I have enabled the eSIM (In-House) under Enterprise Account but notice under com.apple.CommCenter.fine-grained has a sub-text of this “public-subscriber-info”. Can Apple Support please change “public-subscriber-info” to “public-cellular-plan” for my Enterprise account?

I'm developing a sandboxed application with Xcode which allows the user to open and work with Audio Unit plugins. Working with a beta-tester having a lot of AUs on its laptop running on macOS 12.5.1, we encountered some weird crashes while opening some plugins (Krotos, Flux Audio, Sound Toys, etc.). The message we got was in French, I try to translate it but the original English version could be a little bit different: Impossible to open “NSCreateObjectFileImageFromMemory-p47UEwps” because the developper can not be verified. After this first warning, a Fatal Error 100001 message opens and the plugin seems crashed (but not the host). I easily found some music application users encountering similar issues on the web. From what I read, this error is related to new security rules introduced in macOS 12. And, effectively, some of these plugins tested on an older system work normally. I also read that some (insecure) entitlements of the Hardened Runtime should be able to fix this issue, especially Allow Unsigned Executable Memory Entitlement, whose the doc says: In rare cases, an app might need to override or patch C code, use the long-deprecated NSCreateObjectFileImageFromMemory (which is fundamentally insecure), or use the DVDPlayback framework. Add the Allow Unsigned Executable Memory Entitlement to enable these use cases. Otherwise, the app might crash or behave in unexpected ways. Unfortunately, checking this option didn't fix the issue. So, what I tried next was to add Disable Executable Memory Protection (no more success), and finally Allow DYLD Environment Variables and Allow Execution of JIT-compiled Code: none of them solved my problem. I really don't see what else to do, while I'm sure that a solution exists because the same plugins work perfectly on other application (Logic, Live Ableton). Any help would be greatly appreciated. Thanks !

Dear Sirs, I’d like to write a virtual audio driver that also exchanges data with a application and thus probably also offers a driver extension using IOUserClient. My first implementation was based on the sample https://developer.apple.com/documentation/audiodriverkit/creating_an_audio_device_driver and everything works fine and as expected on my development machine and I can install/uninstall the dext from within my application. But I had to learn that I will not be given the required entitlement com.apple.developer.driverkit.family.audio as AudioDriverKit seems to be not intended to be used for virtual drivers. So I found out that this sample should be used as starting point for virtual audio drivers: https://developer.apple.com/documentation/coreaudio/creating_an_audio_server_driver_plug-in. But this sample does not include a dext offering the IOUserClient interface which I think I need. The next sample I found was https://developer.apple.com/documentation/coreaudio/building_an_audio_server_plug-in_and_driver_extension . This doesn’t use AudioDriverKit and it includes IOUserClient so it seems to be a good start. Nevertheless it also requires some entitlements which are com.apple.developer.driverkit and com.apple.developer.driverkit.transport.usb. The client also probably needs the entitlement com.apple.developer.driverkit.userclient-access. Would I be given these entitlements for a pure virtual audio driver and why would I need com.apple.developer.driverkit.transport.usb? And is there a chance that AudioDriverKit will also be opened for virtual drivers as it seems to be a much more modern approach and doesn’t require a reboot for installing? Thanks and best regards, Johannes

I'm trying to sign some PHP binaries so that they are happy to run PHP extensions compiled by other people. I've tried creating a signing-entitlements.plist such as: <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.disable-library-validation</key> <true/> </dict> </plist> but when trying to run the following: codesign --entitlements signing-entitlements.plist --force --options runtime --sign '$release_certificate' '$file' ...I get the following error: signing-entitlements.plist: cannot read entitlement data Do I need to convert the XML to some other format perhaps? Is it even the right entitlement to achieve what I am trying to do? Thanks for any help!

In our team we have two apps A and B, unfortunately app B was released with iCloud entitlement with selected container ID of the app A. It lead to a problem that our app A displays in iCloud "Manage Storage" list on iOS as app B. Because of that people are loosing all of theirs data as they thing it is app A. App B stores uses only Key-Value storage in iCloud How can we override that name so it displays A again?

I have recently moved our CI/CD pipeline to using xcode cloud. Everything has been going great until we tried to test our VoIP pushes in our test environment. In our old system, our entitlements file set the apns-environment to develop, so when we distributed an archived build to our QA team, it would generate sandbox APNS device tokens for testing. But since I have switched to xcode cloud, it looks to be generate production apns device tokens now, so all of our sandbox pushes are failing to send. Is there a way I can make sure xcode cloud send builds that have the apns-environment set to development?

