This was working a few days ago, but it has since stopped and I can't figure out why. I've tried resetting TCC, double-checking my entitlements, restarting, deleting and rebuilding, and nothing works. My app is a sandboxed macOS SwiftUI LSUIElement app that, when invoked, checks to see if the frontmost process is Terminal, then tries to get the frontmost window’s title. func getFrontmostWindowTitle() throws -> String? { let trusted = AXIsProcessTrusted() print("getFrontmostWindowTitle AX trusted: \(trusted)") guard let app = NSWorkspace.shared.frontmostApplication else { return nil } let appElement = AXUIElementCreateApplication(app.processIdentifier) var focusedWindow: AnyObject? let status = AXUIElementCopyAttributeValue(appElement, kAXFocusedWindowAttribute as CFString, &focusedWindow) guard status == .success, let window = focusedWindow else { if status == .cannotComplete { throw Errors.needAccessibilityPermission } return nil } var title: AnyObject? let titleStatus = AXUIElementCopyAttributeValue(window as! AXUIElement, kAXTitleAttribute as CFString, &title) guard titleStatus == .success else { return nil } return title as? String } I recently renamed the app, but the Bundle ID has not yet changed. I have com.apple.security.accessibility set to YES in the Entitlements file (although i had to add it manually), and a NSAccessibilityUsageDescription string set in Info.plist. The first time I ran this, macOS nicely prompted for permission. Now it won't do that, even when I use AXIsProcessTrustedWithOptions() to try to force it. If I use tccutil to reset accessibility and apple events, it still doesn't prompt. If I drag my app from the build products folder to System Settings, it gets added to the system TCC DB (not the user DB). It shows an auth value of 2 for my app: % sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "SELECT client,auth_value FROM access WHERE service='kTCCServiceAccessibility' OR service='kTCCServiceAppleEvents';" com.latencyzero.<redacted>|2 <redactd> I'm at a loss as to what went wrong. I proved out the concept earlier and it worked, and have since spent a lot of time enhancing and polishing the app, and now things aren't working and I'm starting to worry.

Hi guys, I'm trying to upload my app with Tap to Pay on iPhone functionality. However, I'm getting error message "Profile doesn't include com.apple.developer.proximity-reader.payment.acceptance entitlement." I've confirmed many times that I have the distribution profile with this capability. Any idea what might be the issue? The development environment works perfectly.

Tap to Pay capabilities are enable and I can use in development profile but I cannot make build that I can upload on TestFlight using the distribution profile because during create build I am getting "Provisioning profile doesn't support the Tap to Pay on iPhone capability." this should be working because I checked twice that distribution profile and certificate have this capability and added in Xcode. how can I resolve this mismatched profile issue I am using Xcode - 15.0.1

Two months ago we got approval for using the Notification Filtering entitlement. We rushed out to implement it in our app, only to find out that the permission was set for the wrong bundle identifier. We expected to get the permission for the notification extension's bundle identifier, yet it is added for the main app's bundle identifier. Per the official docs, the entitlement permission should be in the notification service extension target: After you receive permission to use the entitlement, add com.apple.developer.usernotifications.filtering to the entitlements file in the Notification Service Extension target. However, this fails to get signed when compiling for non-simulator targets because of the bundle mismatch issue. Simulator perfectly filters notifications. Adding the entitlement to the main app does compile, but filtering does not work (as expected). We reached out to Apple twice (Case-ID: 14330583) but we have yet to receive any response. Could there be something else wrong instead of the identifier mismatch?

Hi everyone, I’m working an Objective-C lib that performs Keychain operations, such as generating cryptographic keys and signing data. The lib will be used by my team in a Java program for macOS via JNI. When working with the traditional file-based Keychain (i.e., without access control flags), everything works smoothly, no issues at all. However, as soon as I try to generate a key using access control flags SecAccessControlCreateWithFlags, the Data Protection Keychain returns error -34018 (errSecMissingEntitlement) during SecKeyCreateRandomKey. This behavior is expected. To address this, I attempted to codesign my native dynamic library (.dylib) with an entitlement plist specifying various combinations of: keychain-access-groups com.apple.security.keychain etc. with: My Apple Development certificate Developer ID Application certificate Apple Distribution certificate None of these combinations made a difference, the error persists. I’d love to clarify: Is it supported to access Data Protection Keychain / Secure Enclave Keys in this type of use case? If so, what exact entitlements does macOS expect when calling SecKeyCreateRandomKey from a native library? I’d really appreciate any guidance or clarification. Thanks in advance! Best regards, Neil

