macOS Autonomous Single App Mode

I am setting up Autonomous Single App Mode for macOS, following the guide:
https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

My app is also signed like this:

To be granted access, applications must be signed with the specified bundle identifier and team identifier using an
Apple-issued production developer certificate. Applications must specify the com.apple.developer.assessment
entitlement with a value of true.

But when the app is launched, it just crashes, saying something like "code signature is invalid".
If I remove the new "com.apple.developer.assessment" from the entitlements, it will launch normally.

So how do I make it work?



This is a special entitlement that must be granted to you by Apple. To use this special entitlement you need two things:
  • The entitlement added to your entitlements.plist

  • A provisioning profile that includes this entitlement in its allowlist

It sounds like you’ve done the first. What about the second?

Note that Xcode does not know how to deal with special entitlements and thus you must switch to manual signing.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

eskimo, thanks for your response. I will try to apply a provisioning profile first.

My app is built and signed using the command line.
After the app is built, I use codesign to sign the whole app, like:
codesign --force --verify --verbose --entitlements XXX.entitlements --options runtime --sign "Developer ID Application: XXX" XXX.app

How to sign it with the provisioning profile? I did not find any related parameter in codesign.
Accepted Answer

How to sign it with the provisioning profile? I did not find any
related parameter in codesign.

The profile isn’t included in the code signature, at least not directly. Rather, the profile must be embedded within your bundle at a known path, namely Contents/embedded.provisionprofile.

IMPORTANT Make sure to copy it in before you sign the app because doing so afterwards will break the seal on the code signature.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
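
Added example, not part of the original thread and not Apple's code: a Python check that the profile copied to Contents/embedded.provisionprofile allowlists every entitlement the app is signed with, which is the second requirement listed in the first reply. It assumes the plist payload sits contiguously inside the profile's CMS wrapper, does not verify the CMS signature, and uses constructed sample data (TEAMID and com.example.kiosk are placeholders).

```python
import plistlib

def profile_payload(raw: bytes) -> dict:
    """Extract the plist from a profile's CMS wrapper (signature is NOT verified)."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def _covers(granted, requested) -> bool:
    """True if the value the profile grants covers the value the app claims."""
    if isinstance(requested, list):
        return all(_covers(granted, r) for r in requested)
    if isinstance(granted, list):
        return any(_covers(g, requested) for g in granted)
    if isinstance(granted, str) and isinstance(requested, str) and granted.endswith("*"):
        return requested.startswith(granted[:-1])  # e.g. profile grants "TEAMID.*"
    return granted == requested

def unauthorized(app_entitlements: dict, profile: dict) -> list:
    """Entitlement keys the app claims that the profile does not allowlist."""
    granted = profile.get("Entitlements", {})
    return sorted(key for key, value in app_entitlements.items()
                  if key not in granted or not _covers(granted[key], value))

# Constructed sample data; TEAMID and com.example.kiosk are placeholders.
SAMPLE_PROFILE = b"\x30\x82\x01\x00" + plistlib.dumps({
    "Entitlements": {
        "com.apple.application-identifier": "TEAMID.*",
        "com.apple.developer.team-identifier": "TEAMID",
    },
}) + b"\x00signature-bytes"
SAMPLE_APP_ENTITLEMENTS = {
    "com.apple.application-identifier": "TEAMID.com.example.kiosk",
    "com.apple.developer.team-identifier": "TEAMID",
    "com.apple.developer.assessment": True,
}

if __name__ == "__main__":
    missing = unauthorized(SAMPLE_APP_ENTITLEMENTS, profile_payload(SAMPLE_PROFILE))
    print("not allowlisted by profile:", missing)
```

The check treats every claimed key as needing profile authorization, so entitlements that do not require a profile would be listed as well. On macOS, `security cms -D -i` is the robust way to decode a real profile.
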
Hi eskimo,

I failed to apply the provisioning profile containing this entitlement "com.apple.developer.assessment".

When I created the new profile, there was no step to set the entitlement.
Then I went to edit the app identifier related to the new profile, but still did not find "com.apple.developer.assessment" in the capabilities list.
I only found an MDM-related item named "com.apple.developer.associated-domains.mdm-managed", which had no effect.

I’m familiar with two assessment special entitlements:
Neither of these match the entitlement listed in the document you referenced (com.apple.developer.assessment). I don’t know if that’s a bug in that doc or a limitation of my understanding of these entitlements. Annoyingly, the modern documentation for this feature doesn’t cover entitlements at all.

At this point I recommend that you open a DTS tech support incident and talk to our assessment expert about this issue.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"