Hello,
I'm developing a feature for my app, that allows users to challenge their friends. The friend request functionality is built using Universal Links, but I've run into a significant issue.
The Universal Links are correctly deep-linking into the app. However, once the app opens, nothing happens—the friend request acceptance or rejection flow does not occur. This prevents users from completing friend requests and building their friend list.
Here are examples of the Universal Links I'm generating:
https://www.strike-force.app/invite?type=invite&userID=...
https://www.strike-force.app/invite?type=invite&friendRequestID=...
https://www.strike-force.app/profile?userID=...
I've recently updated my cloudflare-worker.js to serve a paths array of ["*"] in the AASA file, so I believe the links themselves should be valid.
Technical Details & Error Logs
In the console, I am consistently seeing the following error message:
Cannot issue sandbox extension for URL:https://www.strike-force.app/invite?token=7EF1E439-090B-4DF2-BE64-9904F50A3F8B
Received port for identifier response: <(null)> with error:Error Domain=RBSServiceErrorDomain Code=1 "Client not entitled" UserInfo={RBSEntitlement=com.apple.runningboard.process-state, NSLocalizedFailureReason=Client not entitled, RBSPermanent=false} elapsedCPUTimeForFrontBoard couldn't generate a task port
This error appears to be related to entitlements and process state, but I am not sure if it's the root cause of the Universal Link issue or a separate problem. The 'Client not entitled' error on line 3 has had me chasing down entitlements issues. But, I've added the Associated Domains entitlement with the proper applink URLs and verified this in my Developer Portal. I've regenerated my provisioning profile, manually installed it, and selected/de-selected Automatically Manage Signing. As well I've verified my AASA file and it's correctly being served via HTTPS and returning a 200.
curl -i https://strike-force.app/.well-known/apple-app-site-association
curl -i https://www.strike-force.app/.well-known/apple-app-site-association
I am looking for guidance on why the friend request flow is not being triggered after a successful deep-link and how I can fix the related error.
Any insights or suggestions would be greatly appreciated.
Entitlements
RSS for tagEntitlements allow specific capabilities or security permissions for your apps.
Selecting any option will automatically load the page
Post
Replies
Boosts
Views
Activity
This issue keeps cropping up on the forums and so I decided to write up a single post with all the details. If you have questions or comments:
If you were referred here from an existing thread, reply on that thread.
If not, feel free to start a new thread. Use whatever topic and subtopic is appropriate for your question, but also add the Entitlements tag so that I see it.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Determining if an entitlement is real
In recent months there’s been a spate of forums threads involving ‘hallucinated’ entitlements. This typically pans out as follows:
The developer, or an agent working on behalf of the developer, changes their .entitlements file to claim an entitlement that’s not real. That is, the entitlement key is a value that is not, and never has been, supported in any way.
Xcode’s code signing machinery tries to find or create a provisioning profile to authorise this claim.
That’s impossible, because the entitlement isn’t a real entitlement. Xcode reports this as a code signing error.
The developer misinterprets that error [1] in one of two ways:
As a generic Xcode code signing failure, and so they start a forums thread asking about how to fix that problem.
As an indication that the entitlement is managed — that is, requires authorisation from Apple to use — and so they start a forums thread asking how to request such authorisation.
The fundamental problem is step 1. Once you start claiming entitlements that aren’t real, you’re on a path to confusion.
Note If you’re curious about how provisioning profiles authorise entitlement claims, read TN3125 Inside Code Signing: Provisioning Profiles.
There are a couple of ways to check whether an entitlement is real. My preferred option is to create a new test project and use Xcode’s Signing & Capabilities editor to add the corresponding capability to it. Then look at what Xcode did. You might find that Xcode claimed a different entitlement, or added an Info.plist key, or did nothing at all.
IMPORTANT If you can’t find the correct capability in the Signing & Capabilities editor, it’s likely that this feature is available to all apps, that is, it’s not gated by an entitlement or anything else.
Another thing you can do is search the documentation. The vast majority of real entitlements are documented in Bundle Resources > Entitlements.
IMPORTANT When you search for documentation, focus on the Apple documentation. If, for example, you search the Apple Developer Forums, you might be mislead by other folks who are similarly confused.
If you find that you’re mistakenly trying to claim a hallucinated entitlement, the fix is trivial:
Remove it from your .entitlements file so that your app starts to build again.
Then add the capability using Xcode’s Signing & Capabilities editor. This will do the right thing.
If you continue to have problems, feel free to ask for help here on the forums. See the top of this post for advice on how to do that.
