Having trouble getting the endpoint-security entitlement working

I got the permission from Apple (yay), and when I generate a profile on the portal, I can select it. But when I download it... it doesn't have it. Looking at the profile on the portal again, it says I have "Enabled Capabilities Endpoint Security, In-App Purchase". (Although how did that get there?)

Replies

Although how did that get there?

I presume you’re referring to the In-App Purchase capability. If so, that’s expected. It’s shown for all non-wildcard App IDs.

But when I download it... it doesn't have it.

I presume that the first two instances of “it” mean “the provisioning profile” and the last one means “the Endpoint Security entitlement in its allow list”. How are you checking for that?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Ok, sorry for the confusing use of pronouns. I should have paid them more.

I added the com.apple.developer.endpoint-security.client entitlement to the entitlements file for the app. I created a profile, using the portal, that had Endpoint Security as an additional entitlement; it was signed with our Developer ID certificate. I downloaded the newly-created profile, and examined it using emacs: it did not have the com.apple.developer.endpoint-security.client entitlement in it. For the executable (which kept getting killed, of course), I saw that there was a complaint about signature and profile mismatch in system.log, so I used codesign and cms to look at the entitlements and profile for the executable, and the com.apple.developer.endpoint-security.client entitlement was not in the cms output.

Thanks for the clarification. That does, indeed, seem weird.

When you click on the info button next to the ES capability in your App ID, what do you see? See the screen shot below for what I’d expect to see.

Oh, one more thing:

I added the com.apple.developer.endpoint-security.client entitlement to the entitlements file for the app.

What do you mean by “app” here? There are two ways to use ES:

  • System extension

  • launchd daemon

In the first case this entitlement belongs on the sysex itself, not on the app. And these have different bundle IDs, and hence different App IDs, and hence different provisioning profiles. You need to make sure that you’re checking the credentials for the sysex’s bundle ID.

If you’re building a launchd daemon, following the approach suggested in Signing a Daemon with a Restricted Entitlement, there’s only one bundle ID in place and so it’s hard to get mixed up (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


  1. It's a launchd-driven app
  2. Two screenshots attached here, one showing an edited version of the downloaded provisioning profile, and the other showing the app id from the developer portal

  • grrrr apple did not email me despite this thread being marked as watched.


The first screen shot is missing the specific info I was looking for. Click on the info button next to the ES capability and post a screen shot that includes that. See how, in my example, there’s a popup showing the supported platforms and distribution models.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I thought ES was only available on macOS. Here it is:

I thought ES was only available on macOS.

That’s correct. My goal was to confirm the Distribution Support value was correct, and it seems to be.

It's a launchd-driven app

Everything on our platforms is driven by launchd one way or another. I’m interpreting this to mean that it’s a launchd daemon in an app wrapper, per Signing a Daemon with a Restricted Entitlement. Let me know if that’s wrong.

Earlier you wrote:

I created a profile, using the portal, that had Endpoint Security as an additional entitlement; it was signed with our Developer ID certificate. I downloaded the newly-created profile … it did not have the com.apple.developer.endpoint-security.client entitlement in it.

I just walked through that process and it’s working for me. Here’s what I did specifically:

  1. In Certificates, Identifiers and Profiles, I selected Identifiers on the left.

  2. I clicked the add button and registered a new, explicit App ID, making sure to enable Endpoint Security under Additional Capabilities.

  3. Back in Certificates, Identifiers and Profiles, I selected Profiles on the left.

  4. I clicked the add button, selected Distribution > Developer ID, and clicked Continue.

  5. I chose the App ID from step 2 and clicked Continue.

  6. I walked through the rest of the profile generation process.

  7. I clicked Download to download the profile.

As you can see, the profile has the ES entitlement in its allowlist:

% security cms -D -i Test698942D_DevID.provisionprofile | plutil -convert xml1 -o - -
    …
    <key>Entitlements</key>
    <dict>
        …
        <key>com.apple.developer.endpoint-security.client</key>
        <true/>
        …
    </dict>
    …
</dict>
</plist>

Please run through this process and let me know what results you get.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
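As an added example (not code from this thread or from Apple), here is the check Quinn performs above with `security cms -D` and `plutil`, done in Python so it runs offline: pull the embedded XML plist out of a profile, classify the profile, and compare its entitlement allowlist against the restricted entitlements the app's .entitlements file claims, so that the mismatch described earlier in the thread (entitlement claimed by the binary, absent from the profile) and the bundle-ID mix-up Quinn warns about for system extensions both show up as explicit problems. The sample profile plist and entitlements are constructed; the `profile_kind` heuristic (ProvisionsAllDevices for Developer ID, ProvisionedDevices for development) and the byte-scanning extraction, which does not verify the CMS signature, are this example's own assumptions.

```python
"""Inspect a provisioning profile's entitlement allowlist offline.

Added example, not code from the thread or from Apple.  On macOS the real
decode is `security cms -D -i foo.provisionprofile | plutil -convert xml1 -o - -`.
"""
import plistlib
from typing import Any, Dict, Iterable, List

# --- Constructed sample data (not a real profile) ---------------------------
# The XML plist a Developer ID profile carries.  A real .provisionprofile wraps
# this in a CMS SignedData envelope; junk bytes stand in for that below.
SAMPLE_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>Example Developer ID profile</string>
    <key>Platform</key>
    <array><string>OSX</string></array>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>TeamIdentifier</key>
    <array><string>ABCDE12345</string></array>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.application-identifier</key>
        <string>ABCDE12345.com.example.esdaemon</string>
        <key>com.apple.developer.team-identifier</key>
        <string>ABCDE12345</string>
    </dict>
</dict>
</plist>
"""
SAMPLE_PROFILE = (b"\x30\x82\x10\x00CMS-envelope-stand-in"
                  + SAMPLE_PROFILE_PLIST + b"signature-stand-in")

# What the daemon's .entitlements file claims (constructed; hypothetical team ID).
SAMPLE_APP_ENTITLEMENTS: Dict[str, Any] = {
    "com.apple.developer.endpoint-security.client": True,
    "com.apple.developer.team-identifier": "ABCDE12345",
}

# Restricted entitlements the caller wants checked.  Only restricted ones must
# appear in the profile's allowlist; unrestricted ones (sandbox, hardened
# runtime exceptions) never do, so checking every key would give false alarms.
RESTRICTED_KEYS = [
    "com.apple.developer.endpoint-security.client",
    "com.apple.developer.system-extension.install",
]


def extract_profile_plist(profile_bytes: bytes) -> Dict[str, Any]:
    """Locate and parse the XML plist embedded in a profile blob.

    Assumption: the signed content is an XML plist stored verbatim inside the
    CMS envelope.  The signature is NOT verified here; this only reads it.
    """
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])


def profile_kind(profile: Dict[str, Any]) -> str:
    """Heuristic (assumption) for the distribution method a profile was cut for."""
    if profile.get("ProvisionsAllDevices"):
        return "developer-id"   # no device list: provisions any Mac
    if "ProvisionedDevices" in profile:
        return "development"    # tied to specific device UDIDs
    return "other"


def check_profile(profile: Dict[str, Any], bundle_id: str,
                  claimed: Dict[str, Any], restricted_keys: Iterable[str]) -> List[str]:
    """Return human-readable problems; an empty list means the profile covers the app."""
    problems: List[str] = []
    allowed = profile.get("Entitlements", {})
    app_id = allowed.get("com.apple.application-identifier", "")
    # Explicit App IDs look like TEAMID.bundle.id; a sysex and its host app differ here.
    expected = {f"{team}.{bundle_id}" for team in profile.get("TeamIdentifier", [])}
    if app_id not in expected:
        problems.append(f"application-identifier {app_id!r} is not for bundle ID {bundle_id!r}")
    for key in restricted_keys:
        if key not in claimed:
            continue
        if key not in allowed:
            problems.append(f"{key} is claimed by the app but absent from the profile allowlist")
        elif allowed[key] != claimed[key]:
            problems.append(f"{key}: app claims {claimed[key]!r}, profile allows {allowed[key]!r}")
    return problems


if __name__ == "__main__":
    prof = extract_profile_plist(SAMPLE_PROFILE)
    print("profile kind:", profile_kind(prof))
    for p in check_profile(prof, "com.example.esdaemon", SAMPLE_APP_ENTITLEMENTS, RESTRICTED_KEYS):
        print("PROBLEM:", p)
```

Run against a real profile by reading the .provisionprofile bytes and the output of `codesign -d --entitlements :- <binary>` parsed with plistlib; a non-empty problem list is the condition that produces the signature/profile mismatch in system.log.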

I just did all that, and got the same results I have been getting. I have tried creating a brand new one, and deleting the old one(s) and recreating, I have tried having App Groups + System Extension, I have tried with only Endpoint Security. I have looked at the downloaded file using vi, and with 'security cms'.

I am, at this point, going to make a screen recording, and file a TSI. I really hope it'll be obvious what I'm doing wrong 😩.

Quinn discovered it! I only got permission for it for development, while I was creating the profile with distribution.

Now to figure out how to get it for distribution...

(Since Quinn and I are 8 hours apart, temporally, this took back&forth a couple of days communicating via TSI.)

Since Quinn and I are 8 hours apart, temporally, this took back & forth a couple of days

Yep )-:

For those reading along at home, when you receive approval to use a special entitlement, like this Endpoint Security additional capability, make sure to read the accompanying email from the approval folks. It might look like boilerplate but often it contains critical tidbits. In this case the capability was approved for development signing only, and hence the problem discussed in this thread.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

In my defense, I missed the word "only" in "approved for development only" -- the one I need it for is a "Developer ID" and that shares many of the same letters.

Why can't I find Additional Capabilities > Endpoint Security when creating Identifiers? Is there a problem or a missing step?

I can’t see your second screen shot )-: but below is an example of what you should be seeing.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • I was unable to use my Apple developer account to create a provisioning profile file with Endpoint Security permissions.

    What should I do about this problem? Can you help me?


oh, sorry! here it is!

Did you apply for access to the capability? There’s a link to the form on the docs page.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Thank you for your answer, which solved my trouble!
