This is my apple-app-site-association file:
{
"applinks": {
"apps": [],
"details": [
{
"paths": [
"*",
"\/doubanapp\/*",
"\/authorHome"
],
"appID": "KV99XUUJ3U.com.moer.MoerFinance"
}
]
}
}
I already set Xcode Associated Domains, this is my screenshot:
I use https://search.developer.apple.com/appsearch-validation-tool/ test my domains,but get error:
Error no apps with domain entitlements The entitlement data used to
verify deep link dual authentication is from the current released
version of your app. This data may take 48 hours to update.
If my app must be released then wait for 48 hours?
There is no requirement that your app be live in the App Store for Universal Links to work.
However, looking at https://moer.jiemian.com/apple-app-site-association and https://moer.cn/apple-app-site-association, both are serving invalid SSL certificates. iOS will reject these, which breaks Universal Links.
I'll put in a shameless plug here for Branch.io (full disclosure: I'm on the Branch team), in case you're just looking for simple deep linking and don't want to deal with these set up details.
For the self-signed cert issue, have you tried adding ?mode=developer to the URL in your entitlements (e.g. applinks:mydomain.com?mode=developer) for the Associated Domains?
This is the format for the domain when you're using an untrusted cert:
<service>:<fully qualified domain>?mode=<alternate mode>
with
<alternate mode> set to developer as in my example above
Docs say:
developer
Specifies that only devices in developer mode can access the domain. In this mode, you can use any valid SSL certificate on your web server, including a certificate the system doesn’t trust. Make sure you don’t expose your users to security issues, such as man-in-the-middle attacks. As an added precaution, only apps signed with a development profile can use developer mode, and users must opt in on any device they use.
Here's the reference documentation from Apple - scroll to the bottom of the page:
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_associated-domains
Related
I looked at this page and can't tell which entitlements are special.
I couldn't find any docs on how to figure out which ones require a dedicated request to Apple. Are there any docs for it?
HKVerifiableClinicalRecordQuery
Request URL: https://developer.apple.com/contact/request/verifiable-health-records/
Entitlements Key: com.apple.developer.healthkit. Must contain the health-records from within its array.
WWDC: https://developer.apple.com/videos/play/wwdc2021/10089/
networking-multicast
Request URL: https://developer.apple.com/contact/request/networking-multicast
Entitlements Key: com.apple.developer.networking.multicast
usernotifications.filtering
Request URL: https://developer.apple.com/contact/request/notification-service
Entitlements Key: com.apple.developer.usernotifications.filtering
critical-alerts
Request URL: https://developer.apple.com/contact/request/notifications-critical-alerts-entitlement
Entitlements key: com.apple.developer.usernotifications.critical-alerts
Local Push Connectivity
Request URL: https://developer.apple.com/contact/request/local-push-connectivity
Entitlements Key: Not sure!
I think the com.apple.developer.networking.networkextension key must exist. The key's value must contain app-push-provider within its array
hotspot-helper
Request URL: https://developer.apple.com/contact/request/hotspot-helper/
Entitlements key: com.apple.developer.networking.HotspotHelper
Do NOT mistake this for NEHotspotConfigurationManager. NEHotspotHelper and NEHotspotConfigurationManager are different and require distinct entitlements.
NetworkExtension used to need it but doesn't need it any more. See Dev Forums - Quinn
To use these facilities you previously had to be granted special
entitlements by Apple. This policy has now changed for
NetworkExtension providers. Any developer can now enable the
NetworkExtension provider entitlement like they would any other
entitlement.
com.apple.managed.vpn.shared keychain access group
Request URL: https://developer.apple.com/support/technical/
Entitlements key: com.apple.managed.vpn.shared
However there's a catch with Network Extensions. From the same Dev Forums, Quinn says:
#9 — After moving to the new entitlement process, my app no longer has access to the com.apple.managed.vpn.shared
keychain access group. How can I regain that access?
Access to this keychain access group requires a special entitlement. If you need that entitlement, please open a DTS tech support incident and we will take things from there.
IMPORTANT This entitlement is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile (as discussed in the Profile Configuration section of the NETunnelProviderManager Reference). Many VPN apps don’t need this facility.
If I understand this correct, basically if you need to use com.apple.managed.vpn.shared keychain access group entitlement for VPN Credential Storage then you need two entitlements:
Network Extension entitlement which can be done through Apple Developer Portal
Another Special entitlement as mentioned above.
It's also worth noting that every dev team gets to create two DTS tickets a year for free. Beyond that you have to pay.
Included with each enrollment are two Technical Support Incidents, which will expire at the end of your membership year. You will receive two new TSIs when you renew your membership. View your available TSIs, their expiration dates, and your request history in the Code-level Support section in your account. Your TSIs are grouped by expiration date, and the ones that expire soonest will be used first.
