Hi!
I am having a strange issue when I try to build my React Native project in an EAS managed workflow (including dependencies just in case).
The error I get is:
Provisioning profile "[profile]" doesn't include the com.apple.developer.proximity-reader.payment.acceptance entitlement. Profile qualification is using entitlement definitions that may be out of date. Connect to network to update. (in target '[project_name]' from project '[project]')
I find this weird because I have enabled the entitlement in my identifier and my provisioning profile reflects this fact. I have set up an entitlements file where I have set up the kv pair for the entitlement.
Any help would be much appreciated!
Entitlements
Entitlements allow specific capabilities or security permissions for your apps.
Hello
I work for a company which is not itself a carrier, however we develop applications on behalf of carriers (the relationship between us and several large household name US carriers has existed for many years).
The applications that we develop typically need carrier and/or special entitlements, for example:
com.apple.CommCenter.fine-grained/public-subscriber-info
com.apple.developer.coretelephony.sim-inserted
com.apple.developer.pushkit.unrestricted-voip
com.apple.developer.usernotifications.filtering
com.apple.developer.associated-domains
Obtaining those entitlements for the carrier applications that are released to the App Store is itself not a problem as the customers apply for them and they are duly granted and applied to the applications.
However, what is a problem is working around the strict Apple development and distribution requirements and limitations, and the consequences that has given that the apps don't belong to our Apple account but the customers.
Typically, a customer would provide us a developer certificate and set of provisioning profiles, but they would keep the distribution certificate and do the TestFlight/App Store release themselves.
There are two limitations that come into play here, the first is that we can't distribute the app to TestFlight and secondly, we can only install the customer's apps on hardware registered with their Apple account. Given how the limitation for that is 100 in total, and these are large companies, they just don't have slots available and hence we might have a single device on which their app can run. These are very severe limitations given the complex nature of the applications and the need to have several developers/testers involved, which isn't possible.
To mitigate those limitations we have "mirror" versions of customers' apps, these are apps which are identical to the customer apps except they have bundle ids registered to our Apple account.
This enables the apps to be developed by any number of developers and distributed via TestFlight and hence to any number of testers.
But the problem is, the functionality of the mirror apps is severely reduced due to the fact they don't have the entitlements of the customers' apps.
To get to the point of the post - I would like to know if there are any potential solutions to this?
For example:
could it be possible for our mirror applications to be granted required entitlements (given the relationships we have with the customers. I'm sure the customers could vouch for us as a company and the need for this)
could the entitlements be granted if we switched the mirror apps over to an Enterprise account (as enterprise apps can't be released to the App Store)?
any other technical options or suggestions?
Thank you
It's my understanding that to use the CameraFrameProvider, which provides access to the Apple Vision Pro front-facing camera feed, the enterprise main camera access "com.apple.developer.arkit.main-camera-access.allow" entitlement is required.
Is there a method to prototype apps that use the CameraFrameProvider running on an Apple Vision Pro that has developer mode enabled without having the "com.apple.developer.arkit.main-camera-access.allow" entitlement?
We have an iPad app which can write to user-specified locations on USB-connected storage devices.
On unmanaged devices, this works just fine.
However, when the device is under MDM, although the Files app can see the external USB storage device, it does not show up in the file browser in our own app.
There's a restriction called "allowFilesUSBDriveAccess" which is set to true (the default), but there's no restriction called "allowOtherAppsUSBDriveAccess".
Are MDM-managed iPads simply not allowed to access USB drives (except through the Files app)?
In Xcode I have created a UI-less application. I tried to add the following code:
import CloudKit
let container = CKContainer.default()
And it is failing with:
In order to use CloudKit, your process must have a com.apple.developer.icloud-services entitlement. The value of this entitlement must be an array that includes the string "CloudKit" or "CloudKit-Anonymous".
If I go to the project and select my Command Line Tool target, I don't see the CloudKit capability that I usually see in UI-based applications.
