In my sandboxed MacOS app I want to access OSLogStore programmatically to fetch logs for multi-component application (app, libraries, deriver) for further analysis. According to the documentation, - https://developer.apple.com/documentation/oslog/oslogstore/3366102-local the app should have com.apple.logging.local-storeentitlement.
I have added this entitlement "by hand" to the entitlement file as I I can't find a correspondent entry in the Xcode -> Sign & Capabilities interface.
When I run the app, I get Unsatisfied entitlements: com.apple.logging.local-store error and the app doesn't start.
If I remove the entitlement, the app can't get access to the logd subsystem.
How can I add com.apple.logging.local-store to my app?
Should I request this not visible via Xcode configuration UI from apple?
Thanks!
Entitlements
RSS for tagEntitlements allow specific capabilities or security permissions for your apps.
Post
Replies
Boosts
Views
Activity
The documentation for CarPlay (https://developer.apple.com/documentation/carplay/requesting_carplay_entitlements) tells you to disable automatic signing in the section titled "Import the CarPlay Provisioning Profile":
Click All in the scope bar, and then deselect “Automatically manage signing”.
There have also been other posts in the past about the inability to use automatic signing with CarPlay: https://developer.apple.com/forums/thread/63468
However in a recent post of mine (https://developer.apple.com/forums/thread/717429?login=true&page=1#732392022) I was instructed how to set it up so that I could use automatic signing for the new user-assigned-device-name entitlement and it worked so I thought "Can I do the same thing for CarPlay?" and it seems to be working so far.
Is automatic signing with CarPlay now possible? We have been able to use automatic signing to archive successfully and run to real devices and verify that CarPlay is working. I'm crossing my fingers that we'll be able to submit and get the build approved and never have to touch manual signing again.
Hopefully it works and the documentation is just out of date.
It seems as though requesting External Link Account Entitlement via the form is a bit of a black box. Is there a way to check on the status of our request? The app review team has informed me that they don't have any connection to the Account Entitlement teams so they unfortunately cannot help.
Is there a way to check on our apps status or what we might need to change to have External Link Account Entitlement granted? Thanks
Hello,
I am currently facing an issue with my iOS app and its associated Preview extension. I am trying to save a file to a shared container using App Groups, so that my main app can read the file. The code works perfectly on the iOS simulator, but when I run the app on a physical device I encounter a "You don't have permission to save the file" error.
Here's the relevant code snippet:
let appGroupIdentifier = "group.com.yourcompany.yourapp"
func saveDataToSharedContainer(fileName: String, data: Data) -> Bool {
guard let containerURL = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: appGroupIdentifier) else {
print("Error: Unable to access the shared container.")
return false
}
let fileURL = containerURL.appendingPathComponent(fileName)
do {
try data.write(to: fileURL, options: .atomic)
print("Data saved to shared container successfully.")
return true
} catch {
print("Error: Unable to save data to shared container. \(error)")
return false
}
}
I have already verified the following:
App Groups capability is enabled for both the main app target and the extension target.
The App Group identifier is consistent in both the main app target and the extension target, as well as in the Swift code.
Provisioning profiles and signing certificates are up-to-date, and the issue persists after cleaning the project and resetting the provisioning profiles.
Despite trying these steps, the issue remains unresolved. This error is reproducible in a new project with a Preview extension.
I would greatly appreciate any insights or suggestions from the community to help me resolve this issue.
Thank you in advance!
I've heard family controls request forms can take up to weeks and even months...
I'm currently developing an app that requires the main target and also the app extension to both use Family Controls. Does this mean I need to request forms for both app bundles separately or just the main app?
If I have to wait weeks or even months for both then that's a bit painful tbh. Is there a way to distribute to testflight without getting approved for the family controls entitlement? Thanks
Hi!
