Hello I work for a company which is not itself a carrier, however we develop applications on behalf of carriers (the relationship between us and several large household name US carriers has existed for many years). The applications that we develop typically need carrier and/or special entitlements, for example: com.apple.CommCenter.fine-grained/public-subscriber-info com.apple.developer.coretelephony.sim-inserted com.apple.developer.pushkit.unrestricted-voip com.apple.developer.usernotifications.filtering com.apple.developer.associated-domains Obtaining those entitlements for the carrier applications that are released to the App Store is itself not a problem as the customers apply for them and they are duly granted and applied to the applications. However, what is a problem is working around the strict Apple development and distribution requirements and limitations, and the consequences that has given that the apps don't belong to our Apple account but the customers. Typically, a customer would provide us a developer certificate and set of provisioning profiles, but they would keep the distribution certificate and do the TestFlight/App Store release themselves. There's two limitations that come into play here, the first is that we can't distribute the app to TestFlight and secondly, we can only install the customer's apps on hardware registered with their Apple account. Given how the limitation for that is 100 in total, and these are large companies, they just don't have slots available and hence we might have a single device on which their app can run. These are very severe limitations given the complex nature of the applications and the need to have several developers/testers involved, which isn't possible. To mitigate those limitations we have "mirror" versions of customers' apps, these are apps which are identical to the customer apps except they have bundle ids registered to our Apple account. This enables the apps to be developed by any number of developers and distributed via Testfight and hence to any number of testers. But the problem is, the functionality of the mirror apps is severely reduced due to the fact they don't have the entitlements of the customers' apps. To get to the point of the post - I would like to know if there any potential solutions to this? For example: could it be possible for our mirror applications to be granted required entitlements (given the relationships we have with the customers. I'm sure the customers could vouch for us as a company and the need for this) could the entitlements be granted if we switched the mirror apps over to an Enterprise account (as enterprise apps can't be released to the App Store)? any other technical options or suggestions? Thank you

Hi, We have recently been approved for Endpoint Security entitlement on our account. We have an application (golang) that we need to assign this entitlement and sign manually. We have packaged the entitlement correctly with the application. We have tried using a Developer ID Application certificate that we created before this entitlement was given to our account and also with a newly created certificate. However the application crashes when it is launched and I see the following error in the console logs (the full crash report is too big to post). Is there anything specific we need to do to attach the Endpoint Security entitlement to our certificate? Any help would be much appreciated, we have been stuck on this for a bit. Thanks Sriram Translated Report (Full Report Below) Incident Identifier: EAA48D72-705A-420B-8179-6D9049A81657 CrashReporter Key: 4F18A957-F0B8-BE5D-A1D7-74191ABCF38A Hardware Model: MacBookPro14,1 Process: endpoint-security-example-test [6728] Path: /Users/USER/*/endpoint-security-example-test Identifier: endpoint-security-example-test Version: ??? Code Type: X86-64 (Native) Role: Unspecified Parent Process: zsh [2463] Coalition: com.apple.Terminal [1663] Responsible Process: Terminal [2417] Date/Time: 2024-07-31 13:34:45.7397 -0700 Launch Time: 2024-07-31 13:34:45.7294 -0700 OS Version: macOS 13.6.8 (22G820) Release Type: User Report Version: 104 Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid)) Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: CODESIGNING 1 Taskgated Invalid Signature Triggered by Thread: 0 Thread 0 Crashed: 0 0x116b40070 _dyld_start + 0 1 ??? 0x1 ??? Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000 rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ff7b0da09d0 r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000 r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000 rip: 0x0000000116b40070 rfl: 0x0000000000000200 cr2: 0x0000000000000000 Logical CPU: 0 Error Code: 0x00000000 Trap Number: 0 Binary Images: 0x116b3b000 - 0x116bd6fff () <2b649d59-89d8-3db6-9ba4-a6aecba42f6e> ??? 0x10f15f000 - 0x10f21afff () <9440f210-132b-3da1-b7f5-4d2d62bc8e0d> ??? 0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ??? Error Formulating Crash Report: dyld_process_snapshot_get_shared_cache failed EOF

I am working on mac app development which will be distributed outside the App Store. I added the network extension capability to my project and created a bundle id and provisioning profile with the same feature. When I configured the provisioning profile using Xcode (manual signing), it was configured fine. But when I added the packet tunnel capability to my network extension, it started giving me an error. I have created a Developer ID Application Certificate and use it when creating a provisioning profile. I have followed steps mentioned here for doing same: Distribute outside the Mac App Store (macOS), Network Extensions Entitlement Is this any Xcode bug or am I missing something? Please check screenshot below for error.

