Where did Keychain Access Groups entitlements go

I understand that this entitlement is now rolled into App Groups

No, that’s not true. App Groups and keychain access groups are very different things. On iOS-based platforms you can use an App Group as a keychain access group but that only make sense in some situations. A lot of the time a keychain access group is the right choice.

As to what’s going on with the developer web site, I just ran a test and it seems to automatically add the keychain access group entitlement (keychain-access-groups) to every profile I create. Is that not happening for you?

Keep in mind that the profile is just an allow list. The actual entitlements are formed when you sign the code.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

I haven't tried that. Originally, I created the shared ID for the Access Group online, in the Identifiers section where you register App Groups and Application signatures. Now I don't see where to do that. I did this originally on my personal account, but need to duplicate it on the company's developer account, and don't see where to do it. In getting this to work, it seemed critical that the registered ID matched my Xcode project and code settings with the Provisioning Profile when it was code signed.

I also cannot find the keychain access groups entitlement on the website. I am trying to build the SimpleTunnel example (Network Extensions). I have gone through the usual steps of creating a new appID/bundle identifier and creating a new provisioning certificate. Also creating a new app group, etc. I am down to one last error on the FilterDataProvider, FilterControlProvider and the AppProxy targets. Each has the same error: "Provisioning profile "Simple Tunnel" doesn't match the entitlements file's value for the keychain-access-groups entitlement."

In the Developer Portal, I cannot find anywhere to enable this entitlement, either in the AppID section or the Profile section.

The reason why there’s no keychain access group capability in the App ID editor on the developer web site is that any explicit App ID automatically causes the keychain access group entitlement to be added to any profile created from that App ID. The entitlement looks like this:

Code Block  
% security cms -D -i ea8943a0-387a-4f57-9150-cb051c0e7751.mobileprovision 
…
<dict>
  <key>Entitlements</key>
  <dict>
    …
    <key>keychain-access-groups</key>
    <array>
        <string>SKMME9E2Y8.*</string>
        <string>com.apple.token</string>
    </array>
    …
  </dict>
  …
</dict>
</plist>

That is, it allows you to use any keychain access group starting with your App ID prefix (which is usually your Team ID) and the com.apple.token special group (this is the string value of kSecAttrAccessGroupToken).

The problem you’re having with SimpleTunnel is likely caused by it specifying com.apple.managed.vpn.shared in its entitlements. Access to this keychain access group requires a special entitlement granted by Apple. See FAQ#9 in Network Extension Framework Entitlements for more on that.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"