Hi, I have a PCI DriverKit System Extension project that our team has tested, and the entitlements are not a problem. Once we decided to place the project to the Apple Store the review team requested to add "App Sandbox" entitlement to the project. Then I added the entitlement manually to the ".entitlements" file ( I couldn't do that using the Xcode add entitlement section because since it is a driverkit project, the "App sandbox" is not visible in the entitlements page ) and re-packaged the project for distribution. Later on, I saw that the entitlement was removed during the packaging process. I also tried to add that using the "build settings" page in Xcode (the signing section ), but I had no luck. I feel like I'm being misled by the review team. Do you know if the "App sandbox" entitlement is applicable to a DriverKit project ?

I am converting some old objective-C code deployed on ios 12 to swift in a WKWebView app. Im also developing the app for Mac via MacCatalyst. the issue im experiencing relates to a programmable learning bot that is programmed via block coding and the app facilitates the read and writes back and forth. the audio works via a A2DP connection the user sets manually in their settings, while the actual movement of the robot is controlled via a BLE connection. Currently the code works as intended on MacCatalyst, while on iPhone, the audio being sent back to the robot is very choppy and sometimes doesn't play at all. I apologize for the length of this, but there is a bit to unpack here. First, I know there has been a few threads posted about this issue, this one that seems similar but went unsolved https://forums.developer.apple.com/forums/thread/740354 as well as this one where apple says it is "log noise" https://forums.developer.apple.com/forums/thread/742739 However I just find it hard to believe that this issue seems to be log noise in this case. Mac Catalyst uses a legacy header file for WebKit, and im wondering if that could be part of the issue here.I have enable everything relating to bluetooth in my info plist file as the developer documents say. In my app sandbox for mac catalyst I have the permissions set for bluetooth as well there. Here are snippets of my read and write function func readFunction(session: String){ // Wait if we are still waiting to hear from the robot if self.serialRxBuf == ""{ self.emptyReadCount += 1 } if (!self.serialRxWaiting){ return } // Make sure we are waiting for the correct session if (Int(session) != self.serialRxSession){ return } self.serialRxWaiting = false self.serialRxSession += 1 let buf = self.serialRxBuf self.serialRxBuf = "" print("sending Read: \(buf)") self.MainWebView.evaluateJavaScript(""" if (serialPort.onRead) { serialPort.onRead("\(buf)"); } serialPort.onRead = null; """ ,completionHandler: nil) } // ----- Write function for javascript bluetooth interface ----- func writeFunction(buf: String) -> Bool { emptyReadCount = 0 if((self.blePeripheral == nil) || (self.bleCharacteristic == nil) || self.blePeripheral?.state != .connected){ print("write result: bad state, peripheral, or connection ") // in case we recieve an error that will freeze react side, safely navigate and clear bluetooth information. if MainWebView.canGoBack{ MainWebView.reload() showDisconnectedAlert() self.centralManager = nil // we will just start over next time self.blePeripheral = nil self.bleCharacteristic = nil self.connectACD2Failed() return false } return false } var data = Data() var byteStr = "" for i in stride(from: 0, to: buf.count, by: 2) { let startIndex = buf.index(buf.startIndex, offsetBy: i) let endIndex = buf.index(startIndex, offsetBy: 2) byteStr = String(buf[startIndex..<endIndex]) let byte = UInt8(byteStr, radix: 16)! data.append(byte) } guard let connectedCharacteristic = self.bleCharacteristic else { print("write result: Failure to assign bleCharacteristic") return false } print("sending bleWrite: \(String(describing: data))") self.blePeripheral.writeValue(data, for: connectedCharacteristic, type: .withoutResponse) print("write result: True") return true } Here is what the log looks like when running on mac catalyst, which works just fine sending bleWrite: 20 bytes write result: True sending Read: sending Read: 55AA55AA0B0040469EE6000000000000000000ED sending bleWrite: 20 bytes write result: True sending Read: sending Read: sending Read: 55AA55AA0B0040469EE6000000000000000000ED sending bleWrite: 20 bytes write result: True sending Read: 55AA55AA0B0040469EE6000000000000000000ED sending bleWrite: 20 bytes write result: True sending Read: 55AA55AA0B0040EDCB09000000000000000000ED sending bleWrite: 20 bytes write result: True sending Read: sending Read: 55AA55AA0B00407A7B96000000000000000000ED sending bleWrite: 20 bytes write result: True Error acquiring assertion: <Error Domain=RBSServiceErrorDomain Code=1 "(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)" UserInfo={NSLocalizedFailureReason=(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)}> 0x12c0380e0 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'WebKit Media Playback' for process with PID=36540, error: Error Domain=RBSServiceErrorDomain Code=1 "(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)" UserInfo={NSLocalizedFailureReason=(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)} and here is the log from when we are running the code on iPhone (trying to save space here) I apologize for the length of this post, however submitting a test project to apple developer support just isn't possible with the device thats in use. Any help at all is appreciated. i've looked at every permission, entitlement, background processing, and tried every solution that I could find to no avail.

