Hello everyone, I'm hoping to find a solution for a critical issue that is blocking my app's submission to the App Store. My app uses the Screen Time API and therefore has a main app and a DeviceActivityMonitor extension. The main app has been successfully granted the Family Controls (Distribution) entitlement. However, the DeviceActivityMonitor extension is stuck with only the Family Controls (Development) entitlement. This mismatch causes my build to fail during the archive/distribution process with the error: "Provisioning profile failed qualification. Profile doesn't support Family Controls (Development)." This is a hard blocker, as the extension is a mandatory part of the API. I have already filled out the entitlement request form and also contacted Developer Support (Case #102666581576), who confirmed they could not assist and directed me here. My question is: What is the correct procedure to escalate or resolve the issue of a required extension not receiving the distribution-level Family Controls entitlement after the main app has already been approved? Has anyone else encountered this specific "Development" vs. "Distribution" mismatch and found a definitive way to resolve it? Any guidance would be greatly appreciated. Thank you!

Hi, I have a .NET MAUI app which I've added subscriptions to using the Plugin.InAppBilling nuget package. When I tested on TestFlight I got an almost immediate crash. After doing some research I followed advice to add an Entitlements.plist file to Platforms > iOS with the following entry: com.apple.developer.in-app-purchase The distribution provisioning profile I'm using to sign my app has the App ID set to an Identifier which has "In-App Purchase" ticked, but greyed out in it's "Capabilities" section on https://developer.apple.com/. I'm not sure why it's ticked and greyed out, but I assume that means that "In-App Purchase" is enabled. The app runs file locally but when I create an IPA file and add it to Transporter for upload to App Store Connect I get the following error: "Validation failed (409) Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, key 'com.apple.developer.in-app-purchase' in 'Payload/[Removed].app/[Removed]' is not supported. (ID: [Removed])". Here is the structure of my csproj code for creating a IPA file for iOS: The command I use: dotnet publish [Removed]/app.csproj -f:net9.0-ios -c:Release ^ /p:PlatformTarget=Arm64 ^ /p:RuntimeIdentifier=ios-arm64 ^ /p:ServerAddress=[Removed] ^ /p:ServerUser=[Removed] ^ /p:ServerPassword=[Removed] ^ /p:ArchiveOnBuild=true ^ /p:BuildIpa=true I'm stuck trying to figure this out. If you could please point out any issues with what I'm doing or if you have any suggestions to resolve the problem I would very much appreciate it. Thanks, Ben

Hello, I'm working in Xcode Version 16.4. I have not been able to sign in without errors. I've paid for the dev account. I've created certificates. Downloaded and uploaded CSRs. Use background mode, not used background mode. Nothing seems to work. Thank you for looking into this! Hopefully you can point me in the right direction or find a solution. Attached screenshots with errors.

I added a extension called Call Directory to an IOS app as we want to call blocking and caller id. I was able to add App Groups to both runner and CallDirectory. I cannot see of add Call Directory capability. Am I missing something. I added the extension through the Call Directory Target template. If I try to add this to CallDirectory.enitlements manually com.apple.developer.callkit.call-directory call-blocking caller-identification i recieve this signing error. Provisioning profile "iOS Team Provisioning Profile: "" doesn't include the com.apple.developer.callkit.call-directory entitlement. I cannot add Call Directory to an identifier in Apple Developer either.

Hello, I'm developing a feature for my app, that allows users to challenge their friends. The friend request functionality is built using Universal Links, but I've run into a significant issue. The Universal Links are correctly deep-linking into the app. However, once the app opens, nothing happens—the friend request acceptance or rejection flow does not occur. This prevents users from completing friend requests and building their friend list. Here are examples of the Universal Links I'm generating: https://www.strike-force.app/invite?type=invite&userID=... https://www.strike-force.app/invite?type=invite&friendRequestID=... https://www.strike-force.app/profile?userID=... I've recently updated my cloudflare-worker.js to serve a paths array of ["*"] in the AASA file, so I believe the links themselves should be valid. Technical Details & Error Logs In the console, I am consistently seeing the following error message: Cannot issue sandbox extension for URL:https://www.strike-force.app/invite?token=7EF1E439-090B-4DF2-BE64-9904F50A3F8B Received port for identifier response: <(null)> with error:Error Domain=RBSServiceErrorDomain Code=1 "Client not entitled" UserInfo={RBSEntitlement=com.apple.runningboard.process-state, NSLocalizedFailureReason=Client not entitled, RBSPermanent=false} elapsedCPUTimeForFrontBoard couldn't generate a task port This error appears to be related to entitlements and process state, but I am not sure if it's the root cause of the Universal Link issue or a separate problem. The 'Client not entitled' error on line 3 has had me chasing down entitlements issues. But, I've added the Associated Domains entitlement with the proper applink URLs and verified this in my Developer Portal. I've regenerated my provisioning profile, manually installed it, and selected/de-selected Automatically Manage Signing. As well I've verified my AASA file and it's correctly being served via HTTPS and returning a 200. curl -i https://strike-force.app/.well-known/apple-app-site-association curl -i https://www.strike-force.app/.well-known/apple-app-site-association I am looking for guidance on why the friend request flow is not being triggered after a successful deep-link and how I can fix the related error. Any insights or suggestions would be greatly appreciated.

