General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

Bonjour, Je viens ici afin d'exposer mon problème en espérant trouver une solution. En Août 2025 j'ai publié une demande afin de pouvoir développer une application Carplay de type navigation. Ma demande n'a jamais été traitée, j'ai soumis une autre demande en février, puis en avril. Toujours sans réponse. Depuis environ 3 semaines, j'appelle Apple toutes les semaines afin de demander à ce que ma demande soit traitée. J'ai bien évidemment une réponse m'indiquant que la demande était remontée, mais sans retour par la suite. Je commence à sérieusement perdre patience, et ne trouve aucune solution. Quelles seraient vos propositions ? Merci par avance pour vos retours

Hi all, I'm building an iOS app extension using ExtensionKit that works exclusively with its containing host app, presenting UI via EXHostViewController. I'd like the extension to have read-only access to the host's task for process introspection purposes. I'm aware this would almost certainly require a special entitlement. I know get-task-allow and the debugger entitlement exist, but those aren't shippable to the App Store. I'm looking for something that could realistically be distributed to end users. My questions: Does an entitlement exist (or is one planned) that would grant an extension limited, read-only access to its host's task—given the extension is already tightly coupled to the host? If not, is this something Apple would consider adding? The use case is an extension that needs to inspect host process state without the ability to modify it. Is there a path to request such an entitlement through the provisioning profile process, or is this fundamentally off the table for App Store distribution? It seems like a reasonable trust boundary given the extension already lives inside the host's app bundle, but I understand the security implications. Any insight appreciated. Thanks!

I have enabled Game Center in App Store Connect, as well as the entitlements in Xcode for both my parent (stub) target and extension target. I call the Game Center authentication function which returns a "Signed in as: [my username]" banner during testing. However, when it is tapped on by the user, it opens the Game Center view where "Now Playing _" shows a blank title and app icon. I have a full size app icon that App Store Connect and even GameKit recognizes (https://games.apple.com/us/game/6757935828) but not when I actually run my iMessage app. When I call the authentication function, it completes (hence the banner), but then says later on Game Center does not recognize my app and that my achievements cannot be reported to Game Center. Is Game Center fully disabled for iMessage apps? Or is there a solution I am missing? My goal is to have achievement banners show up for winning iMessage games and certain gameplay combos.

This is my first driver and I have had the devil of a time trying to find any information to help me with this. I beg help with this, since I cannot find any tutorials that will get me over this problem. I am attempting to write a bridging driver for an older UPS that only communicates via RPC-over-USB rather than the HID Power Device class the OS requires. I have written the basic framework for the driver (details below) and am calling OSSystemExtensionRequest.submitRequest with a request object created by OSSystemExtensionRequest.activationRequest, but the didFailWithError callback is called with OSSystemExtensionErrorDomain of a value of 9, which appears to be a general failure to activate the driver. I can find no other information on how to address this issue, but I presume the issue is one of entitlements in either the entitlements file or Info.plist. I will have more code-based details below. For testing context, I am testing this on a 2021 iMac (M1) running Sequoia 15.7, and this iMac is on MDM, specifically Jamf. I have disabled SIP and set systemextensionsctl developer on, per the instructions here, and I have compiled and am attempting to debug the app using xcode 26.2. The driver itself targets DriverKit 25, as 26 does not appear to be available in xcode despite hints on google that it's out. For the software, I have a two-target structure in my xcode project, the main Manager app, which is a swift-ui app that both handles installation/activation of the driver and (if that finally manages to work) handles communication from the driver via its UserClient, and the driver which compiles as a dext. Both apps compile and use automated signing attached to our Apple Development team. I won't delve into the Manager app much, as it runs even though activation fails, except to include its entitlements file in case it proves relevant <dict> <key>com.apple.developer.driverkit.communicates-with-drivers</key> <true/> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> </dict> and the relevant activation code: func request(_ request: OSSystemExtensionRequest, didFailWithError error: any Error) { // handling the error, which is always code value 9 } func activateDriver() { let request = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: "com.mycompany.driver.bundle.identifier", queue: .main) request.delegate = self OSSystemExtensionManager.shared.submitRequest(request) //... } And finally the Manager app has the following capabilities requested for its matching identifier in our Apple Developer Account: DriverKit Communicates with Drivers System Extension On the Driver side, I have two major pieces, the main driver class MyDriver, and UserClient class, StatusUserClient. MyDriver derives from IDriverKit/IOService.iig but (in case this is somehow important) does not have the same name as the project/target name MyBatteryDriver. StatusUserClient derives from DriverKit/IOUserClient.iig. I have os_log(OS_LOG_DEFAULT, "trace messages") code in every method of both classes, including the initializers and Start implementations, and the log entries never seem to show up in Console, so I presume that means the OS never tried to load the driver. Unless I'm looking in the wrong place? Because I don't think the driver code is the current issue, I won't go into it unless it becomes necessary. As I mentioned above, I think this is a code signing / entitlements issue, but I don't know how to resolve it. In our Apple Developer account, the Driver's matching identifier has the following capabilities requested: DriverKit (development) DriverKit Allow Any UserClient (development) DriverKit Family HID Device (development) -- NOTE: this is planned for future use, but not yet implemented by my driver code. Could that be part of the problem? DriverKit Transport HID (development) DriverKit USB Transport (development) DriverKit USB Transport - VendorID -- submitted, no response from Apple yet HID Virtual Device -- submitted, no response from Apple. yet. This is vestigial from an early plan to build the bridge via shared memory funneling to a virtual HID device. I think I've found a way to do it with one Service, but... not sure yet. Still, that's a problem for tomorrow. Apparently I've gone over the 7000 character maximum so I will add my entitlements and info.plist contents in a reply.