Hello, as the title says, I am trying to access Bluetooth in a system daemon. I am running on MacOS Sonoma 14.5. When initializing Bluetooth, my daemon received Unauthorized state. I have tried to add my daemon in the system settings (System Preferences > Security & Privacy > Privacy > Bluetooth) "Allow applications to access Bluetooth" by adding the program executable path defined by the entry Program of my system daemon as suggested here: https://developer.apple.com/forums/thread/662459. But I am still having the issue. Writing a system daemon with Bluetooth is not my final goal. The bigger picture is the smartcard reader driver with Bluetooth access which as the same issue and the solution is probably related. I do not remember how but my smartcard reader driver use to work with Bluetooth but it does now with the same Unauthorized error. As far as I can see daemon and smartcard drivers does not have support for entitlement. Here are the logs for my sample system daemon: my_daemon [0x6000011b0000] activating connection: mach=true listener=false peer=false name=com.apple.server.bluetooth.le.att.xpc bluetoothd [0x7f804828e8a0] activating connection: mach=false listener=false peer=true name=com.apple.server.bluetooth.le.att.xpc.peer[76672].0x7f804828e8a0 bluetoothd Received XPC message "CBMsgIdCheckIn" from session "" bluetoothd Received XPC check-in from session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" fAccessLevel 0 fProgrammaticPairing 0 fLimitedForMediaAccess 0 bluetoothd Access level is less than kXPCAccessLevelSystem for session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67". Restricted state operation not allowed bluetoothd Sending 'session attached' event for session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" bluetoothd Attached session for "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" with session: 0x7f804802d1b0, session handle: 0xef8d0000 bluetoothd Registering peripheral session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" with backgrounding: off, persistence: off (CBSR) restoreID: (null) bluetoothd Error getting Application State for <private>: <private>, 3 bluetoothd Error getting Application State for <private>: <private>, 3 bluetoothd Session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" tccRequired : 1 bluetoothd ReadyForTCC. TCC required:1 fLimitedForMediaAccess:0 fDeviceAccessForMediaExtension:0 bluetoothd Session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" : needsRestrictedStateOperation = 0, overrideRestrictedState = 0 , denylistMode = 0, receivesControllerBTClockEvents=0 my_daemon Received CBMsgIdReadyForTCC my_daemon Running performTccCheck CBManager tccAvail 1, tccRequired 1 my_daemon TCC required my_daemon [0x6000011b8000] activating connection: mach=true listener=false peer=false name=com.apple.tccd my_daemon [0x6000011b8000] failed to do a bootstrap look-up: xpc_error=[3: No such process] my_daemon [0x6000011b8000] invalidated after a failed init my_daemon send_message_with_reply(): user tccd unavailable, sending 0x600000ab4000 to system tccd my_daemon [0x6000011b4000] activating connection: mach=true listener=false peer=false name=com.apple.tccd.system tccd [0x7fd4d1f7ed80] activating connection: mach=false listener=false peer=true name=com.apple.tccd.system.peer[76672].0x7fd4d1f7ed80 tccd REQUEST: tccd_uid=0, sender_pid=76672, sender_uid=0, sender_auid=-1, function=TCCAccessRequest, msgID=76672.1 