private key generation issue

As a part of our macOS solution, we have an auxiliary launch agent that generates a private key with a custom access control attribute (kSecAttrAccessControl) to request user presence, using SecAccessControlCreateWithFlags (or using Security Enclave). Generation fails with

errSecMissingEntitlement

without Keychain Access Groups Entitlement. To make it working, we packed the daemon into an app like structure and added the entitlement, but required for a provision profile. That works well for development, but how are we supposed to distribute our daemon now? There are only two types of distribution provision profiles: App Store Distribution Profile and Ad Hoc Distribution profile. Both doesn't suit for our case. The first one is for applications, but we have a daemon, I don't think Apple will allow auxilary daemons or agents there, the second one is for testers. That looks really ridiculous, the code works, but we cannot distribute it.

Are there any ways to generate the keys with access control, preferably with Security Enclave, and distribute the code for our case?

We used the guide: https://forums.developer.apple.com/message/408009#408009

With App Store Distribution profile the agent crashes on the client's devices with:

Exception Type: EXC_CRASH (Code Signature Invalid)

Exception Codes: 0x0000000000000000, 0x0000000000000000

Exception Note: EXC_CORPSE_NOTIFY

But it's still unclear how to distribute our launch agent as a part of our solution, since we cannot user Apple Store?