An open-source app that I bundle for macOS needs to use the disable-library-validation entitlement. In spite of TN3125: Inside Code Signing: Provisioning Profiles | Apple Developer Documentation#Entitlements-on-macOS claiming that hardened runtime entitlements don't need provisioning profiles and the app successfully notarizing, trying to run the app fails with the error "Disallowing because no eligible provisioning profiles found". So I created a provisioning profile, but when creating the App ID the only selection that seemed relevant was Hardened Runtime. That turns out not to include disable-library-validation so now launching fails with "Unsatisfied entitlements: >com.apple.security.cs.disable-library-validation" What's the right capability?

Hi Apple DTS & community folks, I’m reaching out regarding an issue we’ve encountered with the com.apple.developer.mail-client capability for our app (bundle identifier: so.notion.Mail). We were granted this entitlement last week to allow the app to be set as a default Mail client. While everything works as expected when archiving and distributing builds locally in Xcode, we’re running into a problem when using Xcode Cloud. Specifically, Xcode Cloud attempts to archive and distribute an Ad-Hoc build, but the Ad-Hoc provisioning profile does not include this special entitlement. Since we’re using Xcode-managed profiles, we don’t have the ability to create or adjust an explicit profile ourselves. This issue only arises in Xcode Cloud—local distribution works unless we explicitly attempt an Ad-Hoc build (which is not our intent). I’ve included a screenshot of the error for reference. We found this forum post describing the same issue, where the resolution was Apple enabling the entitlement for Ad-Hoc builds. We’d like to request that Apple enable this capability for Ad-Hoc builds for the Notion Mail application so that Xcode Cloud distribution functions correctly. Thank you for your help!

Hi, I just released a new version of an app that was transferred from another developer account. The previous version of this app used the App Groups feature to store some important data, and I would like to retrieve that data. In the new version, I’m using the same bundle identifier and the same App Group ID (which has already been deleted from the original developer account). I also added the App Groups entitlement in the project settings and set the same App Group ID. However, I still cannot access the data in the App Group. From the documentation and issues I’ve found, it seems that an app should still have permission to access the same App Group after being transferred. Did I miss something? Thanks!

I am receiving an entitlement error from stripe terminal SDK when integrating Tap to Pay from apple in the info.plist. Im hoping that someone can give me their input on my error output rather than diving into the stripe sdk to point me in the right direction of something I may have missed with entitlements. I have been approved for tap to pay entitlement and am following the instructions here from apple: https://developer.apple.com/documentation/proximityreader/setting-up-the-entitlement-for-tap-to-pay-on-iphone com.apple.developer.proximity-reader.tap-to-pay

I have a macOS app that captures screen images. The first time I run this application, a dialog is shown directing the user to give my app Screen Recording permission. Is there a way I can trigger this dialog earlier and detect whether the permission was granted?

We were recently approved for the "User Assigned Device Name" for a specific app Identifier. The "Additional Capabilities" tab isn't present on that App ID. I am an admin in the developer portal, and this does not appear for the account holder as well. Any help would be appreciated.

