<Provisioning profile does not allow this device.> in Big Sur

Hi all,

According to the reference link,
Packaging a Daemon with a Provisioning Profile
I changed our launchd daemon to run as an .app.

When generating a Provisioning Profile, I added our Development computer (including UUID) into 'Devices'.
But when I ran .app/Contents/MacOS/FamRTServicebig on our macOS Big Sur test environment, this error occurred:

embedded provisioning profile not valid: file:///Library/Application%20Support/test/bin/FamRTServicebig.app/Contents/embedded.provisionprofile
error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.}


Questions:
Could you let me know how to resolve this error?
Is it necessary to install the Provisioning profile in the test device as well?

Thanks in advance for your help.

Accepted Reply

There’s at least two problems here:
  • Your ‘app’ is signed with the App Sandbox entitlement (com.apple.security.app-sandbox). This is not necessary for ES clients and will actively cause problems. Remove that and the associated temporary exception entitlements.

  • An ES client must have the hardened runtime enabled and can’t use any hardened runtime exception entitlements. That means you must remove com.apple.security.cs.allow-jit.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
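
The two points in this reply can be checked mechanically against the output of `codesign -d --entitlements :-`. The following is an added example, not part of the original reply or Apple's tooling: the sample plist is constructed, `es_client_findings` is a hypothetical name, and treating every `com.apple.security.cs.*` key as a hardened runtime exception is an assumption that goes beyond the single key the reply names.

```python
import plistlib

# Constructed sample in the shape of `codesign -d --entitlements :- <binary>` output.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.developer.endpoint-security.client</key><true/>
  <key>com.apple.security.app-sandbox</key><false/>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
  <array><string>/</string></array>
</dict>
</plist>"""

SANDBOX_KEY = "com.apple.security.app-sandbox"
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."
# Assumption: all com.apple.security.cs.* keys are hardened runtime exceptions;
# the reply itself only names com.apple.security.cs.allow-jit.
RUNTIME_EXCEPTION_PREFIX = "com.apple.security.cs."


def es_client_findings(entitlements_xml):
    """Return (key, reason) pairs for entitlements an ES client should not carry."""
    entitlements = plistlib.loads(entitlements_xml)
    findings = []
    for key in sorted(entitlements):
        if key == SANDBOX_KEY:
            # Flagged on presence, whatever its value: the reply says to remove it.
            findings.append((key, "App Sandbox entitlement"))
        elif key.startswith(TEMP_EXCEPTION_PREFIX):
            findings.append((key, "sandbox temporary exception"))
        elif key.startswith(RUNTIME_EXCEPTION_PREFIX):
            findings.append((key, "hardened runtime exception"))
    return findings


if __name__ == "__main__":
    for key, reason in es_client_findings(SAMPLE_ENTITLEMENTS):
        print(f"remove {key}: {reason}")
```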

Replies

First things first, dump your profile to make sure that the Mac’s UUID actually made it into your profile. You can do this with:

% security cms -D -i /test/bin/FamRTServicebig.app/Contents/embedded.provisionprofile


Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
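
A scripted version of this check, as an added example that is not part of the original reply: it reads the decoded profile that `security cms -D` prints and reports why a given Mac would be rejected. The sample profile and UUIDs are constructed, `device_problems` is a hypothetical name, and the `ProvisionsAllDevices` key (carried by Developer ID profiles) does not appear in the output posted on this page.

```python
import plistlib
from datetime import datetime

# Constructed sample in the shape of
# `security cms -D -i embedded.provisionprofile` output; values are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example_Profile</string>
  <key>ExpirationDate</key><date>2021-11-12T04:46:55Z</date>
  <key>ProvisionedDevices</key>
  <array>
    <string>00000000-AAAA-BBBB-CCCC-000000000001</string>
  </array>
</dict>
</plist>"""


def device_problems(profile_xml, hardware_uuid, now):
    """Return reasons the profile would not apply on this Mac (empty list = OK).

    `now` is a naive UTC datetime, matching how plistlib parses <date> values.
    """
    profile = plistlib.loads(profile_xml)
    problems = []
    if now >= profile["ExpirationDate"]:
        problems.append("profile expired")
    # Developer ID profiles carry ProvisionsAllDevices instead of a device list.
    if not profile.get("ProvisionsAllDevices", False):
        allowed = {d.upper() for d in profile.get("ProvisionedDevices", [])}
        if hardware_uuid.upper() not in allowed:
            problems.append("device UUID not in ProvisionedDevices")
    return problems


if __name__ == "__main__":
    uuid = "00000000-AAAA-BBBB-CCCC-000000000002"  # constructed, not in the profile
    print(device_problems(SAMPLE_PROFILE, uuid, datetime(2021, 1, 1)))
```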

Thanks The Eskimo,

The output is:

% security cms -D -i /test/bin/FamRTServicebig.app/Contents/embedded.provisionprofile

<plist version="1.0">
<dict>
<key>AppIDName</key>
<string>for EX</string>
<key>ApplicationIdentifierPrefix</key>
<array>
<string><id></string>
</array>
<key>CreationDate</key>
<date>2020-11-12T04:46:55Z</date>
<key>Platform</key>
<array>
<string>OSX</string>
</array>
<key>IsXcodeManaged</key>
<false/>
<key>DeveloperCertificates</key>
<array>
<data><DeveloperCertificates></data>
</array>


<key>Entitlements</key>
<dict>
<key>com.apple.developer.endpoint-security.client</key>
<true/>

<key>com.apple.developer.system-extension.install</key>
<true/>

<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
<string>packet-tunnel-provider</string>
<string>dns-proxy</string>
<string>dns-settings</string>
</array>

<key>com.apple.application-identifier</key>
<string><identifier></string>

<key>keychain-access-groups</key>
<array>
<string><id>.*</string>
</array>

<key>com.apple.developer.team-identifier</key>
<string><id></string>

<key>com.apple.developer.aps-environment</key>
<string>development</string>

<key>com.apple.developer.ClassKit-environment</key>
<array>
<string>production</string>
<string>development</string>
</array>

</dict>
<key>ExpirationDate</key>
<date>2021-11-12T04:46:55Z</date>
<key>Name</key>
<string>ES_Client</string>
<key>ProvisionedDevices</key>
<array>
<string>94462E57-8752-5BFA-8192-84117C4F7DDB</string>
</array>
<key>TeamIdentifier</key>
<array>
<string><id></string>
</array>
<key>TeamName</key>
<string><team></string>
<key>TimeToLive</key>
<integer>365</integer>
<key>UUID</key>
<string>de4b308b-7378-48ce-9fd8-d8daa8cfcdee</string>
<key>Version</key>
<integer>1</integer>
</dict>

codesign -d --entitlements :- /Library/Application\ Support/test/bin/FamRTServicebig.app/Contents/MacOS/FamRTServicebig

<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string><identifier></string>
<key>com.apple.developer.endpoint-security.client</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string><id></string>
<key>com.apple.security.app-sandbox</key>
<false/>
<key>com.apple.security.application-groups</key>
<array>
<string><id></string>
</array>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.get-task-allow</key>
<true/>
<key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
<array>
<string>/</string>
</array>
<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
<array>
<string>/</string>
</array>
</dict>
</plist>



<key>ProvisionedDevices</key>
<array>
<string>94462E57-8752-5BFA-8192-84117C4F7DDB</string>
</array>

94462E57-8752-5BFA-8192-84117C4F7DDB is our Development computer UUID.

Could you let us know if this setting is correct?

Thanks in advance for your help.

Thanks The Eskimo,

I solved this problem by creating a new Provisioning Profile with the type Developer ID Application.

Thanks in advance for your help.
  • I have a question about this post

    I have 2 Developer ID Certification certificates right now and I had the same problem as you.

    Currently as of 2022.2.10, when I try to create a provisioning file with Developer ID it says no certificate unconditionally. How to solve this problem?

  • I responded on your specific thread.
