General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

tl;dr: The title and/or can I even add a keychain entitlement to a cli app? I'm trying to store a generated private key and certificate properly in a CLI app. The call to SecItemAdd always results in an error with message A required entitlement isn't present. I assume this is errSecMissingEntitlement, and its docs say it happens "when you specify an access group to which your app doesn’t belong". But I'm not even specifying one. Here's a small excerpt (I know it's not a MVCE but the question is pretty general anyway): func storeCert(_ cert: Data) throws { let addQuery = [ kSecClass: kSecClassCertificate, kSecValueRef: cert, kSecAttrLabel: CERT_USER_LABEL, kSecAttrApplicationLabel: CERT_APP_LABEL ] as [String: Any] let status = SecItemAdd(addQuery as CFDictionary, nil) guard status == errSecSuccess else { let msg = SecCopyErrorMessageString(status, nil) as String? ?? "" throw MyErr.generic(message: "Unable to store cert: \(msg)") } } I can't add the keychain entitlement to my CLI target, it doesn't show as an option in the add capability window. Disclaimer: I'm quite new to macOS / Apple development, so if there's something obvious I'm missing, my bad.

I'm developing a watchOS nap app that detects when the user falls asleep by monitoring heart rate changes. == Technical Implementation == HKWorkoutSession (.mindAndBody) for background execution HKAnchoredObjectQuery for real-time heart rate data CoreMotion for movement detection == Battery Considerations == Heart rate monitoring ONLY active when user explicitly starts a session Monitoring continues until user is awakened OR 60-minute limit is reached If no sleep detected within 60 minutes, session auto-ends (user may have abandoned or forgotten to stop) App displays clear UI indicating monitoring is active Typical session: 15-30 minutes, keeping battery usage minimal == The Problem == HKWorkoutSession affects Activity Rings during the session. Users receive "Exercise goal reached" notifications while resting — confusing. == What I've Tried == Not using HKLiveWorkoutBuilder → Activity Rings still affected Using builder but not calling finishWorkout() (per https://aninterestingwebsite.com/forums/thread/780220) → Activity Rings still affected WKExtendedRuntimeSession (self-care type) (per https://aninterestingwebsite.com/forums/thread/721077) → Only ~10 min runtime, need up to 60 min HKObserverQuery + enableBackgroundDelivery (per https://aninterestingwebsite.com/forums/thread/779101) → ~4 updates/hour, too slow for real-time detection Audio background session for continuous processing (suggested in https://aninterestingwebsite.com/forums/thread/130287) → Concerned about App Store rejection for non-audio app; if official approves this technical route, I can implement in this direction Some online resources mention "Health Monitoring Entitlement" from WWDC 2019 Session 251, but I could not find any official documentation for this entitlement. Apple Developer Support also confirmed they cannot locate it? == My Question == Is there any supported way to: Monitor heart rate in background for up to 60 minutes WITHOUT affecting Activity Rings or creating workout records? If this requires a special entitlement or API access, please advise on the application process. Or allow me to submit a code-level support request. Any guidance would be greatly appreciated. Thank you!

Hello, I submitted a request for Family Controls (Distribution) approval, and it has now been over 4 days without any update on the status. I understand that review times can vary, but I wanted to check if this delay is expected or if there’s anything I might need to do on my end to help move the process forward. Could anyone from the Apple team or the community provide insight into: Typical processing times for Family Controls distribution requests Whether delays beyond a few days are common Any steps I should take to follow up or expedite the review For reference: Status: Submitted Submission time: April 21, 2026 Any guidance would be greatly appreciated. Thank you!

Hi, I have an approved com.apple.developer.family-controls entitlement for my main app bundle (com.maxflame.prove-it) and submitted a request on April 18, 2026 to extend it to an embedded extension: com.maxflame.prove-it.DeviceActivityMonitorExtension Request ID: 65CKJZ7DQ4 — status still shows "Submitted" with no further response. The extension uses DeviceActivity callbacks and needs to decode FamilyActivitySelection, which requires the entitlement on the extension bundle as well. In my experience, Family Controls entitlement approvals for the main app bundle have come through within 24 hours. It's now been 5 days with no response for this extension request, which seems unusual. Has anyone else gone through this for extension bundle IDs? Did you need to submit a separate request per bundle, or did Apple extend the approval to your extensions automatically once the main app was approved? And has anyone else experienced longer wait times specifically for extension bundles? Any guidance appreciated.