Hi! I'm trying to move from CoreMedio I/O DAL Plug-In to CoreMedia I/O camera extensions, announced in macOS 12.3. I created a test extension, placed it inside my app bundle into Contents/Library/SystemExtensions and signed with codesigning certificate. But when I try to install my extension from inside my app, using this code (Swift): func installDriver() { guard let extensionIdentifer = DriverInstaller.extensionBundle().bundleIdentifier else { return } let activationReq = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifer, queue: .main) activationReq.delegate = self OSSystemExtensionManager.shared.submitRequest(activationReq) } I'm getting an error: OSSystemExtensionErrorDomain error 8: Code Signature Invalid which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out? I'm posting here entitlements and codesign output for my extension and containing application for further information. Executable=../Contents/Library/SystemExtensions/com..RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension [Dict] [Key] com.apple.security.app-sandbox [Value] [Bool] true [Key] com.apple.security.application-groups [Value] [Array] [String] 893K7MTL2H. com.. [Key] com.apple.security.device.camera [Value] [Bool] true Executable=**********/Contents/MacOS/***** [Dict] [Key] com.apple.application-identifier [Value] [String] 893K7MTL2H.com..RoomDevice [Key] com.apple.developer.system-extension.install [Value] [Bool] true [Key] com.apple.developer.team-identifier [Value] [String] 893K7MTL2H [Key] com.apple.security.application-groups [Value] [Array] [String] 893K7MTL2H. com..******** Executable=***/Contents/MacOS/**** Identifier=com..RoomDevice Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=1345 flags=0x10000(runtime) hashes=31+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=3584714367d59119b462d0f830247d27ff1fbace CandidateCDHashFull sha256=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12 Hash choices=sha256 CMSDigest=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12 CMSDigestType=2 Launch Constraints: None CDHash=3584714367d59119b462d0f830247d27ff1fbace Signature size=4688 Authority=Developer ID Application: ****************(893K7MTL2H) Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=01-Sep-2023 at 12:00:09 PM Info.plist entries=22 TeamIdentifier=893K7MTL2H Runtime Version=13.3.0 Sealed Resources version=2 rules=13 files=6 Internal requirements count=1 size=216 Executable=/Contents/Library/SystemExtensions/com.*****.RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension Identifier=com.******.RoomDevice.Extension Format=bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=3627 flags=0x10000(runtime) hashes=102+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=70580825016b7e262fb15c280ba380ad4e871bc1 CandidateCDHashFull sha256=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f Hash choices=sha256 CMSDigest=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f CMSDigestType=2 Launch Constraints: None CDHash=70580825016b7e262fb15c280ba380ad4e871bc1 Signature size=4688 Authority=Developer ID Application: ************ Ltd. (893K7MTL2H) Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=01-Sep-2023 at 12:00:05 PM Info.plist entries=22 TeamIdentifier=893K7MTL2H Runtime Version=13.3.0 Sealed Resources version=2 rules=13 files=0 Internal requirements count=1 size=224 Please anyone help. Thanks in advance!

Currently building a freemium iOS app without any login features. In order to track the paid features (i.e. unlimited token usage) I am using device ID in the database (using Google Firebase). Problem is I see new device IDs pop up in the database for the same user using the same device. This breaks the paid feature and removes their access to unlimited tokens when this new device ID activates. Other then creating a formal login system (e.g. username and password) what is the best way to log a user's device info so that the app user can keep their paid features? Thanks for the help!

I'm the developer of a small utility for Mac called "MusicDeviceHost". https://apps.apple.com/us/app/musicdevicehost/id1261046263?mt=12 As the name suggests, it is a host application for audio units (music device components). See also "Using Sound Canvas VA with QMidi": https://youtu.be/F9C4BiBR A problem occurs while trying to authorize the "Sound Canvas VA" component, Roland Cloud Manager (v3.0.3) returns the following error: “Authorization Error - RM Service not connected Error Connecting to Roland Cloud Manager Service” I guess the error is caused by some permission denied to the sandboxed application version. The NOT sandboxed version of MDH actually works flawlessly. I am using the following entitlements: com.apple.security.app-sandbox com.apple.security.network.client So connecting to the service should work, because "com.apple.security.network.client" is enabled. At Roland, they say: "Cloud Manager isn't supported in a sandboxed environment." But as far as I can see, MainStage and other sandboxed apps works fine... So what is the right answer? Is there someone out there with the same issue? Thanks for helping :)

