Entitlement values for the Enhanced Security and the Additional Runtime Platform Restrictions

Privacy & Security General
1024jp OP
Created 3w
Replies 3
Boosts 0
Views 848
Participants 3

I recently turned on the enhanced security options for my macOS app in Xcode 26.0.1 by adding the Enhanced Security capability in the Signing and Capabilities tab. Then, Xcode adds the following key-value sets (with some other key-values) to my app's entitlements file.

	<key>com.apple.security.hardened-process.enhanced-security-version</key>
	<integer>1</integer>
	<key>com.apple.security.hardened-process.platform-restrictions</key>
	<integer>2</integer>

These values appear following the documentation about the enhanced security feature (Enabling enhanced security for your app) and the app works without any issues.

However, when I submitted a new version to the Mac App Store, my submission was rejected, and I received the following message from the App Review team via the App Store Connect.

Guideline 2.4.5(i) - Performance

Your app incorrectly implements sandboxing, or it contains one or more entitlements with invalid values. Please review the included entitlements and sandboxing documentation and resolve this issue before resubmitting a new binary.

  • Entitlement "com.apple.security.hardened-process.enhanced-security-version" value must be boolean and true.
  • Entitlement "com.apple.security.hardened-process.platform-restrictions" value must be boolean and true.

When I changed those values directly in the entitlements file based on this message, the app appears to still work. However, these settings are against the description in the documentation I mentioned above and against the settings Xcode inserted after changing the GUI setting view.

So, my question is, which settings are actually correct to enable the Enhanced Security and the Additional Runtime Platform Restrictions?

Answered by DTS Engineer in 862162022

If you haven't already, please file bugs on this and then post the bug number back here.

Answering your question here "officially":

So, my question is, which settings are actually correct to enable the Enhanced Security and the Additional Runtime Platform Restrictions?

Xcode is using the correct values:

<key>com.apple.security.hardened-process.enhanced-security-version</key>
<integer>1</integer>
...
<key>com.apple.security.hardened-process.platform-restrictions</key>
<integer>2</integer>

For obvious reason, App Review uses an automated system to validate that entitlements have the correct value and format, and that's what's causing the rejection. They're working to sort that out now.

I'd try replying to them and link them the documentation pages, asking them to double check.

Unfortunately, it doesn't help that the documentation has issues (r.162641480) as well and claims that one of those values should be a string.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

Replies  3
Boosts  0
Views  848
Participants  3
kthchew OP
2w

So, for testing, I created a short Swift program that intentionally triggers a protection behind the platform restrictions entitlement:

import Foundation
import MachO

var port: mach_port_t = UInt32(MACH_PORT_NULL)
mach_port_allocate(mach_task_self_, MACH_PORT_RIGHT_RECEIVE, &port)
mach_port_insert_right(mach_task_self_, port, port, mach_msg_type_name_t(MACH_MSG_TYPE_MAKE_SEND))
mach_port_move_member(mach_task_self_, port, 1000)

In my testing, this crashes (as expected) with the EXC_GUARD exception type when com.apple.security.hardened-process.platform-restrictions is an integer set to 2 (just as the documentation and Xcode says). It does not crash when it is a boolean set to true.

That suggests to me that App Review is mistaken. I'd try replying to them and link them the documentation pages, asking them to double check.

1
DTS Engineer OP
Apple
2w
Accepted Answer
Recommended

If you haven't already, please file bugs on this and then post the bug number back here.

Answering your question here "officially":

So, my question is, which settings are actually correct to enable the Enhanced Security and the Additional Runtime Platform Restrictions?

Xcode is using the correct values:

<key>com.apple.security.hardened-process.enhanced-security-version</key>
<integer>1</integer>
...
<key>com.apple.security.hardened-process.platform-restrictions</key>
<integer>2</integer>

For obvious reason, App Review uses an automated system to validate that entitlements have the correct value and format, and that's what's causing the rejection. They're working to sort that out now.

I'd try replying to them and link them the documentation pages, asking them to double check.

Unfortunately, it doesn't help that the documentation has issues (r.162641480) as well and claims that one of those values should be a string.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

1
DTS Engineer OP
Apple
2w

Following your advice, I sent an explanation of this situation to the store review and requested a new review.

Following up on this, your app has now been approved.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

1
Entitlement values for the Enhanced Security and the Additional Runtime Platform Restrictions
First post date Last post date
 
 
Q