I'm writing this post out of genuine desperation after exhausting every official support channel available to me. The situation: I've built a screen time / focus app for students called SınavKilidi, specifically designed for Turkish high school students preparing for the YKS university entrance exam — one of the most high-stakes exams in Turkey, taken by hundreds of thousands of students every year. The exam window is approximately 2 months away. This app is inherently seasonal: if it doesn't reach users before the exam season, an entire year of development becomes irrelevant. The main app binary was approved and is live. Everything on the App Store Connect side is fully ready — metadata, screenshots, pricing, in-app purchases, the works. The blocker: My app uses App Extensions that require the com.apple.developer.family-controls entitlement. The main app target received distribution entitlement approval. However, the extensions — which are architecturally inseparable from the core functionality — have not received the same entitlement. Without this, I cannot submit a working build. The app is literally unshippable in its current state despite the main entitlement being granted. This is not a configuration issue on my end. The entitlement is correctly set up in my provisioning profiles. The gap is purely on Apple's approval side for the extension targets. The support experience: I opened Case #102855522321 on March 29, 2026. Since then: I had a call with Apple Developer Support on April 1 I sent follow-up emails on April 1, April 2, April 3, and April 7 Not a single substantive response. Only automated acknowledgements. That is 10+ days, 4 follow-up emails, 1 phone call, and complete silence on an issue that is actively costing me my launch window. What I'm asking: I'm not asking for special treatment. I understand Apple receives thousands of requests. But this entitlement request is for a legitimate, already-partially-approved app, with a documented real-world deadline, in an educational category that Apple actively promotes. Can anyone from the App Review or Developer Relations team look into Case #102855522321 and provide an actual update? Or can anyone here share whether there's a known delay affecting FamilyControls entitlement approvals for extensions specifically? Any guidance would be deeply appreciated. Every day that passes without a resolution is a day closer to this app missing its entire reason for existing.

Hi, I have an approved com.apple.developer.family-controls entitlement for my main app bundle (com.maxflame.prove-it) and submitted a request on April 18, 2026 to extend it to an embedded extension: com.maxflame.prove-it.DeviceActivityMonitorExtension Request ID: 65CKJZ7DQ4 — status still shows "Submitted" with no further response. The extension uses DeviceActivity callbacks and needs to decode FamilyActivitySelection, which requires the entitlement on the extension bundle as well. In my experience, Family Controls entitlement approvals for the main app bundle have come through within 24 hours. It's now been 5 days with no response for this extension request, which seems unusual. Has anyone else gone through this for extension bundle IDs? Did you need to submit a separate request per bundle, or did Apple extend the approval to your extensions automatically once the main app was approved? And has anyone else experienced longer wait times specifically for extension bundles? Any guidance appreciated.

I've already submitted multiple cases about this issue. My Family Controls Distribution request was apparently approved (or I was told via Developer Support) for my Shield Action & Shield Configuration extensions, but the Distribution option still does not appear in the identifiers. This is blocking my ability to distribute via TestFlight. I need someone who can update the identifier capabilities or explain why the approved capability is not showing.

Hello, I am hoping someone from Apple or the community can help escalate or advise on my situation. I submitted a Live Caller ID Lookup entitlement request for my app Zinfo (com.parastashvili.Mobile), Team ID: CNH4KYRW44. A support case was opened on February 17, 2026 (Case ID: 102823550184). Apple's documentation states entitlement review takes up to 2 weeks. It has now been over 3 weeks with no substantive response despite multiple follow-ups. Timeline: Feb 17: Case opened Feb 26: I provided all requested technical details in full — OHTTP endpoints, Privacy Pass token system, DNS TXT record, Apple test number (+1 408 555 1212 returning "Johnny Appleseed"), all fully deployed and ready for validation Feb 27: Apple replied with a generic "appropriate team will be in contact" message Feb 28, Mar 6, Mar 10: Follow-up emails sent — no meaningful response All technical requirements are fully implemented and operational. We are ready for Apple's validation at any time. Has anyone else experienced long delays with Live Caller ID Lookup entitlement reviews? Is there a better escalation path? I have also submitted a new escalation ticket (Case ID: 102840874265) under Development and Technical > Entitlements today. Any advice or visibility from Apple staff would be greatly appreciated. App: Zinfo (com.parastashvili.Mobile) Extension Bundle ID: com.parastashvili.Mobile.LiveCallerID Team ID: CNH4KYRW44

