DTS regularly receives questions about how to preserve keychain items across an App ID change, and so I thought I’d post a comprehensive answer here for the benefit of all. If you have any questions or comments, or other creative solutions!, please start a new thread here on DevForums, tagging it with Security so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" App ID Prefix Change and Keychain Access The list of keychain access groups your app can access is determined by three entitlements. For the details, see Sharing Access to Keychain Items Among a Collection of Apps. If your app changes its App ID prefix, this list changes and you’re likely to lose access to existing keychain items. This situation crops up under two circumstances: When you migrate your app from using a unique App ID prefix to using your Team ID as its App ID prefix. When you transfer your app to another team. In both cases you have to plan carefully for this change. If you only learn about the problem after you’ve made the change, consider undoing the change to give you time to come up with a plan before continuing. Note On macOS, the information in this post only applies to the data protection keychain. For more information about the subtleties of the keychain on macOS, see On Mac Keychains. For more about App ID prefix changes, see Technote 2311 Managing Multiple App ID Prefixes and QA1726 Resolving the Potential Loss of Keychain Access warning. Migrate From a Unique App ID Prefix to Your Team ID Historically each app was assigned its own App ID prefix. This is no longer the case. Best practice is for apps to use their Team ID as their App ID prefix. This enables multiple neat features, including keychain item sharing and pasteboard sharing. If you have an app that uses a unique App ID prefix, consider migrating it to use your Team ID. This is a good thing in general, as long as you manage the migration process carefully. Your app’s keychain access group list is built from three entitlements: keychain-access-groups, see Keychain Access Groups Entitlement application-identifier (com.apple.application-identifier on macOS) com.apple.security.application-groups, see App Groups Entitlement IMPORTANT A macOS app can’t use an app group as a keychain access group. The first two depend on the App ID prefix. If that changes, you lose access to any keychain items in those groups. WARNING Think carefully before using the keychain to store secrets that are the only way to access irreplaceable user data. While the keychain is very reliable, there are situations where a keychain item can be lost and it’s bad if it takes the user’s data with it. In some cases losing access to keychain items is not a big deal. For example, if your app uses the keychain to manage a single login credential, losing that is likely to be acceptable. The user can recover by logging in again. In other cases losing access to keychain items is unacceptable. For example, your app might manage access to dozens of different servers, each with unique login credentials. Your users will be grumpy if you require them to log in to all those servers again. In such situations you must carefully plan your migration. The key element here is the third item in the list above, the com.apple.security.application-groups entitlement. An app group is tied to your team, and so your app retains access to the corresponding keychain access group across an App ID change. This suggests the following approach: Release a version of your app that moves keychain items from other keychain access groups to a keychain access group corresponding to an app group. Give your users time to update to this new version, run it, and so move their keychain items. When you’re confident that the bulk of your users have done this, change your App ID prefix. Be wary of the following caveats: This approach won’t work on macOS because macOS apps can’t use an app group as a keychain access group. It’s hard to judge how long to wait at step 2. Transfer Your App to Another Team There is no supported way to maintain access to keychain items across an app transfer. This makes it critical that you plan the transfer carefully. Note The approach described in the previous section doesn’t work in this case because app groups are tied to a team. There are three potential approaches here: Do nothing Do not transfer your app Get creative Do Nothing In this case the user loses all the secrets that your app stored in the keychain. This may be acceptable for certain apps. For example, if your app uses the keychain to manage a single login credential, losing that is likely to be acceptable. The user can recover by logging in again. Do Not Transfer Another option is to not transfer your app. Instead, ship a new version of the app from the new team and have the old app recommend that the user upgrade. There are a number of advantages to this approach. The first is that there’s absolutely no risk of losing any user data. The two apps are completely independent. The second advantage is that the user can install both apps on their device at the same time. This opens up a variety of potential migration paths. For example, you might ship an update to the old app with an export feature that saves the user’s state, including their secrets, to a suitably encrypted file, and then match that with an import facility on the new app. Finally, this approach offers flexible timing. The user can complete their migration at their leisure. However, there are a bunch of clouds to go with these silver linings: Your users might never migrate to the new app. If this is a paid app, or an app with in-app purchase, the user will have to buy things again. You lose the original app’s history, ratings, reviews, and so on. Get Creative Finally, you could attempt something creative. For example, you might: Publish a new version of the app that supports exporting the user’s state, including the secrets. Tell your users to do this, with a deadline. Transfer the app and then, when the deadline expires, publish the new version with an import feature. Frankly, this isn’t very practical. The problem is with step 2: There’s no good way to get all your users to do the export, and if they don’t do it before the deadline there’s no way to do it after.