So, is it impossible to use CloudKit from Command Line tools?
A client asked why we can't detect other apps installed on a device without an MDM profile, we explained this isn't possible due to privacy and security restrictions on iOS. A regular app cannot find other apps that are installed unless part of the same group.
The client then told us to download SpyBuster (on the App Store) which somehow is collecting a list of Bundle IDs or names of all installed apps somehow.
We were skeptical, but sure enough, the app showed us a list of apps we had installed. How is it doing this?!?! No MDM profile associated with the app. No special permissions requested. No access to anything shown in privacy & security in settings.
Is there a special entitlement we're not aware of?
Just seems like they must be using a private API call to get this info but that would of course mean it should be pulled from the App Store. We'd love to have this capability in our apps if it's legit and accepted by App Store review.
Thanks!
Hello macOS gurus, I am writing an AUv3 plug-in and wanted to add support for additional formats such as CLAP and VST3. These plug-ins must reside in an appropriate folder /Library/Audio/Plug-Ins/ or ~/Library/Audio/Plug-Ins/. The typical way these are delivered is with old school installers.
I have been experimenting with delivering these formats in a sandboxed app. I was using the com.apple.security.temporary-exception.files.absolute-path.read-write entitlement to place a symlink in the system folder that points to my CLAP and VST3 plug-ins in the bundle. Everything was working very nicely until I realized that on my Mac I had changed the permissions on these folders from
to
The problem is that when the folder has the original system permissions, my attempt to place the symlink fails, even with the temporary exception entitlement.
Here's the code I'm using with systemPath = "/Library/Audio/Plug-Ins/VST3/"
static func symlinkToBundle(fileName: String, fileExt: String, from systemPath: String) throws {
    // Resolve the plug-in inside the app bundle's Resources directory.
    guard let bundlePath = Bundle.main.resourcePath?.appending("/\(fileName).\(fileExt)") else {
        print("File not in bundle")
        return
    }
    let fileManager = FileManager.default
    do {
        // Create the link at systemPath, pointing at the bundled plug-in.
        try fileManager.createSymbolicLink(atPath: systemPath, withDestinationPath: bundlePath)
    } catch {
        print(error.localizedDescription)
    }
}
So the question is ... Is there a way to reliably place this symlink in /Library/... from a sandboxed app using the temporary exception entitlements? I understand there will probably be issues with App Review but for now I am just trying to explore my options.
Thanks.
Hi. I'm planning on creating a system for in-office access control that allows putting an employee ID card in Apple Wallet to unlock the door without unlocking the iPhone, something like HID Global's Employee Badge in Apple Wallet.
I searched and it seems that Apple Access is suitable for unlocking the office door, but I couldn't find any relevant development documentation.
What kind of enrollment or application is required to put my employee ID card in Apple Wallet with Apple Access and use Express mode?
Also, could someone share any related development documents please?
Thank you in advance.
I am applying for the NEHotspot API Entitlement with the details below, but Apple has rejected it multiple times. Can you help me understand what I am doing wrong?
Q. In how many countries are your hotspots located?
A - 1
Q. What is the approximate total number of hotspots you manage?
A - 1000
Q. Which of the following best explains the relationship between you, the app publisher, and the users of these hotspots?
A - These hotspots are free for anyone to use.
Hotspot Helper API usage
Q. A hotspot helper must claim the hotspot networks that it supports by setting a confidence value of either .low or .high when responding to the .evaluate command. See Figure 1-1 in Hotspot Network Subsystem Programming Guide for more background on this. When the helper claims a network, its display name (kNEHotspotHelperOptionDisplayName) is shown in Settings > Wi-Fi. What value do you intend to use for this?
A - BSSID(MAC)
Q. When responding to the .authenticate command, your system must interact with your hotspot to instruct it to pass traffic from the device to the wider internet. What network protocols does it use?