Hi, I'm trying to get a smart card reader to run with Xcode. I set up the com.apple.security.smartcard entitlement in the .entitlements file and added it in Bild Settings -> Code Signing Entitlements. But when I run: codesign -d --entitlements - Path/to/App, nothing smart card related shows up. Also the TKSmartCardSlotManager.default isn't nil, but .slotNames are. Do I have to install some drivers manually? Please help.

When using the following API, is it expected that the app would require both incoming and outgoing permissions with App Sandbox? public func sendto(_: Int32, _: UnsafeRawPointer!, _: Int, _: Int32, _: UnsafePointer<sockaddr>!, _: socklen_t) -> Int Since I'm only sending UDP broadcasts, I would have expected outgoing to be sufficient. Thanks!

I'm trying to install from Xcode (15.4) to my physical device but I get the following error: Failed to install embedded profile for : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) The project was successfully building previously, but after encountering an issue while implementing Infobip (a 3rd party library for push notifications) where we weren't getting notifications sent from the Infobip dashboard, we had to change Provisioning Profile to one with a production setup for the aps-environment (given that the suggestion from the Infobip support team was to ensure that the provisioning profile and environment match). Note that it was development before. After downloading the new Provisioning Profile onto Xcode, the project fails to build now with the error mentioned above. I don't know what to do now, and I'm stuck.

Hello, My app used camera extension to implement virtual camera. After cosigned with Developer ID Application, My app can run on other mac. But can't run on MacOS 10.15. Print system log as follows: Aug 22 16:08:11 YL1150-C01177PG com.apple.xpc.launchd[1] (com.apple.xpc.launchd.oneshot.0x10000060.Presentation Assistant[95558]): Binary is improperly signed. Aug 22 16:08:20 YL1150-C01177PG com.apple.xpc.launchd[1] (com.yealink.PresentationAssistant.app.4612[95559]): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Applications/Presentation Assistant.app/Contents/MacOS/Presentation Assistant: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: Aug 22 16:08:20 YL1150-C01177PG com.apple.xpc.launchd[1] (com.yealink.PresentationAssistant.app.4612[95559]): Binary is improperly signed. Aug 22 16:08:51 YL1150-C01177PG com.apple.xpc.launchd[1] (com.apple.mdworker.shared.04000000-0700-0000-0000-000000000000[95551]): Service exited due to SIGKILL | sent by mds[114] My app entitlements is: ??qq?<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <false/> <key>com.apple.security.application-groups</key> <array> <string>xxxxx.com.yealink.PresentationAssistant.app</string> </array> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> <key>com.apple.security.device.microphone</key> <true/> <key>com.apple.security.device.camera</key> <true/> <key>com.apple.security.device.usb</key> <true/> <key>com.apple.security.device.bluetooth</key> <true/> <key>com.apple.security.device.print</key> <true/> <key>com.apple.security.device.audio-input</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.assets.pictures.read-write</key> <true/> <key>com.apple.security.files.downloads.read-write</key> <true/> <key>com.apple.security.assets.music.read-write</key> <true/> <key>com.apple.security.assets.movies.read-write</key> <true/> <key>com.apple.security.files.all</key> <true/> <key>com.apple.security.files.bookmarks.app-scope</key> <true/> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.cs.disable-executable-page-protection</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.cs.allow-dyld-environment-variables</key> <true/> <key>com.apple.security.automation.apple-events</key> <true/> <key>com.apple.developer.system-extension.install</key> <true/> </dict> </plist> I found that it works on macos 10.15 as long as I remove system-extension.install. What should I do?

