App-specific password not available from Managed Apple ID

This is a solved problem, but a detail not in any docs I could find and I could only get answered from support. Figured I'd add it to the index.


App-specific passwords are not supported with Managed Apple ID created through Business Manager. You will simply not see the option to create an app-specific password even if you do have two-factor authentication turned on.

If it is solved, what is the solution? How do you bypass the requirement for having an app-specific password for notarizing apps, f.x.?
Many businesses are starting to use Managed/Federated Apple IDs.
Many businesses also develop apps for Mac.
If we can't notarize apps with a managed Apple ID, what account are developers supposed to use?
App-specific passwords should be allowed for Managed Apple IDs so that separate Apple IDs aren't required for notarizing only.


What is the solution, please?

I'm also looking for a solution to this!

Are you able to create an App Store Connect API key? You would do this in App Store Connect > Users and Access > Keys > App Store Connect API.

If so, you can configure notarytool to use that. Specifically, run notarytool as follows:

% xcrun notarytool submit --key PPP --key-id KKK -i III

where PPP is the path to the key’s .p8 file, KKK is the key ID (10 alphanumeric characters, visible in App Store Connect), and III is the Issuer ID (a UUID, also visible in App Store Connect).

T9GPZ92M7K

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
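
A pre-flight wrapper for the API-key invocation described in the reply above, as an added example that is not part of the original post or of Apple's tooling. The function names and the NOTARY_* variables are hypothetical; the artifact path argument and `--wait` are standard notarytool usage that the post does not show.

```shell
#!/bin/sh
# Added example: pre-flight checks before an API-key notarytool submission.
# Function names and the NOTARY_* variables are hypothetical, not Apple's.

# Key ID: exactly 10 alphanumeric characters.
check_key_id() {
    case "$1" in *[!A-Za-z0-9]*) return 1 ;; esac
    [ "${#1}" -eq 10 ]
}

# Issuer ID: a UUID in 8-4-4-4-12 hex form.
check_issuer() {
    case "$1" in *[!0-9A-Fa-f-]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# The .p8 file is a long-lived credential: require a regular file (no
# symlink) with no group/other permission bits, e.g. mode 600 or 400.
check_key_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # GNU stat first, then the BSD/macOS form.
    key_mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$key_mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Validate everything, then call notarytool with the flags from the post.
notarize() {
    check_key_file "$NOTARY_KEY_PATH" ||
        { echo "key file missing, a symlink, or group/world accessible" >&2; return 1; }
    check_key_id "$NOTARY_KEY_ID" ||
        { echo "key ID must be 10 alphanumeric characters" >&2; return 1; }
    check_issuer "$NOTARY_ISSUER_ID" ||
        { echo "issuer ID must be a UUID" >&2; return 1; }
    xcrun notarytool submit "$1" --key "$NOTARY_KEY_PATH" \
        --key-id "$NOTARY_KEY_ID" -i "$NOTARY_ISSUER_ID" --wait
}
```

In a CI job, source the file, export the three NOTARY_* variables from the secret store, and call `notarize path/to/archive.zip`.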

If it's solved, could you please tell us how you solved the problem?

Hey Quinn,

The new notarytool is great, and it's nice that we can use App Store Connect API keys. But you can only generate 50 API keys, and the data should be protected... For extremely large enterprises like the one I work for, I can't generate 1 key for every team. I hit our limit.

We could build a central service to notarize, but we don't have that currently, and I don't know that we ever will.. though I'm investigating that.

There really needs to be a way for Managed Apple IDs to be used fully with the developer program. I don't want my developers using non-managed Apple IDs to access our dev program. To me that's a risk.

Love that this was built to help automation, but would really like to see businesses be able to generate app password for users in ABM. Even if it means a People Manager has to enable it for the user.

[I] would really like to see businesses be able to generate app password for users in ABM.

The best way to get that feedback to the folks who have the power to enact change is to put it in a bug report against the notary service.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I have the same problem. Has there been a solution in the meantime? Is there 3rd party software to create managed Apple IDs with which you can create app specific passwords?

Has there been a solution in the meantime?

Not that I’m aware of.

Unfortunately I can’t check on the state of this officially because no one on this thread posted their bug number. Without that, I’m not even sure that a bug was filed at all )-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hey @eskimo, we're currently facing the same issue. We're planning to turn on federation for Managed Apple IDs in October and planning to only have Managed Apple IDs in our developer programs.

I think the documentation even changed to be even more drastic: "Important: Command-line services—like notarization—that use app-specific passwords won’t work with Managed Apple IDs." https://support.apple.com/de-de/guide/apple-business-essentials/axm6603d9206/web

And in addition to that, we're mainly using the Apple Developer Enterprise Program, which means we don't even have the option to use an App Store Connect API Key, as these are unavailable to these accounts (for some reason...)

Do you have any idea how we could use the notarytool in the future? Adding a private Apple ID to our accounts won't be an option from a security perspective.

Feedback ID: FB12796767

Thanks for your help!

Feedback ID: FB12796767

Thanks for that.

Do you have any idea how we could use the notarytool in the future?

No, sorry. I’m coming at this from the notary service side, where the requirements are clear (app-specific password or API key). How you get those with your specific Apple ID setup is not something I have a lot of insight into.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
