My chromium based browser distributing outside the app store got the "com.apple.developer.web-browser.public-key-credential" entitlement and singed with a developer profile. But it seems to work partially since "AuthenticationServicesHelper" asks for the machine password each time we try to signin through passkey (in Github) while Google account throws an error to create passkey though it shows we can create them. I think Apple doesn't trust the App inspite of the entitlement. how do we resolve this?

The driver does not show up in the app settings after switching to “DriverKit USB Transport - VendorID”. Previously, the app used “DriverKit USB Transport (development)” and everything worked as expected. The entitlements looked like this: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.driverkit</key> <true/> <key>com.apple.developer.driverkit.transport.usb</key> <array> <dict> <key>idVendor</key> <string>*</string> </dict> </array> </dict> </plist> I received approval to use “DriverKit USB Transport - VendorID”. I updated the App ID configuration in the portal, removed all development entitlements, updated the provisioning profile, and edited the driver’s .entitlements as follows: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.driverkit</key> <true/> <key>com.apple.developer.driverkit.transport.usb</key> <array> <dict> <key>idVendor</key> <integer>1111</integer> </dict> </array> </dict> </plist> The app installs on an iPad with an M processor, but the driver does not appear in the settings. In the logs I see the following: 272 debug 19:50:42.005193+0300 installd 7935 signing bytes in 5 blob(s) from /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.bugkAE/extracted/Payload/****.app/SystemExtensions/****Driver.dext/****.Driver(arm64) 272 debug 19:50:42.012068+0300 installd open(/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.bugkAE/extracted/Payload/****.app/SystemExtensions/net.svedm.****.SDRDriver.dext/Info.plist,0x0,0x1b6) = 4 272 debug 19:50:42.012712+0300 installd 0xc2e14c618 done serializing <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>application-identifier</key><string>****.Driver</string><key>com.apple.application-identifier</key><string>****</string><key>com.apple.developer.driverkit</key><true/><key>com.apple.developer.driverkit.transport.usb</key><array><dict><key>idVendor</key><integer>3034</integer></dict></array><key>com.apple.developer.team-identifier</key><string>****</string><key>com.apple.security.get-task-allow</key><true/><key>get-task-allow</key><true/></dict></plist> 0 error 19:53:08.930054+0300 kernel Sandbox: MyApp(844) deny(1) sysctl-read kern.bootargs 0 error 19:53:08.931571+0300 kernel Sandbox: driverkitd(77) deny(1) syscall-unix 284 syscall-unix-denied-SIGKILL 0 error 19:53:09.985946+0300 kernel 1 duplicate report for Sandbox: driverkitd(77) deny(1) syscall-unix 284 syscall-unix-denied-SIGKILL 0 error 19:53:09.985985+0300 kernel Sandbox: MyApp(844) deny(2) file-test-existence /usr/bin/swift-backtrace 0 error 19:53:09.986011+0300 kernel Sandbox: MyApp(844) deny(2) file-test-existence /usr/bin/arm64e But I don’t quite understand what is going wrong. Any ideas?

We are developing an iOS application with a key feature designed to enhance user safety: real-time assessment of Wi-Fi network security. The "Safe Wi-Fi" feature aims to inform users about the security level of the Wi-Fi network they are currently connected to. Our goal is to provide this information seamlessly and continuously, even when the user isn't actively using the app. Currently, we've implemented this feature using a NWPathMonitor. The limitation of NWPathMonitor is that it doesn't function when the app is in a kill state. We are looking for guidance on how to achieve persistent Wi-Fi security monitoring in the background or when the app is killed. Is there any API (Public, Special API, etc) or a recommended approach that allows for real-time Wi-Fi connection monitoring (including connection changes and network details) even when the app is not actively running or is in a kill state. Thank you in advance for your help.

Hello everyone, I'm a new developer who just finished building my app. I'm now preparing to submit it to the App Store but wanted to beta-test it first via TestFlight. During the upload process, I encountered an error prompting me to add sandbox entitlements, which I did. The app successfully made it to TestFlight, and I invited myself and a few fellow developers to test it. However, we're running into an issue: On first launch, the app displays a popup directing users to Privacy & Security > Accessibility to grant permissions. The sandboxed version does not show the app as a toggle in Accessibility settings. Manually adding the app via the + button and selecting it directly doesn’t seem to resolve the permission issue. I understand that I may need additional entitlements depending on the app's functionality, but I'm unsure which ones are required. Specifically: Which entitlement controls whether the app appears in Accessibility settings? Additionally: How can I test these permission workflows locally (without re-uploading to TestFlight) to verify fixes before resubmitting? Any guidance on debugging this—whether related to entitlements, sandboxing, or local testing—would be greatly appreciated! Thanks in advance.