A - DNS, HTTP
Q. Provide any additional details about your usage to help us understand your planned implementation.
A - We are implementing the following functionalities in our project:
Connect to a Wi-Fi hotspot with a specified SSID.
Remove Wi-Fi configurations for specific SSIDs.
Initialize a new hotspot configuration with the specified SSID.
We have a pair of apps that are used to monitor the location of a person and allow them to reach out for help when needed. The apps are designed to be used with persons with special needs. A large portion of our target audience is people that have cognitive disabilities. One app is used by people that monitor and help the person with needs, and the other is used by the person with needs who is not with them all the time.
The issue we have is that our users have trouble understanding what to do when this verification popup appears. This popup continues to appear over and over and over. This is a severe health and safety issue for us. We find that the user is often times confused by the popup and is disabling the background location tracking preventing the needs provider from being able to track the location of the user.
It would be great if there was a special Entitlement that could be granted that would prevent this 'feature' of iOS. Or possibly simply a setting that the user's provider can setup on their phone to stop the annoying and dangerous constant popups.
If anybody knows of a way to prevent this popup, please let us know. Otherwise, if someone at Apple could suggest how we can make this happen in the future.
Dear Apple Developer Forum community,
I have a Multiplatform SwiftUI app that runs on both iOS and macOS. The app is available in the Mac App Store, and I aim to maintain backward compatibility. I use App Groups to synchronize data between the main app, where users configure content, and the widget, which displays this content. The data is stored using SwiftData.
With macOS Sequoia now in beta testing, I have encountered a breaking change that affects my app.
In macOS Sequoia, apps must use the team identifier number $(TeamIdentifierPrefix) as the prefix for App Groups on macOS. I cannot properly test future versions of my app without instructing my beta testers to turn off System Integrity Protection (SIP). This presents a significant issue for my Multiplatform SwiftUI app. On iOS, the app group identifier must start with group.identifier. Before macOS Sequoia, you could name your app group freely, and testing with TestFlight and publishing to the App Store was straightforward. Now, however, testing an app intended for the App Store is complicated by this rule. On macOS, you must use $(TeamIdentifierPrefix) to bypass this rule and allow for widgets to be tested and allow for synchronization between SwiftData. While on iOS, this approach is not allowed as the App Group becomes considered invalid.
Additionally, this annoying popup appears every time a beta tester tries to open the app if they have SIP turned on:
Instead of prompting for the app extensions, it rejects it. Rejecting this popup also prevents the main SwiftData app from opening.
I am unsure how to proceed. If I want to test widgets (which is a primary focus of the app), I must use macOS Sequoia. I am particularly concerned about the implications if I decide to stop supporting macOS Sonoma in the future.
Thank you in advance,
LocalWE
I have the CarPlay Entitlement "Driving Task" and two of my apps use it.
Now, in both apps, I have implemented Navigation. I requested the Navigation CarPlay Entitlement when the feature was mature and builds were available in Test Flight, since I wanted to release the new versions of the apps with navigation available both on the iPhone and in CarPlay.
I got no answer to my request, so I decided to release the apps with only navigation in the iPhone and the Driving Task functionality in CarPlay, thinking that maybe being live with navigation in the App Store was a requirement. I have asked permission again, and so far, the request is being ignored again.
What are the requirements to get the Navigation CarPlay Entitlement?
If the app is approved for navigation, is there something else the app must do to get the entitlement?
Requirements for CarPlay Entitlements seem quite obscure, are they listed anywhere?
Is there a technical problem to move from an existing CarPlay Entitlement to another? Can that be the reason the entitlement has not been granted?
Some of my competitors have the CarPlay Navigation entitlement. My use case is the same (in a better app in my opinion, of course). But I am only getting bad reviews because "the app does not include the map in CarPlay" after the big investment in implementing navigation in the apps.
Any help or insight would be appreciated.
I have two MAUI Mac Catalyst apps.