We have B2B LMS app used my around 4K users in total including IOS and Android users. We applied for approval through "Automatic Assessment Configuration Entitlement Request" form from account holders apple ID. Even after 75 days we didn't receive any response. We couldn't conduct secure exams in apple devices. Not sure how to proceed further. https://apps.apple.com/us/app/methodder-lms/id6754560905

I’m prototyping a personal-use system that lets an iPhone with a physically attached controller act as an input device for a Mac. End goal: Use the iPhone as the transport and sensor host Use the attached physical controller for buttons/sticks Map the iPhone gyroscope to the controller’s right stick to get gyro aim in Mac games / cloud-streamed games such as GeForce NOW that don't support the gyro. What I’m trying to understand is whether Apple supports any path for this on macOS that does NOT require restricted entitlements or paid-program-only capabilities. What I’ve already found: CoreHID virtual HID device creation appears to require com.apple.developer.hid.virtual.device HIDDriverKit / system extensions appear to require Apple-granted entitlements as well GCVirtualController does not seem to solve the problem because I need a controller-visible device that other apps can see, not just controls inside my own app So my concrete question is: Is there any supported, entitlement-free way for a personal macOS app to expose a game-controller-like input device that other apps can consume system-wide? If not, is the official answer that this class of solution necessarily requires one of: CoreHID with restricted entitlement HIDDriverKit/system extension entitlement some other Apple-approved framework or program I’m missing I’m not asking about App Store distribution. This is primarily for local/personal use during development. I’m trying to understand the supported platform boundary before investing further. Any guidance on the recommended architecture for this use case would be appreciated.

