Can someone tell me the applications requirements for using the secure enclave on MacOS? Does the application need to be signed with the secure-enclave entitlement in order to use it? Since this is a restricted entitlement, does my App ID need approval to use it from Apple? Currently I'm building in XCode 16 on Sequoia (15.5) using developer signing. My application is a C/C++ daemon running as plist out of /Library/LaunchDaemons. I have also built it as an application using the instructions here but this has not lead to a solution: https://developer.apple.com/documentation/xcode/signing-a-daemon-with-a-restricted-entitlement/ When I run my application from the command line via sudo signed but without the secure-enclave entitlement enabled in my entitlements file it runs. The first call to: SecAccessControlRef access = SecAccessControlCreateWithFlags( kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, kSecAccessControlPrivateKeyUsage, &error); succeeds without error. The call to create the key using: SecKeyRef privateKey = SecKeyCreateRandomKey(attributes, &error); then fails with error: (OSStatus error -50 - Failed to generate keypair) Here are the setup attributes (keySize = 256): CFDictionarySetValue(attributes, kSecAttrKeyType, kSecAttrKeyTypeECSECPrimeRandom); CFDictionarySetValue(attributes, kSecAttrKeySizeInBits, keySize); CFDictionarySetValue(attributes, kSecAttrLabel, keyName); CFDictionarySetValue(attributes, kSecAttrApplicationTag, keyLabel); CFDictionarySetValue(attributes, kSecAttrTokenID, kSecAttrTokenIDSecureEnclave); // Store in the Secure Enclave CFDictionarySetValue(attributes, kSecAttrKeyClass, kSecAttrKeyClassPrivate); CFDictionarySetValue(attributes, kSecAttrAccessControl, access); CFDictionarySetValue(attributes, kSecAttrIsPermanent, kCFBooleanTrue); // persist key across app restarts and reboots CFDictionarySetValue(attributes, kSecAttrCanEncrypt, kCFBooleanTrue); CFDictionarySetValue(attributes, kSecAttrCanDecrypt, kCFBooleanTrue); CFDictionarySetValue(attributes, kSecAttrAccessible, kSecAttrAccessibleWhenUnlockedThisDeviceOnly); CFDictionarySetValue(attributes, kSecReturnPersistentRef, kCFBooleanTrue); When I run the application signed and include the "com.apple.developer.secure-enclave" in my entitlements file it crashes at startup. I believe this is to be expected based on above. How do I proceed such that my application can use the secure enclave correctly?

Error in application:didFailToRegisterForRemoteNotificationsWithError: no valid aps-environment entitlement string found for application have tried out the below commands % codesign -d --entitlements - /path/to/your.app % security cms -D -i /path/to/your.app/embedded.mobileprovision and it seems both are working fine, Im currently developing react native app with expo and firebase for notifications this works fine when im running it via installing the app from testflight, but the issue occurs when i test in testflight or while the apple team reviewing my app My entitlements file <dict> <key>aps-environment</key> <string>production</string> </dict> </plist>

Hi, I am developing an iOS app that includes a ReplayKit Broadcast Upload Extension which requires the com.apple.developer.broadcast-upload entitlement. The app is intended for internal development and testing on my own devices and is not yet distributed on the App Store. Even after setting com.apple.developer.broadcast-upload=true in my .entitlements file, and linking it in Build Settings &gt; Code Signing Entitlements; my downloaded provisional profile still did not contain the broadcast-upload entitlement. May I know if I need explicit Apple's approval for adding the broadcast-upload entitlement; even if it's just for testing on my own devices? Thanks.

Hi everyone, I'm working with a third party to integrate their USB driver into our app and I'm wondering if iPadOS supports bundling a prebuilt .systemextension file with the entitlement com.apple.developer.system-extension.redistributable into our app that has the com.apple.developer.driverkit.communicates-with-drivers entitlement? If not, is there a way to bundle a third party USB driver into our iPad app?

Hello, I'm working in Xcode Version 16.4. I have not been able to sign in without errors. I've paid for the dev account. I've created certificates. Downloaded and uploaded CSRs. Use background mode, not used background mode. Nothing seems to work. Thank you for looking into this! Hopefully you can point me in the right direction or find a solution. Attached screenshots with errors.