Hi all, and particularly @Eskimo if you spot this — I believe I'm reproducing the backend issuance bug reported in thread 816377 (https://aninterestingwebsite.com/forums/thread/816377) on a different Team ID and would like a second pair of eyes before I burn a TSI. Feedback Assistant filed as FB22582333. Team ID: MCN4U9B2K4 · Bundle ID: com.michaeltocco.Sanbox · Xcode 17 · iOS 18.5 · Automatic signing Setup App ID com.michaeltocco.Sanbox has ShazamKit ticked in App Services; persists through portal reloads. Local entitlements file declares com.apple.developer.shazamkit = YES only (no MusicKit client entitlement, per DTS guidance in thread 799000: https://aninterestingwebsite.com/forums/thread/799000). CODE_SIGN_ENTITLEMENTS set in both Debug and Release XCBuildConfiguration buildSettings. NSMicrophoneUsageDescription and NSAppleMusicUsageDescription are both present in the generated Info.plist. What Xcode reports After wiping DerivedData and any Sanbox-matching profiles and running xcodebuild … -allowProvisioningUpdates -destination 'generic/platform=iOS': error: Entitlement com.apple.developer.shazamkit not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file. (in target 'Sanbox' from project 'Sanbox') What I verified on the profile Apple just issued $ security cms -D -i 0596f302-….mobileprovision | plutil -extract Entitlements xml1 -o - - shows only the baseline four entitlements — application-identifier, keychain-access-groups, get-task-allow, com.apple.developer.team-identifier. com.apple.developer.shazamkit is absent, which is exactly what thread 816377 describes. What I've already tried Deleted and recreated the App ID from scratch — same symptom. Performed the capability-toggle trick (uncheck ShazamKit → Save → wait 60s → re-check → Save → delete local profiles → rebuild) documented in the "Capability & entitlement updates" help page (https://aninterestingwebsite.com/help/account/reference/capability-entitlement-updates/) for the Game Center precedent — same symptom. Confirmed I am building for device, not Simulator. Confirmed the entitlement key name matches DTS guidance in thread 799000 and the live profile dumps in thread 816377. Runtime confirmation When I force a build with only the team wildcard profile, SHManagedSession().result() returns com.apple.ShazamKit Code=202 "Missing entitlements", wrapping an AMS 306 wrapping HTTP 401 from api.shazam.apple.com/v1/catalog/US/match. AMS server correlation key: E5VYL5YSUT4L55KQDDP4MJQAZE. So the server side is consistent: the token the client presents lacks ShazamKit scope because the binary doesn't carry the entitlement, and the binary doesn't carry it because Apple isn't issuing it into the profile. Question Is there a configuration step beyond "tick ShazamKit in App Services" that I've missed for Individual-program accounts, or is this the same backend issuance pathology as thread 816377? Happy to share the security cms output, the decoded plist, the build log, or anything else useful. Thanks.