tccd AUTHREQ_CTX: msgID=76672.1, function=<private>, service=kTCCServiceBluetoothAlways, preflight=no, query=1, client_dict=(null), daemon_dict=<private> tccd AUTHREQ_ATTRIBUTION: msgID=76672.1, attribution={requesting={TCCDProcess: identifier=my_daemon-5555494498236e3b5e2e395b93c13af176769937, pid=76672, auid=0, euid=0, binary_path=/Users/olivier/daemon/my_daemon}, }, tccd AUTHREQ_SUBJECT: msgID=76672.1, subject=/Users/olivier/daemon/my_daemon, tccd Refusing TCCAccessRequest for service kTCCServiceBluetoothAlways from client Sub:{/Users/olivier/daemon/my_daemon}Resp:{TCCDProcess: identifier=my_daemon-5555494498236e3b5e2e395b93c13af176769937, pid=76672, auid=0, euid=0, binary_path=/Users/olivier/daemon/my_daemon} in background session tccd AUTHREQ_RESULT: msgID=76672.1, authValue=0, authReason=5, authVersion=1, error=(null), tccd REPLY: (0) function=TCCAccessRequest, msgID=76672.1 my_daemon [0x6000011b4000] invalidated after the last release of the connection object bluetoothd Received XPC message "CBMsgIdTCCDone" from session "my_daemon-5555494498236e3b5e2e395b93c13af176769937-peripheral-76672-67" tccd [0x7fd4d1f7ed80] invalidated after getting a no-senders notification - client is gone bluetoothd [0x7f80482820f0] activating connection: mach=true listener=false peer=false name=com.apple.tccd.system tccd [0x7fd4d32585f0] activating connection: mach=false listener=false peer=true name=com.apple.tccd.system.peer[169].0x7fd4d32585f0 tccd REQUEST: tccd_uid=0, sender_pid=169, sender_uid=0, sender_auid=-1, function=TCCAccessRequest, msgID=169.48 tccd [0x7fd4d313d880] activating connection: mach=true listener=false peer=false name=com.apple.tccd tccd [0x7fd4d313d880] failed to do a bootstrap look-up: xpc_error=[3: No such process] bluetoothd [0x7f80482820f0] invalidated after the last release of the connection object bluetoothd Bluetooth user permission alwaysAuth: denied tccd [0x7fd4d313d880] invalidated after a failed init tccd FORWARD: to=com.apple.tccd/0, request: { require_purpose=<xpc_null> service="kTCCServiceBluetoothAlways" function="TCCAccessRequest" preflight=true target_token={pid:76672, auid:-1, euid:0} TCCD_MSG_ID="169.48" background_session=false } tccd REPLY: from=com.apple.tccd, reply: { XPCErrorDescription="Connection invalid" } tccd forwardMessage error: Connection invalid. tccd [0x7fd4d3152bf0] activating connection: mach=false listener=false peer=true name=com.apple.tccd.system.peer[169].0x7fd4d3152bf0 bluetoothd [0x7f80482820f0] activating connection: mach=true listener=false peer=false name=com.apple.tccd.system tccd REQUEST: tccd_uid=0, sender_pid=169, sender_uid=0, sender_auid=-1, function=TCCAccessRequest, msgID=169.49 tccd [0x7fd4d32585f0] invalidated after getting a no-senders notification - client is gone tccd [0x7fd4d1f4c810] activating connection: mach=true listener=false peer=false name=com.apple.tccd tccd [0x7fd4d1f4c810] failed to do a bootstrap look-up: xpc_error=[3: No such process] tccd [0x7fd4d1f4c810] invalidated after a failed init tccd FORWARD: to=com.apple.tccd/0, request: { require_purpose=<xpc_null> service="kTCCServiceBluetoothAlways" function="TCCAccessRequest" preflight=true target_token={pid:76672, auid:-1, euid:0} TCCD_MSG_ID="169.49" background_session=false } tccd REPLY: from=com.apple.tccd, reply: { XPCErrorDescription="Connection invalid" } tccd forwardMessage error: Connection invalid.

