You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

Hi, I submitted my Family Controls entitlement requests on April 15 for my iOS app, but I still haven’t received an approval, rejection, or any status update. This is blocking my ability to properly test and move forward with the app, since it depends on the Screen Time / Family Controls APIs. I've tried contact to apple developer support and filed a code-level support on app connect dashboard. and still nothing received. Here is the request information: code-level support case id: 19834379 apple developer support case id: 102878196850 Family Controls Distribution RequestId: BT4C47F5VB,SLP56WRZ3J,BZ7MF3R4FF,5HAY5UF5X2,P49SM5C859,KG2T2X2L76,N353H759C4 Thanks.

Hello, We are currently in the process of creating our Developer ID Application certificate which is due to expire. While creating the certificate, we were posed with the option of choosing a Developer ID Certificate Intermediary G2 Sub CA which is supported by Xcode 11.4.1 and later Previous Sub CA We currently build our application out of Xcode using Make or CMake files and perform the codesign and productsign using the codesign commands. We also use 2 different build machines, Ventura with Xcode 14.3 for our latest releases High Sierra (10.13) with Xcode 10.1 for legacy releases to support some customers. Can you please let us know which Developer ID Certificate Intermediary we should choose for generating the new Developer ID Application certificate?

Hi, I'm building a wellness app called that helps users manage their phone usage based on their consumption, using the Screen Time API. I need the Family Controls (Distribution) entitlement to ship it. I've already submitted multiple requests across all my bundle IDs, but due to the lack of confirmation feedback after each submission, I may have submitted more than needed. Regardless, the oldest request submitted was on April 22nd (exactly 2 weeks ago), without any reply or change. Is this normal ? Also, I came across a forum post (https://developer.apple.com/forums/thread/821964?answerId=885672022#885672022) suggesting that the entitlement is now scoped at the team level rather than per bundle ID, and that I should resubmit a single request. I want to do the right thing here but I'm not sure whether to resubmit or wait and I don't want to make the situation worse than it already is. We're about a month away from our launch date and this is the last remaining blocker for both TestFlight and App Store submission. Any guidance on next steps, or help prioritizing this, would mean a lot. Thanks so much,

Problem My ARM64 macOS application is being immediately killed with SIGKILL when launched. No crash report is generated, and the process terminates instantly. Environment macOS Version: 15.x (Sequoia) Architecture: ARM64 (Apple Silicon) Certificate: Mac Developer certificate (development signing) App Type: Native ARM64 application with embedded Java runtime Symptoms ./MacOS/myapp Immediately returns: zsh: killed ./MacOS/myapp Investigation Results System Logs Show Security Policy Rejection kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 92850, /path/to/myapp syspolicyd: (Security) MacOS error: -67062 Error Code Analysis Error -67062 = errSecCSReqFailed (Code signature requirement failed) This is a Gatekeeper enforcement issue, not a code signing problem 3. Code Signature is Valid codesign -dvvv myapp Shows valid signature with Mac Developer certificate Authority=Mac Developer: Name (TEAMID) Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA What We Tried (That Didn't Help) ✅ Removed hardened runtime flag from Java components ✅ Added JIT entitlements (com.apple.security.cs.allow-jit) ✅ Verified Mach-O structure is correct ✅ Confirmed all libraries are ARM64 ✅ Re-signed with proper entitlements None of these fixed the issue because the problem is Gatekeeper policy enforcement. Question How can I allow this development-signed ARM64 app to run on macOS 15 without full notarization? I've tried: Removing quarantine attributes Various code signing approaches Different entitlements But Gatekeeper still blocks it with error -67062. Is there a way to add a security exception for development builds, or do I need to use a Developer ID certificate even for internal testing? Additional Context This is for internal development/testing. The app works fine when properly notarized, but we need a way to test development builds without going through the full notarization process each time. Any suggestions would be greatly appreciated!

I submitted a Family Controls Distribution entitlement request on 4/22 for my app Prof Blob. I received the confirmation page after submitting, but I have not received any approval, rejection, or status update. We are currently blocked from moving forward with our production release submission due to this entitlement. Details: Request ID: Y2L55S3W34 Team ID: 5AXHQ5ZF3G App: Prof Blob Bundle ID: com.spammusubi.blob-screen-time Related extension bundle IDs: com.spammusubi.blob-screen-time.BlobActivityReportExtension com.spammusubi.blob-screen-time.DeviceActivityMonitorExtension com.spammusubi.blob-screen-time.ShieldActionExtension com.spammusubi.blob-screen-time.ShieldConfigurationExtension Purpose: Individual device management for focus and productivity. Prof Blob is a digital wellbeing / screen time management app that uses Apple’s Screen Time APIs to let users select distracting apps and require a short math-based cognitive gate before opening them. The app uses FamilyControls, DeviceActivity, and ManagedSettings. Development builds are working, but the Family Controls Distribution entitlement is required for production builds, TestFlight validation, and App Store submission. Is there a way to expedite this request or confirm that it is still in review? I would be happy to provide any additional information needed to move the request forward.