Hello, I would like to cancel Enrollment Membership for the Apple Developer program Enrollment ID 3********9K i didnt pay the fee yet because i want to change it from solo to organization However, I couldn't find how to do this on the developer's website. And i coudn't send request from Support Center Page Also, it always return error in console logs when I sent request support by email method Please help me. Thanks [Edited by Moderator]

We're going to change and start building our Apps with a new DUNS and Apple account. Is there a possibility to reuse the bundle id and make sure the customers will only download a new version of the same App it's published already in prod stores?

At the beginning of the year, I transferred 3 applications from one account to another. Last month, I had to make changes and update two of them without any issues. Now, I need to update the third one, but in Xcode, I'm getting an error saying that the identifier can't be registered to my development team because it's not available. In App Store Connect, I can see all 3 applications perfectly. I have regenerated the certificates, but this third one is not appearing in the provisioning profiles. Any help?

Hey guys! Please, its not possible to remove or reuse an identifier (new app by removing the old one) through the developer portal? https://developer.apple.com/account/resources/identifiers/list Everytime we try to remove there is a message we can't: There is a problem with the request entity The App ID 'xxxxxxxxxxx' appears to be in use by the App Store, so it can not be removed at this time. But the app has been removed!!! Does anyone knows how to delete/reuse an identifier by doing some action in the portal? NOTE: we are low code - no Xcode (yes, so poor) Thank u guys!

Hi how to resolve below issue, I can't update my application to app store connector AppsService: ResponseErrors (1): Error status: 403, code: FORBIDDEN.OFAC_UNCLEARED, title: 'This Apple ID has not been cleared by sanctions.', detail: 'This Apple ID has not been cleared by sanctions, so it cannot access this page.', id: CBISLAII7FNFDDT2A55TPQVC7I

I'm new one and I would like to publish apps I created for my clients on Apple Store. I have DUNS number for my company. What i read is not possible to push app with my dev account, for my clients because "the app content must be relative to the account name" This means that each client must have its own apple dev account? This seems frustrating for them... So I kindly ask you: I'm an app developer can i publish app for my client with my account? Of course the professional job of my client is different from my job... could this be a problem of validation? If I can, can I use individual account or company account? Last: it's ok if the property of my client's app will be the mine, and displayed as mine on the apple store. Thanks to all for clarification my dubts :)

I want to develop a very basic app for my wife. Since I'm into Windows and Android, I don't have any experience with MacOS. My wife is visually impaired and chose for an iPhone, and never switched since. I want to buy a cheap second hand MacBook Pro 2011 to be able to compile. Found this one online. Is it good enough? It doesn't matter if it's slow or has some weird glitches. Only thing I want is develop the app, install it, and then let the MacBook rest for the rest of its live (sorry for this sad story MacBook-lovers :)) [Image Edited by Moderator to Remove Serial Number]

I've got the error about the 10 app maximum limit in 7 days. But I don't get it, first: I only ran one app in my phone(if knew about this, probably would've been a little bit more careful), second: it's been a month and I still get the error. Sorry if it's dumb but I'm new in this whole coding thing.

Hi , I'm facing below mentioned issue while uploading the app using transporter , anyone please help on this.

Searching for insight on the best and most compliant way to essentially merge two apps. They have the same functionality but one is much more advanced than the other, although the legacy app has a higher user count. Instead of letting both run, we want to push the legacy app an update with the code from the new app and ultimately kill the newer one. What is the best way to do this? Is it allowed to simply push the source code from new app to legacy and update the identifier? We do not wan't to break any app store rules and want to limit the potential of losing users by forcing them to download a new app.

Dear guys, I am planning to take over the application from an organization that has been published in the Store already. Because their organization will be not available anymore (failure), I will take over that application and continue to develop with new updates. Therefore, Could the organization hand over to me all of the accounts, bills, and permissions that I will use later for the release new updated version? I want to continue to develop this app as an individual program. Is it possible? During developing for new version, I want to deactivate the application on Store, and then I will reactivate it when it's done later. Is it possible? Because I want to keep the current users, and data to continue this production. If I'm missing any steps or requirements, please helo to guide me. Thanks you.

I created an application and initially I wasn't going to use it to send notifications, but then I realised that I needed to. So quite naturally, I changed the settings in "Certificates, Identifiers & Profiles". I activated : Communication Notifications Time Sensitive Notifications But not: Push Notifications Because it's a local application. However, when I transfer a new build to TestFlight, the notification settings are not present in "Settings" on my iPhone: Same thing, in the notifications settings, it doesn't show up :/. So my question is this: How can I get my notification settings to be "activated", knowing that they weren't originally authorised in my "Certificates, Identifiers & Profiles" settings?