$ tccutil reset All This command resets the other permissions (i.e. camera, microphone) but doesn't reset the Local Network permission. OS: macOS 15.0

I already have an iOS app accepted on the App Store, and now I want to add a macOS platform version. I created a new Xcode project and used the same bundle ID as my iOS app. When I tried to upload the macOS bundle, I encountered the following error: Invalid Provisioning Profile. The provisioning profile included in the bundle ABC.123456 [ABC.123456.pkg/Payload/ABC.app] is invalid. [Invalid 'com.apple.application-identifier' entitlement value.] For more information, visit the macOS Developer Portal. (ID: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx) I found that this problem occurs when the "Team ID" and "App ID Prefix" are different. How can I make them match?

I have published an application that makes use of AppGroup containers to share an sqlite database between the main application and a notification service extension. I have taken into account special file access coordination requirements for an sqlite database shared between processes (WAL, https://github.com/andpor/react-native-sqlite-storage/issues/308#issuecomment-522250831). The application is part of an educational study involving several hundred students of young age. As such, many devices are enrolled in FamilySharing where parents control access of their children. In production, records are added to the database by the main application. The notification service extension reads the database and syncs metadata with a server. Unfortunately, I'm seeing issues with database access from the extension on devices where FamilySharing is enabled. I cannot see detailed information about the issue, because Crash reporting is disabled as per guidelines of the participating institutions. Moreover, I have implemented logging in the extension such that any conventional error (do, catch) thrown by database access code would be visible to me in server logs. I cannot see errors in my log, which leads me to believe something is crashing the extension process when it tries to access the database in the AppGroup container. I cannot find any information in Apple documentation or the pertinent online forums about a special case for AppGroups in FamilySharing context. However, since I've only ever seen the issue on devices where FamilySharing is enabled, I have to assume the error lies there. Is there any undocumented special consideration for AppGroup access in FamilySharing contexts? Is an AppGroup that was created while the app was running under the child's account no longer accessible by the same application when it's running under the parent's account?

Hi, I'm having headaches with the debugging of my Unwanted Communication Reporting extension. iPhone log says: com.apple.IdentityLookup.MessageFilter[1774] <Error>: Extension's containing app (appID <private>) unauthorized to defer requests to host <private> So I guess I have something wrong with my apple-app-site-association. The AASA file I get with swcutil dl -d services.mydomain.com { classificationreport = { apps = ( "<MYTEAMID>.com.mydomain.myapp", "<MYTEAMID>.com.mydomain.myapp.unwanted" ); }; } where .com.mydomain.myapp is my containing app (bundle id). and .com.mydomain.myapp.unwanted is my extension The AASA file on the server is obviously in JSON format and correctly served from the server : services.mydomain.com In the extension Info.plist I've set the following : <key>NSExtension</key> <dict> <key>NSExtensionAttributes</key> <dict> <key>ILClassificationExtensionNetworkReportDestination</key> <string>https://services.mydomain.com/path/unwanted/report</string> </dict> <key>NSExtensionMainStoryboard</key> <string>MainInterface</string> <key>NSExtensionPointIdentifier</key> <string>com.apple.identitylookup.classification-ui</string> </dict> I suppose the reply from classificationResponse method is correct since MessageFilter "tries" to send the request. Where am I mistakening ? Difficult to debug... MessageFilter's log keeps interesting data as private (so there is no way to check what it's actually doing). And I've found no way to go deeper in the debug process. Many thanks Emmanuel