I'm trying to move from CoreMedio I/O DAL Plug-In to CoreMedia I/O camera extensions, announced in macOS 12.3. I created a test extension, placed it inside my app bundle into Contents/Library/SystemExtensions and signed with codesigning certificate. But when I try to install my extension from inside my app, using this code (Swift):
func installDriver()
{
guard let extensionIdentifer = DriverInstaller.extensionBundle().bundleIdentifier else {
return
}
let activationReq = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifer, queue: .main)
activationReq.delegate = self
OSSystemExtensionManager.shared.submitRequest(activationReq)
}
I'm getting an error:
OSSystemExtensionErrorDomain error 8: Code Signature Invalid
which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out?
I'm posting here entitlements and codesign output for my extension and containing application for further information.
Executable=../Contents/Library/SystemExtensions/com..RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension
[Dict]
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 893K7MTL2H. com..
[Key] com.apple.security.device.camera
[Value]
[Bool] true
Executable=**********/Contents/MacOS/*****
[Dict]
[Key] com.apple.application-identifier
[Value]
[String] 893K7MTL2H.com..RoomDevice
[Key] com.apple.developer.system-extension.install
[Value]
[Bool] true
[Key] com.apple.developer.team-identifier
[Value]
[String] 893K7MTL2H
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 893K7MTL2H. com..********
Executable=***/Contents/MacOS/****
Identifier=com..RoomDevice
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1345 flags=0x10000(runtime) hashes=31+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=3584714367d59119b462d0f830247d27ff1fbace
CandidateCDHashFull sha256=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12
Hash choices=sha256
CMSDigest=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12
CMSDigestType=2
Launch Constraints:
None
CDHash=3584714367d59119b462d0f830247d27ff1fbace
Signature size=4688
Authority=Developer ID Application: ****************(893K7MTL2H)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=01-Sep-2023 at 12:00:09 PM
Info.plist entries=22
TeamIdentifier=893K7MTL2H
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=6
Internal requirements count=1 size=216
Executable=/Contents/Library/SystemExtensions/com.*****.RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension
Identifier=com.******.RoomDevice.Extension
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=3627 flags=0x10000(runtime) hashes=102+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=70580825016b7e262fb15c280ba380ad4e871bc1
CandidateCDHashFull sha256=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f
Hash choices=sha256
CMSDigest=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f
CMSDigestType=2
Launch Constraints:
None
CDHash=70580825016b7e262fb15c280ba380ad4e871bc1
Signature size=4688
Authority=Developer ID Application: ************ Ltd. (893K7MTL2H)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=01-Sep-2023 at 12:00:05 PM
Info.plist entries=22
TeamIdentifier=893K7MTL2H
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=0
Internal requirements count=1 size=224
Please anyone help. Thanks in advance!
Hi,
We applied for Tap to Pay on iPhone entitlement and were approved, but on distribution support it's only showing Development.
We can build and debug Tap to Pay on development, but unable to build release.
We opened ticket with Apple support but they were saying it was configured correctly. I attached screenshot of our developer account entitlement for Tap to Pay. It clearly said Development only.
I am using Godot 4.2.1 and C# (.NET 8.0.1) to create an app. In Godot the app is exported to an XCode project so it can then be built to run on IOS devices. Access WiFi is checked in the Godot presets I have the multicast entitlement from Apple. Communication over UDP using Unicast to send and receive packets works correctly on iOS, macOS and Android devices.
To set the multicast entitlement, the project name is selected in XCode, to open a big dialog box with multiple tabs. Click on the tab Signing and Capabilities. To add the multicast to the project "+ Capability" is clicked, search for "multi" which brings up multicast networking. Click on multicast networking to add it to the project.
Then in the same dialog box, click the tab build settings and under "Signing" code signing identity is changed to iOS developer for all Debug and release items.
The project is then built and run on the iOS device. The symptom is that no multicast packets are received.
The multicast receiving code below works on macOS and Android devices so there must be something going on with the iOS devices that I'm missing.