I am experiencing an issue with Apple Development certificate creation in Xcode for my organization account. Account details: Organization: Jtecx LLC Team ID: 8V397ULNY4 Issue: When I attempt to create a new Apple Development certificate in Xcode under the Jtecx LLC (8V397ULNY4) team, the certificate is consistently generated under a different team: Apple Development: Joseph Salmond (67P4AAZ5TA) This appears to be my personal team, not the organization team. Impact: Because of this mismatch: Provisioning profiles created under 8V397ULNY4 cannot find a matching signing certificate Xcode shows “Signing Certificate: None” Xcode reports that the provisioning profile does not include the signing certificate I am unable to run or test the app on physical devices due to signing failures Troubleshooting performed: Deleted all Apple Development certificates from Keychain Access Revoked existing Apple Development certificates in the Apple Developer Portal Created a new Certificate Signing Request (CSR) using Keychain Access Generated a new Apple Development certificate through the Apple Developer portal Downloaded and installed the certificate into Keychain Attempted certificate creation via Xcode (Settings → Accounts → Manage Certificates → + → Apple Development) Verified installed identities using Terminal (security find-identity) Confirmed that only the following development identity is being created: Apple Development: Joseph Salmond (67P4AAZ5TA) Deleted this identity and repeated the process multiple times Recreated provisioning profiles after generating new certificates Downloaded and installed new provisioning profiles Attempted both manual signing and “Automatically manage signing” in Xcode Revoked certificates directly from Xcode and allowed Xcode to regenerate them Confirmed that Apple Distribution certificates are correctly issued under 8V397ULNY4 Despite all of the above steps, every new Apple Development certificate continues to be created under Team ID 67P4AAZ5TA instead of 8V397ULNY4. Expected behavior: When creating an Apple Development certificate while the Jtecx LLC (8V397ULNY4) team is selected, the certificate should be issued under that same team: Apple Development: Joseph Salmond (8V397ULNY4) Requested fix: Please investigate and correct the team association so that: Apple Development certificates are generated under the correct team (8V397ULNY4) is properly associated with the Jtecx LLC developer team for certificate issuance Xcode correctly creates and uses development certificates for the organization team Additional notes: Apple Distribution certificates are working correctly under 8V397ULNY4 Only Apple Development certificates are affected This issue is blocking local development and testing on physical devices Thank you.

Hi everyone, I'm developing a macOS app using Tauri 2. I need to test In-App Purchases (IAP), which requires running the actual built .app (it doesn't work properly in the development environment).I tried two approaches: Apple Development Certificate (free account): After cargo tauri build, the app "Mind Elixir.app" shows this error when I try to open it: “Mind Elixir.app” was not opened because it contains malware. This action did not harm your Mac. Apple Distribution Certificate: The app builds successfully, but because it is not notarized, Gatekeeper completely blocks it and I cannot open it at all. I just want to test IAP locally on my own Mac during development. Is there any other way to get a properly signed and runnable .app for testing IAP? Any help or workaround would be greatly appreciated. Thanks!

Hello! We built a macOS .pkg using pkgbuild (contains a DMG + postinstall bash script). The pkg works locally on the build machine but fails on other devices manually / via MDM unless signed. We tried signing with a Developer ID Installer certificate, but: security find-identity -p codesigning -v → 0 valid identities security find-identity -v → shows the cert Private key is present in Keychain OpenSSL check shows: X509v3 Extended Key Usage: Critical (Expected one might be: Code Signing) We recreated CSR + cert multiple times (G2 Sub-CA), ensured Login keychain, unlocked keychain, etc., but same result. Question: Why is the Developer ID Installer cert missing Code Signing usage and not recognized for signing? Is there any account restriction or step we might be missing? Any recommendations on resolving this issue. Thanks!

