I am seeking clarification on whether the various driverkit entitlement families (com.apple.developer.driverkit.family.*) are available for development on my local Mac without requesting entitlements from Apple. My experience is inconsistent with public statements made by Apple, and I am wondering if there have been changes to development entitlements as of 2026. I am hoping there is something obvious that I have missed. At WWDC2022 Apple stated that "In MacOS... In fact, all DriverKit family entitlements are now available to use for development." On these very forums, Eskimo himself also suggested this was the case in 2024. However, my own experience has been that in my provisioning profile on my paid developer account, I am not able to obtain com.apple.developer.driverkit.family.networking for the purpose of developing a driver for unsupported hardware. As you can see, I do not have the networking entitlement: { .. "Entitlements" => { ... "com.apple.developer.driverkit" => true "com.apple.developer.driverkit.transport.usb" => [ 0 => { "idVendor" => "*" } ] And there appears to be no mechanism to add these entitlement:

Hello, We recently resubmitted our Family Controls (Distribution) request with a much more detailed explanation after our previous declined. Our entire app (including an extension) depends on this capability, and right now we’re completely blocked from launching. Months of work are stuck at this final step and it’s honestly becoming very stressful with no visibility on the timeline. If anyone has experience with the approval timeline after resubmitting, or if someone from Apple could help look into it, it would truly mean a lot. 4C6XLQWZQY Y5JJ7GT6BP 3ZBSC333WU Thank you

We were recently approved for the "User Assigned Device Name" for a specific app Identifier. The "Additional Capabilities" tab isn't present on that App ID. I am an admin in the developer portal, and this does not appear for the account holder as well. Any help would be appreciated.

This is .entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.endpoint-security.client</key> <true/> </dict> </plist> Code signing: codesign --sign -vvv --timestamp --options=runtime --force --entitlements ./UES.entitlements -s "Developer ID Application: XXXX Ltd. (XXXXXX)" ./UES.app When I run it on macOS 13.x, it works fine. If I run the system on macOS 11.x, it reports a "killed" error (if codesign remove --entitlements ./UES.entitlements, Then the startup will not report an error, but the endpoint security rights cannot be used) System log: 2025-04-21 13:58:27.039638+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:27.039762+0800 0xd5bbf Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:27.039815+0800 0xd5bbf Default 0x0 0 0 kernel: proc 29354: load code signature error 4 for file "UES" 2025-04-21 13:58:27.040720+0800 0xd5bc0 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29354, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:27.045974+0800 0xd58be Error 0x0 66405 0 CoreServicesUIAgent: [com.apple.launchservices:uiagent] handle LS launch error: {\n Action = oapp;\n AppMimimumSystemVersion = "10.13";\n AppPath = "/Applications/UES.app";\n ErrorCode = "-10826";\n} 2025-04-21 13:58:39.121619+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:39.121832+0800 0xd5e0f Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:39.121861+0800 0xd5e0f Default 0x0 0 0 kernel: proc 29415: load code signature error 4 for file "UES" 2025-04-21 13:58:39.122571+0800 0xd5e10 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29415, /Applications/UES.app/Contents/MacOS/UES 2025-04-21 13:58:46.297915+0800 0xd5941 Default 0x0 149 0 amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050 2025-04-21 13:58:46.298031+0800 0xd5f85 Default 0x0 0 0 kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES: 2025-04-21 13:58:46.298072+0800 0xd5f85 Default 0x0 0 0 kernel: proc 29485: load code signature error 4 for file "UES" 2025-04-21 13:58:46.300248+0800 0xd5f86 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29485, /Applications/UES.app/Contents/MacOS/UES May I ask what the reason is?