This issue keeps cropping up on the forums and so I decided to write up a single post with all the details. If you have questions or comments: If you were referred here from an existing thread, reply on that thread. If not, feel free to start a new thread. Use whatever topic and subtopic is appropriate for your question, but also add the Entitlements tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Determining if an entitlement is real In recent months there’s been a spate of forums threads involving ‘hallucinated’ entitlements. This typically pans out as follows: The developer, or an agent working on behalf of the developer, changes their .entitlements file to claim an entitlement that’s not real. That is, the entitlement key is a value that is not, and never has been, supported in any way. Xcode’s code signing machinery tries to find or create a provisioning profile to authorise this claim. That’s impossible, because the entitlement isn’t a real entitlement. Xcode reports this as a code signing error. The developer misinterprets that error [1] in one of two ways: As a generic Xcode code signing failure, and so they start a forums thread asking about how to fix that problem. As an indication that the entitlement is managed — that is, requires authorisation from Apple to use — and so they start a forums thread asking how to request such authorisation. The fundamental problem is step 1. Once you start claiming entitlements that aren’t real, you’re on a path to confusion. Note If you’re curious about how provisioning profiles authorise entitlement claims, read TN3125 Inside Code Signing: Provisioning Profiles. There are a couple of ways to check whether an entitlement is real. My preferred option is to create a new test project and use Xcode’s Signing & Capabilities editor to add the corresponding capability to it. Then look at what Xcode did. You might find that Xcode claimed a different entitlement, or added an Info.plist key, or did nothing at all. IMPORTANT If you can’t find the correct capability in the Signing & Capabilities editor, it’s likely that this feature is available to all apps, that is, it’s not gated by an entitlement or anything else. Another thing you can do is search the documentation. The vast majority of real entitlements are documented in Bundle Resources > Entitlements. IMPORTANT When you search for documentation, focus on the Apple documentation. If, for example, you search the Apple Developer Forums, you might be mislead by other folks who are similarly confused. If you find that you’re mistakenly trying to claim a hallucinated entitlement, the fix is trivial: Remove it from your .entitlements file so that your app starts to build again. Then add the capability using Xcode’s Signing & Capabilities editor. This will do the right thing. If you continue to have problems, feel free to ask for help here on the forums. See the top of this post for advice on how to do that. [1] Xcode 26.2, currently being seeded as Release Candidate, is much better about this (r. 155327166). Give it a whirl! Commonly Hallucinated Entitlements This section lists some of the more commonly hallucinated entitlements: com.apple.developer.push-notifications — The correct entitlement is aps-environment (com.apple.developer.aps-environment on macOS), documented here. There’s also the remote-notification value in the UIBackgroundModes property. com.apple.developer.in-app-purchase — There’s no entitlement for in-app purchase. Rather, in-app purchase is available to all apps with an explicit App ID (as opposed to a wildcard App ID). com.apple.InAppPurchase — Likewise. com.apple.developer.storekit — Likewise. com.apple.developer.in-app-purchase.non-consumable — Likewise. com.apple.developer.in-app-purchase.subscription — Likewise. com.apple.developer.app-groups — The correct entitlement is com.apple.security.application-groups, documented here. And if you’re working on the Mac, see App Groups: macOS vs iOS: Working Towards Harmony. com.apple.developer.background-modes — Background modes are controlled by the UIBackgroundModes key in your Info.plist, documented here. UIBackgroundModes — See the previous point. com.apple.developer.voip-push-notification — There’s no entitlement for this. VoIP is gated by the voip value in the UIBackgroundModes property. com.apple.developer.family-controls.user-authorization — The correct entitlement is com.apple.developer.family-controls, documented here. IMPORTANT As explained in the docs, this entitlement is available to all developers during development but you must request authorisation for distribution. com.apple.developer.device-activity — The DeviceActivity framework has the same restrictions as Family Controls. com.apple.developer.managed-settings — If you’re trying to use the ManagedSettings framework, that has the same restrictions as Family Controls. If you’re trying to use the ManagedApp framework, that’s not gated by an entitlement. com.apple.developer.callkit.call-directory — There’s no entitlement for the Call Directory app extension feature. com.apple.developer.nearby-interaction — There’s no entitlement for the Nearby interaction framework. com.apple.developer.secure-enclave — On iOS and its child platforms, there’s no entitlement required to use the Secure Enclave. For macOS specifically, any program that has access to the data protection keychain also has access to the Secure Enclave [1]. See TN3137 On Mac keychain APIs and implementations for more about the data protection keychain. com.apple.developer.networking.configuration — If you’re trying to configure the Wi-Fi network on iOS, the correct entitlement is com.apple.developer.networking.HotspotConfiguration, documented here. com.apple.developer.musickit — There is no MusicKit capability. Rather, enable MusicKit via the App Services column in the App ID editor, accessible from Developer > Certificates, Identifiers, and Profiles > Identifiers. These app services are tied to your App ID on the server side, meaning that they have no presence in your code signature. com.apple.developer.shazamkit — There is no ShazamKit capability. Like MusicKit, this is an app service. com.apple.mail.extension — Creating an app extension based on the MailKit framework does not require any specific entitlement. com.apple.security.accessibility — There’s no entitlement that gates access to the Accessibility APIs on macOS. Rather, this is controlled by the user in System Settings > Privacy & Security. Note that sandboxed apps can’t use these APIs. See the Review functionality that is incompatible with App Sandbox section of Protecting user data with App Sandbox. com.apple.developer.adservices — Using the AdServices framework does not require any specific entitlement. [1] While technically these are different features, they are closely associated and it turns out that, if you have access to the data protection keychain, you also have access to the SE. Revision History 2026-04-23 Added com.apple.developer.shazamkit to the common hallucinations list. Added a little more info about app services. 2025-12-09 Updated the Xcode footnote to mention the improvements in Xcode 26.2rc. 2025-11-03 Added com.apple.developer.adservices to the common hallucinations list. 2025-10-30 Added com.apple.security.accessibility to the common hallucinations list. 2025-10-22 Added com.apple.mail.extension to the common hallucinations list. Also added two new in-app purchase hallucinations. 2025-09-26 Added com.apple.developer.musickit to the common hallucinations list. 2025-09-22 Added com.apple.developer.storekit to the common hallucinations list. 2025-09-05 Added com.apple.developer.device-activity to the common hallucinations list. 2025-09-02 First posted.