I'm a contributor to Trio, an open-source automated insulin delivery (AID) app for iOS/watchOS maintained by the Nightscout Foundation. I'm posting at the recommendation of the engineering team via Feedback Assistant FB22619409 (Developer Support case 102865854185). The goal We're prototyping direct BLE connectivity between the Trio watchOS extension and the Dexcom G7 CGM sensor — eliminating dependence on iPhone-to-Watch relay via WatchConnectivity. For an AID app, stale CGM data affects insulin dosing decisions; this is a patient safety concern. The entitlements needed To maintain a BLE connection to the G7 while backgrounded and with the display off/wrist lowered, the WatchKit extension requires: com.apple.developer.bluetooth-central-background com.apple.developer.bluetooth-central-screen-off-scanning What I've confirmed Both entitlements are present on Dexcom's shipping G7 WatchKit extension (com.dexcom.g7app.watchkitapp.watchkitextension), verifiable via: codesign -d --entitlements :- \ "Dexcom G7.app/Watch/G7Watch.app/PlugIns/G7Watch Extension.appex" Output includes: com.apple.developer.bluetooth-central-background = true com.apple.developer.bluetooth-central-screen-off-scanning = true These are not self-service capabilities exposed through Xcode or the developer portal for our account: Xcode → Trio Watch App target → Signing & Capabilities → + Capability → searching com.apple.developer.bluetooth-central-background returns No Matches Certificates, Identifiers & Profiles → WatchKit Extension App ID (org.nightscout.5QE6TMMEH2.trio.watchkitapp.watchkitextension) → the entitlement does not appear under Capability Requests A screen recording demonstrating both is attached to FB22619409. The May 16 Apple Feedback response noted that the entitlement was visible in an internal Xcode project — consistent with it being a restricted/managed entitlement not exposed through standard developer accounts. My questions What is the correct process to request com.apple.developer.bluetooth-central-background for a watchOS extension App ID where it does not appear in Capability Requests? Is com.apple.developer.bluetooth-central-screen-off-scanning available through a private/managed entitlement process, and how do we enter that process? Is there a formal Apple program (e.g., MFi, HealthKit entitlements, or similar) applicable to CGM-connected medical apps that covers these entitlements? Full account details, screen recording, and entitlement output are attached to FB22619409 / Developer Support case 102865854185. Happy to provide a test build, full entitlement output, or additional context if needed. Thank you

I’m trying to request an NFC PassKit Certificate through https://developer.apple.com/contact/passkit/. After clicking Send, the completed form is POSTed successfully and receives 200 OK, but the server returns the original form instead of a confirmation page. The page’s passkit.js then clears all fields, and Developer Support confirmed that my earlier submission was never received. Has anyone else encountered this behavior or found another way to submit the NFC PassKit Certificate request?

A sandboxed Mac app with correct CloudKit entitlements fails to connect to com.apple.cloudd (the CloudKit daemon) when distributed via TestFlight (Mac Team Store Provisioning Profile). The identical binary works correctly when launched from Xcode (Mac Team Provisioning Profile also present). All entitlements are correctly embedded and the App ID is properly configured in Apple Developer Portal. Environment macOS 26.5.1 (25F80) Xcode 26.5 (17F42) SwiftData with NSPersistentCloudKitContainer / ModelConfiguration(cloudKitDatabase: .private(...)) Steps to Reproduce Create a sandboxed Mac app using SwiftData with CloudKit sync Enable iCloud + CloudKit in Signing & Capabilities Archive and distribute to TestFlight (Mac Team Store Provisioning Profile) Install via TestFlight on macOS 26 and launch Check Console for kernel sandbox messages Expected Result CloudKit connects to com.apple.cloudd and syncs data, matching behavior of the iOS version using the same container. Actual Result Console shows repeated kernel sandbox denials followed by CloudKit setup failure: kernel Sandbox: CheatSheet Mac(82347) deny(1) mach-lookup com.apple.cloudd kernel Sandbox: CheatSheet Mac(82347) deny(1) mach-lookup com.apple.duetactivityscheduler CheatSheet Mac CoreData+CloudKit: Failed to set up CloudKit integration for store Error Domain=CKErrorDomain Code=6 "Error connecting to CloudKit daemon." Key Diagnostic Finding When launched from Xcode, taskgated-helper validates both the Mac Team Store Provisioning Profile AND the Mac Team Provisioning Profile, and CloudKit succeeds: cloudd: TCC approved access for container containerID=iCloud.com.michaelendres.CheatSheet:Production When launched from TestFlight, only the Mac Team Store Provisioning Profile is present, and the sandbox denies com.apple.cloudd despite identical entitlements in the binary: codesign -d --entitlements shows: com.apple.developer.icloud-services: [CloudKit] com.apple.developer.icloud-container-identifiers: [iCloud.com.michaelendres.CheatSheet] com.apple.developer.icloud-container-environment: Production com.apple.security.app-sandbox: true Conclusion The Mac Team Store Provisioning Profile on macOS 26 does not appear to grant the sandbox exception for mach-lookup com.apple.cloudd, while the Mac Team Provisioning Profile (development) does. This prevents any Mac App Store / TestFlight app using CloudKit from syncing on macOS 26.

