.location.background entitlements. Steps I’ve Taken: Upgraded to a paid Apple Developer Program (verified in my account). Created new App IDs after upgrading—Background Modes is still missing. Created new Xcode projects with new App IDs and bundle identifiers—same result. Refreshed provisioning profiles, cleaned Xcode, logged out/in—no change. Contacted Apple Support; advised to file a Code-Level Support request, but the issue is with the portal/App ID capabilities, not my code. My Question: Has anyone experienced this issue where Background Modes capability is missing for all App IDs, even after upgrading to a paid account? Is there any workaround, or does this require intervention from Apple Developer Support to “unlock” the missing capabilities for my developer account? Any insight or advice would be appreciated! Thank you.

I tried to test out the new Wi-Fi aware framework but encountered the issue in the title. My operation steps are as follows: 1) create a hello world project using Xcode 26.0 beta 2) add Wi-Fi Aware entitlement and service following the sample code in "Building peer-to-peer apps" 3) run my code on an iPhone 16 Pro and fail at the building stage. The error message is "Provisioning profile "iOS Team Provisioning Profile: [my project name]" doesn't include the com.apple.developer.wifi-aware entitlement." I also tried to build the sample app but faced the same issue.