I am implementing passkeys for my Project. We hosted apple-app-site-association file in 2 different sites for my project maintenance. One is with ww.sitename.com and another is www3.sitename.com. In Xcode adding each of them and testing individually. It's working good at first site and throwing error for second one like below Application with identifier <> is not associated with domain <>

Hi, I want to resign my app with a different certificate. Is it possible to keep the entitlements (including com.apple.application-identifier)? I want to resign the whole app including the plugins and frameworks, but I saw --deep was considered harmful. Sorry, I'm a bit confused. Any help would be appreciated.

For a few years now, I have submitted requests for com.apple.developer.usernotifications.filtering entitlement, but never got an approval/denial response from apple. even after contacting them via email, still didn't get a response about the request status. our app is an emergency alerts app, this entitlement is crucial for our app reliability. Last request i have sent has Case-ID: 7377207

A few months ago I requested access to the com.apple.developer.contacts.notes entitlement, which I now have access to. While running on 'Debug' build configuration, everything works as expected. When creating a 'Release' build, however, the entitlement does not appear to be included with the app, as the console reports that fetching the note for each contact fails. When I try to add the "Contact Notes" capability in Xcode, under the 'Release' tab in the project settings, the capability appears for a few seconds, then disappears when I move to a different tab and return. This does not happen for the 'Debug' configuration. Attempted Resolutions: Changing the signing configuraiton from 'Automatic' to 'Manual', using a manually generated provisioning profile. I manually inspected the provisioning profile using the terminal to ensure it included the entitlement. Creating a separate entitlement file with com.apple.developer.contacts.notes, adding it to the root of the project. Ensuring that the path to this file is correct on the 'Release' configuration. Ensuring 'Contacts Notes Field Access' is enabled under 'Additional Capabilities' in the Developer portal. Adding the capability on Xcode. Below is the inspector displaying the provisioning profile for the 'Debug' Configuration: And the following image below shows the inspector details for the 'Release' Configuration provisioning profile: When I use a manual provisioning profile and an entitlements file at the root of the project, Xcode displays this strange error:

I'm looking for a solution to install a binary on a macOS system where System Integrity Protection (SIP) is enabled, and the target installation location is protected by SIP. I need to achieve this without booting into recovery mode to disable SIP. Is there any method to achieve this, such as by creating separate packages that can handle SIP-protected locations, developing or using installer applications capable of navigating SIP constraints, leveraging specific entitlements or permissions to facilitate the installation, or utilising Mobile Device Management (MDM) solutions for deployment? If anyone has experience or insights on any reliable ways to accomplish this, please share any detailed steps, tools, or best practices that could be useful.

I've been developing an MacOS app for a while and everything was going smoothly until one of the testers reported that the app was crashing on launch. After investigation, we discovered that he had System Integrity Protection disabled. I could reproduce the error by disabling SIP: Library not loaded: @rpath/myframework.framework/myframework Referenced from: <4C129258-1BF8-3D30-9AFE-BF4206D0A767> /Applications/MyApp.app/Contents/MacOS/MyApp Reason: , (security policy does not allow @ path expansion) (terminated at launch; ignore backtrace) The app launches normally if I reenable SIP. I can't find information about "security policy does not allow @ path expansion". I'll appreciate if someone can point me in the right direction.

My App has several resources that I'd like to spring open through App Intents. For example a series of Dictionaries. These resources however in the app are behind a log in (for security) and are entitlements that are purchased. They may own 4 of 7 dictionaries. If I want to have an intent that says, "Open Dictionary: (Dict Name)" how do I best handle situations where the user may no longer be logged in or have the entitlement for that specific dictionary? Thanks