Hi, I’m a paid Apple Developer Program member and I’m seeing an entitlement issuance issue with ShazamKit. ShazamKit is enabled for my App ID (com.tomharris.dnbidfinder) in Certificates, Identifiers & Profiles. However, every iOS Development provisioning profile I generate does not include the entitlement: com.apple.developer.shazamkit verified this by decoding the downloaded .mobileprovision file: security cms -D -i .mobileprovision | /usr/libexec/PlistBuddy -c "Print :Entitlements" /dev/stdin The entitlement dictionary does not contain the ShazamKit key. Because of this: • The signed .app does not contain the Shazam entitlement • SHSession.match(signature) fails on device • I receive ShazamKit runtime error 201 / 212 I’ve already: • Toggled ShazamKit off and back on for the App ID • Created new provisioning profiles • Created a brand new App ID to test • Refreshed profiles in Xcode The portal UI shows ShazamKit as enabled, but the entitlement is not being issued into provisioning profiles. Has anyone experienced this before? Is there an additional approval step required for ShazamKit, or could this be a backend entitlement propagation issue? Thanks.

My Family Controls (Distribution) capability request (C4N7962252) was approved March 15, 2026 for bundle ID com.jedsiegel.unplugtogether. All three Family Controls capabilities are enabled on the App ID. When I generate a provisioning profile (manual or automatic), Xcode reports: "Provisioning profile doesn't match the entitlements file's value for the com.apple.developer.family-controls entitlement." I decoded the profile using security cms -D and found: com.apple.developer.family-controls.app-and-website-usage → present com.apple.developer.family-controls → missing entirely My entitlements file requires com.apple.developer.family-controls with value ["individual"] for AuthorizationCenter. I've tried toggling capabilities off/on, deleting and recreating profiles, switching between automatic and manual signing, and clearing provisioning profile caches. Nothing works because the profile generation itself is not including the entitlement. Team ID: Q4RA4WMD6K Xcode 26.3, targeting iOS 26.2 Has anyone encountered this? Is there a way to get the provisioning system to include this entitlement?

