"Provisioning profile does not allow this device" on Sequoia 15.2 VM

After upgrading the virtual machines used for building and testing our macOS application, it seems that something new in Sequoia is preventing virtual machines from running anything signed with a Mac Development certificate.

At first glance the issue seems very similar to this thread, but it could be unrelated. We are using the tart toolset to build and run our VMs. People seem to be having related issues there with Sequoia in particular.

I have added the VM's hardware UUID to the Devices list of our account. I have included that device in the devices list of our Mac Development provisioning profile. I have re-downloaded the profile, ensured that it is properly getting built into the app, and ensured that the hardware UUID of the VM matches the embedded provisioning profile:

Virtual-Machine App.app/Contents % system_profiler SPHardwareDataType | grep UUID                                                                  
      Hardware UUID: 0CAE034E-C837-53E6-BA67-3B2CC7AD3719
Virtual-Machine App.app/Contents % grep 0CAE034E-C837-53E6-BA67-3B2CC7AD3719 ../../App.app/Contents/embedded.provisionprofile
Binary file ../../App.app/Contents/embedded.provisionprofile matches

However, when I try to run the application, it fails, and while I have searched the system logs to find a more informative error message, the only thing I can find is that the profile doesn't match the device somehow:

Virtual-Machine App.app/Contents % open ../../App.app 
The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x6000039440f0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}

Virtual-Machine App.app/Contents % log show --info --debug --signpost --last 3m | grep -i embedded.provisionprofile
2025-01-21 16:33:32.369829+0000 0x65ba     Error       0x0                  2872   7    taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] embedded provisioning profile not valid: file:///private/tmp/builds/app/.caches/Xcode/DerivedData/Build/Products/Debug/App.app/Contents/embedded.provisionprofile error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.}

I don't understand why the provisioning profile wouldn't allow the device if the hardware UUID matches. I have also attempted to add the Provisioning UDID in the devices list instead, but the form rejects that value because it's a different format (the form specifically requests a hardware UUID for macOS development, and a provisioning UDID for everything else).

If there is any debugging tool that lets me check a provisioning profile against the running hardware and print a more verbose reason for why it's not allowed on the device, please let me know.

Otherwise I'd have to conclude that, since I haven't experienced this issue before on an earlier OS, it has something to do with virtual machines running macOS Sequoia. (The same Mac Development-signed application runs just fine on my MacBook Pro running 15.2, as well as the VM host, which is also running 15.2.) I have also tried resetting the VM's hardware UUID and adding that one to the devices list, to no effect.

This is obviously seriously impacting our CI/CD pipelines to allow for proper UI testing of our application. If anyone is aware of any workarounds, I would love to hear them!

Answered by DTS Engineer in 822691022
Written by jckbiggs in 822451022
I have filed FB16398210

Ta!

I can confirm that it’s landed in the right place. Unfortunately, I’ve no info to share as to how we’re gonna about fixing this. For updates, keep an eye on Feedback Assistant.

Written by jckbiggs in 822451022
would I be able to contact developer support to remove the erroneous devices from my account?

It certainly wouldn’t hurt to ask.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Written by jckbiggs in 773051021
ensured that the hardware UUID of the VM matches the embedded provisioning profile

You should be using the Provisioning UDID field. The fact that macOS 15 guests and the Developer website disagree as to whether that UDID format is valid is something that Apple needs to investigate [1]. I’ve asked about this internally already, but I’d appreciate you filing a bug about this and posting your bug number here. We’ll use that to track this issue.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Notably, macOS 14 guests use a UDID format that’s matches that used by real hardware:

SonomaGuest % sw_vers
ProductName:            macOS
ProductVersion:         14.1.2
BuildVersion:           23B92
SonomaGuest % system_profiler SPHardwareDataType
Hardware:

    Hardware Overview:

      …
      Provisioning UDID: 0000FE00-9C4ED9F68BBDC72D
      …

This is acceptable to the Developer website.

I'm guessing you've discovered this by now, but just so other folks can see, here's what the same data looks like on Sequoia:

Sequoia-Virtual-Machine ~ % sw_vers
ProductName:		macOS
ProductVersion:		15.2
BuildVersion:		24C101

Sequoia-Virtual-Machine ~ % system_profiler SPHardwareDataType
Hardware:

    Hardware Overview:

      ...
      Hardware UUID: C4D11F94-0B5C-5D18-909F-9F5B4B4FD382
      Provisioning UDID: b043d27202c7ac37ca3c6b82673302225485cae9
      ...

The latter value is not accepted on the Apple Developer website devices list and is blocking a legitimate and important use case for us and likely many others. I have filed FB16398210 and look forward to hearing back, it might be a faster solution to allow the UDID to be entered in any format on the devices list, but that's just my suggestion. :)

Also, if this is a legitimate issue, would I be able to contact developer support to remove the erroneous devices from my account? I can only disable them and I don't want them to count towards my device limit if they aren't ever going to work.

Written by jckbiggs in 822451022
I have filed FB16398210

Ta!

I can confirm that it’s landed in the right place. Unfortunately, I’ve no info to share as to how we’re gonna about fixing this. For updates, keep an eye on Feedback Assistant.

Written by jckbiggs in 822451022
would I be able to contact developer support to remove the erroneous devices from my account?

It certainly wouldn’t hurt to ask.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I don’t have any news to share about FB16398210, but I did want to pass along a potentially useful titbit: While macOS 15 will create VMs with the new UDID format, it’s able to run existing VMs that were created with the old format.

I recently bumped into this issue and I was able to work around it by firing up my macOS 15.1 VM. I’d created that VM on macOS 14, so it got the old format. I’m now running macOS 15.2, and it was able to boot and run this old VM just fine.

I realise that this isn’t a real solution to this problem, but it might be a useful option for some of you.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Now that we’ve fixed the issue described in this other thread, and thus it’s possible to encounter this problem in Xcode, I wanted to share a description of how it fails in that case. When you add a restricted entitlement to your Mac app, causing Xcode to try to create a provisioning profile for it, you see this error in Signing & Capabilities:

An attribute in the provided entity has invalid value

An invalid value 'UUU' was provided for the parameter 'udid'

Where UUU is the provisioning UDID of the virtual Mac.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm also hitting into this same issue (unable to add a VM's Provisioning UDID to the developer portal). Would it be worthwhile to file an additional feedback issue, or just watch this thread for updates to FB16398210?

Written by Toonetown in 824275022
Would it be worthwhile to file an additional feedback issue … ?

There’s no need to do it from our perspective. The only benefit to you is that you’ll be notified in Feedback Assistant when the issue is resolved.

If you do file a bug, be clear that you want it dup’d to FB16398210 to that it doesn’t generate unnecessary thrash.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I have logged FB16495166 as well. Please feel free to set it as a duplicate of FB16398210

"Provisioning profile does not allow this device" on Sequoia 15.2 VM
 
 
Q