We have requested an additional capability called "User Assigned Device Name" for my application to Apple and got approved the same on for debug/adhoc/release environments . Since then we are facing issues on code signing. We are always getting the compiler error "* Provisioning profile "xxxxxxxxxxx" doesn't support the User Assigned Device Name capability." on both Debug and Release environment. There is another capability "contacts notes entitlements" that we got approved long back when it was not apart of Apple ID(additional capabilities) rather we got approved as a part of our provisioning profile. Suppose we removed "contacts notes entitlements" from the profile and deleted it from the entitlement folder the project compiled without any error. So we are strongly believes the conflicts on the "contacts notes entitlements" is the root cause. We are about to release the version and which is blocked due to this error. So kindly look in to this issue and do the needful asap. STEPS TO REPRODUCE Added user assigned device name capability from Signing & Capability Tab in project in settings. Added the team, valid provisioning profiles and try to sign in manually. Getting the error “Provisioning profile xxxxxxxxxxxx" doesn't support the User Assigned Device Name capability." Note: Already got approval for the “user assigned device name” . Which is listed under the app id.

In enterprise environments it can be tricky to develop innovative applications leveraging the full value of the hardware. The code signing capabilities on iOS are much more restrictive compared to macOS, and has been for years. Is it really too much to ask for more control over the applications we can use in development environments. For bespoke applications being able to have control over hardware is something that has been missing for a long time. The ability to sign with com.apple.security.iokit-user-client-class and com.apple.security.temporary-exception.sbpl in development and enterprise solutions would allow for far greater integration with the devices. What reasons are there to avoid allowing this on iOS when macOS has much less restrictive control, the lack of continuity between the systems does not help the "level playing field".

Hi there, My app detects connected BlackMagic devices on a user's machine and this is done using the DeckLink SDK which first tries to load /Library/Frameworks/DeckLinkAPI.framework using CFBundleCreate. I have not been able to create a notarized app which successfully detects the devices. Either the DeckLinkAPI works or the app starts up without showing "the developer cannot be verified" on my test computer but never both. This is what I've tried so far: signed app: DeckLinkAPI available hardened runtime: DeckLinkAPI not available hardened runtime + com.apple.security.cs.disable-library-validation: DeckLinkAPI available, notarization succeeds yet the "the developer cannot be verified" I've also tried to use weak linking to DeckLinkAPI.framework instead of including the SDK's CFBundleCreate code but that made no difference: I still needed the com.apple.security.cs.disable-library-validation entitlement for that to work which caused "the developer cannot be verified". DeckLinkAPI.framework is notarized: > codesign --test-requirement="=notarized" --verify --verbose /Library/Frameworks/DeckLinkAPI.framework /Library/Frameworks/DeckLinkAPI.framework: valid on disk /Library/Frameworks/DeckLinkAPI.framework: satisfies its Designated Requirement /Library/Frameworks/DeckLinkAPI.framework: explicit requirement satisfied Is there any way to successfully notarize an app to use the DeckLink SDK or any other thirdparty notarized framework which is distributed seperately?

Hello, For educational purpose, I try to use a POSIX semaphore sem_t instead of a dispatch_semaphore_t in a sandbox macOS Obj-C app. When using sandbox, the semaphore code creation : sem_t * _unixSemaphore; char nameSemaphore[64] = {0}; snprintf(nameSemaphore, 22, "/UnixSemaphore_sample"); _unixSemaphore = sem_open(nameSemaphore, O_CREAT, 0644, 0); fails, receiving SEM_FAILED and the errno is 78 (not implemented) However, the sem_t _unixSemaphore is created and works fine when I disable sandbox I my entitlements. Is there a way to fix this? Thank you in advance Jean Marie

Is there a simple way to get the value of the APS Environment setting in the Entitlements file from within a SwiftUI app? As others have noted, when the app is run from Xcode, this value is set to "development" but when run from Archive'd TestFlight version, it is set to something else (presumably "production"). I need to know which environment the app should use for registering its device token for notifications.

Is there possible to record audio during application in kill/terminate state? I am working with application where I have to record microphone voice for some process so I can it during application in foreground and background state, I have no idea about application kill state.