This is a continuation of my own old post that became inactive to regain traction. I am trying to resolve issues that arise when distributing a macOS app with a SysExt Network Extension (Packet Tunnel) outside the App Store using a Developer ID Certificate. To directly distribute the app, I start with exporting the .app via Archive in Xcode. After that, I create a new Developer ID provisioning profile for both the app and sysext and replace the embedded ones in the .app package. After I have replaced the provisioning profiles and the have the entitlements files ready, I start signing the frameworks, sysext and parent app. codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>"<app>.app/Contents/Library/SystemExtensions/<sysext>.systemextension/Contents/Frameworks/<fw>.framework/Versions/A/<fw> codesign --force --options runtime --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Frameworks/<fw>.framework/ codesign --force --options runtime --entitlements dist-vpn.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app/Contents/Library/SystemExtensions/<sysext>.systemextension/Contents/MacOS/<sysext> codesign --force --options runtime --entitlements dist.entitlements --timestamp --sign "Developer ID Application: <name>" <app>.app After validation is successful with codesign --verify --deep --strict --verbose=4 <app>.app I zip the package, notarize and staple it ditto -c -k --keepParent "<app>.app" "<app>..zip" xcrun notarytool submit <app>.zip --keychain-profile “”<credents> --wait xcrun stapler staple <app>.app After that I finish creating signed and notarized .dmg/.pkg. hdiutil create -volname “<app>” -srcfolder “<app>.app/" -ov -format UDZO ./<app>.dmg codesign --force --sign "Developer ID Application: <name>" <app>.dmg xcrun notarytool submit <app>.dmg --keychain-profile "<credentials>" --wait xcrun stapler staple <app>.dmg Then when I move the .dmg to a clean system, open the .dmg, move the .app to the Applications folder, the attempt to run it fails with “The application “” can’t be opened.”. When I look into the console, the gatekeeper disallows the launch job with the message:
 86127 debug ProvisioningProfiles taskgated-helper ConfigurationProfiles entitlements: { "com.apple.developer.networking.networkextension" = ( "packet-tunnel-provider-systemextension" ); "com.apple.developer.system-extension.install" = 1; "com.apple.developer.team-identifier" = <teamid>; "keychain-access-groups" = ( “<teamid>.<app>.AppGroup" ); } com.apple.ManagedClient
<app>: Unsatisfied entitlements: com.apple.developer.networking.networkextension, keychain-access-groups, com.apple.developer.system-extension.install, com.apple.developer.team-identifier LAUNCH: Runningboard launch of <app> <private> returned RBSRequestErrorFailed, error Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600001a25830 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}, so returning -10810

 I went through all possible formats (macOS-Style and iOS-Style App Group IDs) and combinations of appgroups according to the post “App Groups: macOS vs iOS: Working Towards Harmony”. But none of those work for me. The weird part is that when I try the same steps on different developer account, I am able to get the app running. What can be wrong?

Hi everyone, I’ve been struggling for days with a recurring issue in my iOS app build. The build fails with the following error: Provisioning profile "iOS Team Provisioning Profile: com.myapp.bundleid" doesn't include the com.apple.InAppPurchase entitlement. Here’s what I’ve already tried: Created a new Bundle ID with correct capabilities (In-App Purchase, Push Notifications, Sign in with Apple). Created a new provisioning profile manually from Apple Developer Console. Used EAS CLI (Expo) and Xcode to regenerate all certificates and provisioning profiles. Ensured that the In-App Purchase capability is enabled in the App ID (it's greyed out but enabled). Made sure all subscriptions and products in App Store Connect are “Ready to Submit”. Followed all steps from RevenueCat and Apple documentation. Cleaned entitlements in .entitlements file and tried both and variations. Tried building both locally and with EAS – same error every time. Sent multiple tickets to Apple Developer Support, but no helpful reply yet. Extra Notes: I'm using react-native-purchases and RevenueCat, already integrated and working before this started. The error began randomly; before that, I was able to build successfully with in-app purchases. Even creating a completely fresh app from scratch results in the same entitlement missing error. Has anyone faced this exact problem where the provisioning profile fails to include com.apple.InAppPurchase, even though everything is correctly set up? Any help or insights would be greatly appreciated. Thanks in advance!

I added a extension called Call Directory to an IOS app as we want to call blocking and caller id. I was able to add App Groups to both runner and CallDirectory. I cannot see of add Call Directory capability. Am I missing something. I added the extension through the Call Directory Target template. If I try to add this to CallDirectory.enitlements manually com.apple.developer.callkit.call-directory call-blocking caller-identification i recieve this signing error. Provisioning profile "iOS Team Provisioning Profile: "" doesn't include the com.apple.developer.callkit.call-directory entitlement. I cannot add Call Directory to an identifier in Apple Developer either.