[1] It’d be nice if the Xcode errors were more clear in this case (r. 155327166).
Commonly Hallucinated Entitlements
This section lists some of the more commonly hallucinated entitlements:
com.apple.developer.push-notifications — The correct entitlement is aps-environment (com.apple.developer.aps-environment on macOS), documented here. There’s also the remote-notification value in the UIBackgroundModes property.
com.apple.developer.in-app-purchase — There’s no entitlement for in-app purchase. Rather, in-app purchase is available to all apps with an explicit App ID (as opposed to a wildcard App ID).
com.apple.InAppPurchase — Likewise.
com.apple.developer.app-groups — The correct entitlement is com.apple.security.application-groups, documented here. And if you’re working on the Mac, see App Groups: macOS vs iOS: Working Towards Harmony.
com.apple.developer.background-modes — Background modes are controlled by the UIBackgroundModes key in your Info.plist, documented here.
UIBackgroundModes — See the previous point.
com.apple.developer.voip-push-notification — There’s no entitlement for this. VoIP is gated by the voip value in the UIBackgroundModes property.
com.apple.developer.family-controls.user-authorization — The correct entitlement is com.apple.developer.family-controls, documented here.
IMPORTANT As explained in the docs, this entitlement is available to all developers during development but you must request authorisation for distribution.
com.apple.developer.managed-settings — If you’re trying to use the ManagedSettings framework, that has the same restrictions as Family Controls. If you’re trying to use the ManagedApp framework, that’s not gated by an entitlement.
com.apple.developer.callkit.call-directory — There’s no entitlement for the Call Directory app extension feature.
com.apple.developer.nearby-interaction — There’s no entitlement for the Nearby interaction framework.
com.apple.developer.secure-enclave — On iOS and its child platforms, there’s no entitlement required to use the Secure Enclave. For macOS specifically, any program that has access to the data protection keychain also has access to the Secure Enclave [1]. See TN3137 On Mac keychain APIs and implementations for more about the data protection keychain.
com.apple.developer.networking.configuration — If you’re trying to configure the Wi-Fi network on iOS, the correct entitlement is com.apple.developer.networking.HotspotConfiguration, documented here.
[1] While technically these are different features, they are closely associated and it turns out that, if you have access to the data protection keychain, you also have access to the SE.
The capability associated with "FAMILY_CONTROLS" could not be determined. Please file a bug report at https://feedbackassistant.apple.com and include the Update Signing report from the Report navigator.
Topic:
Code Signing
SubTopic:
Entitlements
I added a extension called Call Directory to an IOS app as we want to call blocking and caller id. I was able to add App Groups to both runner and CallDirectory. I cannot see of add Call Directory capability. Am I missing something. I added the extension through the Call Directory Target template. If I try to add this to CallDirectory.enitlements manually com.apple.developer.callkit.call-directory
call-blocking
caller-identification
i recieve this signing error. Provisioning profile "iOS Team Provisioning Profile: "" doesn't include the com.apple.developer.callkit.call-directory entitlement. I cannot add Call Directory to an identifier in Apple Developer either.
Hello,
I'm working in Xcode Version 16.4. I have not been able to sign in without errors. I've paid for the dev account. I've created certificates. Downloaded and uploaded CSRs. Use background mode, not used background mode. Nothing seems to work. Thank you for looking into this! Hopefully you can point me in the right direction or find a solution. Attached screenshots with errors.
Topic:
Code Signing
SubTopic:
Entitlements
Hi, I have a .NET MAUI app which I've added subscriptions to using the Plugin.InAppBilling nuget package. When I tested on TestFlight I got an almost immediate crash. After doing some research I followed advice to add an Entitlements.plist file to Platforms > iOS with the following entry:
com.apple.developer.in-app-purchase
The distribution provisioning profile I'm using to sign my app has the App ID set to an Identifier which has "In-App Purchase" ticked, but greyed out in it's "Capabilities" section on https://developer.apple.com/. I'm not sure why it's ticked and greyed out, but I assume that means that "In-App Purchase" is enabled.
The app runs file locally but when I create an IPA file and add it to Transporter for upload to App Store Connect I get the following error:
"Validation failed (409)
Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, key 'com.apple.developer.in-app-purchase' in 'Payload/[Removed].app/[Removed]' is not supported. (ID: [Removed])".