An open-source app that I bundle for macOS needs to use the disable-library-validation entitlement. In spite of TN3125: Inside Code Signing: Provisioning Profiles | Apple Developer Documentation#Entitlements-on-macOS claiming that hardened runtime entitlements don't need provisioning profiles and the app successfully notarizing, trying to run the app fails with the error "Disallowing because no eligible provisioning profiles found". So I created a provisioning profile, but when creating the App ID the only selection that seemed relevant was Hardened Runtime. That turns out not to include disable-library-validation so now launching fails with "Unsatisfied entitlements: >com.apple.security.cs.disable-library-validation" What's the right capability?

My app uses a Provisioning Profile (as it bundles up a Network System Extension). I do not use "Automatically manage signing" as its causes code signing/deployment issues 🤷‍♂️ In Xcode (version 26), if I enable " Enhanced Security" and check "Enable Hardware Memory Tagging", Xcode states: Provisioning profile "<>" doesn't include the com.apple.security.hardened-process.checked-allocations and com.apple.security.hardened-process.checked-allocations.soft-mode entitlements. Normally to resolve such errors one simply adds the Capability in "Edit your App ID Configuration" and then regenerates the Provisioning Profile. However, I don't see any such capability to would add these entitlements? (I thought "Hardened Process" would be the one - but alas, no). Clicking the "for more information" link in Xcode to view the relevant(?) "Apple Developer Documentation" generates another error 😵‍💫 Didn't see anything in: https://developer.apple.com/documentation/xcode/enabling-enhanced-security-for-your-app

I am trying to sign a enterprise app with provisioning profile which shows the tap to pay entitlement on Dev portal, but when downloaded on Xcode, it says the profile is missing the tap to pay capability and entitlement The capability was enabled by apple already, it was working fine until the provisioning profile got renewed.

Hi, I just released a new version of an app that was transferred from another developer account. The previous version of this app used the App Groups feature to store some important data, and I would like to retrieve that data. In the new version, I’m using the same bundle identifier and the same App Group ID (which has already been deleted from the original developer account). I also added the App Groups entitlement in the project settings and set the same App Group ID. However, I still cannot access the data in the App Group. From the documentation and issues I’ve found, it seems that an app should still have permission to access the same App Group after being transferred. Did I miss something? Thanks!

Hi - appreciate your help in advance! Building a simple habit tracking app. I got approval for FamilyControls distribution. After creating a new provisioning profile with those capabilities enabled, when I try and build in xcode (16.4) using that Profile I get an error stating: "Provisioning profile "CreateMoreFamilyControlsv2" doesn't include the com.apple.developer.deviceactivity and com.apple.developer.deviceactivity.reporting entitlements" I've confirmed bundle identifier matches, Team etc Similarly when i do automatic signing see 3rd screenshot. Not sure what to do at this point, I've heard deviceActivity is automatically applied when family controls is approved but still running into this issue.

I'm posting this here after reading Quinn's post here: https://developer.apple.com/forums/thread/799000 The above entitlement is mentioned in IOUSBHostControllerInterface.h. It isn't an entitlement one can add using the + button on the Capabilities panel in Xcode. If I try to add it by hand, Xcode complains that it isn't in my profile. Is this a managed entitlement? We'd like to create a local USB "device" to represent a real device reachable over a network.

I am a professor at the Mercer University School of Medicine (Macon, GA) and I teach a stress reduction course for first year medical students. I am developing an app to allow the students to trace their mediations as well as time them. Using ChatGPT with Xcode, I was able to get all the features in the app working except that the stopwatch timer would not continue when the iPhone goes to sleep. When ChatGPT made some changes, the build failed because automated signing failed and the com.apple developer.activity kit entitlement is missing I don’t see Live Activities in the capability section of signing & Capabilities and I don’t know how to fix the provisioning profile. How can I get help for this? Thank you!