Waiting on in-app provisioning approval. First time submitting the app. The process changed after we submitted initially but its been three months now. Every time I reach out I either get a generic response or nothing at all. What is going on? This has been a horrible experience.

Hi, we are looking for a solution to install an extension to Microsoft PowerPoint app in a way that's compatible with the new macOS 15 behavior for Group Containers content. PowerPoint extensions Microsoft PowerPoint can be extended by PowerPoint Add-in (.ppam) files. These files must be installed in the app's container at this location: ~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/ The PPAM file must be also registered in the MicrosoftRegistrationDB.reg file which is a sqlite database stored at this location: ~/Library/Group Containers/UBF8T346G9.Office/MicrosoftRegistrationDB.reg These locations can be access by non-sandboxed app on macOS 14 and earlier. Slido integration Our Slido app for macOS is distributed outside the Mac App Store, it is not sandboxed and it signed and notarized. The Slido app will install the PPAM file to the documented location and register it in the database. This installation did not require additional user approval on macOS 14 and older. With changes to macOS 15, a new permissions dialog is shown with this text: "Slido" would like to access data from other apps. This will allow Slido to integrate with Microsoft PowerPoint app. [Don't Allow] [Allow] We understand this is a security feature, yet we would like to make the experience for customers much better. As users are able to save PPAM files to the location by themselves without additional permissions, they expect the Slido app would be able to do so as well when run in the user context. Slido installs its files to this location: ~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/SlidoAddin.localized/ Can we obtain com.apple.security.temporary-exception.files.home-relative-path.read-write to the SlidoAddin.localized folder? Even when we are different TeamID? Can we obtain a user permission which will be persisted so next time the Slido app can verify its files and uninstall them without further prompts? By having access to the SlidoAddin.localized folder our app would not be able to access any other data in Microsoft PowerPoint. We understand accessing the MicrosoftRegistrationDB.reg file is more sensitive and getting exception to access it would not be feasible. But we are trying to find out our options to make the experience seamless as that's what is expected by our customers on Apple platform. I am thankfully for any guidance and constructive feedback. Jozef, Tech Leader at Slido integrations team

Hi, I wanted to develop a small tool to launch Home Assistant OS in a Virtualization.framework VM. Something lean (no UI, no daemons), zero-config, and Apple Silicon only. I got that running, but I wanted to also use bridge networking and USB device pass-through which require the com.apple.vm.networking and com.apple.developer.accessory-access.usb entitlements, respectively. I was unable to use those for local development using ad-hoc signing, so I guess it requires a paid Apple Developer account and official approval so that they can be enabled in provisioning profiles. I'm open to reactivating my developer subscription which I let expire years ago, but wanted to first assess the chances of getting approval (no point in renewing the subscription if I won't get the permission in the end). I could make this an open source project, if it helps.

It would be good if SensorKit was more available for non research related apps. For example I want to create an app that tracks light sensor values to create a mapping of bikelanes with poor lighting. This doesn’t fall under a research app, but seems like a reasonable use of this data. creating a way to opt the user into this (via clear warnings that the data Is being collected, and maybe a 24 or 1 hour time limit) might be a way to make this sensor data available. also clear warnings on the app store privacy page, or maybe even rules about running in the background or at app startup and an icon in the toolbar (similar to the mic) could make this more safe for users.

I previously attempted to apply for the hotspot-provider entitlement but was rejected. I no longer require this entitlement. I need to remove the hotspot-provider permission although the Network Extensions capability is checked. However, the generated provisioning profile still includes the hotspot-provider permission, which causes error 409 when I upload the IPA file. I only need the Network Extensions entitlement. Could you please advise how to remove hotspot-provider from the provisioning profile?