Here is the structure of my csproj code for creating a IPA file for iOS:
The command I use:
dotnet publish [Removed]/app.csproj -f:net9.0-ios -c:Release ^
/p:PlatformTarget=Arm64 ^
/p:RuntimeIdentifier=ios-arm64 ^
/p:ServerAddress=[Removed] ^
/p:ServerUser=[Removed] ^
/p:ServerPassword=[Removed] ^
/p:ArchiveOnBuild=true ^
/p:BuildIpa=true
I'm stuck trying to figure this out. If you could please point out any issues with what I'm doing or if you have any suggestions to resolve the problem I would very much appreciate it.
Thanks,
Ben
Hello everyone,
I'm hoping to find a solution for a critical issue that is blocking my app's submission to the App Store.
My app uses the Screen Time API and therefore has a main app and a DeviceActivityMonitor extension.
The main app has been successfully granted the Family Controls (Distribution) entitlement. However, the DeviceActivityMonitor extension is stuck with only the Family Controls (Development) entitlement.
This mismatch causes my build to fail during the archive/distribution process with the error:
"Provisioning profile failed qualification. Profile doesn't support Family Controls (Development)."
This is a hard blocker, as the extension is a mandatory part of the API. I have already filled out the entitlement request form and also contacted Developer Support (Case #102666581576), who confirmed they could not assist and directed me here.
My question is:
What is the correct procedure to escalate or resolve the issue of a required extension not receiving the distribution-level Family Controls entitlement after the main app has already been approved?
Has anyone else encountered this specific "Development" vs. "Distribution" mismatch and found a definitive way to resolve it? Any guidance would be greatly appreciated.
Thank you!
Hi Apple Developer Community,
I'm experiencing an issue with Family Controls entitlements for my iOS app that I'd like to discuss and see if others have encountered similar problems.
Background:
My app (BrightStart) uses Family Controls to help users build healthy morning routines by temporarily blocking distracting apps until they complete a sunlight exposure session. The core functionality relies on automatic time-based blocking (e.g., block social media apps from 6-8am daily).
The Problem:
I have Family Controls working perfectly in development builds, but I'm blocked from distributing via TestFlight due to entitlement issues with my Device Activity Monitor extension.
Technical Details:
Main app bundle ID: app.brightstart.app
✅ Has both "Family Controls (Development)" and "Family Controls (Distribution)" options available
Extension bundle ID: app.brightstart.app.BrightStartMonitorExtension
❌ Only shows "Family Controls (Development)" - no Distribution option
Error when archiving for TestFlight:
❌ Provisioning profile failed qualification
Profile doesn't support Family Controls (Development).
Family Controls (Development) feature is for development only.
Please use Family Controls (Distribution) for distribution.
Impact:
Cannot upload to TestFlight for beta testing
Native FamilyActivityPicker falls back to mock UI in distributed builds
Automatic scheduled app blocking (via DeviceActivityMonitor) doesn't function in production
Questions for the community:
Has anyone successfully gotten "Family Controls (Distribution)" enabled for a Device Activity Monitor extension?
Is this a known limitation, or should I expect this option to be available?
Are there alternative approaches for time-based automatic app blocking that work in distribution builds?
Should I contact Apple Support directly about enabling this entitlement for the extension?
Btw, Cursor wrote this summary above, so it could be just hallucinating the issue? Would really appreciate anyone's thoughts here.
Good afternoon,
Our team is currently developing a mobile application that includes video call functionality, and we are seeking the optimal approach to enable incoming calls on iOS devices.
Ideally, we would like calls to be delivered even when the app is completely closed or after the device is restarted. As I understand it, this may require obtaining VoIP permissions; otherwise, calls may only work when the app is open or running in the background.
I would appreciate it if you could confirm my understanding and advise me on the steps or requirements for obtaining the appropriate permissions.
Currently, when I try to launch the app in XCode, I see an error (screenshot).
Hi All,
Like many others I'm a little confused with gaining access to the family controls capability.
Our app is ready to push to testflight, and we sent the request to apple last week. However only learning today that we need to request for the shield extension as well.
I wanted to ask what the expected timeline is for being approved?
I've seen posts here saying less than a week, and some people having to wait longer than 6 weeks.
Any advise or guidance on getting approved smoothly & swiftly would be highly appreciated
Hello Apple support,
A few days ago, I received an e-mail granting the entitlement for Critical Alerts to my app VIAWEB Mobile, bundle ID br.com.viawebsystem.VIAWEBservice . This was my second attempt: in the first time I requested the entitlement for all our apps, but it was denied. This time I requested for just our main app, and now it was approved.
