Network Extension entitlement, how to enable it? - ios

I need to use Network Extension features in an app, particularly to use the Proxy features. The doc says:
Except when you use the NEHotspotHelper class, you do not need to obtain entitlements from Apple to use Network Extension classes. However, you still need to enable the Network Extension entitlement via the Developer portal. To request an entitlement to use the NEHotspotHelper class, visit https://developer.apple.com/contact/network-extension.
I went to the Developer portal, but I couldn't find how to enable the Network Extension entitlement. Is it because my role is "admin" rather than "team agent"? Or can someone tell me how to enable that entitlement?

Due to the confusing documentation and the missing function in Xcode 8.1, it cost me one whole week to find the solution.
Make sure you are enrolled in the Apple Developer Program (it's not free, you need to pay $100 per year)
Go to https://developer.apple.com/account/ios/identifier/bundle
Select Identifiers => App IDs
Click your app on the right (if there is none, you can create one with Xcode),
Click the edit button, check the network-extension checkbox
NOTE1: Since November 10th 2016, you don't need an entitlement from Apple to use network-extension
NOTE2: If you are using Hotspot Helper, go to https://developer.apple.com/contact/network-extension/
If you are using VPN Manager, simply use the capability menu of the Xcode project config.

With Xcode 9 there is an easier way to add network extension entitlements inside Xcode.
Add your developer account to Xcode from Preferences -> Account if you haven't added it before.
Select the General tab from your app target and then set your developer account details.
From your app target select the Capabilities tab and turn on the switch to the right of Network Extensions. Then select the capabilities you are going to use.
Then check your YOUR_PROJECT_NAME.entitlements plist file. The capabilities you selected should be on the Network Extensions list.
As a last step, check your App ID in the developer portal to see if everything is fine.

Edit your App ID on Apple's dev portal and look for the Network Extensions capability/service. You also need Personal VPN to create and manage configurations in your app.
The Network Extensions option is new. I'm not sure when it appeared, maybe in the last six months? It used to be you had to request permission for it and it'd show up under the provisioning profile entitlements, but now Apple's opened it up to everyone.
You might also need to add this to your entitlements file(s). At least you used to - I'm not positive about needing this with the new approach:
<key>com.apple.developer.networking.networkextension</key>
<array>
    <string>app-proxy-provider</string>
    <string>content-filter-provider</string>
    <string>packet-tunnel-provider</string>
</array>

Related

XCode is missing "Near Field Communication Tag Reading" capability

I am trying to use the NFC capabilities with Swift, and the Apple docs say to enable the aforementioned "Near Field Communication Tag Reading" capability, but when I look in the capabilities menu, it is not there. Does anybody know what the issue is here? I believe I have a fairly recent version of Xcode. I saw someone else say that it was because I needed to purchase the Apple developer license, and so I did. Do I need to do something to get Xcode to recognize that I have the developer license other than restart Xcode?
Thanks
You need to add the capability in Xcode first. You also need to enable the same capability for the app bundle ID in the Apple Developer portal -> Certificates, Identifiers & Profiles -> Identifiers -> Select your app -> Enable NFC Tag Reading -> Save.
Next, edit your app profile in the "Profiles" section and download the updated provisioning profile and install it. This will set up your NFC in Xcode.
Note: If you have recently added an account in Xcode make sure you have development certificates installed in your system.

Which entitlements are special entitlements? How do they work?

I looked at this page and can't tell which entitlements are special.
I couldn't find any docs on how to figure out which ones require a dedicated request to Apple. Are there any docs for it?
HKVerifiableClinicalRecordQuery
Request URL: https://developer.apple.com/contact/request/verifiable-health-records/
Entitlements Key: com.apple.developer.healthkit. Must contain the health-records from within its array.
WWDC: https://developer.apple.com/videos/play/wwdc2021/10089/
networking-multicast
Request URL: https://developer.apple.com/contact/request/networking-multicast
Entitlements Key: com.apple.developer.networking.multicast
usernotifications.filtering
Request URL: https://developer.apple.com/contact/request/notification-service
Entitlements Key: com.apple.developer.usernotifications.filtering
critical-alerts
Request URL: https://developer.apple.com/contact/request/notifications-critical-alerts-entitlement
Entitlements key: com.apple.developer.usernotifications.critical-alerts
Local Push Connectivity
Request URL: https://developer.apple.com/contact/request/local-push-connectivity
Entitlements Key: Not sure!
I think the com.apple.developer.networking.networkextension key must exist. The key's value must contain app-push-provider within its array
hotspot-helper
Request URL: https://developer.apple.com/contact/request/hotspot-helper/
Entitlements key: com.apple.developer.networking.HotspotHelper
Do NOT mistake this for NEHotspotConfigurationManager. NEHotspotHelper and NEHotspotConfigurationManager are different and require distinct entitlements.
NetworkExtension used to need it but doesn't need it any more. See Dev Forums - Quinn
To use these facilities you previously had to be granted special
entitlements by Apple. This policy has now changed for
NetworkExtension providers. Any developer can now enable the
NetworkExtension provider entitlement like they would any other
entitlement.
com.apple.managed.vpn.shared keychain access group
Request URL: https://developer.apple.com/support/technical/
Entitlements key: com.apple.managed.vpn.shared
However there's a catch with Network Extensions. From the same Dev Forums, Quinn says:
#9 — After moving to the new entitlement process, my app no longer has access to the com.apple.managed.vpn.shared
keychain access group. How can I regain that access?
Access to this keychain access group requires a special entitlement. If you need that entitlement, please open a DTS tech support incident and we will take things from there.
IMPORTANT This entitlement is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile (as discussed in the Profile Configuration section of the NETunnelProviderManager Reference). Many VPN apps don’t need this facility.
If I understand this correctly, basically if you need to use the com.apple.managed.vpn.shared keychain access group entitlement for VPN Credential Storage then you need two entitlements:
Network Extension entitlement which can be done through Apple Developer Portal
Another Special entitlement as mentioned above.
It's also worth noting that every dev team gets to create two DTS tickets a year for free. Beyond that you have to pay.
Included with each enrollment are two Technical Support Incidents, which will expire at the end of your membership year. You will receive two new TSIs when you renew your membership. View your available TSIs, their expiration dates, and your request history in the Code-level Support section in your account. Your TSIs are grouped by expiration date, and the ones that expire soonest will be used first.
Additional TSIs are available for purchase in either a 2-pack for $99 USD or 5-Pack for $249 USD in the Code-level Support section in your account. TSIs purchased separately expire one year from the date of activation.
I'm not sure if any other entitlement needs a special request or not, but these were the ones that I found
How do I add the special entitlement into my app?
Special entitlements are not associated with your App ID, they're added at the very last step of creating your provisioning profile.
When you create an «iOS, macOS, tvOS» «Development / Distribution / In-House (Enterprise)» provisioning profile for the Team ID «Team ID», after selecting the devices to be included in the profile, you should see a new page entitled “Do you need additional entitlements?”. Select “«hotspot helper template name»” from the Entitlements popup to include this special entitlement in your new profile.
Once you’ve finished generating the profile, you can use it in Xcode like any other manually-generated profile.
source: Apple Forums
I have the special Entitlements but Xcode isn't building it correctly for me
Xcode can’t give a special entitlement to you by itself. Hence I don't think Automatic Code Signing would work for special entitlements. It’s something that Apple embeds into your provisioning profile, and only at the Apple Developer portal. So you have to generate the provisioning profile from the Apple Developer portal and then download it from Xcode.
Sample email you get from Apple upon approval:
Hello,
This Developer Team has already been assigned the HotspotHelper capability as part of the NetworkExtension entitlement.
To use this special entitlement you must create a new provisioning profile in the Certificates, Identifiers & Profiles section of your Developer account and select the entitlement after the "Do you need additional entitlements?" page.
Please note, it may take 1-3 business days for this entitlement to be visible. Once you've finished generating the profile, you can use it in Xcode like any other manually-generated profile.
IMPORTANT: If you have problems getting this to work, read Technote 2415 "Entitlements Troubleshooting" for troubleshooting steps.
If you have questions about adding or using this entitlement that are not answered by this Technote, please visit the Apple Developer Forums or contact Apple Developer Support.
Thank you,
Apple
How do you add multiple special entitlements?
This is not possible out of the box. The long-term solution for this
would be for Apple to change the developer web site to allow you to
select multiple templates. Please file a bug report requesting that,
then post your bug number, just for the record.
I’m not sure whether there’s a good short-term option. My advice is
that you talk to Apple Developer Programs Support to see whether they
can help you (start here and then go Membership and Account >
Other Membership or Account Questions). Make sure to:
Reference this thread
Include your bug number
Tell them to reach out to me if they need clarifications
source: Dev Forums
Do I need the special entitlement only for my main app target?
Check each page's doc.
But I think it depends, e.g. the doc for Local Push Connectivity says:
After you receive the entitlement, apply it to both your app target and your provider extension target.
Source: Docs
What are extended entitlements?
They're exactly the same thing as special entitlements. Just a different name for it.
How long does it actually take to get approved?
Apple will respond within a week. But then usually it's not a straightforward approval. They'd ask for a bunch of changes or justifications and then approve/deny. Sometimes it takes 1 month overall.
According to your answer, I think it would be better to share the content of the links you shared, which need a Developer Account login. If I find new ones I will add them here.
Multicast Networking Entitlement Request
This entitlement allows advanced networking apps to interact with their local network by sending multicast and broadcast IP packets and browsing for arbitrary Bonjour service types. Your app may need to access this level of networking in order to communicate with custom or non-standard devices or to act as a network utility.
Hotspot Helper Request
The NEHotspotHelper interface allows Wi-Fi network implementers to facilitate connections to the large-scale wireless networks that they manage. For a complete explanation of all Wi-Fi management APIs available on iOS, see Technical Q&A QA1942: iOS Wi-Fi Management APIs.
Request a Critical Alert Notifications Entitlement
When a user enables critical alert notifications, your app can send push notifications that play a sound at an app-specified volume when the device is locked, muted, or has Do Not Disturb enabled.
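An added example (not part of the original answers, and not Apple's tooling): a Python check that every entitlement an app requests is actually granted by its provisioning profile. It covers each provider type in the com.apple.developer.networking.networkextension array from the first thread and profile-embedded special entitlements such as com.apple.developer.networking.HotspotHelper. The two plists, the team ID, the bundle ID, the boolean HotspotHelper value and the wildcard matching rule are constructed assumptions.

```python
import plistlib

NE_KEY = "com.apple.developer.networking.networkextension"

# Constructed sample of what an app target requests (its .entitlements file).
# Team ID, bundle ID and the boolean HotspotHelper value are placeholders.
REQUESTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.example.proxyapp</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider</string>
        <string>packet-tunnel-provider</string>
    </array>
    <key>com.apple.developer.networking.HotspotHelper</key>
    <true/>
</dict>
</plist>"""

# Constructed sample of a decoded provisioning profile: the grants live
# under its "Entitlements" dictionary.
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key>
        <string>ABCDE12345.*</string>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider</string>
        </array>
    </dict>
</dict>
</plist>"""


# Assumed rule for this example: a granted string ending in '*' is a prefix
# wildcard; everything else must match exactly, type included.
def _covered(requested, granted):
    if isinstance(granted, str) and granted.endswith("*"):
        return isinstance(requested, str) and requested.startswith(granted[:-1])
    return type(requested) is type(granted) and requested == granted


def audit(requested_plist, profile_plist):
    """Return (key, problem) pairs for entitlements the profile does not grant."""
    requested = plistlib.loads(requested_plist)
    granted = plistlib.loads(profile_plist).get("Entitlements", {})
    findings = []
    for key, want in sorted(requested.items()):
        if key not in granted:
            findings.append((key, "not in profile"))
            continue
        have = granted[key]
        have_items = have if isinstance(have, list) else [have]
        for item in want if isinstance(want, list) else [want]:
            if not any(_covered(item, h) for h in have_items):
                findings.append((key, f"value {item!r} not granted"))
    return findings


if __name__ == "__main__":
    for key, problem in audit(REQUESTED_PLIST, PROFILE_PLIST):
        print(f"{key}: {problem}")
```

On a Mac, the two inputs can be produced with `codesign -d --entitlements :- YourApp.app` and `security cms -D -i embedded.mobileprovision`, where the app and profile paths are your own.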

The development team account does not support domains and

I'm new to iOS development. I would like to transfer my app to my personal iPhone device for a first trial run. I followed a video that I found on the internet to sign the iOS app without registering for the iOS developer program.
However, everything seemed to work fine until the very last part, where I got an error message telling me that,
"Your development account does not support domains and push
notifications."
I believe this error is due to my normal Apple ID account not supporting push notifications.
In that case, how could I disable the push notifications in my code? How should I resolve this?
Please advise
With the free Apple developer account, you need to turn off the enabled capabilities.
Go to target
Select the Capabilities tab as shown in the image below
Turn off all capabilities (Remote notifications in your case)
Now run the application on a device with your free account
You should create a free developer account here: https://developer.apple.com
After this Xcode will do the stuff automatically if you select Automatically manage signing in the general tab for your target (select your project in the top left in Xcode).
If you want to do it manually you need to create an appId, register your device unique identifier and create a certificate (will need: keychain - request a certificate..) and then a provisioning profile with all of the above, all this in the developer.apple.com platform. Then you must select your provisioning profile in the signing part of the general tab of your target.
Also make sure under capabilities, all are turned off.

Unable to set Signing certificate in XCode. Executable contains an invalid signature

I want to run my Cordova iOS application on my iOS device for testing.
Following are my build settings:
Clicking Enable Development Signing sets the Team to None.
My build is successful. On installing, Xcode shows the following error:
Does it require a developer account to run the Cordova iOS build on a device for testing? The Cordova Android version is already on Play Store.
How to set a Signing Certificate without a developer account? How to fix the invalid signature error. I haven't set any signature yet.
I am completely new to iOS.
Yes, you must have a developer account to get a signing certificate. The signing certificate pairs with your provisioning profile, which also requires a developer account to create. You need both to run on a physical device. Your device must also be registered with your account and included in your provisioning profile device list to be allowed to run the app, outside of the App Store environment.
Xcode handles much of this for you automatically, if you have a developer account set up under Xcode Preferences > Accounts > Apple IDs. On the right-hand side of that screen you have a list of "Teams" along with buttons that say "Download Manual Profiles" and "Manage Certificates..." Is anything listed in there?
Your screenshot shows a Team with your name, which should mean that you have a developer account already?
You also have a button in your screenshot that says "Enable Development Signing." Have you tried running that? Does it not take care of things automatically for you? "Automatically manage signing" enabled should be helping you get through these issues with simple clicks of those buttons.
Otherwise, you will need to go to the Developer portal and register a signing certificate manually. That's a process that many have written blogs and manuals about already. I don't think it is necessary to re-write what has been said by many others already. Here's a YouTube video that does a nice job of explaining things: https://youtu.be/OwXIJchrDdA

How to build an iOS binary without setting an Apple Developer account and team?

I'm using Xcode 6.3.2, and I'd like to let other people build and create the .ipa files of my projects, but I want neither to expose my Apple Developer account information nor to create users for them in my team... is that possible? Either by using Xcode or by command line.
Thanks in advance
EDIT: The goal is to prevent those external people from being able to submit apps to the App Store by means of my Apple Developer account and from being able to see the other apps managed in the account.
EDIT2: Does providing the distribution certificate to external people make it possible for them to submit binaries to the App Store?
After reading your edits, I think I understand more clearly what you are trying to do. Basically, you will simply need to provide the other members of your team with the following:
The private key used to generate your app store distribution certificate.
The distribution certificate
The app store distribution provisioning profile
This will allow those team members to work on, and build the app for the app store. Without your Apple developer ID password, they will not be able to log into iTunes Connect to see the other apps you have. While they will be able to build the app for app store distribution, you (as the only one with the Apple ID password) will have to be the one to submit the compiled app to the store.
So basically, your development team will create the apps. When you're ready for release, they can do an "Archive" in Xcode to create the .app that has been signed for the app store (using the provisioning profile and signing identity that you provided them in the three files I mention above). They will zip up the .app and the .dSym files into a .zip and send it to you. You will then log into iTunes Connect and set up the app to be ready for the new binary, and then use the Application Loader to upload the .zip to Apple for review. Once you have gotten a successful review, you will again log into iTunes Connect to release the app. So at no point will the developers have access to submit apps or see other apps you have in the store.
Also, the development team will not need the provisioning profile, cert, and key until they need to build for the app store. During the development phase, there is no problem with them using their own developer accounts to build and test the app.
One additional thing to note is that Apple is changing the roles that are available in iTunes Connect. You may want to review those new roles to see if some combination of those roles may work for your team setup.
From http://9to5mac.com/2015/06/12/wwdc-itunes-connect-testflight-limits-account-switching/
After several apps are added to an account by its admin, developers
can now assign user roles to individuals on their team— app manager,
developer, or marketer— with each allowing varying access to iTunes
Connect features. App managers, for example, will be able to create
users, assign user roles, change pricing, and submit apps for review.
Marketers will get access to updating store metadata, uploading promo
material, and requesting promo codes. Users assigned the developer
role will be able to upload binaries, and view crash logs and store
metadata.
Apple recently introduced free provisioning profile and/or free developer certificate support.
But it's limited (see the note below).
To utilise that, follow the steps below suggested by Apple:
In Xcode, add your Apple ID to Accounts preferences, described in Adding Your Apple ID Account in Xcode.
In the project navigator, select the project and your target to display the project editor.
Click General and choose your name from the Team pop-up menu.
Connect the device to your Mac and choose your device from the Scheme toolbar menu.
Below the Team pop-up menu, click Fix Issue.
Xcode creates a free provisioning profile for you and the warning text under the Team pop-up menu disappears.
Click the Run button.
Note that said support is limited, for example, the capability to sell things with "Apple Pay" would not even build with a free-certificate.
Yes, there are several ways to solve your problem.
You can create an .ipa file with your provisioning profile and give them the file. They can use an application called "Application Loader" to upload the .ipa; this should re-sign your application with their provisioning profile. I did not try this but it should work.
When you create an archive of your application, it will be listed in "Organizer". Go to that location, and give them that .app file alone. Then they can use any third-party application (can be downloaded from the Mac App Store) to re-sign the application with their profile. In this case, you are completely hiding your information. They can even change the application icon, default image, etc. during the re-signing process.
When you build your application in release mode an .app file is created; this is an unsigned binary. You can search for the .app file in your Xcode project itself. Just find the location, and give them that .app file alone. Then they can use any third-party application (can be downloaded from the Mac App Store) to re-sign the application with their profile. In this case, you are completely hiding your information. They can even change the application icon, default image, etc. during the re-signing process.
Hope this helps.
No, there is no way to compile an .ipa without a provisioning profile (device compile, not simulator compile). To do this, you would go Xcode->{AppTarget}->Build Settings->Code Signing->Code Signing Identity, and set "Don't code sign".
Trying to compile afterwards will fail with
CodeSign error: Code signing is required for product type
'Application' in SDK...
EDIT: The goal is to prevent those external people from being able to
submit apps to the App Store by means of my Apple Developer account
and from being able to see the other apps managed in the account.
You have two options:
Send them your source code + Xcode project, and not the library.
Compile the code using "iOS Developer" Code Signing identity, and not "iOS Distribution" identity.
Anything signed with iOS Developer can never be sent to the AppStore.
Anything signed with iOS Distribution can never be run on a device
unless it is downloaded from the AppStore.
They can never see what you have for sale, nor publish anything unless they have your AppleID username and password
