Entitlements

RSS for tag

Entitlements allow specific capabilities or security permissions for your apps.

Entitlements Documentation

Post

Replies

Boosts

Views

Activity

Family control app uploading error
/Users/varunashokbhaisidpara/Desktop/Screenshot 2024-11-15 at 5.43.44 PM.png This error occurs When I try to upload an app on the test flight or App Store. I checked "Automatically manage signing" in the main target. and i have added extensions DeviceActivityMonitorExtension, ShieldConfigurationExtension, ShieldActionExtension, DeviceActivityReport. and all have selected "Automatically manage signing" in the target > signing and capability. pls provide me with an exact solution set by step. Thank you
2
0
95
2d
Endpoint Security entitlement while in dev
I'm working on a system extension leveraging endpoint security entitlement. However, while in development, is there a way to continue working and testing locally without having the endpoint security entitlement approved or needing the extension signed. I got these errors running a build: Provisioning profile "Mac Team Provisioning Profile: "com.xxxxx.extension" doesn't include the com.apple.developer.endpoint-security.client entitlement.
1
0
104
5d
Codesign dylib/framework with entitlements
Is it correct to codesign dylib/framewoks with entitlements? My understanding is that only executables need to have the entitlement and the dylibs loaded in that process will automatically inherit those entitlements. However, I am seeing a lot of scripts on the internet that are signing dylibs as well with entitlements. For eg - # sign *.dylibs find "$APP_BUNDLE" -type f -name "*.dylib" -exec codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_FILE" --sign "$SIGNING_IDENTITY" {} \; Is this even allowed? I know of at least one app that has passed notarization checks as well. If allowed, can a dylib have more entitlements than the process that loaded it?
1
0
151
1w
External Link Account Entitlement Status
It seems as though requesting External Link Account Entitlement via the form is a bit of a black box. Is there a way to check on the status of our request? The app review team has informed me that they don't have any connection to the Account Entitlement teams so they unfortunately cannot help. Is there a way to check on our apps status or what we might need to change to have External Link Account Entitlement granted? Thanks
3
0
692
Mar ’23
Persistent File Access Prompt in macOS 15 for Ad-Hoc Signed Apps Using App Groups
Hello everyone, We develop an app called Unite (bundle ID: com.BZG.Unite), which allows users to create standalone macOS applications from websites. These user-generated apps are based on a backend browser template called DefaultApp (bundle ID: com.bzg.default.app). Here's how our setup works: Unite and DefaultApp: Both are signed with our Developer ID and include necessary provisioning profiles and entitlements. User-Created Apps: When a user creates an app with Unite, it generates a customized version of DefaultApp with the user's chosen name and settings. These apps are ad-hoc signed upon creation to reflect their unique identity. Issue Since updating to macOS 15, every time a user launches a created app, they encounter a persistent prompt asking for permission to access files outside the app's container. Granting full disk access in System Preferences suppresses the prompt, but this is not a practical solution for end-users. Upon launching a user-created app (e.g., "ExampleTest"), the following prompt appears: This prompt appears on every launch of the app. Steps to Reproduce On a Mac running macOS 15, create a new app using Unite (e.g., "ExampleTest"). Launch the newly created app. Observe the prompt requesting access to files outside the app's container. Close and relaunch the app; the prompt appears again. What We Have Tried Given that our apps use an app group (group.BZG.unite.sharedData) to share data between Unite, DefaultApp, and user-created apps, we believe this is triggering the prompt due to changes in System Integrity Protection (SIP) in macOS 15. We are further confident given that if the user does not allow access, the app does launch, but shows an error indicating that the created app was unable to access the data that is typically in the shared group. Here’s a summary of our troubleshooting efforts: 1. Adjusting App Group Configuration Ensured the app group name aligns with Apple's guidelines, including prefixing with the Team ID (teamid.group.BZG.unite.sharedData). Verified that the app group is correctly declared in the com.apple.security.application-groups entitlement. 2. Provisioning Profile Creation Generated provisioning profiles via Xcode and the Developer Console, ensuring the app group entitlement is included. Applied the provisioning profile to the user-created app during code signing. Despite these efforts, the issue continues. 