I have just followed several tutorials and instructions available on the Internet, but I couldn't enable this capability in my app. What I tried and where I stopped:
In my Xcode 16.4, target "VIAWEB Mobile", Signing & Capabilities, All: unchecked the Automatic manage signing and checked again, selected the correct Team. In the iOS section, Xcode Managed Profile, click in the little "i" and there is no Critical Alerts in the Capabilities list, nor com.apple.developer.usernotifications.critical-alerts in the Entitlements list. And so, there is no Critical Alerts in the "+ Capability" window.
If I go to Certificates, Identifiers & Profiles, Identifiers, and click to edit my App ID Configuration, there is no Critical Alerts to enable in the Capabilities list. In Capability Requests, I just see the plus sign next to Critical Alerts (to make an additional request), and the status Approved when I click on View Requests (2).
Can you provide me with updated instructions on how I can enable this entitlement for my app?
Thank you! Best regards,
The VIAWEB Developer Team.
I'm trying to help out one of our vendors by building a skeleton PCI dext which they can flesh out.
However, I can't seem to get the signing right.
I can't sign it at all using no team or my personal team. "Signing for requires a development team", and "Personal development teams ... do not support the System Extension capability".
I can't sign the driver because "DriverKit Team Provisioning Profile: doesn't match the entitlements file's value for the com.apple.developer.driverkit.transport.pci entitlement.
I think this problem occurs because our company has already been assigned a transport.pci entitlement, but for our own PCI vendor ID. But I want to build and test software that works with our vendor's PCI device.
I tried generating a profile for the driver manually, it contained only our own company's PCI driver match:
IOPCIPrimaryMatch = "0x0000MMMM&0x0000FFFF";
where MMMM is our own PCI vendor ID.
Is there a better way to inspect the profile Xcode is using than the postage-stamped sized info popup which truncates the information? I would download the generated profile but it doesn't appear on the profile, but Xcode is accessing it from somewhere.
When I look at the available capabilities I can add to an app identifier on the Developer portal, I see com.apple.developer.driverkit.transport.usb, which is "development only". There's no "development only" capability for PCI. Does this mean it isn't possible to develop even a proof-of-concept PCI driver without being first granted the DriverKit PCI (Primary Match) entitlement?
When adding capabilities to a driver, the list of available capabilities shown in Xcode has one "DriverKit PCI (Primary Match) entry", but if I double click it, two such entries appear in the Signing and Capabilities tab for my driver target. On the Developer portal, when I look at my driver's Identifier, there are two Capabilities labelled DriverKit PCI (Primary Match). Why?
I have an app that runs as a status bar app, mostly. I have set the following in the info.plist file for the app:
<key>Application is agent (UIElement)</key>
<true/>
However, I get a compile error:
Provisioning profile Mac Team Provisioning Profile: yout.Drive doesn't include the Application is agent (UIElement) entitlement.
Checking the entitlements, I do not see this entitlement anywhere. Where and how do I set this?
Hello,
Unable to see the App Sandbox entitlement while creating a new App ID. Have tried to recreate APP ID multiple times. Don't see the option in Developer portal.
We've been trying to get the CarPlay Navigation Entitlement for a couple years now without much luck.
Did you have a similar experience? How did you succeed getting the entitlement?
Part of the form requires us to submit Screenshots. Did you provide screenshots of your on-device experience or wireframe for CarPlay?
How was your experience?
Hi everyone, I'm working with a third party to integrate their USB driver into our app and I'm wondering if iPadOS supports bundling a prebuilt .systemextension file with the entitlement com.apple.developer.system-extension.redistributable into our app that has the com.apple.developer.driverkit.communicates-with-drivers entitlement?
If not, is there a way to bundle a third party USB driver into our iPad app?
Hello community,
I'm new here, so please excuse my blunt question. I'm trying to understand how everything works and the logic behind it.
I have an idea for an app which requires the FamilyControl entitlement. Now I am not sure if the idea even works, so I wanted to test it on my own device.
Am I correct, that I cannot even test an App with such entitlements without paying for the ADP? Not even on my own device?
I completely understand I need to be a member in the ADP if I want to distribute my app, but I'm not there, yet, and I just want to do a proof-of-concept.
I thought I can't be the first one with that question, but couldn't find a past topic on this, so I'm posting it.
Regards,
Niklas
Two months ago we got approval for using the Notification Filtering entitlement. We rushed out to implement it in our app, only to find out that the permission was set for the wrong bundle identifier.
We expected to get the permission for the notification extension's bundle identifier, yet it is added for the main app's bundle identifier.