Getting "Error Domain=NSCocoaErrorDomain Code=513 "You don’t have permission to save the file" unexpectedly while attempting to create a small log file. Here's some background. This is a Swift app I wrote for my own use six years ago. A week ago, I made a small update to the app, which has not been changed in over two years. First time using Xcode 16.4 on this app, which required some code updates of course. The code creating this file has not been changed. Now for the first time, I'm getting this permissions error on a folder with wide-open permissions. This is the code. Worked for years under previous versions of Xcode. * if let outputURL = URL(string: "file://" + logPath + "/output_" + outputFormatter.string(from:Date()) + ".txt"){ do{ try outputString.write(to: outputURL, atomically:false, encoding: .utf8) }catch let error as NSError{ print ("log write error (error) (nl) (outputString)") } }

Hi I am building obs studio using cmake and Xcode. I used cmake --preset macos -DOBS_CODESIGN_IDENTITY="" to generate the build folder and inside X code used Provisioning Profile with Developer ID Application certification. The build was generated successfully but when I tried to turn on the virtual camera I see missing Missing entitlement com.apple.developer.system-extension.install error. (My Provisioning profile has System Extension Capability checked on apple developer portal) If I use this flow instead: cmake --preset macos -DOBS_CODESIGN_TEAM=63B5A5WDNG Build using Xcode with Automatic manage signing with Apple Developer Certificate. Obs studio builds successfully and Virtual camera extension also works fine. My primary goal is to notarise my app which contains OBS studio and Blackhole Audio driver for distribution outside app store. If I try to sign my obs app generated in second step codesign --deep --force --timestamp --verify --verbose \ --options runtime --sign "Developer ID Application:***" "OBS.app" The obs app fails to launch due to some errors. Can anyone please guide me which step I might be doing wrong, Much Appreciated. Thanks

Please provide a descriptive title for your feedback: Downloading Developer ID provisioning profiles - missing new entitlements Which area are you seeing an issue with? App Store Connect What type of feedback are you reporting? Incorrect/Unexpected Behavior Please provide the App name/App ID if possible: com.onexengineering.themedeck.macos Please describe the issue and what steps we can take to reproduce it bug in App Store Connect where downloading Developer ID provisioning profiles are missing the new entitlements regenerated from scratch -- App Store Connect says entitlements are good, but actual file confirms entitlements are missing App Store provisioning profiles seem to be unaffected (ignore my incorrect naming of files)

I have downloaded the ShinyTV example to test simplified sign-in on tvOS since it is not working in my own app, and I am having the same issue there. After assigning my team to the sample app, the bundle ID updates with my team id. I copy the bundle ID into a file entitled "apple-app-site-association" with this format: { "webcredentials": { "apps": [ "{MyTeamID}.com.example.apple-samplecode.ShinyTV{MyTeamID}" ] } } I upload the file to my personal site, ensuring that the content type is application/json. I adjust the Associated Domain entitlement to: webcredentials:*.{personal-site.com}?mode=developer using the alternate mode to force it to load from my site, not the CDN. When I run the build on tvOS, and click the Sign In button, it fails with these errors: Failed to start session: Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 "Failed to prepare authorization requests" UserInfo={NSMultipleUnderlyingErrorsKey=( "Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 \"Missing associated web credentials domains\" UserInfo={NSLocalizedDescription=Missing associated web credentials domains}" ), NSLocalizedDescription=Failed to prepare authorization requests} Session failed: Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 "Failed to prepare authorization requests" UserInfo={NSMultipleUnderlyingErrorsKey=( "Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 \"Missing associated web credentials domains\" UserInfo={NSLocalizedDescription=Missing associated web credentials domains}" ), NSLocalizedDescription=Failed to prepare authorization requests} ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)" UserInfo={NSMultipleUnderlyingErrorsKey=( "Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 \"(null)\"" )} Failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Failed to prepare authorization requests" UserInfo={NSMultipleUnderlyingErrorsKey=( "Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 \"Missing associated web credentials domains\" UserInfo={NSLocalizedDescription=Missing associated web credentials domains}" ), NSLocalizedDescription=Failed to prepare authorization requests} What am I missing here?