We have a cross platform App available on Mac, iOS & soon tvOS. We are adding a new App Group to be used by this app. We also have a as yet unpublished future Mac Catalyst app that will need access to the App Group. The Apple docs suggest prefixing app groups on Mac with the team ID but not on other platforms. We would like to avoid prefixing with the team ID because: my understanding is that Mac Catalyst apps don't use the team ID and we would like to support that use case to communicate between our current cross platform app and the future catalyst app. Having a single code base but different group container IDs per platform means a bunch of extra conditional logic in the project we would rather avoid. So with that context our aim is to have an app group that is named consistently across platforms and meets sandboxing requirements for App Store distribution. However when developing using the non-team prefixed app group name on macOS Sequioa I see the following alert every time I launch the app. I have the App Group listed correctly in the entitlements file and if I change the app group name on macOS from group.com.example to (TEAMID).com.example then it works as expected so I think the rest of the setup is correct. Looking at the Sequoia Beta release notes it states: Specifically, the app must use FileManager to get the app group container path and meet one of the following requirements: the app is deployed through Mac App Store; the app group identifier is prefixed with the app’s Team ID; or the app group identifier is authorised by a provisioning profile embedded within the app. I am using Xcode managed signing and looking at the provisioning profiles I can see that the iOS one includes the app group but the macOS one does not. I assume that if I could somehow get the app group correctly add to the macOS provisioning profile then all would be good. But I am now stuck on how to get the app group added to the macOS provisioning profile. It seems whatever I try Xcode does not want to add it. Presumably this is because it expects you to instead use a team ID prefixed app group which would not need to be added. Is there any magic I can do to make this work with automatic signing? If not then how would I go about setting it up manually and is that the best solution?

I've submitted several requests for Family Controls Distribution access for all of my app targets over two weeks ago and have not gotten any response. The app I've been working on for over a year is finally ready to beta test to 200+ waitlisted users but this final roadblock is killing me! Anyone know what to do? Is there anyone else I could reach out to other than the apple request form to get help with this? Thank you!

Hello, I requested the Family Controls (Distribution) entitlement and was granted access: However, the "Additional Capabilities" Tab is not showing up in the associated App ID in "Certificates, Identifiers & Profiles": Thank you in advance, FCG

This post is in response to the information on app groups posted here: https://developer.apple.com/forums/thread/721701 I have a multi-platform (macOS and iOS) app that uses an app group to store the Core Data database, so that extensions and widgets can also access the database. It seems to be impossible to add an app group in Xcode that doesn't start with group.. When I use the team identifier as detailed here , Xcode prepends group. to the app group identifier. So far, I've simply been using an app group identifier that looks like this: group.com.example.MyAppName. This has worked on macOS and iOS. However, I noticed that when the app launches on macOS 15, the user is shown a dialog that says " would like to access data from other apps." If the user selects "Don't Allow", the app will crash, since it can't access the Core Data database located in the app group directory. How can I work around this, considering that this is a multi-platform app, and both the iOS and macOS versions need to store the Core Data database in the app group directory? What is the proper way to configure app groups for multi-platform apps?

We would like to codesign up for the app that uses LuaJIT to be downloadable as the app with the identified developer on Apple silicon macOS. It means no targeting to the App Store which can be problematic due to LuaJIT usage. Looks like there is no problem making the application run with the signature, but the performance is really bad. All times are for running on an M2 chip, MacOS Sonoma 14.6. Our x86_64 build works fine. Reference LuaJIT benchmark takes around 0.15 seconds (seed 2, 100 runs). Same build for arm64 with ad-hoc signature, no entitlements, and needs around 1.8 seconds (seed 2, 100 runs) to run the same benchmark code. I created luajit_app in Xcode to investigate. It simply opens a window, you select Lua script, and it runs it and prints output to the text area. Signed by my developer ID, run from Xcode immediately after build: I see the same behaviors for the x86_64 build. It needs around 0.43 seconds (seed 2, 1000 runs) to finish the benchmark code. The arm64 build without added entitlements needs around 16 seconds (seed 2, 1000 runs). Added entitlements com.apple.security.cs.disable-executable-page-protection: The arm64 build typically needs around 0.14 seconds (seed 2, 1000 runs). Added entitlements com.apple.security.cs.allow-jit which fixed LuaJIT to use MAP_JIT flag: The arm64 build typically needs around 0.14 seconds (seed 2, 1000 runs). 2nd and other app runs need around 19 seconds for benchmark. Ad-hoc signed without developer ID and team, com.apple.security.cs.allow-jit: Run from Xcode The first app runs after the build/rebuild The arm64 build typically needs around 0.14 seconds (seed 2, 1000 runs), but the first run sometimes takes around 5 seconds (seed 2, 1000 runs). 2nd and next runs of the app The arm64 build typically needs around 19 seconds (seed 2, 1000 runs). Bad signed, signature fix from the command line: Signed with codesign --force --deep --sign MYID -o runtime --entitlements entitlements.plist luajit_app_bad_sign.app or AD-HOC Behaviors are similar to Xcode runs. The first time the app runs usually takes around 5 seconds and 0.14 seconds later for benchmark script. Sometimes first benchmark runs takes 5 seconds, the second run 19 seconds and later runs take 0.14 seconds. Later app runs typically fall to 19 seconds needed to do benchmark script. End I have also tried ad-hoc and the developer signature with both entitlements for the origin app, but no difference in time needs for the benchmark was observed. Any ideas what is going on?