3. Entitlements and Code Signing Created an entitlements file for the user-created app, mirroring the entitlements from DefaultApp, including: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>id.com.BZG.ExampleTest</string> <key>com.apple.developer.team-identifier</key> <string>id</string> <key>com.apple.security.application-groups</key> <array> <string>id.group.BZG.unite.sharedData</string> </array> <key>com.apple.security.app-sandbox</key> <true/> </dict> </plist> Signed the user-created app with our Developer ID and the provisioning profile Verified the entitlements 4. Reviewing System Logs Observed error messages indicating unsatisfied entitlements: message: com.BZG.ExampleTest: Unsatisfied entitlements: com.apple.security.application-groups **5. Consulting Documentation and WWDC Sessions ** Referenced post on App Groups in macOS vs iOS. Reviewed the macOS 15 Release Notes regarding SIP and app group container protection. Watched WWDC 2024 Session 10123: What's new in privacy, starting at 12:23. Questions Is there a way to authorize the com.apple.security.application-groups entitlement in the provisioning profile for ad-hoc signed apps? Given the SIP changes in macOS 15, how can we enable our ad-hoc signed, user-generated apps to access the app group container without triggering the persistent prompt? Are there alternative approaches to sharing data between the main app and user-generated apps that comply with macOS 15's SIP requirements? Is there anything to try that we're missing here to solve this? Any guidance on how to resolve this issue or workarounds to allow app group access without triggering the prompt would be greatly appreciated. Thank you for your assistance!
1
0
158
2w
App Extensions do not contain correct iCloud Key Value Store identifier in provisioning profile after app transfer
I recently completed an app transfer from one developer account to another (both controlled by me). The old team ID was GZS3K47B3Y, the new one is LRG5645LP7. Almost everything is working properly, but I am seeing that my iCloud Key-Value store (NSUbiquitousKeyValueStore) is no longer shared across my app and app extensions after the transfer. Previously, my app and app extensions all shared a single iCloud Key-Value store, and they could all read/write to the same iCloud synced store. This is no longer working after the app transfer. According to this support page (https://developer.apple.com/help/app-store-connect/transfer-an-app/overview-of-app-transfer): "If your app uses iCloud Key-Value Storage (KVS), the full KVS value will be embedded in any new provisioning profiles you create for the transferred app. Update your entitlements plist with the full KVS value in your provisioning profile." This seems to be the case for the main app, whose provisioning profile contains the full value: com.apple.developer.ubiquity-kvstore-identifier: GZS3K47B3Y.com.serpentisei.studyjapanese But the app extension's provisioning profile now contains: com.apple.developer.ubiquity-kvstore-identifier: LRG5645LP7.* Is there a way to update the app extension provisioning profile to also include the original identifier from before the transfer, so that I can continue to share iCloud KVS access across the app and extension? Thanks!
1
0
224
2w
Family Controls Distribution Approval
I've submitted several requests for Family Controls Distribution access for all of my app targets over two weeks ago and have not gotten any response. The app I've been working on for over a year is finally ready to beta test to 200+ waitlisted users but this final roadblock is killing me! Anyone know what to do? Is there anyone else I could reach out to other than the apple request form to get help with this? Thank you!
1
0
421
Sep ’24
App Groups and macOS 15
Hi, I just updated my machine to macOS 15, and while developing and running my app (with Xcode), I keep getting messages about my app "would like to access data from other apps". This happens even from Xcode Previews, so it's pretty annoying. My production app doesn't seem to be affected by this problem; the system prompt just pops when running the debug version. I came across something about App Groups in macOS and how something has changed in macOS15 regarding system permissions. I use the "group.***" prefix in my macOS app, without the team prefix. Is that the problem here? But why is my production app working fine, but the development app is triggering the prompt repeatedly? Would love any feedback or workarounds. Thanks.
7
1
311
Oct ’24
Application for endpoint security distribution permission was rejected