Hi everyone, We’ve enabled both StoreKit External Purchase and StoreKit External Purchase Link entitlements for our app (“RoadRecord útnyilvántartó”) and confirmed they are active in Xcode and App ID configuration. However, the App Store Connect interface still does not display the section to configure the External Purchase Link (nor the “Alternative Payment” section), which blocks us from submitting the app. When trying to submit the app, we see this error: “To submit this app version, you must first set up your account for alternative payment.” There’s no UI to complete this step in App Store Connect. Case ID: 14557560 App ID: 1441553506 We’ve contacted Developer Technical Support and were advised to post here for escalation and further technical investigation. Any help or confirmation from Apple staff would be greatly appreciated. We are ready to submit as soon as the UI becomes available. Thanks! Gábor

I have tried multiple time through multiple channels and you have yet to respond to my request. I am developing an App on xcode APP Bundle ID: garymdmd.MediaPace Apple ID: 6740823496 Apple has granted me distribution use of the Family Control/Screentime module for my main app. According to your engineer's post here: https://developer.apple.com/forums/thread/764919 That permission should be extended to your extensions that are part of the app. When you try to setup the extension identifiers they do not show the "added capabilities" column that sow sup when getting permission for the main app so you are not able to endow the extension with these permissions which seem to be needed to work with the app. I am trying to add these bundle identifier extensions: garymdmd.MediaPace.ScreenTimeMonitorDuo garymdmd.MediaPace.DeviceActivityReport Can you please tell me how to get this to work or to add permissions to these extensions. I have sent in the request form multiple times (here - https://developer.apple.com/contact/request/family-controls-distribution) and Apple simply writes back that I have permission after a few weeks but nothing changes for the extension capabilities.

Hi Team! Has anyone found a reliable way to detect CarPlay connection without the app needing to be in the foreground? I’m exploring a concept where, for example, as someone nears home while driving, a prompt appears on the CarPlay screen asking “Would you like to turn on the lights / open garage?” triggered by proximity and CarPlay connection. Would be cool to have it work automatically, but knowing you're in the car is kind of important. From what I can see, apps can’t reliably detect CarPlay connection unless they’re actively open on the CarPlay screen. Most background detection methods (like external screen connect notifications) appear deprecated. That is, unless you're specifically approved as a "messaging" or "navigation" app that appear to get special privilages to send alerts from the background. If I send an alert (or poll Carplay periodically) it just gives silent/dead response. Is there any approach, framework, entitlement, or UI pattern that could allow a passive trigger or background detection while driving with CarPlay connected? I can't see any way to bring an app to the foreground either. Not looking to abuse any rules... just want to understand if anyone’s found a clean, approved workaround. Thanks in advance!

You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

Hello, I upgraded my Apple Developer account from free to paid (Individual), but I cannot enable “Background Modes” (specifically “Location updates”) for any of my App IDs—including both old App IDs created while on the free account and brand new App IDs created after upgrading. When I go to Apple Developer Portal &gt; Identifiers &gt; [select App ID] &gt; Edit, the option for “Background Modes” is missing from the list of capabilities. This is preventing me from enabling required entitlements for background location in Xcode, and all provisioning profiles fail with errors such as: Provisioning profile "iOS Team Provisioning Profile: [my bundle id]" doesn't include the com.apple.developer.location.always and com.apple.developer.location.background entitlements. Steps I’ve Taken: Upgraded to a paid Apple Developer Program (verified in my account). Created new App IDs after upgrading—Background Modes is still missing. Created new Xcode projects with new App IDs and bundle identifiers—same result. Refreshed provisioning profiles, cleaned Xcode, logged out/in—no change. Contacted Apple Support; advised to file a Code-Level Support request, but the issue is with the portal/App ID capabilities, not my code. My Question: Has anyone experienced this issue where Background Modes capability is missing for all App IDs, even after upgrading to a paid account? Is there any workaround, or does this require intervention from Apple Developer Support to “unlock” the missing capabilities for my developer account? Any insight or advice would be appreciated! Thank you.

I tried to test out the new Wi-Fi aware framework but encountered the issue in the title. My operation steps are as follows: 1) create a hello world project using Xcode 26.0 beta 2) add Wi-Fi Aware entitlement and service following the sample code in "Building peer-to-peer apps" 3) run my code on an iPhone 16 Pro and fail at the building stage. The error message is "Provisioning profile "iOS Team Provisioning Profile: [my project name]" doesn't include the com.apple.developer.wifi-aware entitlement." I also tried to build the sample app but faced the same issue.