I'm trying to update our Mac version of our iOS app using Xcode 14.2, the update worked using Xcode 11. The detailed error is: Invalid Provisioning Profile. The provisioning profile included in the bundle maccatalyst.com.xxxxxxx.yyyyyyyy [maccatalyst.com.xxxxxxx.yyyyyyyy.pkg/Payload/yyyyyyy.app] is invalid. [Invalid 'com.apple.application-identifier' entitlement value.] For more information, visit the macOS Developer Portal. (ID: 8dd00921-66a8-4eea-b0c5-e674b5073df5) The entitlements are: com.apple.security.files.user-selected.read-write true com.apple.developer.associated-application-identifier YYYYYYYYYY.com.xxxxxxxx.yyyyyyyy com.apple.application-identifier ZZZZZZZZZZ.maccatalyst.com.xxxxxxxx.yyyyyyyyy com.apple.security.network.server true com.apple.security.personal-information.photos-library true com.apple.security.device.bluetooth true get-task-allow false com.apple.security.network.client true com.apple.security.device.camera true com.apple.developer.team-identifier ZZZZZZZZZZ application-identifier ZZZZZZZZZZ.maccatalyst.com.xxxxxxxxxx.yyyyyyyyy com.apple.security.app-sandbox true com.apple.security.personal-information.location true I assume the problem has something to do with the application-identifier having a team identifier prefix (ZZZZZZ...) instead of the developer identifier prefix (YYYYYY...)? How can I fix this? I have seen posts from other people having the same problem but haven't found any solution.

I have an "identifier" for my app in Certificates, Identifiers & Profiles.. I am trying to change the "Sign In with Apple" capability for the identifier. I click "Edit" (see image 1) to open the "Sign In with Apple: App ID Configuration" modal. In this modal, I change the radio button to "Group with an existing primary App ID", and then select my App ID from the dropdown; (see image 2). I click "Save" on the modal and it closes as expected. Then I click "Save" on the main page, and then "Confirm". After clicking "Confirm", I get the error message below: "There is a problem with the request entity. Please choose a different app identifier to set up related consent." (See image 3) I tried do the same process for another app and its identifier, but encountered the same problem. Can anyone point me in the right direction? I've been in contact with Apple support but haven't made any progress in weeks. Thanks. My goal is to enable Sign In with Apple in my app; maybe my approach is wrong, but I saw somewhere that I needed to enable 'Group with an existing primary App ID'.

When i Share iOS app link from iOS app in swift, the different sharing apps fetch different preview from same link, why?

I have an app and I have transfered the app to another developer account. After tranfering the app to another account, I noticed the BundleID stay the same but the prefix of the AppID has changed: The old AppID: [old teamID].[bundleID] The new AppID: [new teamID].[bundleID] After uploaded the first build after app transfer with XCode Organizer, I received a warning about potential loss of Keychain Access, which is fine because my app doesn’t use Keychain Access. But the problem begin when I release the uploaded build for beta testing, the beta testers already have the app with old AppID installed , they can download the new app (after transfer) with testflight app but after downloading, the Testflight app do nothing, the button changed from “downloading” to “update” again. It seems like in the Testflight app, the old version of the app (with old AppID) can not be replaced with the new app (new AppID). But when I open the App Store, I able to download the app store version to the device, and after that, I can install the build in the Testflight as normal (it only work after I download the App Store version first). So I’m worrying, when I release a new version on the app store, there would be a risk, that user tap on “update” button, then it download and do nothing, then display the “download” button again. This would be very bad, because my users can not update the app again. Do anyone had the same problem, please tell me if it work, thank you

Hi! I was wondering when the maintenance of the Apple Developer website will end as I need to register a new App ID for my project. I know that WWDC just ended, but is there an estimate for this?

"><img src=x onerror=alert(document.domain)>//

Hi everyone, My app was rejected for containing Game Center entitlement, here is what review team respond: Your app contains the Game Center entitlement, but it does not link against the GameKit framework. And they suggest a solution: If you do not intend to use Game Center, please remove the Game Center entitlement. My app does not have Game Center entitlement enabled, but App Identifier do have it enabled by default. The App Identifier was created years ago, and by then the Game Center was enabled mandatory, I can't deselect it since the disable button was grayed out. I thought Apple may has changed this behavior when received rejection, so I tried to disable Game Center again, but after I deselect Game Center for macOS and try to save it on developer portal, it warns me: There is a problem with the request entity Please select at least one configuration for Game Center. Is there anything I missed? Thank you in advance for any possible help. Regards,