I am receiving an entitlement error from stripe terminal SDK when integrating Tap to Pay from apple in the info.plist. Im hoping that someone can give me their input on my error output rather than diving into the stripe sdk to point me in the right direction of something I may have missed with entitlements. I have been approved for tap to pay entitlement and am following the instructions here from apple: https://developer.apple.com/documentation/proximityreader/setting-up-the-entitlement-for-tap-to-pay-on-iphone com.apple.developer.proximity-reader.tap-to-pay

Hello, I am trying to publish a simple app to the App Store for the first time, and I am getting these 2 errors. Please note the knowledge base URLs shown in the screenshot are not clickable. I think this should be addressed. Any guidance on how to correct these issues will be greatly appreciated. Sincerely, Anis

I requested the Family Controls (distribution) capability but am not sure if I did it correct. I applied, answered the questions why i needed it and submitted. Its been about 2 weeks since applying. In the app configurations, it on apple dev site, it shows in the request history that I submitted it on March 17, but I can click the request (+) button and request it again. Just want to make sure I didn't mess anything up--it seems like they would prevent me from sendin another request if I had already requested it. It hasn't taken them this long to get back to me in the past which is why I am confused. If anyone knows how to speed up the process, please let me know! Thanks.

Hi, I’m requesting the Family Controls distribution capability for my app and its extensions. The main app bundle ID was approved within 1 day. However, I later realized the associated extensions (Shield Configuration, Device Activity Monitor, Device Activity Report) also require separate approval. I submitted those extension requests 4 days ago, and they are still in "Submitted" with no updates. This is currently blocking me from proceeding with TestFlight/App Store submission, since the extensions require the approved capability. Is this delay expected for extension bundle IDs? Thanks for your help.

We have an app with the default email entitlement that was granted several years ago. During our latest deployment, we received an error from our pipeline. When testing a manual submission in Xcode, we saw this error: Entitlement com.apple.developer.mail-client not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file. We checked the provisioning profile, and the default email entitlement is still present. It is visible on the certificate portal and also in the embedded.mobileprovision file. Can you suggest what we can do to release a new version of our app?

I do have background Modes added to Xcode. How can I fix this? Automatic signing failed Xcode failed to provision this target. Please file a bug report at https://feedbackassistant.apple.com and include the Update Signing report from the Report navigator. Provisioning profile "iOS Team Provisioning Profile: com.designoverhaul.bladerunner" doesn't include the com.apple.developer.background-modes entitlement. I emailed Dev Support but they said they cant help. Thank you.

Hello community, I'm new here, so please excuse my blunt question. I'm trying to understand how everything works and the logic behind it. I have an idea for an app which requires the FamilyControl entitlement. Now I am not sure if the idea even works, so I wanted to test it on my own device. Am I correct, that I cannot even test an App with such entitlements without paying for the ADP? Not even on my own device? I completely understand I need to be a member in the ADP if I want to distribute my app, but I'm not there, yet, and I just want to do a proof-of-concept. I thought I can't be the first one with that question, but couldn't find a past topic on this, so I'm posting it. Regards, Niklas

Hi, I have a .NET MAUI app which I've added subscriptions to using the Plugin.InAppBilling nuget package. When I tested on TestFlight I got an almost immediate crash. After doing some research I followed advice to add an Entitlements.plist file to Platforms &gt; iOS with the following entry: com.apple.developer.in-app-purchase The distribution provisioning profile I'm using to sign my app has the App ID set to an Identifier which has "In-App Purchase" ticked, but greyed out in it's "Capabilities" section on https://developer.apple.com/. I'm not sure why it's ticked and greyed out, but I assume that means that "In-App Purchase" is enabled. The app runs file locally but when I create an IPA file and add it to Transporter for upload to App Store Connect I get the following error: "Validation failed (409) Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, key 'com.apple.developer.in-app-purchase' in 'Payload/[Removed].app/[Removed]' is not supported. (ID: [Removed])". Here is the structure of my csproj code for creating a IPA file for iOS: The command I use: dotnet publish [Removed]/app.csproj -f:net9.0-ios -c:Release ^ /p:PlatformTarget=Arm64 ^ /p:RuntimeIdentifier=ios-arm64 ^ /p:ServerAddress=[Removed] ^ /p:ServerUser=[Removed] ^ /p:ServerPassword=[Removed] ^ /p:ArchiveOnBuild=true ^ /p:BuildIpa=true I'm stuck trying to figure this out. If you could please point out any issues with what I'm doing or if you have any suggestions to resolve the problem I would very much appreciate it. Thanks, Ben