According to this guide https://learn.microsoft.com/en-us/dotnet/maui/mac-catalyst/deployment/publish-outside-app-store?view=net-maui-8.0#publish-using-the-command-line
I created certificates, signed Release versions of the applications, and packed them with pkgbuild and productbuild, which I also signed with the created certificate.
They are both signed with the same code signing key and have the same Team ID. I had set up NSUpdateSecurityPolicy https://developer.apple.com/documentation/bundleresources/information_property_list/nsupdatesecuritypolicy
like this:
Using codesign -dv I checked that the updater and the old and new versions of the app share the same Team ID and have correct bundle identifiers.
After the update, the updater wants to overwrite the old app contents, but it always receives UnauthorizedAccessException when touching any file located in the application.
If my updater app has the "App Management" or "Full Disk Access" permission in System Settings, everything works fine, but the user needs to set it up manually, which is not comfortable, so how can I request this permission? Also, according to what I know, an application doesn't need this permission if its Team ID is set up in NSUpdateSecurityPolicy.
Maybe I incorrectly set up NSUpdateSecurityPolicy, but I can't notice anything wrong. Also, can it be because I overwrite application using MAUI and C#? Thanks a lot for any answer!
Certain entitlements require special permission from Apple like DriverKit or Screentime API/Family controls.
Those entitlements are tied to the bundle IDs of the app.
If those entitlements have been granted for an app from developer A (personal account) and we transfer that app to developer B (organization account), including the bundle IDs, will those bundle IDs keep the entitlement?
Or will we need to re-request from the developer account B?
Any insights or experiences regarding this process would be greatly appreciated.
I'm setting up Auth0 to work with my app according to their instructions. I need to add an associated domain, but it doesn't work. When I try to use Auth0, it returns a message that says "Application with identifier (my-bundle-id) is not associated with domain (my-auth0-domain)".
In Signing & Capabilities, I have the Associated Domains capability set up with this domain: "webcredentials:(my-auth0-domain)". I also added another version with ?mode=developer on the end of it, but neither works.
I am sure that the domain I'm using is correct because I'm able to use it in Postman to authenticate with Auth0. I checked everything else against their documentation and samples several times.
I have an XPC service that embeds Python. It executes a python script on behalf of the main app.
The app and xpc service are sandboxed. All seems to work just fine in the development environment but the script fails in the released version.
I disabled writing pycache by setting the PYTHONDONTWRITEBYTECODE environment variable because pycache tries to write inside my app bundle which fails (I believe I can redirect the pycache directory with PYTHONPYCACHEPREFIX and may experiment with that later).
Specifically this line fails in the release version only (not from Xcode):
PyObject *pModule = PyImport_Import(moduleNameHere);
if (pModule == NULL)
{
    // this is null in release mode only.
}
Any ideas what can be going wrong? Thanks in advance.
Hi,
I'm developing an app that can install an eSIM profile to the device within the app and check whether the current eSIM or device supports the eSIM feature, but the Core Telephony API requires the eSIM entitlement...
I am trying to request the entitlement from Apple, but for the "Carrier team ID", my partner (carrier) does not know about this part...
Can anyone help? How can I get the "carrier team ID" and request that Apple grant the entitlement to my app, to implement Core Telephony...
Hello everyone!
I'm developing a framework and an app for macOS for PCI devices. For communication with DriverKit, I'm verifying by giving userclient access entities of the system extension to the app.
However, the app is just a sample program, and our customer is trying to develop the app using a framework with PCI communication part.
Is there a way to build a framework with my company's signature, and to build and execute it without acquiring userclient access elements by any chance by a customer developer?
Moreover, userclient access is only available to developers who have subscribed to the Apple Developer Program, so I hope that client/developers do not need to obtain separate entries.