The UDP server is configured in C# code as a _listener:
private const string MULTICAST_ADDRESS = "239.255.1.1";
private const int BCON_PORT = 49707;
_listener = new UdpClient();
_listener.ExclusiveAddressUse = false;
_listener.JoinMulticastGroup(IPAddress.Parse(MULTICAST_ADDRESS));
_listener.Client.Bind(new IPEndPoint(IPAddress.Any, BCON_PORT));
I encountered a problem while implementing DNS Proxy for Network Extension.
It consists of MyMyExt, a System Extension that implements DNS Proxy, and MyMyService, a container.
The system extension consists of classes that inherit the NEDNSProxyProvider.
Class has overrided "override init(), override func startProxy(...), override func stopProxy(...) override func handleNewFlow(...)"
Since the manager.loadFromPreferences(...) and manager.saveToPreferences(...) calls, system extensions and DNS Proxy have been added.
However, contrary to expectations, init(), startProxy(...), etc. are not being called.
(In System Settings → Network → Filter, DNS Proxy has been added, but is displayed as "Activated" and a yellow circle)
Here is the information that appears on the console.
... Omitted ...
MyMyService.MyMyExt [Info] DNSProxyManager.swift: 51 [-] DNSProxy: saved
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Adding a connection for client mDNSResponder[167]
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: handleNetworkDetectionNotification <MyMyService.MyMyExt>
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Received a restart command from nesessionmanager[1011]
nesessionmanager Registering session NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Resetting VPN On Demand
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] in state NESMVPNSessionStateIdle: update configuration
nesessionmanager <NESMServer: 0x13ae0ac90>: <MyMyService.MyMyExt> Register DNS Proxy Session: NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Successfully registered
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: status changed to connecting
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] in state NESMVPNSessionStateIdle: received start message
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Leaving state NESMVPNSessionStateIdle
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Entering state NESMVPNSessionStatePreparingNetwork
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Cannot create agent for plugin type MyMyService.MyMyExt, missing designated requirement
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Failed to create an NEAgent
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Leaving state NESMVPNSessionStatePreparingNetwork
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds
... Omitted ...
Perhaps the key is the "Cannot create agent for plugin type MyMyService.MyMyExt, missing designated requirement" recorded in the log.
But I can't find out what this message is about or how to resolve it.
and, here is my code, more info at my previous post.
I ask for your help.
Thank you, for your attention.
Do I need an entitlement to use the ARWorldTrackingConfiguration and get that data in RoomPlan enhancements being done?
I got approved for ProximityReader APIs for Apple Tap to Tay on iPhone.
The Setting up the entitlement for Tap to Pay on iPhone guide says to look for "Additional Capabilities."
I do not see it under my Certificates, Identifiers & Profiles.
Where should I look?
Hello! Firstly, I am submitting an entitlement request to access the E-sim configuration for the iOS application. While filling out the form, I encountered an issue with providing carrier information. The form is designed for a single carrier, but I have five carriers. Should I list all of them?
Secondly, I have come across numerous discussions online regarding the time it takes to process such requests. Could you please provide me with an estimated timeframe for completion? Our customer is interested in completing the feature within a month.
Thanks
Hello everyone!
Since iOS 17.4, it's now easier to set up an eSIM from a browser/email or with a link. We can now longpress the QR code to get the option to add an eSIM. Is it still required to have that private entitlement to enable the same functionality in-app but not in a browser? Seems odd. I can store QR codes on Imgur to install eSIM but can't do the same with my native app by CTCellularPlanProvisioning.addPlan method. Redirecting users to the browser seems like a workaround, but it creates a noticeable discrepancy in usability.
I might have overlooked some SDK updates or new methods. Are there any new approaches to enable in-app eSIM setup with the latest update?
Secondly, in the "Other eSIM activation methods" section of this page, a special link is mentioned, but I couldn't find any examples or resources for that.