Hey folks, I developed a DLP program based on Endpoint Security for the enterprise, and everything functioned normally. I also applied for the development permission of Endpoint Security before, which took 3 months. Now I want to distribute the software internally, so I tried to apply for a certificate for distribution permission. After waiting for 3 months, Apple told me that the permission was rejected. This is the replay content: Thank you for your interest in Endpoint Security. After carefulconsideration, we regret that we're unable to approve your request at this time. If you'd like to submit another request for this capability, please review andconfirm that your app details and justification meet the criteria before resubmittting. Rejecting duplicate request. Apple Developer Relations I don't know what's wrong, what should I do to get distribution or developer id permissions.
0
0
136
2w
Issues with Embedding Python Interpreter in MacOS App Distributed via TestFlight
Hello Apple Community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. The top-level app is built with Xcode 16.1 and it's written 100% in Swift6. For test purposes we are running the app on MacOS Sequoia 15.0, 15.1 and Sonoma 14.4. The app can be downloaded via TestFlight and Console app shows the next errors: Crash Reports python3.11 Application Specific Signatures: Unable to get bundle identifier for container id python3: Unable to get bundle identifier because Info.plist from code signature information has no value for kCFBundleIdentifierKey. tccd process error Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=62822, auid=502, euid=502, binary_path=[PATH TO SAMPLEAPP]]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=577, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, The next documents were helping a lot to reach the current state althought sometimes I was not sure how to apply them in this python interpreter context: Signing a daemon with a restricted entitlement Embedding a command-line tool in a sandboxed app XPC Rendezvous, com.apple.security.inherit and LaunchAgent Placing content in a bundle There are a lot of details that I will try to explain in the next lines. Once archived the app, it looks like this: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/Info.plist SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/Python.bundle And this is how Python.bundle looks like: Python.bundle/Contents Python.bundle/Contents/Info.plist Python.bundle/Contents/Resources Python.bundle/Contents/Resources/bin Python.bundle/Contents/Resources/bin/python3.11 <- Python executable Python.bundle/Contents/Resources/lib Python.bundle/Contents/Resources/lib/python3.11 <- Folder with python libraries This is the Info.plist associated with Python.bundle: <dict> <key>CFBundleIdentifier</key> <string>com.sampleapp.app.Python</string> <key>CFBundleName</key> <string>Python</string> <key>CFBundleVersion</key> <string>1.0</string> <key>CFBundlePackageType</key> <string>BNDL</string> </dict> For some reason Bundle Identifier is ignored. Created a Python target and added to the main app, I selected the Bundle template. In Python target I made the next customizations: Enabled the Skip Install (SKIP_INSTALL) build setting. Disabled the Code Signing Inject Base Entitlements Added entitlements com.apple.security.inherit to it, with a Boolean value of true. Tried to set Other Code Signing Flags (OTHER_CODE_SIGN_FLAGS) build setting to: $(inherited) -i $(PRODUCT_BUNDLE_IDENTIFIER) But I had to remove it because I could not get rid of this error "-i com.sampleapp.app.Python: No such file or directory" Created a python.plist and set it in the Packaging Build Settings section. I set Generate Info.plist File to No In this document: Embedding a command-line tool in a sandboxed app Says: "Add the ToolX executable to that build phase, making sure Code Sign On Copy is checked." But I could not do it to avoid duplicates, since the bundle itself contains the executable too. I'm not sure how to handle this case. Tried to add python3.11 executable in the bundle MacOS folder, but bundle executableURL returned nil and I could not use python from the code. This is how I get Python bundle from code: static var pythonBundle: Bundle? { if let bundlePath = Bundle.main.path(forResource: "Python", ofType: "bundle"), let bundle = Bundle(path: bundlePath) { return bundle } return nil } Created Python.entitlements with the next key-values: <key>com.apple.security.app-sandbox</key> <true/> and it is used in an Archive Post-action of SampleApp, in order to sign the python executable of Python.bundle as follows: codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$DEVELOPER_ID_APPLICATION" "$ARCHIVE_PATH" The reason of using an Archive Post-action is becauses signing from a Python.bundle Build phase was generating errors related to Sandboxing. These are the entitlements to codesign SampleApp: <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.inherit</key> <true/> </dict> Most probably I was mixing concepts and it seems created some confusion. We would really love to get some advice, Thanks!