Additional TSIs are available for purchase in either a 2-pack for $99 USD or 5-Pack for $249 USD in the Code-level Support section in your account. TSIs purchased separately expire one year from the date of activation.
I'm not sure if any other entitlement needs a special request or not, but these were the ones that I found
How do I add the special entitlement into my app?
Special entitlements are not associated with your App ID, they're added at the very last step of creating your provisioning profile.
When you create an «iOS, macOS, tvOS» «Development / Distribution / In-House (Enterprise)» provisioning profile for the Team ID «Team ID», after selecting the devices to be included in the profile, you should see a new page entitled “Do you need additional entitlements?”. Select “«hotspot helper template name»” from the Entitlements popup to include this special entitlement in your new profile.
Once you’ve finished generating the profile, you can use it in Xcode like any other manually-generated profile.
source: Apple Forums
I have the special Entitlements but Xcode isn't building it correctly for me
Xcode can’t give a special entitlement to you by itself. Hence I don't think Automatic Code Signing would work for special entitlments. It’s something that Apple embeds into your provisioning profile — only at Apple Developer portal. So you have to generate the provisioning profile from Apple Developer portal and then download it from Xcode
Sample email you get from Apple upon approval:
Hello,
This Developer Team has already been assigned the HotspotHelper capability as part of the NetworkExtension entitlement.
To use this special entitlement you must create a new provisioning profile in the Certificates, Identifiers & Profiles section of your Developer account and select the entitlement after the "Do you need additional entitlements?" page.
Please note, it may take 1-3 business days for this entitlement to be visible. Once you've finished generating the profile, you can use it in Xcode like any other manually-generated profile.
IMPORTANT: If you have problems getting this to work, read Technote 2415 "Entitlements Troubleshooting" for troubleshooting steps.
If you have questions about adding or using this entitlement that are not answered by this Technote, please visit the Apple Developer Forums or contact Apple Developer Support.
Thank you,
Apple
How do you add multiple special entitlements?
This is not possible out of the box. The long-term solution for this
would be for Apple to change the developer web site to allow you to
select multiple templates. Please file a bug report requesting that,
then post your bug number, just for the record.
I’m not sure whether there’s a good short-term option. My advice is
that you talk to Apple Developer Programs Support to see whether they
can help you (start [here][ref] and then go Membership and Account >
Other Membership or Account Questions). Make sure to:
Reference this thread
Include your bug number
Tell them to reach out to me if they need clarifications
source: Dev Forums
Do I need the special entitlement only for my main app target?
Check each page's doc.
But I think it depends. e.g. the doc for Local Push Connectivity say:
After you receive the entitlement, apply it to both your app target and your provider extension target.
Source: Docs
What are extended entitlements?
They're exactly the same thing as special entitlements. Just a different name for it.
How long does it actually take to get approved?
Apple will respond within a week. But then usually it's not a straightforward approval. They'd ask for a bunch of changes or justifications and then approve/deny. Sometimes it takes 1 month overall.
According to your answer, i think it would be better share the link content which you shared which needs to login Developer Account. If I find new ones i will add here.
Multicast Networking Entitlement Request
This entitlement allows advanced networking apps to interact with their local network by sending multicast and broadcast IP packets and browsing for arbitrary Bonjour service types. Your app may need to access this level of networking in order to communicate with custom or non-standard devices or to act as a network utility.
Hotspot Helper Request
The NEHotspotHelper interface allows Wi-Fi network implementers to facilitate connections to the large-scale wireless networks that they manage. For a complete explanation of all Wi-Fi management APIs available on iOS, see Technical Q&A QA1942: iOS Wi-Fi Management APIs.
Request a Critical Alert Notifications Entitlement
When a user enables critical alert notifications, your app can send push notifications that play a sound at an app-specified volume when the device is locked, muted, or has Do Not Disturb enabled.
I am looking to block the developer's machines to communicate with Apple servers.
Some places we need to communicate:
Adding an account
Validating certificate and auto signing
Validating Profiles
Uploading an .ipa to AppStore Connect
Anything else(legacy services?)...
Can anyone list the url's for the above services?
I used Charles to check the urls, this is what I found:
https://devimages-cdn.apple.com
http://ocsp.apple.com
https://developerservices2.apple.com
https://contentdelivery.itunes.apple.com
http://ocsp.digicert.com
https://gs-loc.apple.com
I am a newbie in ios development and working on Universal deep-linking.
I have added apple-app-site-association file to my website. (I have validated the file)
Client enabled Associated Domains feature for the app and added me as a team member.
He has an individual account and sent me an invitation for the app.
I have a couple of questions:
Do I need to enable signing with my account (created by invitation) for Universal deep linking to work in the development phase?
If yes then Issue is that I am getting "Your development team, "Bhaskar Dabhi", does not support the Associated Domains capability." maybe because he couldn't enable access to certificates, identifiers and profiles. Does he need to enable "access to certificates, identifiers and profiles" for me to Universal deep linking to work?
if No then Universal deep linking is not working. not sure why.