Thanks
I have a macOS app which contains a dext. I'd like to distribute it to external testers using TestFlight, so it has to pass Mac App Store review. It failed, because the App Sandbox entitlement was missing.
I checked the app, it has the entitlement, but the dext does not. However, the .entitlements file used by the dext does contain App Sandbox set to true.
I tried adding a "fake-entitlement" value to the .entitlements file, and that made it into the dext's code signature, but the App Sandbox entitlement appears to be stripped out by the build process?
For a dext target, it isn't possible to add the App Sandbox capability in Xcode's Signing and Capability section. I have to add the entitlement manually in the .entitlement file (or it was put there by the Xcode driver template, I don't remember).
I've tried clean building several times, I've tried Xcode 15.0.1, 15.2 and 15.3, but the result is always the same. I'm inspecting the entitlements using
codesign -dvvv --entitlements -
Does anyone know what I can do to put the App Sandbox entitlement into my dext's signature? Is this happening to anyone else?
I requested the com.apple.developer.device-information.user-assigned-device-name entitlement on Feb 11 and received an email reply stating "We’ll contact you within a few weeks with your request status." However, it's been more than a month without any updates.
Can anyone chime in with their experience RE: how long it took for Apple to review their request for this entitlement?
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_device-information_user-assigned-device-name
After updating to Xcode 15.3 and Sonoma, I started getting an error when packaging my app:
Provisioning profile failed qualification
Profile doesn't include the com.apple.developer.mail-client entitlement.
There is no indication in the documentation that this has anything to do with the provisioning profile, and there is no capacility that needs to be added.
I was given the "com.apple.developer.mail-client" entitlement from Apple over a year ago as documented in: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_mail-client, and it worked fine until now.
Hi All,
I submitted a Family Controls Request Form but haven't heard back. I didn't get any case id when I submitted the request, so how do you track it and know when It is approved?
I'm currently developing an app that requires the main target and also the app extension to both use Family Controls. Does this mean I need to request forms for both app bundles separately or just the main app?
This is really worrying for us as our project is almost ready and we are unable to launch it :( . Would appreciate any responses.
Thanks,
Hey, I am trying to use Family Controls in Mac Catalyst. On the iOS app it works fine. On macOs using Mac Catalyst it builds fine but I get following console output.
Failed to get service proxy: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.FamilyControlsAgent was invalidated: failed at lookup with error 159 - Sandbox restriction." UserInfo={NSDebugDescription=The connection to service named com.apple.FamilyControlsAgent was invalidated: failed at lookup with error 159 - Sandbox restriction.}`
When i try to open the FamilyActivityPicker on the macOs app following error is displayed in the GUI.
The operation could not be completed. (FamilyControls.ActivityPickerRemoteView Error error 2.)
Do I need a familyControls capability for macOs? If yes, I only find it for iOS.
Thanks for hints and help :)
Hello,
I am writing a Desktop application for macOS with XCode.
This application will be available on app store. So, i have to put sandbox entitlement.
So, this application won't be able to access Desktop folder. It will be jailed into a specific directory to store datas.
I have installed a macOS application from appstore. When I launched this application, I got a TCC prompt, asking me to allow this application to access Desktop (or Downloads I don't remember). How can this be possible ?
I have tried to write a sandboxed application which tries to access to Desktop folder. I didn't get any TCC prompt: My access was rejected.
How can I ask to access Desktop folder from I sandboxed application ?
Thanks a lot
**Why does using CameraPicker require user authorization through a pop-up? **
Why don't ImagePicker or PhotoPicker require additional pop-up authorizations for accessing the photo library? All of these are implemented using UIImagePickerController, so why does one require a pop-up and the others do not?
Additionally, I thought that by configuring the picker, I would theoretically not need any permissions. If permissions are still required, wouldn’t it make more sense to directly request camera permissions and utilize the native camera functionality? What then are the advantages of using the picker?