Hi all :) I tried to raise this in the group lab and was pointed here. I’m seeing a flat per-app memory ceiling of about 6 GB on iPhone, even on devices with more physical RAM and with com.apple.developer.kernel.increased-memory-limit. Measured with os_proc_available_memory() plus task_vm_info.phys_footprint, the total process budget stays around 6144 MB on both: iPhone 16 Pro Max, 8 GB RAM iPhone 17 Pro Max, 12 GB RAM This came up while running Gemma 4 multimodal support in mlx-swift-lm (PR #343). The model loads at about 4.4 GB resident, leaving roughly 1.7 GB for inference/prefill. Reducing a GPU buffer cache from 512 MB to 64 MB recovered enough headroom to avoid jetsam and allowed a full image + video + audio multimodal test to complete, so the measurement seems to reflect a real per-process limit rather than free system memory. I re-measured the ceiling on the 12 GB phone with these capabilities: increased-memory-limit only: ~6144 MB increased-memory-limit + extended-virtual-addressing: ~6144 MB, no change increased-memory-limit + increased-debugging-memory-limit: ~6656 MB I have also observed that 12 GB iPad devices expose more memory to an app than 12 GB iPhone devices but I didn't measure specifically and no longer have the device to hand. Is the ~6 GB per-process tier on Pro iPhones expected, even with increased-memory-limit? Is there any supported way for a shipping app to access more of the available RAM on 12 GB iPhone models? FB23183521

Hey everyone, hoping someone here has run into this before. I have a fully functional App Clip (com.didyoucatchit.app.Clip) linked to my main app (com.didyoucatchit.app). The Clip builds and runs perfectly, but I’m seeing issues trying to enable Apple Pay for it. When I try to link my Merchant ID under the “On Demand Install Capable” capability in the Apple Developer portal, I get this error: A relationship in the provided entity is not allowed for this request. The relationship 'undefined' can not be included in a 'bundleIdCapabilities' request. Here’s what I have already configured and confirmed: App Clip capabilities in Xcode include: Apple Pay Payment Processing Associated Domains (appclips:app.didyoucatchit.com) Provisioning profile includes: Apple Pay Payment Processing Associated Domains In-App Purchase On-Demand Install Capable Entitlements file for the Clip: <key>com.apple.developer.associated-domains</key> <array> <string>appclips:app.didyoucatchit.com</string> </array> <key>com.apple.developer.in-app-payments</key> <array> <string>merchant.com.didyoucatchit.app</string> </array> <key>com.apple.developer.parent-application-identifiers</key> <array> <string>$(AppIdentifierPrefix)com.didyoucatchit.app</string> </array> Merchant ID (merchant.com.didyoucatchit.app) is active and connected to Stripe Stripe Apple Pay configuration matches the same merchant ID and certificate Both provisioning profiles have been refreshed and downloaded However: The portal still throws the “relationship 'undefined'” error anytime I try to modify the Clip’s capabilities In testing, Apple Pay doesn’t show up as a payment option in the Clip (using Stripe’s Payment Element integration) Questions: Is this a known issue with the Developer portal when linking App Clips to merchant IDs? Is there a specific way to re-establish the parent–child relationship between the main app and the App Clip so the bundleIdCapabilities request includes the proper relationship JSON? Are there any additional configuration steps required when using Stripe for Apple Pay inside an App Clip? System Setup: Xcode: 16.2 (build 16C5032a) macOS: Sequoia 15.3.1 iOS: 18.5 (testing on physical device) Merchant ID: merchant.com.didyoucatchit.app Main App ID: com.didyoucatchit.app App Clip ID: com.didyoucatchit.app.Clip Any help or insight would be hugely appreciated Thanks in advance!