Hello Apple Community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. The top-level app is built with Xcode 16.1 and it's written 100% in Swift6. For test purposes we are running the app on MacOS Sequoia 15.0, 15.1 and Sonoma 14.4. The app can be downloaded via TestFlight and Console app shows the next errors: Crash Reports python3.11 Application Specific Signatures: Unable to get bundle identifier for container id python3: Unable to get bundle identifier because Info.plist from code signature information has no value for kCFBundleIdentifierKey. tccd process error Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=62822, auid=502, euid=502, binary_path=[PATH TO SAMPLEAPP]]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=577, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, The next documents were helping a lot to reach the current state althought sometimes I was not sure how to apply them in this python interpreter context: Signing a daemon with a restricted entitlement Embedding a command-line tool in a sandboxed app XPC Rendezvous, com.apple.security.inherit and LaunchAgent Placing content in a bundle There are a lot of details that I will try to explain in the next lines. Once archived the app, it looks like this: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/Info.plist SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/Python.bundle And this is how Python.bundle looks like: Python.bundle/Contents Python.bundle/Contents/Info.plist Python.bundle/Contents/Resources Python.bundle/Contents/Resources/bin Python.bundle/Contents/Resources/bin/python3.11 <- Python executable Python.bundle/Contents/Resources/lib Python.bundle/Contents/Resources/lib/python3.11 <- Folder with python libraries This is the Info.plist associated with Python.bundle: <dict> <key>CFBundleIdentifier</key> <string>com.sampleapp.app.Python</string> <key>CFBundleName</key> <string>Python</string> <key>CFBundleVersion</key> <string>1.0</string> <key>CFBundlePackageType</key> <string>BNDL</string> </dict> For some reason Bundle Identifier is ignored. Created a Python target and added to the main app, I selected the Bundle template. In Python target I made the next customizations: Enabled the Skip Install (SKIP_INSTALL) build setting. Disabled the Code Signing Inject Base Entitlements Added entitlements com.apple.security.inherit to it, with a Boolean value of true. Tried to set Other Code Signing Flags (OTHER_CODE_SIGN_FLAGS) build setting to: $(inherited) -i $(PRODUCT_BUNDLE_IDENTIFIER) But I had to remove it because I could not get rid of this error "-i com.sampleapp.app.Python: No such file or directory" Created a python.plist and set it in the Packaging Build Settings section. I set Generate Info.plist File to No In this document: Embedding a command-line tool in a sandboxed app Says: "Add the ToolX executable to that build phase, making sure Code Sign On Copy is checked." But I could not do it to avoid duplicates, since the bundle itself contains the executable too. I'm not sure how to handle this case. Tried to add python3.11 executable in the bundle MacOS folder, but bundle executableURL returned nil and I could not use python from the code. This is how I get Python bundle from code: static var pythonBundle: Bundle? { if let bundlePath = Bundle.main.path(forResource: "Python", ofType: "bundle"), let bundle = Bundle(path: bundlePath) { return bundle } return nil } Created Python.entitlements with the next key-values: <key>com.apple.security.app-sandbox</key> <true/> and it is used in an Archive Post-action of SampleApp, in order to sign the python executable of Python.bundle as follows: codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$DEVELOPER_ID_APPLICATION" "$ARCHIVE_PATH" The reason of using an Archive Post-action is becauses signing from a Python.bundle Build phase was generating errors related to Sandboxing. These are the entitlements to codesign SampleApp: <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.inherit</key> <true/> </dict> Most probably I was mixing concepts and it seems created some confusion. We would really love to get some advice, Thanks!

Hi, I just updated my machine to macOS 15, and while developing and running my app (with Xcode), I keep getting messages about my app "would like to access data from other apps". This happens even from Xcode Previews, so it's pretty annoying. My production app doesn't seem to be affected by this problem; the system prompt just pops when running the debug version. I came across something about App Groups in macOS and how something has changed in macOS15 regarding system permissions. I use the "group.***" prefix in my macOS app, without the team prefix. Is that the problem here? But why is my production app working fine, but the development app is triggering the prompt repeatedly? Would love any feedback or workarounds. Thanks.

I want to use the com.apple.vm.networking entitlement which has a note: This entitlement is restricted to developers of virtualization software. To request this entitlement, contact your Apple representative. https://developer.apple.com/support/technical/ says: « Request entitlements using entitlement forms and ask for status updates in the resulting email thread. » but I haven't been able to find these "entitlement forms". Does anyone know what the right process is to request an entitlement?

I applied for the Family Controls (Distribution) entitlement on November 22nd. But I never received a confirmation email after I submitted the request. I then reached out to support who said they would check with the internal team to at least confirm if I had applied. It's now been 20 days and I have received no updates on the status of my application. This entitlement is existential to my app and I have been completely blocked while waiting for this as I can't even distribute the app on TestFlight. I've considered reapplying again just to be safe, but I am worried that might make things worse. I am a bootstrapped solo founder, and a prolonged delay (or outright denial) of this entitlement would be devastating to me. Does anyone have any advice on where to go from here?