Hi everyone, I’m currently implementing Tap to Pay on iPhone following Apple’s official documentation. I’ve completed all the required configurations (entitlements, capabilities, merchant setup, etc.) on the Apple Developer portal. However, when I archive the app and attempt to upload it to TestFlight, I receive the following error: "Profile doesn't support Tap to Pay on iPhone. Profile doesn't include the com.apple.developer.proximity-reader.payment.acceptance entitlement." From what I understand, this seems related to the provisioning profile not including the required entitlement, even though I believe everything has been configured correctly. I have already tried: Regenerating provisioning profiles Verifying App ID capabilities Ensuring the correct entitlements are added in the project But the issue still persists. Has anyone encountered this issue before? Is there any additional approval step required from Apple to enable the Tap to Pay entitlement? I’d really appreciate any advice or experience you can share. Thanks in advance!

I’m looking for some advice regarding the usage of temporary exception entitlements in Mac App Store apps. Specifically the Apple Event Temporary Exception to communicate with other third party applications (not first-party macOS system apps): The Best Practices for Submitting Scriptable and AppleScript Apps to the Mac App Store section is a bit vague (how to 'request' a temporary entitlement?) and I couldn't find it mentioned in the Review Guidelines. Before designing, implementing and testing functionality based on the Apple Event Temporary Exception I’d like to know if these entitlements would: A. Always be rejected on the Mac App Store B. Only accepted in highly specific use cases C. Accepted if there is a clear use case and sufficient argumentation For this particular use case I’d like to send Apple Events to Adobe Illustrator and QuarkXPress. The application helps the user with some design tasks in their documents. The app requests the currently open documents and accesses document content to process used design elements. This is optional functionality that the user must explicitly enable in the app. I’m aware that the com.apple.security.scripting-targets entitlement is preferred. (Side question: are these always allowed or can they also be rejected for third party app scripting?) However, many third party applications don’t offer any scripting access groups in their definition, including Adobe Illustrator and QuarkXPress in this case. So before spending a lot of time implementing this feature I’d like to have some indication whether it is unlikely that sending Apple Events to third party apps will be allowed on the Mac App Store. Thanks for any insights!

Hi all, I'm building an iOS app extension using ExtensionKit that works exclusively with its containing host app, presenting UI via EXHostViewController. I'd like the extension to have read-only access to the host's task for process introspection purposes. I'm aware this would almost certainly require a special entitlement. I know get-task-allow and the debugger entitlement exist, but those aren't shippable to the App Store. I'm looking for something that could realistically be distributed to end users. My questions: Does an entitlement exist (or is one planned) that would grant an extension limited, read-only access to its host's task—given the extension is already tightly coupled to the host? If not, is this something Apple would consider adding? The use case is an extension that needs to inspect host process state without the ability to modify it. Is there a path to request such an entitlement through the provisioning profile process, or is this fundamentally off the table for App Store distribution? It seems like a reasonable trust boundary given the extension already lives inside the host's app bundle, but I understand the security implications. Any insight appreciated. Thanks!

Just curious if there is anyway to expedite the FamilyControl entitlement. I have seen few people stuck in this step for few days. I submit mine on the 4/18, and my Case ID: 102874096254 Just want to see if I can see any estimate time for my request. Thanks, Jing

Hello, I submitted a request for the Family Controls (Distribution) entitlement, but haven't received status update regarding approval/rejection etc. I submitted a previous contact support ticket as well. I'm wondering the timeline and also if my request went through - currently it says 'submitted' but it's remained this way for a while... I've had other developers in communities saying they were approved earlier, so curious if it's an app issue. Thank you

Hi everyone, I'm developing a standalone Matter controller app on iOS 18+ using Apple's Matter.framework directly — without integrating with Apple Home or HomeKit. We manage our own Matter fabric and handle the full commissioning flow ourselves. Current setup: BLE-based Matter device discovery and commissioning via Matter.framework Own fabric management (not adding devices to Apple Home) During development, we rely on the "Bluetooth Central Matter Client Developer Mode" profile to enable BLE access The challenge: As we approach our App Store release, we need end users to be able to commission Matter devices without installing any developer profiles. I'm trying to figure out the correct entitlement path for a non-HomeKit Matter controller app in production. Questions: Which entitlements are required for a third-party Matter controller app using Matter.framework directly (not via HomeKit) to work in production? Is there a formal entitlement request process for something like com.apple.developer.matter.allow-setup-payload? If so, where do we initiate it? Are there additional program memberships or certifications required beyond the standard Apple Developer Program membership? We've gone through the Matter framework documentation and relevant WWDC sessions but haven't found a clear answer specifically for non-HomeKit standalone Matter controller apps. Would appreciate any input from Apple staff or developers who've shipped a similar app. Happy to provide more details if needed. Tagging for visibility: @Apple or relevant team — this involves a non-HomeKit Matter.framework usage pattern and entitlement approval process.