I'm trying to let a few teammates build and run my app on their own devices, and I'd like to understand the correct approach for our situation. Setup We are a small team. Each of us uses a free personal Apple Developer team (individual Apple IDs, no paid membership yet). The app (an iOS app with a Watch app and a WidgetKit extension) uses App Groups and HealthKit. Bundle IDs: com.example.MyApp, com.example.MyApp.watchkitapp, com.example.MyApp.Widget. App Group: group.example.MyApp. It builds fine for me. When a teammate opens the project and tries to run on device, they get: Failed Registering Bundle Identifier The app identifier "com.example.MyApp" cannot be registered to your development team because it is not available. Change your bundle dentifier to a unique string to try again. What I've observed My other apps that have no entitlements build fine for every teammate. Looking at their embedded profiles, those sign with a wildcard profile (TEAMID.*). This app signs with an explicit profile (TEAMID.com.example.MyApp). If a teammate removes HealthKit and App Groups from all targets, the app builds for them under their own team using the same bundle ID. My understanding (please correct me) App Groups and HealthKit require an explicit App ID, which can only be registered to one team. Since I registered com.example.MyApp first, no other personal team can register the same explicit App ID hence the error. My questions Is that understanding correct — that an entitled (explicit) App ID can only ever belong to a single team? Is there any supported way to keep the same bundle identifier and keep App Groups + HealthKit while teammates build under their own separate personal teams? Or is moving to an Organization account (everyone as members of one shared team) the only way to share an entitled bundle ID across multiple developers? For free personal-team development, is the recommended pattern to give each developer a unique bundle ID + App Group (e.g. via per-developer .xcconfig), keeping entitlements intact? Just want to confirm I'm choosing the right approach before committing to it. Thanks!

Hello, I'm experiencing a critical issue with PassKit's shareable pass functionality. Despite having the necessary entitlements configured, I'm getting an entitlement error when calling PKAddShareablePassConfiguration.forPassMetaData. Failed to create PKAddShareablePassConfiguration: Error Domain=PKPassKitErrorDomain Code=4 "client is not entitled" UserInfo={NSDebugDescription=client is not entitled} private func createPassViewController(from response: PreparePushProvisioningResponse) { guard let passMetadata = PKShareablePassMetadata( provisioningCredentialIdentifier: response.provisioningCredentialIdentifier, cardConfigurationIdentifier: response.cardConfigurationIdentifier, sharingInstanceIdentifier: response.sharingInstanceIdentifier, passThumbnailImage: response.passThumbnailImage, ownerDisplayName: response.ownerDisplayName, localizedDescription: response.localizedDescription ) else { print("Failed to create PKShareablePassMetadata") return } print("PKShareablePassMetadata created successfully") // This is where the error occurs PKAddShareablePassConfiguration.forPassMetaData( [passMetadata], provisioningPolicyIdentifier: "", // Empty as per documentation action: .add ) { (configuration, error) in if let error = error { print("Failed to create PKAddShareablePassConfiguration: \(error)") // Error Domain=PKPassKitErrorDomain Code=4 "client is not entitled" return } guard let config = configuration else { print("PKAddShareablePassConfiguration is nil") return } // other code... } } The push provisioning preparation succeeds completely: Prepare push provisioning succeeded Credential ID: "XXXX-XXXX....." Owner: Teodora Description: Interflex NFC development PKShareablePassMetadata created successfully Then immediately fails at PKAddShareablePassConfiguration.forPassMetaData() with the entitlement error. Xcode Configuration Issues: When manually entering capabilities in Xcode's Signing & Capabilities tab, I receive this error: Provisioning profile "20250929 VIDC QA DEV" doesn't match the entitlements file's value for the com.apple.developer.contactless-payment-pass-provisioning entitlement. Profile qualification is using entitlement definitions that may be out of date. Connect to network to update. When I don't manually enter the capabilities in the Runner.entitlements file, the provisioning profile error disappears in Xcode, but the runtime entitlement error persists.

I'm posting this here after reading Quinn's post here: https://developer.apple.com/forums/thread/799000 The above entitlement is mentioned in IOUSBHostControllerInterface.h. It isn't an entitlement one can add using the + button on the Capabilities panel in Xcode. If I try to add it by hand, Xcode complains that it isn't in my profile. Is this a managed entitlement? We'd like to create a local USB "device" to represent a real device reachable over a network.

Great Morning, We would like to request the entitlement: com.apple.developer.passkit.pass-presentation-suppression Use Case: Our application provides NFC-based mobile key access for hotel guests.  When the device is presented to an NFC reader (door lock), iOS automatically  launches Apple Wallet, interrupting the in-app unlock experience. We need to suppress Wallet presentation while the app is in the foreground to allow a seamless “tap-to-unlock” experience. Please let us know if additional information or agreements are required. Thank you.