I am developing an app that will utilize the Family Controls capability to use the DeviceActivity API. I understand that I need to request access to the Family Controls entitlement before releasing the app, but I am nowhere near that stage. I want to be able to test the Family Controls/Device Activity APIs while developing the app in debug mode, but I don't have the ability to add the Family Controls capability to my app. When I go to add it, it doesn't show up in the available options of capabilities to add. Do I need authorization for the Family Controls entitlement to even use the APIs in testing/development? Am I missing a prerequisite checkbox somewhere that would add the capability to the available options? I'm using XCode 16.0.

Hi, I need to import a trusted certificate to the system keychain without prompting the user. I’m importing the certificate with this command line: sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" <certificate> that running from the post install script of my PKG. I'm running the PKG from my daemon service. The certificate is imported to the keychain but it's not trusted. This is the error that i'm getting: sectrustsettingssettrustsettings: the authorization was denied since no user interaction was possible. What is the right why for doing it? Thanks

I was granted permissions for family controls distribution for the main target of my app. Do I also need to request permission for the other targets like ShieldConfiguration, ShieldActionExtension, etc.? If no, how can i add the distribution capabilities to those targets?

After adding com.apple.developer.persistent-content-capture entitlement the app crashes on macOS 10.13.6 with following crash report Process: Remote for Mac [20489] Path: /Applications/Remote for Mac.app/Contents/MacOS/Remote for Mac Identifier: com.cherpake.macrc.server Version: ??? Code Type: X86-64 (Native) Parent Process: ??? [1] Responsible: Remote for Mac [20489] User ID: 501 Date/Time: 2024-10-09 09:28:35.482 +0300 OS Version: Mac OS X 10.13.6 (17G14042) Report Version: 12 Anonymous UUID: A2BB761B-2A18-0E9E-2470-21BD6C22E7A8 Time Awake Since Boot: 780000 seconds System Integrity Protection: enabled Crashed Thread: 0 Exception Type: EXC_CRASH (Code Signature Invalid) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace CODESIGNING, Code 0x1 kernel messages: VM Regions Near 0 (cr2): --> __TEXT 0000000105bdc000-0000000105cdd000 [ 1028K] r-x/r-x SM=COW Thread 0 Crashed: 0 ??? 0x00000001099bb19c _dyld_start + 0 Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000 rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffeea023c10 r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000 r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000 rip: 0x00000001099bb19c rfl: 0x0000000000000200 cr2: 0x0000000000000000 Logical CPU: 0 Error Code: 0x00000000 Trap Number: 0 Binary Images: 0x105bdc000 - 0x105cdcff7 +??? (0) <AB898262-B28C-3B3E-881C-31A6363FF1F6> (null) 0x1099ba000 - 0x109a04adf +??? (551.5) <CB9BFB56-4511-36F1-A546-891FF770C01C> (null) External Modification Summary: Calls made by other processes targeting this process: task_for_pid: 0 thread_create: 0 thread_set_state: 0 Calls made by this process: task_for_pid: 0 thread_create: 0 thread_set_state: 0 Calls made by all processes on this machine: task_for_pid: 332075 thread_create: 0 thread_set_state: 0 VM Region Summary: ReadOnly portion of Libraries: Total=1584K resident=0K(0%) swapped_out_or_unallocated=1584K(100%) Writable regions: Total=8408K written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=8408K(100%) VIRTUAL REGION REGION TYPE SIZE COUNT (non-coalesced) =========== ======= ======= STACK GUARD 56.0M 2 Stack 8192K 2 __DATA 528K 5 __LINKEDIT 268K 4 __TEXT 1328K 3 shared memory 8K 3 =========== ======= ======= TOTAL 66.1M 13 Download link https://dl.cherpake.com/Remote-for-Mac-7962.pkg.zip

We are developing an application for local file discovery and transfer. We applied to Apple for two permissions. One is com.apple.developer.networking.multicast, which supports the four provisioning profiles: Development, Ad hoc, App Store Connect, and Developer ID. The other is com.apple.developer.device-information.user-assigned-device-name, but Apple only approved it for Development and Ad hoc, without granting App Store Connect support. This prevents us from using the user-assigned-device-name permission in the archive. Could you please clarify the situation? How can we get user-assigned-device-name supported for App Store Connect?