I've got a Flutter app that is a “reader” app. The External Link Account Entitlement has already been requested and granted. It is already added as an Additional Capability to the App ID. The com.apple.developer.storekit.external-link.account entitlement is already present in the .entitlements file. Also SKExternalLinkAccount key is added to the Info.plist file with the correct URL. ExternalLinkAccount.open() is invoked via a MethodChannel call handler and things work perfectly in debug mode. The modal appears as expected and opens the link in the external browser. Xcode archive is also sucessful and the entitlement seems to be in place when inspecting the app with: codesign -d --entitlements :- ./path/to/app But when trying to distribute the app via Xcode the entitlement disappears. Other entitlements are not affected by this issue, eg.: com.apple.developer.associated-domains for universal links. This happens with automatically managed singing and a manually selected provisioning profile as well. When inspecting the latter in Xcode the necessary capability and entitlement is included. But when distributing to App Store Connect the entitlement disappears with both recommended and custom settings. I ran flutter clean mulitple times. What am I missing here?

I keep getting this error when trying to install Audio app extension. Everything is reviewed from certificates to profiles, for some reason CreatingCustomAudioEffects sample is deployed correctly but when Creating new Project (Audio Extension App) from new project Option, it doesn't work at all. If I remove Extension from Frameworks and deploy app, then no problem but then App crashes as extension is missing. Something wrong with Xcode? I am pretty sure it used to build new projects but not anymore. Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.0k1RXy/extracted/AudioUnitsAppExtensionTest.app : 0xe8008015 (A valid provisioning profile for this executable was not found.) Please ensure sure that your app is signed by a valid provisioning profile. If this issue persists, please attach the following when sending a report to Apple: A sysdiagnose from this Mac A sysdiagnose from the device failing installation An IPA of the app failing installation

Hello, I went through the verification process to get the Tap to Pay on iPhone entitlement, and after a couple of corrections I was finally assured that I was granted the entitlement for production use. However, in App Store Connect, I can only see "Development" for "Provisioning Support" of the entitlement, and I'm not able to publish the app to Testflight because the profile doesn't support the entitlement (I'm using automatic code signing with XCode). Where is this going wrong? The Tap to Pay support assured me they granted the right entitlement and pointed me to the developer support. Thank you, Johannes

We've been trying to get the CarPlay Navigation Entitlement for a couple years now without much luck. Did you have a similar experience? How did you succeed getting the entitlement? Part of the form requires us to submit Screenshots. Did you provide screenshots of your on-device experience or wireframe for CarPlay? How was your experience?

Hello everyone, I’ve been stuck for weeks on an issue with Family Controls + Device Activity entitlements in my iOS app, and Apple Developer Support has not provided a solution so far. I’m hoping someone here who has successfully implemented Family Controls + Device Activity can point me in the right direction. About the App • The app is a Digital Wellbeing app called Breakloop. • It lets users select apps they want to block, requires them to complete a positive affirmation before opening those apps, and can re-block apps after a set time (e.g., 10 minutes). • This functionality exactly matches the purpose of Family Controls and Device Activity APIs. What Works So Far • Family Controls capability is enabled in the main app target in Xcode. • We have valid Apple Developer certificates (Apple Development) and a team account. • The main app builds and runs fine when using Family Controls alone. • We have App IDs for: • bl.Breakloop (main app) • bl.Breakloop.BreakloopMonitorExtension • bl.Breakloop.BreakloopShieldConfigurationExtension The Problem The provisioning profiles for the extension targets (BreakloopMonitorExtension and BreakloopShieldConfigurationExtension) do not include the com.apple.developer.device-activity entitlement even though: • The App IDs in the Developer Portal have Family Controls (Development) enabled. • The extensions have the correct entitlements file with both: com.apple.developer.family-controls com.apple.developer.device-activity • Xcode Signing & Capabilities points to the correct provisioning profile + certificate. Because the provisioning profiles don’t include the entitlement, the build fails with: Provisioning profile doesn't include the com.apple.developer.device-activity entitlement. What Apple Support Said Apple Support told me: • “Family Controls grants access to Device Activity.” • They cannot enable it manually or guarantee that profiles will include the entitlement. • They sent links to the documentation but no further assistance. What I Need Help With 1. Has anyone successfully built extensions using Family Controls + Device Activity? 2. Do I need to request any additional approval for Device Activity, or should it appear automatically once Family Controls is enabled? 3. Is there a known Xcode or Apple Developer Portal configuration issue that causes the entitlement to be missing in provisioning profiles? 4. Any working example of a project setup that uses Family Controls + Device Activity in extensions would be extremely helpful. Extra Info • We use the latest Xcode + iOS SDK. • Tried recreating certificates, profiles, and App IDs multiple times. • Followed Apple’s docs for Family Controls + Device Activity exactly. I would greatly appreciate any guidance, especially from someone who has this working with iOS app extensions. Thank you!