I have a simple little Mac app that embeds a Python interpreter. I wrote this app almost ten years ago and completely forgot about it. Anyway I submitted an update to it with a new version of Python but it's being rejected by App review for the following reason:
Your app uses or references the following non-public or deprecated APIs:
Symbols:
• _Tcl_NewByteArrayObj
• _Tcl_ResetResult
• _Tcl_MutexLock
• _Tcl_GetBooleanFromObj
• _Tcl_SetObjResult
• _Tcl_CreateInterp
• _Tcl_ThreadQueueEvent
• _Tcl_UnsetVar2
• _Tcl_GetBignumFromObj
• _TclBN_mp_to_unsigned_bin_n
• _Tcl_ListObjLength
• _Tcl_ConditionWait
• _Tcl_GetDouble
• _Tcl_GetDouble
• _Tcl_DeleteFileHandler
• _Tcl_SetVar
• _Tcl_SetVar
• _Tcl_SetVar
• _Tcl_DoOneEvent
• _TclFreeObj
• _Tcl_Eval
• _Tcl_Eval
• _Tcl_Eval
• _Tcl_FindExecutable
• _Tcl_NewLongObj
• _Tcl_CreateTimerHandler
• _Tcl_Init
• _Tcl_ConditionFinalize
• _Tcl_GetByteArrayFromObj
• _Tcl_ListObjIndex
• _Tcl_ExprLong
• _Tcl_NewDoubleObj
• _Tcl_GetDoubleFromObj
• _Tcl_ExprString
• _TclBN_mp_read_radix
• _Tcl_DeleteTimerHandler
• _Tcl_CreateFileHandler
• _Tcl_GetVar
• _Tcl_GetVar
• _Tcl_CreateObjCommand
• _Tcl_SetVar2Ex
• _Tcl_GetStringFromObj
• _Tcl_NewStringObj
• _Tcl_GetObjType
• _Tcl_MutexUnlock
• _Tcl_DeleteCommand
• _TclBN_mp_init
• _Tcl_GetCurrentThread
• _Tcl_ExprDouble
• _Tcl_AddErrorInfo
• _Tcl_Free
• _Tcl_GetStringResult
• _Tcl_SetVar2
• _Tcl_SetVar2
• _Tcl_GetBoolean
• _Tcl_GetBoolean
• _Tcl_RecordAndEval
• _Tcl_EvalFile
• _Tcl_GetLongFromObj
• _TclBN_mp_clear
• _Tcl_ThreadAlert
• _Tcl_ExprBoolean
• _Tcl_DeleteInterp
• _TclBN_mp_unsigned_bin_size
• _Tcl_AttemptAlloc
• _Tcl_GetObjResult
• _Tcl_GetWideIntFromObj
• _Tcl_NewListObj
• _Tcl_ConditionNotify
• _Tcl_NewBooleanObj
• _Tcl_SplitList
• _Tcl_EvalObjv
• _Tcl_GetThreadData
• _Tcl_GetVar2Ex
• _Tcl_NewWideIntObj
• _Tcl_NewBignumObj
• _Tcl_ListObjGetElements
• _Tcl_GetString
• _Tcl_GetString
• _Tcl_GetString
The use of non-public or deprecated APIs is not permitted on the App Store, as they can lead to a poor user experience should these APIs change and are otherwise not supported on Apple platforms.
I read online that this is a sort of a widespread issue right now with apps that embed Python (would share links but then my post will have to be approved by a moderator). Anyone have a workaround?
i'm working on an app which shares a swiftdata database between the main app and its widgets. prior to the sequoia/xcode 16 betas this was working fine with setting the same app group for app & widget targets.
however, now whenever i try to run my main app from Xcode i get a user permission requestor saying " would like to access data from other apps.". this happens every time i run it.
whenever the widget is started (via trying to place it on the desktop, or the widgetkit simulator etc) it exits immediately (i assume because it can't show the permission requestor?)
if i disable the app group for the widget, it runs.. however, of course, i can't access the main app's database.
i'm on sequoia beta 2 (24A5279h) and Xcode 16 beta 2 (16A5171r)
note: while the widgetkit simulator is now present in sequoia beta 2, i haven't actually been able to successfully use it