We are working on a screen capture app. I have provisioning setup for a developer id certificate for do direct distribution and a distribution certificate for Mac Store distribution; I submitted the app to the store with the distribution certificate provisioning active. We need to add documentation so while we are waiting, we decided to distribute the app directly and this is where the problems come in. I made the developer id certificate and archive-&gt;exported the app. Then I manually stapled the app with "xcrun stapler staple Madshot360.app". I created a dmg file with the exported app. The problems are; The app captures screen area with ScreenCaptureKit. A prior version of the app used a development certificate. When a user runs this new developer id cert app. the macos gets confused because it doesn't connect the new version to the already permissioned older app version. The user has to manually delete the old permission and then restart the app so the new version creates a new record which can then be enabled. This is confusing for the user since the permission says the app is enabled but it really isn't. We experimented with IT using a command line to delete the old app permission. That did not remove the old permission but now the user can't delete this record at all. What can I do to force the removal of a permission that is broken. The command we ran was this. "sudo tccutil reset ScreenCapture com.madwire.Madshot360" The app used to display it's normal warning that screen recording needed the users permission. This is the permission I talk about above. Now there is a second permission screen that states the following; "Madshot360" is requesting to bypass the system private window picker and directly access your screen and audio. This will allow Madshot360 to record your screen and system audio, including personal or sensitive information that may be visible or audible. Allow, Open System Settings. This is basically what the normal alert does. Why the second window and how can I stop it from appearing when the user has already allowed it. Is it because the binary is distributed directly from my computer? Summary: What can I do when a permission is broken? Is there a command that IT can use to remove any old permissions before installing the app. This app is to be used internally. Is there a command line that will remove a specific app's permission before installing the app? Remember, the command line I showed you basically further broke the permissions for this app. What is causing this second warning dialog to be displayed?

Hi All. I'm working on Single-Sign-On feature in my application to let customers sign into their TV Provider. I need to add Video Subscriber SSO entitlement (com.apple.developer.video-subscriber-single-sign-on) to the app, but I found out that it's a special entitlement, need to contact Apple to enable it for my Apple account. On https://developer.apple.com/account I navigated to Support -&gt; Contact Us -&gt; Development and Technical -&gt; Entitlements and ask in the email about missing entitlement (ticket ID 102478794279). The support team couldn't help me, they redirected me to the operations team. I've been waiting for a few months now but they inform me to keep waiting. Is there a better way to contact Apple and get Video Subscriber SSO entitlement in an efficient way?

We have a Mac app that uses some restricted macOS entitlements, thus to test it we embed a development provisioning profile, that needs to contain the correct provisioning UDID. Typically, for test VMs, we extract the provisioning and UDID and add it to the developer portal and then re-generate the provisioning profiles. However when we try to do this in our newly created VM (Apple Silicon), our executable won't run, and macOS logs that the provisioning profile doesn't allow the device: 2025-06-12 12:37:52.168 E taskgated-helper[27489:e97da] [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///Applications/foo.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.} 2025-06-12 12:37:52.169 E taskgated-helper[27489:e97da] [com.apple.ManagedClient:ProvisioningProfiles] Disallowing com.company.foo because no eligible provisioning profiles found 2025-06-12 12:37:52.169 Df amfid[112:e99b0] [com.apple.xpc:connection] [0xb34c74a00] invalidated because the current process cancelled the connection by calling xpc_connection_cancel() 2025-06-12 12:37:52.169 Df taskgated-helper[27489:e97da] [com.apple.xpc:connection] [0x839144000] invalidated because the client process (pid 112) either cancelled the connection or exited 2025-06-12 12:37:52.169 E amfid[112:e91ac] [com.apple.MobileFileIntegrity.framework:default] Failure validating against provisioning profiles: &lt;private&gt; 2025-06-12 12:37:52.169 E amfid[112:e91ac] [com.apple.MobileFileIntegrity.framework:default] Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=&lt;private&gt;, NSLocalizedDescription=No matching profile found} 2025-06-12 12:37:52.169 Df amfid[112:e91ac] /Applications/foo.app/Contents/MacOS/foo not valid: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=file:///Applications/foo.app/, NSLocalizedDescription=No matching profile found} The UDID for this VM does look weird, in System Profiler: But I can verify that this UDID string is present in the provisioning profile embedded in the app bundle: $ security cms -D -i /Applications/foo.app/Contents/embedded.provisionprofile | grep -i 7cd9234e9aa4fa8ba528ee417f857b2c993a20a3 &lt;string&gt;7CD9234E9AA4FA8BA528EE417F857B2C993A20A3&lt;/string&gt; I also tried deleting the manually added device from the Developer portal and installing Xcode on the VM and letting Xcode register the device, but I end up in the same situation there. Even after letting Xcode itself register the device, it says that "this device not registered to your account" and then when I click "Register device" it changes into " already exists". Has anyone else managed to get Mac development provisioning profiles to work in a VM?

