We applied months ago for the NEAppPushProvider entitlement to do air gapped push notifications. The enterprise SA's we work with have been pushing the issue internally—but nothing has happened. How do you actually get entitlements added to your profile? I could see a week time, but 3 or so months now is a bit crazy.

"Since this app contains an App Clip, the com.apple.developer.associated-appclip-app-identifiers entitlement should be present and include the value of the App Clip's application identifier. Please add this entitlement, then resubmit". Added then also still I am getting the warning from TestFlight ? Please help to resolve the particular issue

We have an Enterprise Apple developer account “Cisco System, Inc. “STBU” - JBF29L28EJ”. We use it to make in-house distribution for QE testing. I found that development provisioning profile in this account includes new “relay” capability in the entitlement, but in-house distribution provisioning profile doesn’t have it. Below is the entitlement list in in-house distribution provisioning profile that doesn't include "relay": Entitlements <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider</string> <string>content-filter-provider</string> <string>packet-tunnel-provider</string> <string>dns-proxy</string> <string>dns-settings</string> </array> <key>aps-environment</key> <string>production</string> We now cannot make in-house distribution build without this entitlement.

I'm using some CoreML models from C++. I've been trying to profile them using the CoreML Instrument in Instruments. It seems that that only works when I sign my binaries with the get-task-allow entitlement. Is there an easier way? Ideally I'd like to be able to profile a Python program that calls my C++ code and I would rather not re-sign Python.

I'm trying to use App Groups capability to enable file sharing between my multiple apps. But i'm wondering which app will be counted as the disk space occupier when I write a file to the shared path? Thanks for your consideration.

We are launching a commandline golang binary as daemon. However, SecKeyCreateRandomKey does not return in macos Sonoma. We tried to attach entitlement to the daemon, but it's still not working. The same commandline golang binary works when we launch it as a user process. We would like to get your support to fix this issue.

Hello, I have read com.apple.security.app-sandbox entitlement is required for macOS applications distributed through appstore. If so, how can it be possible for an application like Microsoft Word to read/write files in Documents folder ? It should be forbidden, due to sandbox ? Thanks

Hi, We applied for Tap to Pay on iPhone entitlement and were approved, but on distribution support it's only showing Development. We can build and debug Tap to Pay on development, but unable to build release. We opened ticket with Apple support but they were saying it was configured correctly. I attached screenshot of our developer account entitlement for Tap to Pay. It clearly said Development only.

My development certificate is configured with SensitiveContentAnalysis, and this configuration has also been added to xcode. Error after running: MAD request(1) returns error: Error Domain=NSOSStatusErrorDomain Code=-18 "User Safety either not entitled for client or not enabled" UserInfo={NSLocalizedDescription=User Safety either not entitled for client or not enabled}

Good day, I have an application that opens links in various browsers available on the device. For this reason, I want to make the app eligible to be chosen as the default browser. To do this, I reviewed the Apple article at this link: https://developer.apple.com/documentation/xcode/preparing-your-app-to-be-the-default-browser. However, unfortunately, I still haven't figured out how to do it. The article mentions that you need to send an email request. I sent an email, but my message was ignored. Dear colleagues or Apple staff, could you please explain in the most detailed and step-by-step manner how I can make my app available to be set as the default browser? I would greatly appreciate it because, unfortunately, this question isn't widely discussed in the community, and there are no videos with step-by-step guides. Thank you very much!

Hi, I'm looking for a way to allow two TeamID in a PPPC predicate. When an app move from one company to another (different TeamIDs) PPPC configuration profiles need to cover the transition period. However those profiles do not allow duplicated path-based entries. Then the binary /usr/bin/local/sample can have only one PPPC payload for full disk access authorizations. To solve this problem I'd like to use an OR operator in the predicate, such as: identifier Sample and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and (certificate leaf[subject.OU] = TEAMID001 or certificate leaf[subject.OU] = TEAMID002) But I cannot find any documented information about the supported syntax. Does anybody already did this before ?