I went through a couple of tutorials but couldn't figure out if it's because of signing in.
Universal Links
Step 1: Register your app at developer.apple.com.
Step 2: Enable ‘Associated Domains’ on your app identifier.
Step 3: Enable ‘Associated Domain’ on in your Xcode project.
Step 4: Configure your website to host the ‘apple-app-site-association’ file
AASA (apple-app-site-association) File
{
"applinks": {
"apps": [],
"details": [
{
"appID": “*****.com.*****.ios",
"paths": [
"*"
]
}
]
}
}
Step 5: Host your AASA file on your domain. After validating it using AASA validator.
Refer: https://developer.apple.com/ios/universal-links/
Even after 48 hours, as said in apple documentation, apple-app-site-association is not working in my application. I have checked with [apple validation tools] (https://search.developer.apple.com/appsearch-validation-tool/) but its showing Error no apps associated with url in the Link to Application. Here is the format of my apple-app-site-association file
{
"applinks": {
"apps": [],
"details": [{
"appID": "{team_id}.{bundle_id}",
"paths": ["*"]
}]
}
}
I have also enabled Associated Domains for the appId from developer.apple.com and in the XCode capabilities settings also.
I have already tried [this] (iOS Universal Links not working via TestFlight)
Also check the Apple Developer Forum but couldn't find a solution there also.
Little late to this thread but if you want Apple to call your app-site-association file each time the app is installed, simply do this:
applinks:[domain]?mode=developer
This way you can change the settings of the file while developing!
Make sure you are following these steps
Enabled Associated Domains in the app App services from the developer.apple.com
Set the domain name correctly in the Associated Domains in the Xcode capabilities and also enabled this.
You have correctly generated the apple-app-site-association file. The file must not have any extension. Here is the format for the file:
{
"applinks": {
"apps": [],
"details": [{
"appID": “{app_prefix}.{your_app_bundle_identifier}”,
"paths": ["*"]
}]
}
}
Make sure apps tag in the file is be empty and appID is made up of your app Prefix and bundle identifier separated by.
NOTE: I don't know why but I am using app prefix instead teamID as mentioned in most of the posts and even on the apple documentation. But it didn't work for me.
You can also try by using app prefix of the app id instead of teamID
Universal links work perfectly fine in development, but once I sign the applications and deploy them to TestFlight and App Store, it looks like the apple-app-site-association is not fetched and therefore the app isn't registered for oppening the universal links.
1. /.well-known/apple-app-site-association file:
{
"applinks": {
"apps": [],
"details": [{
"appID": "myteamid.com.mycompany.appName",
"paths": ["*"]
}]
}
}
The server part looks OK, since it is successfuly fetched whenever I run the app via the cable on my phone.
App Search API Validation tool returns this for Link to application:
Action required
Could not extract required information for Universal Links. Learn how
to implement the recommended Universal Links.
Error no apps with domain entitlements
The entitlement data used to verify deep link dual authentication is from the current released version of your app. This data may take 48 hours to update.
2) Capabilities:
Associated domains - ON with Domain list of:
applinks: link.mycompany.com
Other things I have turned on are: Push Notifications and Background Modes.
3) Provisioning profile:
I created a new one after adding the Universal links and Push notifications and it includes:
Capabilities:
Associated Domains,
List item
Game Center,
In-App Purchase,
Keychain Sharing,
Push Notifications.
Entitlements:
get-task-allow,
app-enviroment,
com.apple.developer.associated-domains,
com.apple.developer.team-identifier,
application-identifier,
beta-reports-active,
keychain-access-groups
4) While installing the app, it behaves different in test flight then it does when loading via cable:
Via cable I can see the successfull http request for the apple-app-site-association file and finally form the process swcd: "Added service 'applinks', appID 'myteamid.com.mycompany.appName', domain 'link.mycompany.com' "
Test flight - when installing there is no sign of http request and the following line is shown if I previously had the app installed via cable: "Removed service 'applinks', app ID 'myteamid.com.mycompany.appName', domain 'link.mycompany.com' (removed domain) "
This of course results in the fact that whenever I install the app via TestFlight or Describution, the Universal links do not work.
Any ideas where it goes wrong?
I finally got to the bottom of this with help of Apple Developer Technical Support. In my (cordova) project folder there are two files:
Entitlements-Debug.plist
Entitlements-Release.plist
When I add the value applinks:mywebpage.com to Capabilities->Associated domains->Domains, the Entitlements-Debug.plist got the lines:
<key>com.apple.developer.associated-domains</key>
<array>
<string>applinks:mywebpage.com</string>=
</array>
BUT the Entitlements-Release.plist did not change. What I did to solve the issue is to copy-paste the generated lines form the Entitlements-Debug.plist. After this, I did the exact same Archive and upload process as before and everything worked fine.