Hello Apple Community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. The top-level app is built with Xcode 16.1 and it's written 100% in Swift6. For test purposes we are running the app on MacOS Sequoia 15.0, 15.1 and Sonoma 14.4. The app can be downloaded via TestFlight and Console app shows the next errors: Crash Reports python3.11 Application Specific Signatures: Unable to get bundle identifier for container id python3: Unable to get bundle identifier because Info.plist from code signature information has no value for kCFBundleIdentifierKey. tccd process error Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=62822, auid=502, euid=502, binary_path=[PATH TO SAMPLEAPP]]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=577, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, The next documents were helping a lot to reach the current state althought sometimes I was not sure how to apply them in this python interpreter context: Signing a daemon with a restricted entitlement Embedding a command-line tool in a sandboxed app XPC Rendezvous, com.apple.security.inherit and LaunchAgent Placing content in a bundle There are a lot of details that I will try to explain in the next lines. Once archived the app, it looks like this: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/Info.plist SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/Python.bundle And this is how Python.bundle looks like: Python.bundle/Contents Python.bundle/Contents/Info.plist Python.bundle/Contents/Resources Python.bundle/Contents/Resources/bin Python.bundle/Contents/Resources/bin/python3.11 <- Python executable Python.bundle/Contents/Resources/lib Python.bundle/Contents/Resources/lib/python3.11 <- Folder with python libraries This is the Info.plist associated with Python.bundle: <dict> <key>CFBundleIdentifier</key> <string>com.sampleapp.app.Python</string> <key>CFBundleName</key> <string>Python</string> <key>CFBundleVersion</key> <string>1.0</string> <key>CFBundlePackageType</key> <string>BNDL</string> </dict> For some reason Bundle Identifier is ignored. Created a Python target and added to the main app, I selected the Bundle template. In Python target I made the next customizations: Enabled the Skip Install (SKIP_INSTALL) build setting. Disabled the Code Signing Inject Base Entitlements Added entitlements com.apple.security.inherit to it, with a Boolean value of true. Tried to set Other Code Signing Flags (OTHER_CODE_SIGN_FLAGS) build setting to: $(inherited) -i $(PRODUCT_BUNDLE_IDENTIFIER) But I had to remove it because I could not get rid of this error "-i com.sampleapp.app.Python: No such file or directory" Created a python.plist and set it in the Packaging Build Settings section. I set Generate Info.plist File to No In this document: Embedding a command-line tool in a sandboxed app Says: "Add the ToolX executable to that build phase, making sure Code Sign On Copy is checked." But I could not do it to avoid duplicates, since the bundle itself contains the executable too. I'm not sure how to handle this case. Tried to add python3.11 executable in the bundle MacOS folder, but bundle executableURL returned nil and I could not use python from the code. This is how I get Python bundle from code: static var pythonBundle: Bundle? { if let bundlePath = Bundle.main.path(forResource: "Python", ofType: "bundle"), let bundle = Bundle(path: bundlePath) { return bundle } return nil } Created Python.entitlements with the next key-values: <key>com.apple.security.app-sandbox</key> <true/> and it is used in an Archive Post-action of SampleApp, in order to sign the python executable of Python.bundle as follows: codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$DEVELOPER_ID_APPLICATION" "$ARCHIVE_PATH" The reason of using an Archive Post-action is becauses signing from a Python.bundle Build phase was generating errors related to Sandboxing. These are the entitlements to codesign SampleApp: <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.inherit</key> <true/> </dict> Most probably I was mixing concepts and it seems created some confusion. We would really love to get some advice, Thanks!

We are developing an application for local file discovery and transfer. We applied to Apple for two permissions. One is com.apple.developer.networking.multicast, which supports the four provisioning profiles: Development, Ad hoc, App Store Connect, and Developer ID. The other is com.apple.developer.device-information.user-assigned-device-name, but Apple only approved it for Development and Ad hoc, without granting App Store Connect support. This prevents us from using the user-assigned-device-name permission in the archive. Could you please clarify the situation? How can we get user-assigned-device-name supported for App Store Connect?

Hi. I'm an iOS developer, We are creating a Automaker Carplay app for an Automaker provider, but we are facing some troubles: Xcode error: Provisioning profile "iOS Team Provisioning Profile: BundleIdentifier" doesn't match the entitlements file's value for the com.apple.developer.carplay-protocols entitlement. We have the entitlements requested and approved by apple, but we cannot deploy the app in real devices. We don't know if we need to do an extra step. Thank you very much.