I'm developing a CarPlay version of my app, with the CarPlay EV Charging App entitlement (com.apple.developer.carplay-charging). However, I would like to use the Search template to searching for charging stations — but it seems this template is only available for Navigation Apps(maps). In this case, what is the recommended approach? Is it possible to apply both entitlements simultaneously and use the Search template only?

My app is approved for the Web Browser Public Key Credential Request managed capability and has it added to its App ID Configuration: It has been added to my entitlements file: I am able to build and run unit tests in Xcode locally using my managed profile. When I push changes and Xcode Cloud tries to build and run the app, I get the following error: Mirrai encountered an error (Failed to install or launch the test runner. (Underlying Error: Could not launch “MirraiTests”. Runningboard has returned error 5. Please check the system logs for the underlying cause of the error. (Underlying Error: The operation couldn’t be completed. Launch failed. (Underlying Error: Launchd job spawn failed)))) Removing just the com.apple.developer.web-browser.public-key-credential entitlement, with no other changes, results in all tests passing on Xcode Cloud. Some thoughts: In project settings, the test target has a different bundle id (appending Tests to the app bundle id). Under "Certificates, Identifiers & Profiles," the managed capability is added to the bundle id but it is an explicit bundle id and not a wildcard. Do I need to apply for the managed capability for the test bundle id as well? Or for a wildcard bundle id? xcodebuild-test-without-building.log

Xcode Cloud is unable to run unit tests for a MacOS target after adding a restricted capability (keychain-access-groups). Have tried setting both manual and automatic signing (with a Mac OS development profile). The tests run on my locally fine, but when pushed to Xcode Cloud the crash report indicates a Code Signing Issue, downloading the Artifact for Test Products for AppTests and viewing the app contents I noted that when built locally embedded.provisionprofile appears within the App/Contents that doesn't appear in Xcode Cloud. To reproduce, create a new MacOS app with a test plan, run a Test job (successfully runs) then add the capability for Keychain Sharing: <array> <string>$(AppIdentifierPrefix)com.transmedics.RemoteView.group</string> </array> to the entitlements. Run the job again and tests with the project fails in Xcode Cloud, with code signing issues in the crash report.

Dear Girls, Guys and Engineers. I'm currently building a Home Network Scanner App for People which want to know which Bonjour Devices are in her/his Home Network environment. From an older Question I got the answer, that I need an Entitlement to do this. I started to work on the App and requested the Multicast Entitlement from Apple. They gave me the Entitlement for my App and now I'm trying to discover all devices in my Home Network but I got stuck and need Help. I only test direct on device, like the recommendation. I also verified that my app is build with the multicast entitlement there where no problems. My problem is now, that is still not possible to discover all Bonjour services in my Home Network with the Help of the NWBrowser. Can you please help me to make it work ? I tried to scan for the generic service type: let browser = NWBrowser(for: .bonjour(type: "_services._dns-sd._udp.", domain: nil), using: .init()) but this is still not working even tough I have the entitlement and the app was verified that the entitlement is correctly enabled if I scan for this service type, I got the following error: [browser] nw_browser_fail_on_dns_error_locked [B1] Invalid meta query type specified. nw_browser_start_dns_browser_locked failed: BadParam(-65540) So what's the correct way now to find all devices in the home network ? Thank you and best regards Vinz

