I got the permission from Apple (yay), and when I generate a profile on the portal, I can select it. But when I download it... it doesn't have it. Looking at the profile on the portal again, it says I have "Enabled Capabilities Endpoint Security, In-App Purchase". (Although how did that get there?)
Having trouble getting the endpoint-security entitlement working
Although how did that get there?
I presume you’re referring to the In-App Purchase capability. If so, that’s expected. It’s shown for all non-wildcard App IDs.
But when I download it... it doesn't have it.
I presume that the first two instances of “it” mean “the provisioning profile” and the last one means “the Endpoint Security entitlement in its allow list”. How are you checking for that?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Ok, sorry for the confusing use of pronouns. I should have paid them more.
I added the com.apple.developer.endpoint-security.client
entitlement to the entitlements file for the app. I created a profile, using the portal, that had Endpoint Security as an additional entitlement; it was signed with our Developer ID certificate. I downloaded the newly-created profile, and examined it using emacs: it did not have the com.apple.developer.endpoint-security.client
entitlement in it. For the executable (which kept getting killed, of course), I saw that there was a complaint about signature and profile mismatch in system.log, so I used codesign
and cms
to look at the entitlements and profile for the executable, and the com.apple.developer.endpoint-security.client
entitlement was not in the cms
output.
Thanks for the clarification. That does, indeed, seem weird.
When you click on the info button next to the ES capability in your App ID, what do you see? See the screen shot below for what I’d expect to see.
Oh, one more thing:
I added the
com.apple.developer.endpoint-security.client
entitlement to the entitlements file for the app.
What do you mean by “app” here? There’s two ways to use ES:
-
System extension
-
launchd
daemon
In the first case this entitlement belongs on the sysex itself, not an the app. And these have different bundle IDs, and hence different App IDs, and hence different provisioning profiles. You need to make sure if you’re checking the credentials for the sysex’s bundle ID.
If you’re building a launchd
daemon, following the approach suggested in Signing a Daemon with a Restricted Entitlement, there’s only one bundle ID in place and so it’s hard to get mixed up (-:
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
- It's a launchd-driven app
- Two screenshots attached here, one showing an edited version of the downloaded provisioning profile, and the other showing the app id from the developer portal
The first screen shot is missing the specific info I was looking for. Click on the info button next to the ES capability and post a screen shot that includes that. See how, in my example, there’s a popup showing the supported platforms and distribution models.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
I thought ES was only available on macOS. Here it is:
I thought ES was only available on macOS.
That’s correct. My goal was to confirm the Distribution Support value was correct, and it seems to be.
It's a
launchd
-driven app
Everything on our platforms is driven by launchd
one way or another. I’m interpreting this to mean that it’s a launchd
daemon in an app wrapper, per Signing a Daemon with a Restricted Entitlement. Let me know if that’s wrong.
Earlier you wrote:
I created a profile, using the portal, that had Endpoint Security as an additional entitlement; it was signed with our Developer ID certificate. I downloaded the newly-created profile … it did not have the
com.apple.developer.endpoint-security.client
entitlement in it.
I just walked through that process and it’s working for me. Here’s what I did specifically:
-
In Certificates, Identifiers and Profiles, I selected Identifiers on the left.
-
I clicked the add button and registered a new, explicit App ID, making sure to enable Endpoint Security under Additional Capabilities.
-
Back in Certificates, Identifiers and Profiles, I selected Profiles on the left.
-
I clicked the add button, selected Distribution > Developer ID, and clicked Continue.
-
I choose the App ID from step 2 and clicked continue.
-
I walked through the rest of the profile generation process.
-
I clicked Download to download the profile.
As you can see, the profile has the ES entitlement in its allowlist:
% security cms -D -i Test698942D_DevID.provisionprofile | plutil -convert xml1 -o - -
…
<key>Entitlements</key>
<dict>
…
<key>com.apple.developer.endpoint-security.client</key>
<true/>
…
</dict>
…
</dict>
</plist>
Please run through this process and let me know what results you get.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
I just did all that, and got the same results I have been getting. I have tried creating a brand new one, and deleting the old one(s) and recreating, I have tried having App Groups + System Extension, I have tried with only Endpoint Security. I have looked at the downloaded file using vi, and with 'security cms'.
I am, at this point, going to make a screen recording, and file a TSI. I really hope it'll be obvious what I'm doing wrong 😩.
Quinn discovered it! I only got permission for it for development, while I was creating the profile with distribution.
Now to figure out how to get it for distribution...
(Since Quinn and I are 8 hours apart, temporally, this took back&forth a couple of days communicating via TSI.)
Since Quinn and I are 8 hours apart, temporally, this took back & forth a couple of days
Yep )-:
For those reading along at home, when you receive approval to use a special entitlement, like this Endpoint Security additional capability, make sure to read the accompanying email from the approval folks. It might look like boilerplate but often it contains critical tidbits. In this case the capability was approved for development signing only, and hence the problem discussed in this thread.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
In my defense, I missed the word "only" in "approved for development only" -- the one I need it for is a "Developer ID" and that shares many of the same letters.
Why I can't find Addtional Capabilities
| Endpoint Security
when create Identifiers? Is there a problem or a missing step?
I can’t see your second screen shot )-: but below is an example of what you should be seeing.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
oh, sorry! here it is!
Did you apply for access to the capability? There’s a link to form on the docs page.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"