I have two apps - say A and B in my AppStore account, deployed in the AppStore. App A has obtained the com.apple.developer.usernotifications.filtering entitlement and this is added to my AppStore account by Apple after approval. Note that this is added for the account, and not for the specific app. Now, my app B also wants this functionality. Followed all the steps as done for app A - adding the already approved entitlement to my app B's identifier, regenerating the profiles, adding the key in the entitlements file, calling the completion handler with empty content like - contentHandler(UNNotificationContent()) Still the notifications show, the filtering is not working. Do I have to request the entitlement for App B separately? Even if I do request again, I am not sure if there is going to be any difference in the steps already done. The difference can only be if Apple has a mapping with the app id internally in their system, for the filtering to work? If I have white-labelled versions of apps A or B, do I have to request again then? Or does Apple restrict only one app to have this entitlement from one AppStore account? Please guide on the next steps here.

We were recently approved for the "User Assigned Device Name" for a specific app Identifier. The "Additional Capabilities" tab isn't present on that App ID. I am an admin in the developer portal, and this does not appear for the account holder as well. Any help would be appreciated.

I want to use the com.apple.vm.networking entitlement which has a note: This entitlement is restricted to developers of virtualization software. To request this entitlement, contact your Apple representative. https://developer.apple.com/support/technical/ says: « Request entitlements using entitlement forms and ask for status updates in the resulting email thread. » but I haven't been able to find these "entitlement forms". Does anyone know what the right process is to request an entitlement?

On MacOS, I know that App Groups (com.apple.security.application-groups) do not require a provisioning profile. I was wondering if it's possible to sign them "ad hoc" and have it work? So maybe use a random TEAMID prefix and have it work? I would only need the app to work locally (for testing), not be distributed in that fashion, of course.

I am subscribed to an individual developer license. https://developer.apple.com/documentation/xcode/configuring-network-extensions "Network Extension" does not appear in the Capability section in Xcode. Below is my Xcode screenshot.

Hi, I am working on a personal HIDDriverKit project. The documentation suggests that you do not need the entitlements from Apple to do local development - that all you need to do is turn of SIP, enable developer mode, and turn signing to "Sign to Run Locally". However, I have followed all of these steps, and am still running into the error that to build, I need to have a provisioning profile with the DriverKit (development) feature (MacOS 15.2 Xcode 16.2). Am I missing something here regarding the steps for local development? Does one need to request a development version of the entitlements even for local development? Do I need a paid developer account to do this? Thank-you in advance.

After signing and notarizing our application, the entitlement “com.apple.security.get-task-allow” is removed. However, we want this entitlement to remain and we want to be able to create a corefile when needed. Is it possible to make the “com.apple.security.get-task-allow” entitlement persistent after signing and notarizing, so that our application can create a corefile?

This is .entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.endpoint-security.client</key> <true/> </dict> </plist> Code signing: codesign --sign -vvv --timestamp --options=runtime --force --entitlements ./UES.entitlements -s "Developer ID Application: XXXX Ltd. (XXXXXX)" ./UES.app When I run it on macOS 13.x, it works fine. If I run the system on macOS 11.x, it reports a "killed" error (if codesign remove --entitlements ./UES.entitlements, Then the startup will not report an error, but the endpoint security rights cannot be used) System log: 2025-04-21 13:58:27.039638+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:27.039762+0800 0xd5bbf Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:27.039815+0800 0xd5bbf Default 0x0 0 0 kernel: proc 29354: load code signature error 4 for file "UES" 2025-04-21 13:58:27.040720+0800 0xd5bc0 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29354, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:27.045974+0800 0xd58be Error 0x0 66405 0 CoreServicesUIAgent: [com.apple.launchservices:uiagent] handle LS launch error: {\n Action = oapp;\n AppMimimumSystemVersion = "10.13";\n AppPath = "/Applications/UES.app";\n ErrorCode = "-10826";\n} 2025-04-21 13:58:39.121619+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:39.121832+0800 0xd5e0f Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:39.121861+0800 0xd5e0f Default 0x0 0 0 kernel: proc 29415: load code signature error 4 for file "UES" 2025-04-21 13:58:39.122571+0800 0xd5e10 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29415, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:46.297915+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:46.298031+0800 0xd5f85 Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:46.298072+0800 0xd5f85 Default 0x0 0 0 kernel: proc 29485: load code signature error 4 for file "UES" 2025-04-21 13:58:46.300248+0800 0xd5f86 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29485, /Applications/UES.app/Contents/MacOS/UES May I ask what the reason is?