I am getting the error below after successfully notarizing my app and then I try to install from the DMG and try to launch it, it crashes. Termination Reason: Namespace TCC, Code 0 This app has crashed because it attempted to access privacy-sensitive data without a usage description. The app's Info.plist must contain an com.apple.security.device.audio-input key with a string value explaining to the user how the app uses this data. Note: I have already added the entitlements to my electron-builder config and and I can see the entitlements in the Info.plist of my .app in the Applications directory. hardenedRuntime: true, extendInfo: { NSMicrophoneUsageDescription: 'Need microphone access for recognizing audio', 'com.apple.security.app-sandbox': true, 'com.apple.security.cs.allow-jit': true, 'com.apple.security.device.audio-input': true, 'com.apple.security.cs.allow-unsigned-executable-memory': true, 'com.apple.security.cs.disable-executable-page-protection': true, 'com.apple.security.cs.disable-library-validation': true, 'com.apple.security.device.microphone': true, 'com.apple.security.network.client': true, 'com.apple.security.files.user-selected.read-write': true, 'com.apple.security.cs.allow-dyld-environment-variables': true, }

Hello, I have sandboxed mac app which is launching a helper app. The main app has sandbox enabled and has get-task-allow entitlement. From main app I launch[1] a helper which is an application bundle located in Contents/Helpers of the main bundle. The helper has sandbox enabled and com.apple.security.inherit entitlement. Currently I have a problem attaching debugger to helper process or getting access to location services from it (but that's probably different issue). I checked the responsible process and it seems to set up to correct PID of the main application. The Xcode is reporting "Not allowed to attach to process" error and I see the same in the log: macOSTaskPolicy: (com.apple.debugserver) may not get the task control port of (com.****) (pid: 31628): (com.****) is hardened, (com.****) doesn't have get-task-allow, (com.apple.debugserver) is a declared debugger(com.apple.debugserver) is not a declared read-only debugger To add a more of the context what I'm trying to achieve is that we run certain parts of our app in separate child processes so we can restart then if anything goes wrong [2]. So I have few questions: Do I need to launch the helper (child) process a particular way to be able to attach debugger to it? Is there a tool to inspect sandboxes (rules applied and the inheritance)? Do I really need to explicitly enable sandboxing and inheritance on the helper app, doesn't it run in the parent' s sandbox anyway? Thank you. [1] We use boost::child_process for launching the helper, which is using popen behind the scene, but I have the same experience with NSTask. [2] I know that's what XPCServices are for but don't ask :-)

Hello @eskimo (or whoever can help): our company builds a product which is delivered outside the app store as pkg. It contains a launch daemon which is a .NET build on an external build server and signed. Then the whole pkg is notarized. The build server is macOS 10.15.7 (Catalina) On macOS 13.x I can launch the daemon in Terminal without problem, but on Sonoma public beta I get "killed by Signal:9" and in Console I get: "standard 07:44:53.694349-0700 kernel ASP: Security policy would not allow process: 1377, /Library/PrivilegedHelperTools/com.ThinPrint.TPACCloud/TPACCloud.Service" This happens on both Intel and Apple CPU VMs. Besides, when I disable SIP the error does not show up anymore and the binary runs like a charm. What has changed between macOS 13 and macOS 14 ? The binary entitlements: com.apple.security.cs.allow-jit com.apple.security.cs.allow-unsigned-executable-memory com.apple.security.cs.disable-executable-page-protection com.apple.security.cs.allow-dyld-environment-variables com.apple.security.cs.disable-library-validation The command to code sign: /usr/bin/codesign --force --options=runtime --timestamp --entitlements "#{absolutePathToEntitlement}" --sign "#{applicationCertname}" "#{tPACCLOUD_ARTEFACTS_X64}/#{item}" where #{item} are the binaries and .dylibs

Hi, I work for a company that makes an iPad app, and we have requested the user-assigned-device-name entitlement multiple times and been rejected every time. I am familiar with the requirements listed here. I'm just wondering if anybody else who needed this entitlement ran into any surprises, e.g. "I thought that ____ was in line with their requirements but it turns out they really care about _____". Alternatively if anyone knows how to get someone at Apple to tell us why it was rejected, that would be cool too. Thanks!