16
1
407
Oct ’24
[Automaker App] Signing failed
Hi. I'm an iOS developer, We are creating a Automaker Carplay app for an Automaker provider, but we are facing some troubles: Xcode error: Provisioning profile "iOS Team Provisioning Profile: BundleIdentifier" doesn't match the entitlements file's value for the com.apple.developer.carplay-protocols entitlement. We have the entitlements requested and approved by apple, but we cannot deploy the app in real devices. We don't know if we need to do an extra step. Thank you very much.
2
0
228
Oct ’24
user-assigned-device-name appstoreconnect permission
We are developing an application for local file discovery and transfer. We applied to Apple for two permissions. One is com.apple.developer.networking.multicast, which supports the four provisioning profiles: Development, Ad hoc, App Store Connect, and Developer ID. The other is com.apple.developer.device-information.user-assigned-device-name, but Apple only approved it for Development and Ad hoc, without granting App Store Connect support. This prevents us from using the user-assigned-device-name permission in the archive. Could you please clarify the situation? How can we get user-assigned-device-name supported for App Store Connect?
1
0
242
Oct ’24
user-assigned-device-name appstoreconnect permission
We are developing an application for local file discovery and transfer. We applied to Apple for two permissions. One is com.apple.developer.networking.multicast, which supports the four provisioning profiles: Development, Ad hoc, App Store Connect, and Developer ID. The other is com.apple.developer.device-information.user-assigned-device-name, but Apple only approved it for Development and Ad hoc, without granting App Store Connect support. This prevents us from using the user-assigned-device-name permission in the archive. Could you please clarify the situation? How can we get user-assigned-device-name supported for App Store Connect?
1
0
241
Oct ’24
macOS app with com.apple.developer.persistent-content-capture entitlement crashing on macOS 10.13.6
After adding com.apple.developer.persistent-content-capture entitlement the app crashes on macOS 10.13.6 with following crash report Process: Remote for Mac [20489] Path: /Applications/Remote for Mac.app/Contents/MacOS/Remote for Mac Identifier: com.cherpake.macrc.server Version: ??? Code Type: X86-64 (Native) Parent Process: ??? [1] Responsible: Remote for Mac [20489] User ID: 501 Date/Time: 2024-10-09 09:28:35.482 +0300 OS Version: Mac OS X 10.13.6 (17G14042) Report Version: 12 Anonymous UUID: A2BB761B-2A18-0E9E-2470-21BD6C22E7A8 Time Awake Since Boot: 780000 seconds System Integrity Protection: enabled Crashed Thread: 0 Exception Type: EXC_CRASH (Code Signature Invalid) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace CODESIGNING, Code 0x1 kernel messages: VM Regions Near 0 (cr2): --> __TEXT 0000000105bdc000-0000000105cdd000 [ 1028K] r-x/r-x SM=COW Thread 0 Crashed: 0 ??? 0x00000001099bb19c _dyld_start + 0 Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000 rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffeea023c10 r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000 r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000 rip: 0x00000001099bb19c rfl: 0x0000000000000200 cr2: 0x0000000000000000 Logical CPU: 0 Error Code: 0x00000000 Trap Number: 0 Binary Images: 0x105bdc000 - 0x105cdcff7 +??? (0) <AB898262-B28C-3B3E-881C-31A6363FF1F6> (null) 0x1099ba000 - 0x109a04adf +??? (551.5) <CB9BFB56-4511-36F1-A546-891FF770C01C> (null) External Modification Summary: Calls made by other processes targeting this process: task_for_pid: 0 thread_create: 0 thread_set_state: 0 Calls made by this process: task_for_pid: 0 thread_create: 0 thread_set_state: 0 Calls made by all processes on this machine: task_for_pid: 332075 thread_create: 0 thread_set_state: 0 VM Region Summary: ReadOnly portion of Libraries: Total=1584K resident=0K(0%) swapped_out_or_unallocated=1584K(100%) Writable regions: Total=8408K written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=8408K(100%) VIRTUAL REGION REGION TYPE SIZE COUNT (non-coalesced) =========== ======= ======= STACK GUARD 56.0M 2 Stack 8192K 2 __DATA 528K 5 __LINKEDIT 268K 4 __TEXT 1328K 3 shared memory 8K 3 =========== ======= ======= TOTAL 66.1M 13 Download link https://dl.cherpake.com/Remote-for-Mac-7962.pkg.zip
2
0
405
Oct ’24
Added trusted certificate without prompting the user
Hi, I need to import a trusted certificate to the system keychain without prompting the user. I’m importing the certificate with this command line: sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" <certificate> that running from the post install script of my PKG. I'm running the PKG from my daemon service. The certificate is imported to the keychain but it's not trusted. This is the error that i'm getting: sectrustsettingssettrustsettings: the authorization was denied since no user interaction was possible. What is the right why for doing it? Thanks