We have been struggling to get support and answeres regarding this roadblock : Request in whitelisting of the NFC Tag Reading and Writing (NDEF) entitlement for our iOS application Our application utilizes Core NFC to enable reading and writing of NFC tags, simplifying user interactions with NFC-enabled devices and services. The NDEF entitlement is essential for our app to deliver its core functionality effectively. Build Environment: Our app is developed and built using Xcode 16.4 on Codemagic’s cloud-based CI/CD platform, which utilizes a compatible macOS version (e.g., macOS Sonoma 14.4 or later). The app targets iOS 18 and uses Core NFC APIs for NDEF tag reading and writing. so far we cant get it to read or write as ios is restricking us

Hello Everyone, I am currently building an app using React Native with Swift bridging, integrating VoIP functionality using Twilio, PushKit, and CallKit. I am encountering the following issue during development: "The current provisioning profile doesn't include the com.apple.developer.voip-push-notification entitlement." What I’ve Done So Far: VoIP Certificate: I have created a valid VoIP Services certificate in the Apple Developer portal. Bundle Identifier and Provisioning Profile: A new Bundle ID was created specifically for this app. I created a provisioning profile for this Bundle ID and downloaded it for use in Xcode. Xcode Capabilities Push Notifications: Enabled Background Modes: Voice over IP: Enabled, Remote notifications: Enabled Entitlements File I have an entitlements file named VoiceCallDemoProjectRelease.entitlements with the following content: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>aps-environment</key> <string>development</string> <key>com.apple.developer.voip-push-notification</key> <true/> </dict> </plist> This entitlements file is properly linked in the project’s build settings. Project Setup I have integrated PushKit for VoIP push handling and CallKit for incoming call UI and control. Problem: In the Apple Developer portal under my App ID settings, I only see an option to enable Push Notifications. There is no option available to enable Voice over IP, and therefore the provisioning profile generated does not include the com.apple.developer.voip-push-notification entitlement. Despite enabling VoIP background mode in Xcode, adding the entitlement in my project, and using a valid VoIP certificate, the profile does not include the required entitlement. Additional Information: I am using an Individual Apple Developer Account, not an Organization account. I have already attempted re-downloading the provisioning profile, restarting Xcode, and cleaning the build folder. Question: What steps should I take to resolve this and ensure that the com.apple.developer.voip-push-notification entitlement is included in my provisioning profile? Is this limitation due to the type of developer account (individual vs. organization), and do I need to upgrade to an Organization account to access this entitlement? Is there any way to request for 'com.appple.developer.voip-push-notification' entitlement to Apple Team ? Any clarification would be appreciated. Thank you.

Hello Engineers My app was rejected with the message below, BUT I don't have this entitlements in my project! I already removed all Xcode files under ${HOME}/Developer/Xcode, but the problem still alive! Guideline 2.4.5(i) - Performance In order to continue reviewing your app, we require additional information. Your app uses one or more entitlements which do not appear to have matching functionality within the app. Please reply to this message in App Store Connect and describe how and where the app uses the following entitlements. You will not need to upload a new binary to provide this information. Apps should have only the minimum set of entitlements necessary for the app to function properly. If there are entitlements that are not needed, please remove them and submit an updated binary. You will need to Developer Reject the app to upload an updated version. "com.apple.security.assets.pictures.read-write" "com.apple.security.assets.movies.read-write" "com.apple.security.assets.music.read-write" "com.apple.security.files.downloads.read-write" Here my entitlements: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>group.org.eof.apps</string> </array> <key>com.apple.security.files.user-selected.read-write</key> <true/> </dict> </plist> code-block Who or where are these entitlements inserted? Which button should be clicked to deactivate them? Link to my project: DRFXBuilder Regards

We’re exploring the use of Apple’s Automatic Assessment Configuration entitlement for an iOS app currently in the proof-of-concept stage. We’re enrolled in the Apple Developer Program with an active subscription. Both the Account Holder and team members have accepted all relevant license agreements. However, when we try to access the entitlement request form at: 👉 https://developer.apple.com/contact/request/automatic-assessment-configuration/ We are immediately redirected to: 🚫 https://developer.apple.com/unauthorized/ This happens for all team members, including the Account Holder, so it doesn’t appear to be a role-specific permissions issue. The app is still in the proof-of-concept stage — there’s no App Store listing or App ID yet. We’re trying to confirm entitlement eligibility before proceeding further. Questions: Is an App Store listing or App ID required to access this request form? Are there any hidden prerequisites (account permissions, team roles, prior submissions, etc.) that need to be fulfilled? Has anyone here successfully submitted this form — and if so, what steps or conditions were required? Any guidance or shared experience would be greatly appreciated. Thanks in advance!