Hello! I'm curious about how com.apple.developer.hid.virtual.device entitlement works with apps. So the documentation hints that it should only be used within a driver. However, on macOS 13 I can successfully compile an app and create a virtual HID device. On earlier versions, such as macOS 12, the app crashes on launch and there's a message in the console: ASI found [libsystem_secinit.dylib] (sensitive) 'failed to compile sandbox profile /System/Library/Sandbox/Profiles/application.sb:1010:15: unbound variable: iokit-user-client-class-name ' Everything seems to be working with the sandbox turned off. Is there a way to use the aforementioned entitlement in a sandboxed app or should I fall back to DriverKit?

Hello everyone, I seem to have a problem with networking-multicast permissions. The program we developed uses the UPnP protocol, so we applied for networking-multicast permission for our development plan. Reference: < https://developer.apple.com/contact/request/networking-multicast>. After that, we set Identifiers with check Multicast Networking in Additional Capabilities and update Profiles. After rebuilding the program, the program can find UPnP devices in the network on my iPhone, and it does work. The program is developed using Flutter, runs on both iOS/Android platforms, and has both professional and regular versions. No matter which platform or version can work properly. When only one program is installed on an iOS device, everything is fine. But if two programs are installed on the same device at the same time (for example, our professional version and normal version, BundleID is different), various problems will occur: case 1: Install the normal version Start the normal version： Does work case 2: Install the professional version Start the professional version： Does work case 3: Install the normal version Install the professional version Start the normal version： Unable to discover UPnP device Start the professional version： Unable to discover UPnP device case 4: Install the professional version Install the normal version Start the professional version： Unable to discover UPnP device Start the normal version： Unable to discover UPnP device case 5: Install the normal version Start the normal version： Does work Install the professional version Start the professional version： Does work case 6: Install the professional version Start the professional version： Unable to discover UPnP device Install the normal version Start the normal version： Unable to discover UPnP device Sum up the phenomenon: There is no problem with installing a separate program. Install two programs at the same time: it will work only if it is executed in a specific order (case 5). Add a few points: We use Flutter development, iOS and Android use the same code. There is no problem with the above case on Android. 2. We use flutter_flavor ( reference: https://pub.dev/packages/flutter_flavor) configuration ordinary version & professional version. 3. In all cases where problems occur, the pop-up window of the system requesting networking-multicast will not pop up. It looks like that UPnP is not working because of permissions. 4. In all cases only one Application run at anytime. Before starting the new program, we will forcibly exit the other program to ensure that the port is released. 5. We found an UPnP programs developed by other developers on the Appstore, which do not conflict with our regular version or professional version, and both sides can work properly. We think this looks like a bug of the iOS system. I wonder if anyone else has encountered a similar situation? Would you like to give us a hint of the direction of our solution? Thank you very much. Or at least, I wonder if anyone can help us figure out whether this problem is the bug of the iOS system or the problem of our program itself. Thanks a lot.

I have a sandboxed/hardened app that is distributed outside of the MacAppStore. I want to allow the app to auto-update itself. I currently have the ability in the app to figure out if there is a newer version which then informs the user and gives them an option to download the app (currently it downloads to ~/Downloads in the app container). The app comes as a simple zip file that only includes the app itself. Once downloaded, then NSWorkspace.shared.open(URLtoDownloadedUpdate) will expand the zip and place the app in ~/Downloads. What I want is it to replace the current version of the app w/ this newly downloaded version. Is this possible? First, how do I find out where the old app is stored? And then how do I replace it with the new version when the old app is still running? I realize many people use Sparkle to do this instead of rolling their own. I simply do not want to depend on a third party.

Hi! I've applied for and received the multicast networking entitlement. I'm befuddled as to how to apply it. I'm somewhat new to iOS development. I've followed the instructions in this developer page as per the instructions in the email confirmation I received re entitlement granting. https://developer.apple.com/forums/thread/663271 I've logged into my developer account, navigated to identifiers, and checked/enabled Multicast Networking under Additional Capabilities and saved them. What do I do next? I've re-started Xcode but this new capability does not show up in my app. I've tried running codesign utility but the examples in the above url don't work. Any pointers/suggestions as to how to get this entitlement into my app? Thanks, Bobby