I wrote my app with the entitlement "com.apple.developer.submerged-shallow-depth-and-pressure" and also with underwater-depth for WKBackgroundMode. All is working fine when I tested the app. When I want to put the app in the store I got the following error: **Missing entitlement. The Info.plist for the watchOS app bundle at “Watch App.app” uses the underwater-depth value for WKBackgroundModes without the com.apple.developer.submerged-depth-and-pressure entitlement signed into the bundle. ** I wonder why the entitlement in the error message is without -shallow- and why I get this message.

I've developed and distributed a plugin for Unreal Engine (builds as a .dylib). The plugin dynamically loads an external library that is a .bundle The plugin has been notarized successfully. (Both the .dylib and the .bundle were signed with a Developer Application ID certificate.) When the plugin is downloaded, both the .dylib and the .bundle get flagged with the quarantine attribute, however because it was notarized, the plugin is able to be loaded inside of Unreal Engine with no problem. The issue occurs when the user moves the Unreal Engine project (with said plugin) to an external drive. In this case, once the project is opened and tries to load the plugin, an error saying is "***.bundle is damaged and can’t be opened. You should move it to the Trash." I'm wondering if this is an Unreal Engine issue, or a MacOS(notarization/signing/entitlements/etc) issue. Feels like if the .bundle is placed on an external drive, the OS does not check for notarization. If i move the project back to the HD of the laptop, everything works as expected. If i move the project to an external drive AND manually remove the com.apple.quarantine attribue (via terminal), then everything works as expected.

Hello, I am read some binaries are "SIP protected". SIP means System Integrity Protection. I know this is a security mechanism under macOS. But i don't understand what is a "SIP protected binary". Is it a binary located in a specific folder ? Is it a binary signed with "hardened runtime" ? Thanks

I have created a mechanism for TAP TO PAY in my app and it seems to be working fine while testing locally. I have added the additional capabilities in appstoreconnect for the app as development profile. However, when I try to submit the app to the appstore for testflight I am getting an error which seems to be beacause of the development profile for TAP TO PAY CAPABILITY. I am not sure how to convert the capability to distribution and need help.

I have two System extensions in my application. App proxy provider ( app-proxy-provider-systemextension) Endpoint Security (com.apple.developer.endpoint-security.client) But now, on one of my customer's computer, when it launched app proxy provider, the sysextd process said that /Applications/XXXXXX.app/Contents/Library/SystemExtensions/com.***.AppProxy.systemextension: entitlement com.apple.developer.endpoint-security.client not present or not true. As a network system extension, my app proxy provider was asking for an Endpoint Security entitlement, that is a very strange. I don't know how to debug it. Any ideas and help?

Hello, I currently am designing a data backup solution, and have an unsandboxed launch agent written in DotNet 6 that needs read access to files in order to back them up. It is configured together with its own App Group (with the sandboxed GUI). However, this Launch Agent cannot access files or enumerate directories in ~/Library/Group Containers/com.apple.notes whatsoever (even after enabling full disk access for the calling app, the files are not restricted either). I am trying to access the NoteStore.sqlite and similar files so that the Launch Agent can read the file and upload it to S3. Is there some entitlement I need to add, or access prompt? It seems like there is additional security layers for Sandboxed folders for apps that I'm trying to bypass. What is the recommended solution for my use case? (For Ventura and Sonoma users)

We requested the In-App Provisioning entitlement and received the email from Apple said： “The entitlement for In-App Provisioning has been assigned to your account, and you can now configure this capability for eligible apps. ” Then we enabled the In-App Provisioning capability in the Additional Capabilities tab of App ID Configuration, and according to Apple’s instruction, there should be an entitlements drop-down menu in the provision profile edition page，but we‘ve never seen such menu in our provision profile. So is there any suggestion about this problem？

Provisioning profile doesn't include the com.apple.developer.proximity-reader.payment.acceptance entitlement, I did confirm that bundleID capabilities of NFC added and also update the profile on developer console. I cannot use that specific key in entitlement. which steps or missing in this Tap and Pay capabilities I cannot identify.

My app uses a lot of memory, so I often get "memory limit" crashes. In Cerf & ID & Profiles i enabled increase Memory Limit Capability, in my myAppName.entitlements But result of print(os_proc_available_memory()) the same. Where my mistake? Thank you iPhone 8, iOS 15.2