The online documentation for fs_snapshot_create, which is on a website which apparently I'm not allowed to link to on this forum, mentions that some entitlement is necessary, but doesn't specify which one. Searching online I found someone mentioning com.apple.developer.vfs.snapshot, but when adding this to my entitlement file and building my Xcode project, I get the error Provisioning profile "Mac Team Provisioning Profile: com.example.myApp" doesn't include the com.apple.developer.vfs.snapshot entitlement. Searching some more online, I found someone mentioning that one has to request this entitlement from DTS. Is this true? I couldn't find any official documentation. I actually want to make a snapshot of a user-selected directory so that my app can sync it to another volume while avoiding that the user makes changes during the sync process that would make the copy inconsistent. Would fs_snapshot_create be faster than traversing the chosen directory and creating clones of each nested file with filecopy and the flag COPYFILE_CLONE? Although I have the impression that only fs_snapshot_create could make a truly consistent snapshot.

Hi there! I've been getting this error when I've checked multiple times that I've included the right entitlements as well as provisiong profile. My one concern is that perhaps I'm unable to submit to internal or external TestFlight with Family Controls (Development) and need the one for distrubution, but have yet to submit my appplication for this ability. If anyone has any inisght into this issue lmk!

Has anyone here encountered this? It's driving me crazy. It appears on launch. App Sandbox is enabled. The proper entitlement is selected (com.apple.security.files.user-selected.read-write) I believe this is causing an issue with app functionality for users on different machines. There is zero documentation across the internet on this problem. I am on macOS 26 beta. This error appears in both Xcode and Xcode-beta. Please help! Thank you, Logan

Hello Apple Developer Community, I'm experiencing a persistent issue with App Groups configuration for an iOS app extension that I can't resolve despite trying multiple approaches. I hope someone can help identify what I'm missing. Problem Description I'm getting this error when trying to build my iOS App Extension: Provisioning profile "iOS Team Provisioning Profile: com.idlrapp.Spleeft.SpleeftDataSaver" doesn't include the com.apple.developer.app-groups entitlement. My Setup Main App Bundle ID: com.idlrapp.Spleeft Extension Bundle ID: com.idlrapp.Spleeft.SpleeftDataSaver App Group ID: group.com.idlrapp.spleeft.shared Extension Type: Action Extension (Share Sheet) What I've Verified App Group Creation ✅ Created App Group group.com.idlrapp.spleeft.shared in Apple Developer Portal ✅ App Group shows as "Active" in the portal App ID Configuration ✅ Both App IDs (com.idlrapp.Spleeft and com.idlrapp.Spleeft.SpleeftDataSaver) have "App Groups" capability enabled ✅ Both App IDs are configured with the same App Group: group.com.idlrapp.spleeft.shared Entitlements Files Main App (Spleeft.entitlements): Extension (SpleeftDataSaver.entitlements): Xcode Configuration ✅ Both targets use "Automatically manage signing" ✅ Same Apple Developer Team selected for both ✅ App Groups capability shows correctly in Signing & Capabilities for both targets The Issue When I examine the downloaded .mobileprovision file, I can see it contains: However, Xcode expects to find: What I've Tried Multiple regenerations of provisioning profiles: Deleted all local provisioning profiles Toggled "Automatically manage signing" off/on Downloaded manual profiles from Developer Portal Verified App Group configuration: Double-checked App Group exists and is active Confirmed both App IDs have App Groups capability enabled Verified App Group assignment in both App IDs Entitlements cleanup: Ensured consistent App Group IDs across all files Removed duplicate/conflicting entries Clean builds and cache clearing: Product → Clean Build Folder Derived Data deletion Xcode restart Key Observation The provisioning profile contains com.apple.security.application-groups (which appears to be macOS-style) but Xcode expects com.apple.developer.app-groups (iOS-style) for the App Extension. The main app builds fine, but the extension consistently fails with this entitlement mismatch. Questions Is there a known issue with App Groups entitlement generation for iOS App Extensions? Should the provisioning profile contain com.apple.developer.app-groups instead of com.apple.security.application-groups? Is there a way to force regeneration of provisioning profiles with the correct entitlements? Are there additional steps required for App Extensions that differ from main apps? Any guidance would be greatly appreciated. This is blocking our App Extension development and we've exhausted our troubleshooting options. Environment: Xcode: [Tu versión de Xcode] iOS Deployment Target: [Tu target] Developer Account: [Paid/Individual/Team] Thank you for your time and assistance.

