Sandboxed Mac app denied mach-lookup com.apple.cloudd when signed with Mac Team Store Provisioning Profile on macOS 26

App & System Services iCloud
MandoMike45 OP
Created 1w
Replies 1
Boosts 0
Views 107
Participants 2

A sandboxed Mac app with correct CloudKit entitlements fails to connect to com.apple.cloudd (the CloudKit daemon) when distributed via TestFlight (Mac Team Store Provisioning Profile). The identical binary works correctly when launched from Xcode (Mac Team Provisioning Profile also present). All entitlements are correctly embedded and the App ID is properly configured in Apple Developer Portal.

Environment

macOS 26.5.1 (25F80) Xcode 26.5 (17F42) SwiftData with NSPersistentCloudKitContainer / ModelConfiguration(cloudKitDatabase: .private(...)) Steps to Reproduce

Create a sandboxed Mac app using SwiftData with CloudKit sync Enable iCloud + CloudKit in Signing & Capabilities Archive and distribute to TestFlight (Mac Team Store Provisioning Profile) Install via TestFlight on macOS 26 and launch Check Console for kernel sandbox messages Expected Result

CloudKit connects to com.apple.cloudd and syncs data, matching behavior of the iOS version using the same container.

Actual Result

Console shows repeated kernel sandbox denials followed by CloudKit setup failure:

kernel Sandbox: CheatSheet Mac(82347) deny(1) mach-lookup com.apple.cloudd kernel Sandbox: CheatSheet Mac(82347) deny(1) mach-lookup com.apple.duetactivityscheduler CheatSheet Mac CoreData+CloudKit: Failed to set up CloudKit integration for store Error Domain=CKErrorDomain Code=6 "Error connecting to CloudKit daemon."

Key Diagnostic Finding

When launched from Xcode, taskgated-helper validates both the Mac Team Store Provisioning Profile AND the Mac Team Provisioning Profile, and CloudKit succeeds:

cloudd: TCC approved access for container containerID=iCloud.com.michaelendres.CheatSheet:Production When launched from TestFlight, only the Mac Team Store Provisioning Profile is present, and the sandbox denies com.apple.cloudd despite identical entitlements in the binary:

codesign -d --entitlements shows: com.apple.developer.icloud-services: [CloudKit] com.apple.developer.icloud-container-identifiers: [iCloud.com.michaelendres.CheatSheet] com.apple.developer.icloud-container-environment: Production com.apple.security.app-sandbox: true

Conclusion

The Mac Team Store Provisioning Profile on macOS 26 does not appear to grant the sandbox exception for mach-lookup com.apple.cloudd, while the Mac Team Provisioning Profile (development) does. This prevents any Mac App Store / TestFlight app using CloudKit from syncing on macOS 26.

Replies  1
Boosts  0
Views  107
Participants  2
DTS Engineer OP
Apple
5d

I’d like to clarify what you mean by this:

The identical binary works correctly when launched from Xcode

Are you actually talking about an identical binary? Or identical source code?

Consider this sequence:

  1. Choose Product > Archive.
  2. In the Xcode organiser, upload to TestFlight.
  3. Install the app via TestFlight.
  4. Confirm that this app has the problem.
  5. Delete the app.
  6. In the Xcode organiser, click Distribute App and then follow the Debugging workflow.
  7. Test that.

Does it have the same problem?

That’s my definition of identical binary, and it’s an important test here because it lets you isolate code signing problems from build problems.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Sandboxed Mac app denied mach-lookup com.apple.cloudd when signed with Mac Team Store Provisioning Profile on macOS 26
First post date Last post date
 
 
Q