Problem with Data Protection and NSFileProtectionCompleteUntilFirstUserAuthentication

Xcode is doing something strange with our app's entitlements when we have Data Protection set to anything other than Complete Protection. The App ID in the developer portal is set properly to "Protected Until First Authentication"; however, the entitlement we get in Xcode lists "Complete". When I manually change the value of the entitlement to the desired value, we get a warning symbol under Capabilities. Clicking on "Fix Issue" reverts it back to NSFileProtectionComplete, which isn't what we want. Is there any way to make NSFileProtectionCompleteUntilFirstUserAuthentication work properly?

Accepted Reply

Is this just a problem with the Xcode warning? Or is the resulting app built incorrectly? That is, if you dump the entitlements and embedded provisioning profile of the built app, does it have the com.apple.developer.default-data-protection entitlement set correctly in both places?

You can dump these as follows:

$ codesign -d --entitlements :- TestDF95757.app
…
<plist version="1.0">
<dict>
    …
    <key>com.apple.developer.default-data-protection</key>
    <string>NSFileProtectionComplete</string>
    …
</dict>
</plist>
$ security cms -D -i TestDF95757.app/embedded.mobileprovision 
…
<plist version="1.0">
<dict>
    …
    <key>Entitlements</key>
    <dict>
        …
        <key>com.apple.developer.default-data-protection</key>
        <string>NSFileProtectionComplete</string>
    </dict>
    …
</dict>
</plist>

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
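
An added example (not part of the original reply, and not Apple's code): a Python wrapper around the two commands above that compares the entitlement in the code signature and in the embedded provisioning profile against the value you expect. The function names and the script name check_dp.py are hypothetical, and it assumes both tools print an XML plist on stdout, as in the dump above.

```python
import plistlib
import subprocess
import sys

KEY = "com.apple.developer.default-data-protection"  # entitlement named in the thread


def load_plist(output: bytes) -> dict:
    """Parse the XML plist embedded in tool output, ignoring bytes around it."""
    start = output.find(b"<?xml")
    if start < 0:
        start = output.find(b"<plist")
    end = output.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no XML plist found in tool output")
    return plistlib.loads(output[start:end + len(b"</plist>")])


def compare(signed_out: bytes, profile_out: bytes, expected: str) -> list:
    """Return a list of problems; empty means both places carry `expected`."""
    found = {
        "code signature": load_plist(signed_out).get(KEY),
        "provisioning profile": load_plist(profile_out).get("Entitlements", {}).get(KEY),
    }
    problems = []
    for where, value in found.items():
        if value is None:
            problems.append(f"{where}: {KEY} is missing")
        elif value != expected:
            problems.append(f"{where}: has {value}, expected {expected}")
    return problems


def check_app(app_path: str, expected: str) -> list:
    """Run the two commands from the reply against a built .app (macOS only)."""
    def run(*cmd):
        return subprocess.run(cmd, check=True, capture_output=True).stdout
    signed = run("codesign", "-d", "--entitlements", ":-", app_path)
    profile = run("security", "cms", "-D", "-i", f"{app_path}/embedded.mobileprovision")
    return compare(signed, profile, expected)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_dp.py <path/to/App.app> <expected NSFileProtection value>")
    issues = check_app(sys.argv[1], sys.argv[2])
    print("\n".join(issues) or "entitlement matches in both places")
    sys.exit(1 if issues else 0)
```

The script exits non-zero when either place is missing the key or carries a different value, so it can gate an archive or upload step.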

Replies

I was so focused on getting Xcode to not have that angry red checkbox that I didn't get to uploading. After ignoring it the app appears to have the correct entitlements. I'll file a radar on Xcode's behavior. Thanks for straightening me out!

After ignoring it the app appears to have the correct entitlements.

Excellent news.

I'll file a radar on Xcode's behavior.

Thanks in advance. And please do post the bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Please explain step by step: how do I ignore this alert and launch the app?

I have a problem with the entitlement and cannot do anything ((((

Looks like it is not able to update the entitlements file properly. You can update the entitlements file manually.

Check your .entitlements file and locate the Data Protection key-value pair. Update the value as needed.

Possible values can be found at:

https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_default-data-protection


We have encountered the same problem in Xcode 10.3.

Can this problem be solved?