Hello Apple Developer Community, I'm experiencing a persistent issue with App Groups configuration for an iOS app extension that I can't resolve despite trying multiple approaches. I hope someone can help identify what I'm missing. Problem Description I'm getting this error when trying to build my iOS App Extension: Provisioning profile "iOS Team Provisioning Profile: com.idlrapp.Spleeft.SpleeftDataSaver" doesn't include the com.apple.developer.app-groups entitlement. My Setup Main App Bundle ID: com.idlrapp.Spleeft Extension Bundle ID: com.idlrapp.Spleeft.SpleeftDataSaver App Group ID: group.com.idlrapp.spleeft.shared Extension Type: Action Extension (Share Sheet) What I've Verified App Group Creation ✅ Created App Group group.com.idlrapp.spleeft.shared in Apple Developer Portal ✅ App Group shows as "Active" in the portal App ID Configuration ✅ Both App IDs (com.idlrapp.Spleeft and com.idlrapp.Spleeft.SpleeftDataSaver) have "App Groups" capability enabled ✅ Both App IDs are configured with the same App Group: group.com.idlrapp.spleeft.shared Entitlements Files Main App (Spleeft.entitlements): <key>com.apple.developer.app-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> Extension (SpleeftDataSaver.entitlements): <key>com.apple.developer.app-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> Xcode Configuration ✅ Both targets use "Automatically manage signing" ✅ Same Apple Developer Team selected for both ✅ App Groups capability shows correctly in Signing & Capabilities for both targets The Issue When I examine the downloaded .mobileprovision file, I can see it contains: <dict> <key>com.apple.security.application-groups</key> <array> <string>group.com.idlrapp.spleeft.shared</string> </array> <!-- Other entitlements... --> </dict> However, Xcode expects to find: <array> <string>group.com.idlrapp.spleeft.shared</string> </array> What I've Tried Multiple regenerations of provisioning profiles: Deleted all local provisioning profiles Toggled "Automatically manage signing" off/on Downloaded manual profiles from Developer Portal Verified App Group configuration: Double-checked App Group exists and is active Confirmed both App IDs have App Groups capability enabled Verified App Group assignment in both App IDs Entitlements cleanup: Ensured consistent App Group IDs across all files Removed duplicate/conflicting entries Clean builds and cache clearing: Product → Clean Build Folder Derived Data deletion Xcode restart Key Observation The provisioning profile contains com.apple.security.application-groups (which appears to be macOS-style) but Xcode expects com.apple.developer.app-groups (iOS-style) for the App Extension. Questions Is there a known issue with App Groups entitlement generation for iOS App Extensions? Should the provisioning profile contain com.apple.developer.app-groups instead of com.apple.security.application-groups? Is there a way to force regeneration of provisioning profiles with the correct entitlements? Are there additional steps required for App Extensions that differ from main apps? Any guidance would be greatly appreciated. This is blocking our App Extension development and we've exhausted our troubleshooting options. Thank you for your time and assistance.

Invalid Provisioning Profile. The provisioning profile included in the bundle XXX.XXX.XX [Payload/Runner.app/PlugIns/OneSignalNotificationServiceExtension.appex] is invalid. [Missing code-signing certificate]. A Distribution Provisioning profile should be used when submitting apps to the App Store. For more information, visit the iOS Developer Portal. With error code STATE_ERROR.VALIDATION_ERROR.90161 for id 81c3cef4-fefe-468d-910c-cf7a4b5377a8 Any help? I have tried to create new provisioning profile and identifiers but still get this error when uploading app to the App Store.

AVCaptureVideoDataOutput.preparesCellularRadioForNetworkConnection requires com.apple.developer.avfoundation.video-data-output-prepares-cellular-radio-for-machine-readable-code-scanning. But I cannot acquire its entitlement. I can't find its entitlement on 'Certificates, Identifiers &amp; Profiles'. Any solutions? Provisioning profile "iOS Team Provisioning Profile: ......" doesn't include the com.apple.developer.avfoundation.video-data-output-prepares-cellular-radio-for-machine-readable-code-scanning entitlement.