Hello everyone, Our team is currently developing a PTT (Push-to-Talk) application using the officially recommended PushToTalk framework. During development, we've encountered a point of confusion regarding the application's behavior after being force-quit by the user. Based on our understanding of the PushToTalk framework documentation (https://developer.apple.com/documentation/pushtotalk/creating-a-push-to-talk-app/) and the PTChannelManager session restoration mechanism, when a user manually kills the app from the background (App Switcher), the current PTT session (the system session managed by PTChannelManager) should terminate. Subsequent pushtotalk type pushes sent via APNS, without an active session, appear to be silently discarded by the system and cannot wake the app for processing (similar to what Kevin Elliott DTS mentioned in https://developer.apple.com/forums/thread/760506 Point D). This seems to prevent reliable PTT message reception in our app after a user force quits. However, we've observed that some popular PTT applications on the market (e.g., TenTen) appear to successfully receive and play PTT voice messages from friends even after the user has performed a force-quit action. This behavior seems inconsistent with our test results and understanding based on the standard framework, posing a challenge for us in providing similar reliability using standard methods. This naturally leads us to wonder how this capability is achieved. We've reviewed developer forums and are aware of the historical existence of a PTT-specific com.apple.developer.pushkit.unrestricted-voip entitlement, which allowed PushKit usage for PTT without CallKit binding. While Apple DTS engineers have repeatedly stated this entitlement is being deprecated and urged migration to the PushToTalk framework (e.g., https://developer.apple.com/forums/thread/763289), we are curious if the observed "wake-after-force-quit" capability might be related to some apps potentially still utilizing this outgoing special entitlement. Alternatively, is there perhaps a mechanism within the standard PushToTalk framework that allows wake-up after force quit that we haven't fully grasped? Therefore, we'd like to ask fellow developers for clarification and discussion: When using the standard PushToTalk framework, have others confirmed that the app indeed cannot be woken up by pushtotalk pushes after being force-quit by the user? Is this the expected behavior? Has anyone successfully achieved a TenTen-like experience (reliable PTT reception after force quit) using only the standard PushToTalk framework? If so, could you share key implementation insights or areas to focus on? (e.g., Is it related to specific usage patterns of the restorationDelegate?) How do you view this potential discrepancy between standard framework capabilities and the behavior exhibited by some apps? What considerations does this bring to development planning and user experience design (especially when users might have expectations set by the "always-on" behavior of other apps)? Are there any best practices or specific techniques when using PTChannelManager session management and restoration that maximize PTT message reliability (especially after the app is terminated by the system in the background), while still adhering to the framework's design principles (like user awareness of the session via UI)? [For instance, another developer raised challenges related to PTT framework restrictions here: https://developer.apple.com/forums/thread/773981] We hope this discussion can help clarify our understanding of the framework and gather community best practices for building reliable PTT functionality while adhering to Apple's guidelines. Thanks for any insights or shared experiences!

How do I gain access to the com.apple.developer.nearby-interaction entitlement for third-party accessory use with Qorvo DWM3001CDK? I've read the documentation but it is not available in Xcode Capabilities. What is the approval process?

Problem Statement We are experiencing a critical and persistent issue preventing the successful signing and building of our iOS application. The core problem is that provisioning profiles, whether automatically generated by Xcode or manually created in the Apple Developer Portal, consistently fail to include the UIBackgroundModes entitlement, leading to a build failure. Specific Question Why are provisioning profiles generated via the Apple Developer Portal and/or Xcode's automatic signing process consistently omitting the UIBackgroundModes entitlement for our App ID, even when this capability is explicitly configured in Xcode? We seek guidance or backend intervention to ensure our provisioning profiles include the necessary entitlement. Expected Outcome We expect to be able to successfully build and sign our iOS application, with provisioning profiles that correctly include the UIBackgroundModes entitlement, allowing for proper implementation of remote notifications. Observed Symptoms Primary Build Error: Consistent build failure with the exact error message: "Automatic signing failed: Provisioning profile 'iOS Team Provisioning Profile: com.scott.ultimatefix' doesn't include the UIBackgroundModes entitlement." Missing Entitlement in Profile (Confirmed by Inspection): Direct inspection of downloaded .mobileprovision files (including those manually generated in the Developer Portal for com.scott.ultimatefix) consistently shows the absence of the UIBackgroundModes entry within the section of the Entitlements dictionary. The aps-environment key for Push Notifications is present, indicating Push Notifications are enabled, but Background Modes are not. Certificates Correctly Recognized in Xcode: Our "Apple Development: Stephen Criscell Scott" and "Apple Distribution: Stephen Criscell Scott" certificates are correctly displayed and recognized in both Keychain Access and Xcode's Preferences &gt; Accounts &gt; Manage Certificates window (without "Not in Keychain" status). Furthermore, the Signing &amp; Capabilities tab for the target in Xcode now correctly shows Signing Certificate: Apple Development: Stephen Criscell Scott. Persistent Issue Across Resets: The problem persists despite extensive local cache invalidation, Xcode reinstallation, and even testing in a fresh macOS user account (which confirmed the issue was not user-specific).