I created a driver using DriverKit on Intel macOS 12.6.1 and Xcode 13.3. I enabled auto-manage signing, and set the signing certificate to 'Sign to Run Locally'. Then, I created a provision profile for the driver and selected my M1 test device. After installing the profile, I ran the app on the M1 device and successfully activated the driver. However, when I tried to compile the project on M1 macOS 13.3 with Xcode 14.3.1, I encountered an error. It appears that DriverKit does not support the 'Sign to Run Locally' option on M1 devices. To resolve this issue, I switched to using the 'Apple Development' signing certificate. Unfortunately, even after making this change, I still received an error message regarding 'Sign to Run Locally' from the Xcode console. Both devices are logged in with the same developer account. Could you please advise me on how to resolve this problem? iig: #include <Availability.h> #include <DriverKit/IOService.iig> #include <DriverKit/IOUserClient.iig> //class OSAction; class epusbfilter: public IOService { public: virtual bool init() override; virtual kern_return_t Start(IOService * provider) override; virtual kern_return_t Stop(IOService * provider) override; virtual void free() override; virtual kern_return_t GetRegistryEntryID(uint64_t * registryEntryID) override; }; cpp: #include <os/log.h> #include <DriverKit/IOUserServer.h> #include <DriverKit/IOLib.h> #include <USBDriverKit/IOUSBHostInterface.h> #include <USBDriverKit/IOUSBHostPipe.h> #include "epusbfilter.h" #define Log(fmt, ...) os_log(OS_LOG_DEFAULT, "epusbfilter - no super," fmt "\n", ##__VA_ARGS__) struct epusbfilter_IVars { IOUSBHostInterface *interface; IOUSBHostPipe *inPipe; OSAction *ioCompleteCallback; IOBufferMemoryDescriptor *inData; uint16_t maxPacketSize; }; bool epusbfilter::init() { bool result = false; Log("init"); result = super::init(); return result; } void epusbfilter::free() { super::free(); Log("free"); } kern_return_t IMPL(epusbfilter, Start) { kern_return_t ret; Log("Start"); ret = Start(provider, SUPERDISPATCH); return ret; } kern_return_t IMPL(epusbfilter, Stop) { kern_return_t ret = kIOReturnSuccess; Log("Stop"); ret = Stop(provider, SUPERDISPATCH); return ret; } kern_return_t IMPL(epusbfilter, GetRegistryEntryID) { Log("GetRegistryEntryID"); return GetRegistryEntryID(registryEntryID, SUPERDISPATCH); } info.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>IOKitPersonalities</key> <dict> <key>epusbfilter</key> <dict> <key>CFBundleIdentifier</key> <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleIdentifierKernel</key> <string>com.apple.kpi.iokit</string> <key>IOProviderClass</key> <string>IOUSBHostInterface</string> <key>IOClass</key> <string>IOUserUserClient</string> <!-- <key>IOResourceMatch</key>--> <!-- <string>IOKit</string>--> <key>IOUserClass</key> <string>epusbfilter</string> <key>IOUserServerName</key> <string>com.injection.epusbfilter.dext</string> <key>bConfigurationValue</key> <integer>1</integer>--> <key>bInterfaceNumber</key> <integer>0</integer> <key>idVendor</key> <string>*</string> <key>idProduct</key> <string>*</string> <key>UserClientProperties</key> <dict> <key>IOClass</key> <string>IOUserUserClient</string> <key>IOUserClass</key> <string>epusbfilter</string> </dict> </dict> </dict> </dict> </plist> entitlemens: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.driverkit</key> <true/> <key>com.apple.developer.driverkit.transport.usb</key> <array> <dict> <key>idVendor</key> <string>*</string> <key>idProduct</key> <string>*</string> </dict> </array> </dict> </plist>

Hi, I have notarised system extension for MacOS, we use network extension for content filter. in debug it works and ask permission. but when I notarised it doest work any more... any help appreciate..

Hello, What is the key for In-App Purchases entitlement I can add to my app.entitlements file in my project, so that I can autonomously enable the In-App Purchase capability? I have searched far a wide for this, however, it's unclear where it can be located. I know I can enable this capability manually by opening Xcode -> Selecting the "Signing & Capabilities" tab -> selecting "+ Capability" -> selecting "In-App Purchase" capability. However, this is not really an ideal solution for adding the capability to my app, especially when automated processes for building, testing, distributing via CI/CD are integrated. It would beneficial to be able to reference some documentation or resources for enabling capabilities (or any other build settings) autonomously in a project as opposed to having to manually click my way through enabling them. Looking forward to hearing back. Thanks!