AppGroups - com.apple.security.application-groups

Hello,
Could you please explain to me what the difference between using app groups with a secure key (com.apple.security.application-groups) inside entitlements is? I haven't found any relevant source on the internet. Does it have any connection with the team? Is the access to App Groups with this key restricted only for a specific developer team or app bundle id?


Thank you for your time :)
App Groups are one of those things that vary by platform. Are you targeting the Mac? Or an iOS-based platform? Or both?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Hi, thank you for your quick reply. I'm targeting iOS for now. But I would like to know differences in this topic for macOS or iOS.
On iOS App Groups are mediated by the developer web site. To use an App Group you must add it to the developer web site and then add it to your app’s provisioning profile. An app can’t use an App Group unless its profile includes the group ID in its com.apple.security.application-groups allowlist. Such a group ID always starts with group..

On macOS App Groups are not mediated by the developer web site. They also don’t need to be allowlisted by a provisioning profile. For this reason, group IDs must be prefixed by your Team ID. If you ship via the Mac App Store, the app ingestion system checks that prefix.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
So iOS app can use multiple AppGroups which must be defined inside the entitlements file. If I don't provide security key inside iOS entitlement file, I'm not allowed to use AppGroups? Or what happens if I don't use com.apple.security.application-groups key?

So iOS app can use multiple AppGroups

Yes.

which must be defined inside the entitlements file.

Not quite. The .entitlements file is one input to the code signing process. For an iOS app to be able to use an App Group it must:
  • Have the App Group listed in the entitlements in its code signature (this is the output of the code signing process)

  • Have that group allowlisted by its provisioning profile

It’s this last point that prevents random apps from ‘stealing’ your App Group. The profile is created by the developer web site and it will only include an App Group in that profile’s allowlist if that App Group is associated with your team.

If you want to see this in action, use this command to dump the entitlements in your app’s code signature:

% codesign -d --entitlements :- /path/to/your.app

and this command to dump the contents of your profile, which includes the entitlements allowlist:

% security cms -D -i /path/to/your.app/embedded.mobileprovision

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
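The two dumps above are what you compare by hand. As an added example (not part of this thread, and not Apple's tooling), this Python script does the comparison: it takes the XML that `codesign -d --entitlements :-` prints and a `.mobileprovision` file, reads the plist payload out of the profile's CMS wrapper without verifying the CMS signature (inspection only), and lists every App Group the signature claims that the profile does not allowlist. The plist and profile bytes embedded here are constructed samples with placeholder Team ID, App ID and group names.

```python
import plistlib
import re

GROUPS_KEY = "com.apple.security.application-groups"

# Constructed sample of what `codesign -d --entitlements :- Your.app` prints
# for a signed app (not a real app; embedded so the script runs offline).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key>
  <string>TEAMID0000.com.example.placeholder</string>
  <key>com.apple.security.application-groups</key>
  <array>
    <string>group.example.placeholder</string>
    <string>group.example.other</string>
  </array>
</dict></plist>"""

# Constructed stand-in for embedded.mobileprovision: the real file is a CMS
# (PKCS#7) blob whose payload is an XML plist; dummy bytes wrap it here.
SAMPLE_PROFILE = b"\x30\x82\x01\x00filler" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key>
    <string>TEAMID0000.com.example.placeholder</string>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>group.example.placeholder</string>
    </array>
  </dict>
</dict></plist>""" + b"\x00signature-bytes"

def profile_entitlements(profile: bytes) -> dict:
    """Extract the plist payload from a CMS-wrapped profile (like `security
    cms -D`, but without checking the CMS signature: inspection only)."""
    m = re.search(rb"<\?xml.*?</plist>", profile, re.DOTALL)
    if not m:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(m.group(0))["Entitlements"]

def unauthorized_groups(entitlements_xml: bytes, profile: bytes) -> list[str]:
    """Groups the code signature claims but the profile does not allowlist;
    an empty list means every group the app asks for is authorised."""
    claimed = set(plistlib.loads(entitlements_xml).get(GROUPS_KEY, []))
    allowed = set(profile_entitlements(profile).get(GROUPS_KEY, []))
    return sorted(claimed - allowed)
```

On a real build, pass the bytes of the `codesign` output and of `Your.app/embedded.mobileprovision`; a non-empty result is exactly the mismatch the dump in the next post shows, where the profile's allowlist is empty.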

Thank you very much for the detailed information. I tested it, and indeed, it appears that the command security cms -D -i /path/to/your.app/embedded.mobileprovision shows the app group is empty in the provisioning profile:

"com.apple.security.application-groups" => [ ]

However, I haven’t found a way to update the profile to include the group. The profile is Xcode-managed, but I also manually created a development profile through the Developer Portal, and the group still wasn’t added, even though it’s activated for the identifier.

Could this be a bug, or is there any other option available?

Thank you so much for your thorough and competent help. I’m really pleased to have the chance to connect with you.

@DTS Engineer Do you have any ideas how to solve the problem?

First up, I wanted to drop a link to App Groups: macOS vs iOS: Fight! This explains, in gory detail, the difference between apps groups on the two platforms.

I also manually created a development profile through the Developer Portal, and the group still wasn’t added, even though it’s activated for the identifier.

Hmmm, that’s weird. Let me run through the manual process and you can try replicating that:

  1. In the Certificates, Identifiers, and Profiles section of the Developer website, switch to Identifiers.

  2. Click the add (+) button to create a new App ID.

  3. Select App and click Continue.

  4. Enter the name and the App ID. In my case these were Test660802 and com.example.apple-samplecode.Test660802, respectively.

  5. In the Capabilities tab, enable App Groups.

  6. Click Continue.

  7. Click Register.

  8. Back in the Identifiers section, search for the new App ID.

  9. Click on it.

  10. In the Capabilities tab, click Configure.

  11. Enable a specific App Group. In my case it was group.eskimo1.test.

  12. Click Save and confirm the change.

Next create a profile from that App ID:

  1. Back in Certificates, Identifiers, and Profiles, switch to Profiles.

  2. Click the add (+) button to create a new profile.

  3. Select iOS App Development and click Continue.

  4. Select the new App ID and click Continue.

  5. Go through the rest of the workflow until you hit the Review, Name and Generate step.

  6. Enter a name, in my case that was Test660802 Dev, and click Generate.

  7. Click Download.

  8. In Finder, dump that profile:

% security cms -D -i Test660802.mobileprovision | plutil -p -
{
  …
  "Entitlements" => {
    "application-identifier" => "SKMME9E2Y8.com.example.apple-samplecode.Test660802"
    …
    "com.apple.security.application-groups" => [
      0 => "group.eskimo1.test"
    ]
    …
  }
  …
}

As you can see, the profile authorises this App ID to use the group.eskimo1.test app group.

I recommend that you work through this process to confirm that it’s working as described above. After that, you can use your experience to check the behaviour of your real App ID.

IMPORTANT When you test this, use a different App ID and group. The App ID of com.example.apple-samplecode.Test660802 and app group ID of group.eskimo1.test are allocated to my individual work account.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