1
0
342
Sep ’24
Family Controls Capabilities missing from capabilities menu in XCode
I am developing an app that will utilize the Family Controls capability to use the DeviceActivity API. I understand that I need to request access to the Family Controls entitlement before releasing the app, but I am nowhere near that stage. I want to be able to test the Family Controls/Device Activity APIs while developing the app in debug mode, but I don't have the ability to add the Family Controls capability to my app. When I go to add it, it doesn't show up in the available options of capabilities to add. Do I need authorization for the Family Controls entitlement to even use the APIs in testing/development? Am I missing a prerequisite checkbox somewhere that would add the capability to the available options? I'm using XCode 16.0.
1
0
346
Sep ’24
Looks like the signed app losing entitlements
We would like to codesign up for the app that uses LuaJIT to be downloadable as the app with the identified developer on Apple silicon macOS. It means no targeting to the App Store which can be problematic due to LuaJIT usage. Looks like there is no problem making the application run with the signature, but the performance is really bad. All times are for running on an M2 chip, MacOS Sonoma 14.6. Our x86_64 build works fine. Reference LuaJIT benchmark takes around 0.15 seconds (seed 2, 100 runs). Same build for arm64 with ad-hoc signature, no entitlements, and needs around 1.8 seconds (seed 2, 100 runs) to run the same benchmark code. I created luajit_app in Xcode to investigate. It simply opens a window, you select Lua script, and it runs it and prints output to the text area. Signed by my developer ID, run from Xcode immediately after build: I see the same behaviors for the x86_64 build. It needs around 0.43 seconds (seed 2, 1000 runs) to finish the benchmark code. The arm64 build without added entitlements needs around 16 seconds (seed 2, 1000 runs). Added entitlements com.apple.security.cs.disable-executable-page-protection: The arm64 build typically needs around 0.14 seconds (seed 2, 1000 runs). Added entitlements com.apple.security.cs.allow-jit which fixed LuaJIT to use MAP_JIT flag: The arm64 build typically needs around 0.14 seconds (seed 2, 1000 runs). 2nd and other app runs need around 19 seconds for benchmark. Ad-hoc signed without developer ID and team, com.apple.security.cs.allow-jit: Run from Xcode The first app runs after the build/rebuild The arm64 build typically needs around 0.14 seconds (seed 2, 1000 runs), but the first run sometimes takes around 5 seconds (seed 2, 1000 runs). 2nd and next runs of the app The arm64 build typically needs around 19 seconds (seed 2, 1000 runs). Bad signed, signature fix from the command line: Signed with codesign --force --deep --sign MYID -o runtime --entitlements entitlements.plist luajit_app_bad_sign.app or AD-HOC Behaviors are similar to Xcode runs. The first time the app runs usually takes around 5 seconds and 0.14 seconds later for benchmark script. Sometimes first benchmark runs takes 5 seconds, the second run 19 seconds and later runs take 0.14 seconds. Later app runs typically fall to 19 seconds needed to do benchmark script. End I have also tried ad-hoc and the developer signature with both entitlements for the origin app, but no difference in time needs for the benchmark was observed. Any ideas what is going on?
6
0
322
Sep ’24
Problems with multi-platform apps using app groups on macOS 15
This post is in response to the information on app groups posted here: https://developer.apple.com/forums/thread/721701 I have a multi-platform (macOS and iOS) app that uses an app group to store the Core Data database, so that extensions and widgets can also access the database. It seems to be impossible to add an app group in Xcode that doesn't start with group.. When I use the team identifier as detailed here , Xcode prepends group. to the app group identifier. So far, I've simply been using an app group identifier that looks like this: group.com.example.MyAppName. This has worked on macOS and iOS. However, I noticed that when the app launches on macOS 15, the user is shown a dialog that says " would like to access data from other apps." If the user selects "Don't Allow", the app will crash, since it can't access the Core Data database located in the app group directory. How can I work around this, considering that this is a multi-platform app, and both the iOS and macOS versions need to store the Core Data database in the app group directory? What is the proper way to configure app groups for multi-platform apps?
7
3
751
Sep ’24