Hello everyone, I’ve been stuck for weeks on an issue with Family Controls + Device Activity entitlements in my iOS app, and Apple Developer Support has not provided a solution so far. I’m hoping someone here who has successfully implemented Family Controls + Device Activity can point me in the right direction. About the App • The app is a Digital Wellbeing app called Breakloop. • It lets users select apps they want to block, requires them to complete a positive affirmation before opening those apps, and can re-block apps after a set time (e.g., 10 minutes). • This functionality exactly matches the purpose of Family Controls and Device Activity APIs. What Works So Far • Family Controls capability is enabled in the main app target in Xcode. • We have valid Apple Developer certificates (Apple Development) and a team account. • The main app builds and runs fine when using Family Controls alone. • We have App IDs for: • bl.Breakloop (main app) • bl.Breakloop.BreakloopMonitorExtension • bl.Breakloop.BreakloopShieldConfigurationExtension The Problem The provisioning profiles for the extension targets (BreakloopMonitorExtension and BreakloopShieldConfigurationExtension) do not include the com.apple.developer.device-activity entitlement even though: • The App IDs in the Developer Portal have Family Controls (Development) enabled. • The extensions have the correct entitlements file with both: com.apple.developer.family-controls com.apple.developer.device-activity • Xcode Signing & Capabilities points to the correct provisioning profile + certificate. Because the provisioning profiles don’t include the entitlement, the build fails with: Provisioning profile doesn't include the com.apple.developer.device-activity entitlement. What Apple Support Said Apple Support told me: • “Family Controls grants access to Device Activity.” • They cannot enable it manually or guarantee that profiles will include the entitlement. • They sent links to the documentation but no further assistance. What I Need Help With 1. Has anyone successfully built extensions using Family Controls + Device Activity? 2. Do I need to request any additional approval for Device Activity, or should it appear automatically once Family Controls is enabled? 3. Is there a known Xcode or Apple Developer Portal configuration issue that causes the entitlement to be missing in provisioning profiles? 4. Any working example of a project setup that uses Family Controls + Device Activity in extensions would be extremely helpful. Extra Info • We use the latest Xcode + iOS SDK. • Tried recreating certificates, profiles, and App IDs multiple times. • Followed Apple’s docs for Family Controls + Device Activity exactly. I would greatly appreciate any guidance, especially from someone who has this working with iOS app extensions. Thank you!

Hi everyone, I recently submitted the Family Controls request form and received the following request IDs: 429MKWT5VX
 KNL6T2DC7A
 N62KV78DKC However, I haven’t received any updates yet and I’m not sure how these requests are tracked or when we’ll know if they’re approved. Our app is almost ready to launch and this capability is critical for us. Both the main app and an extension depend on Family Controls, so we’re currently blocked from moving forward. I also raised a support ticket with Apple Developer Support (Case ID: 102838723073), but I haven’t received any response there either. To be honest, this is becoming really stressful. Months of work are stuck at the final step and we’re unable to move forward without this approval. This isn’t just a small personal project and we’re building a production app and were hoping to launch very soon. If anyone has been through this process or has any guidance on the approval timeline, or if someone from Apple could help look into these request IDs, it would genuinely mean a lot to us.

 Thank you

Hello everyone can you help me, i have requested main camera access API Enterprise and have got the license to, and i have setting up the project main camera access demo from apple with my new license and have create app bundle and identifier for it but when i tried to deploy it test flight i got some error say "Profile doesn't support Main Camera Access" and "Profile doesn't include the com.apple.developer.arkit.main-camera-access.alow entitlement, even have do it it app Certificates, Identifiers &amp; Profiles and add the additional capability Main Camera Access. can you help me fixing this so that i can use Main Camera Access Entitlement

How can I disable Hardened Runtime in Xcode only when signing ad hoc? If I make a new project, Xcode will say Disabling hardened runtime with ad-hoc codesigning. at the beginning of the build logs. However, somehow my project isn't doing this -- it's still hardening the runtime when ad-hoc signing. What should I do to debug this?

So I just updated Xcode to 16.3 and updated a project to its recommended build settings which includes "Register App Groups". So I have an outside Mac App Store app that uses app groups. Here we have an action extension. I can't debug it, can't get it to run. Nothing useful in Xcode is displayed when I try... but it looks like a code signing issue when I run and have Console open. So I try to make a provisioning profile manually and set it...didn't work. I noticed now though in signing & capabilities the group id is in red...like it's invalid, or something? This was a "macOS styled" group without the "group." prefix. So am I supposed to switch it to have the group. prefix? It makes the red text go away (no warnings or anything about app groups here, just red text). So if I change it to group. prefix..does that make an entire new container?What happens on app update for installs that don't have group. prefix? Does the system transparently migrate the group? Or Am I supposed to migrate the entire group container to the identifier with group. prefix? Also how does this affect running on older version of macOS? If I go with the "group." prefix to make the red text go away,.. what happens on macOS 11.0? Got a little more than I bargained for here after midnight.