Greetings fellow devs, After accepting the Alternative Terms Addendum for Apps in the EU and adding the Storekit External Purchases or Offers capability via App Store Connect in our app identifier, the entitlement showing up in xcode is com.apple.developer.storekit.custom-purchase-link.allowed-regions and has the value 'jp'. How can we change the value for that entitlement to 'gr'? We tried changing it in xcode, but we get the error <Provisioning profile "iOS Team Provisioning Profile: [app identifier]" doesn't match the entitlements file's value for the com.apple.developer.storekit.custom-purchase-link.allowed-regions entitlement.>. In Certificates, Identifiers and Profiles in the developer account there is no way to configure that capability. We sent a request to support and they only gave a link to documentation and to the forum here. We have a completed every business agreement requested and we have chosen Greece as the organisation region and the app's availability region wherever possible. We haven't found anywhere that Japan would be chosen to explain the entitlement given. So where can this entitlement about allowed regions be configured? Xcode version is 16.4 and iOS minimum deployments is 18

We are seeing what looks like a signing / managed-capability mismatch for Contactless Pass Provisioning. Environment Team ID: S7AUTD2C2B Bundle IDs: com.swiftpass.ios com.swiftpass.ios.dev Xcode: 26.4 macOS: 26.4 Problem Our app has had Contactless Pass Provisioning approved by Apple for a long time, and builds were working until a few days ago. Without any intentional signing/capability changes on our side, Xcode started failing with the following error: Provisioning profile "Swiftpass prod Appstore" doesn't include the Contactless Pass Provisioning capability. Contactless Pass Provisioning capability needs to be assigned to your team and bundle identifier by Apple in order to be included in a profile. Observed behavior Xcode marks the relevant provisioning profiles as "Ineligible" in the profile selector. This affects both development/debug and release/App Store builds. If we remove Contactless Pass Provisioning from the app entitlements/capabilities, the exact same profiles immediately become eligible and the signing error disappears. Important detail The downloaded provisioning profiles already contain the entitlement that Xcode claims is missing. We verified the downloaded profile with: security cms -D -i /Users/sergej/Downloads/Swiftpass_prod_Appstore\(1\).mobileprovision and it contains: <key>com.apple.developer.contactless-payment-pass-provisioning</key> <array> <string>shareablecredential</string> </array> So the issue appears to be that the profile contents look correct the capability is still present in the developer portal but Xcode's eligibility check still says the profile does not include the capability What we verified Contactless Pass Provisioning is still enabled for the App ID in the Apple Developer portal Newly recreated / redownloaded profiles still contain the entitlement Both dev and distribution profiles are affected The behavior is reproducible across profile refreshes and local cleanup What we already tried Reinstalled Xcode Updated Xcode and macOS Updated command line tools Cleaned DerivedData Deleted local provisioning profile cache Refreshed/redownloaded profiles from Xcode Recreated provisioning profiles in the developer portal Removed and re-added the capability in Xcode Expected behavior If the downloaded provisioning profile contains com.apple.developer.contactless-payment-pass-provisioning, Xcode should treat that profile as eligible. Actual behavior Xcode reports that the capability is missing and marks the profile as ineligible, even though the entitlement is present in the downloaded profile. Question Has anyone seen this specific mismatch with Contactless Pass Provisioning or other managed capabilities? This currently looks like either: an Apple backend/App ID capability-assignment sync problem, or an Xcode eligibility-validation bug for managed capabilities Feedback Assistant ID: FB22439399. It contains screenshots that showcase the issue as well.