Per the official docs, the entitlement permission should be in the notification service extension target:
After you receive permission to use the entitlement, add com.apple.developer.usernotifications.filtering to the entitlements file in the Notification Service Extension target.
However, this fails to get signed when compiling for non-simulator targets because of the bundle mismatch issue. Simulator perfectly filters notifications.
Adding the entitlement to the main app does compile, but filtering does not work (as expected).
We reached out to Apple twice (Case-ID: 14330583) but we have yet to receive any response.
Could there be something else wrong instead of the identifier mismatch?
Topic:
Code Signing
SubTopic:
Entitlements
Tags:
Entitlements
Code Signing
App ID
User Notifications
Hello everyone,
I'm hoping to get some guidance on a frustrating codesigning issue. I have a macOS application that successfully completes the entire notarization and stapling process, but it is still rejected by Gatekeeper during the final verification step. The rejection only happens when I apply the entitlements that I believe are necessary for my app's functionality.
The application is built with PyInstaller and has the following components:
A main executable written in Python.
A bundled Tcl/Tk instance for the GUI.
Embedded Playwright components, which include the Node.js runtime and a full Chromium browser instance. These are located deep inside the .app bundle.
The Problem
The core of my application relies on Playwright to perform some automated tasks, and its bundled Chromium browser requires specific entitlements to function under the Hardened Runtime. Specifically, it needs com.apple.security.cs.allow-jit and com.apple.security.cs.allow-unsigned-executable-memory.
My signing process is as follows:
Prepare Entitlements: I use two separate .plist files:
main_app_entitlements.plist: This is for the main Python executable and only contains com.apple.security.cs.allow-jit.
jit_helper_entitlements.plist: This is for the node and Chromium Helper executables within the Playwright framework. It contains both com.apple.security.cs.allow-jit and com.apple.security.cs.allow-unsigned-executable-memory.
Inside-Out Signing: I perform a deep signing process. I find all binaries, dylibs, and frameworks, sort them by path length (deepest first), and sign each one individually with the appropriate entitlements. The main .app bundle is signed last.
Notarization: I zip the .app bundle and submit it using xcrun notarytool submit --wait. The tool reports a successful notarization every time.
Stapling: I use xcrun stapler staple on the .app bundle, and it confirms that the ticket was successfully stapled.
The point of failure
The final step is to verify the result with spctl:
spctl --assess --type execute --verbose --ignore-cache "MyApp.app"
This is where it fails.
The output is:
MyApp.app: rejected
source=Unnotarized Developer ID
This "Unnotarized Developer ID" message is confusing because xcrun notarytool and stapler both report complete success.
The crucial detail
If I run the entire process without any entitlements—just signing with the Hardened Runtime enabled—the final spctl assessment passes. However, the application then crashes at runtime as soon as it tries to use Playwright, which is expected since the browser helpers are missing their required JIT entitlements.
My question
Is there a known issue where using com.apple.security.cs.allow-jit or com.apple.security.cs.allow-unsigned-executable-memory on nested helper executables can invalidate an otherwise successful notarization?
Is my strategy of applying different, granular entitlements to different executables within the same app bundle correct?
Could the issue be related to how or when these entitlements are applied during an "inside-out" signing process? Is there a better way to structure the signing of these complex components?
I'm confident the notarization itself is working, but it seems Gatekeeper's local assessment is stricter and is being tripped up by my entitlement configuration.
Thank you in advance for any help or suggestions you can provide
Hi
I am building obs studio using cmake and Xcode.
I used
cmake --preset macos -DOBS_CODESIGN_IDENTITY="" to generate the build folder
and inside X code used Provisioning Profile with Developer ID Application certification.
The build was generated successfully but when I tried to turn on the virtual camera I see missing Missing entitlement com.apple.developer.system-extension.install error.
(My Provisioning profile has System Extension Capability checked on apple developer portal)
If I use this flow instead:
cmake --preset macos -DOBS_CODESIGN_TEAM=63B5A5WDNG
Build using Xcode with Automatic manage signing with Apple Developer Certificate.
Obs studio builds successfully and Virtual camera extension also works fine.
My primary goal is to notarise my app which contains OBS studio and Blackhole Audio driver for distribution outside app store.
If I try to sign my obs app generated in second step
codesign --deep --force --timestamp --verify --verbose \
--options runtime
--sign "Developer ID Application:***"
"OBS.app"
The obs app fails to launch due to some errors.
Can anyone please guide me which step I might be doing wrong,
Much Appreciated.
Thanks