I've successfully signed Unix apps manually in the past. Today (after signing the new agreement) I can get it to replace the existing signature but it says "rejected" when I check it. Here are the commands I'm using: michaelleahy@Michaels-Mini ~ % sudo codesign --force --deep --options runtime --sign "Developer ID Application: Bookup Corp. (6J8PUT****)” /Users/michaelleahy/Documents/theapp /Users/michaelleahy/Documents/theapp: replacing existing signature michaelleahy@Michaels-Mini ~ % spctl -a -vvvv -t install /Users/michaelleahy/Documents/theapp /Users/michaelleahy/Documents/theapp: rejected source=Unnotarized Developer ID origin=Developer ID Application: Bookup Corp. (6J8PUT****) Here is a command (issued right after the one above) showing an older signed app is accepted: michaelleahy@Michaels-Mini ~ % spctl -a -vvvv -t install /Users/michaelleahy/Documents/olderapp /Users/michaelleahy/Documents/olderapp: accepted source=Notarized Developer ID origin=Developer ID Application: Bookup Corp. (6J8PUT****) What might I be missing? Something changed since the last time I signed an app.

My company only needed an Apple Developer Program account in order to sign macOS binaries. Because our scope was very limited, we enrolled with an individual account. Now our scope may grow, supporting more Apple features. As a result, we may need to change to an Organization account. If we change the account type, will this invalidate the certificate we use to sign the macOS binaries?

Hi, I submitted a Family Controls (Distribution) entitlement request for my app Faith Lock (com.faithlock.ios) - a prayer-focused iOS app that uses the Screen Time API to help users block distracting apps. I received an approval email, but the portal still shows the request as "Submitted" and the Distribution option does not appear under Additional Capabilities for my identifier. This is blocking me from submitting to App Store Connect. Details: Bundle ID: com.faithlock.ios Team ID: F86P575UNP Request IDs: 3PWTDR8KL3 / 885ZK276KK Status in portal: Submitted (unchanged since approval email) Has anyone experienced this? Is there a way to get the portal manually updated to reflect the approval? Any help or escalation from a DTS engineer would be greatly appreciated. Thank you.

Unable to Verify App An internet connection is required to verify trust of the developer "Apple Development: John Doe (ABCXYZ123)". This app will not be available until verified. I've been getting this constantly over the last few weeks. It has been a real struggle to get anything done. Sometimes it goes away on its own after I try to launch the app a few times, but currently it's just staying down and I can't do any work. Apparently there were issues with some Apple server ppq.apple.com before. They seem to be back, because trying again right now: ping ppq.apple.com PING use1-ppq-ext-prod.apple.com (17.33.200.235): 56 data bytes Request timeout for icmp_seq 0 Request timeout for icmp_seq 1 ^C --- use1-ppq-ext-prod.apple.com ping statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss ping apple.com PING apple.com (17.253.144.10): 56 data bytes 64 bytes from 17.253.144.10: icmp_seq=0 ttl=60 time=9.776 ms 64 bytes from 17.253.144.10: icmp_seq=1 ttl=60 time=8.726 ms ^C --- apple.com ping statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 8.726/9.251/9.776/0.525 ms This is incredibly disruptive. Surely there must be a way to disable this online verification? This is a development device that never leaves my desk and never installs any software except the things I build locally from my Mac (which I have trusted on the device).

In my application I validate the authenticity of my own binaries by checking that the Team Identifier in the code signature matches a predefined value. Currently I do not perform a full signature validation that verifies the certificate chain up to Apple’s root CA. When attempting to do this using SecStaticCodeCheckValidityWithErrors (or validateWithRequirement), the operation sometimes takes several minutes. During that time the calling thread appears blocked, and the system logs show: trustd: [com.apple.securityd:SecError] Malformed anchor records, not an array Because of this delay, I decided to rely only on the Team Identifier. My question is: Can it be assumed that if a Mach-O binary contains a Team Identifier in its code signature, then it must have been signed with a valid Apple Developer certificate? Or are there cases where a binary could contain a Team ID but still not be signed by Apple’s trust chain? Thanks for the help !

Hi, I do have a strange behavior in my development environment on a Mac mini (M4) running 26.2 and Xcode 26.3. Everything was working as expected. My project had a stable state and I wanted to enable iCloud support. As result I could not run the app any more because code signing failed with the message that my profile does not include the above entitlement. On my notebook (M2) with XCode 26.3 everything is working. Im am using GIT and both computers have identical code. The code compiling and running on my notebook will not run any more on my Max mini. Any help to find what might have broken the code signing and how it could be fixed? Thanks in advance.

I've already submitted multiple cases about this issue. My Family Controls Distribution request was apparently approved (or I was told via Developer Support) for my Device Activity extension, but the Distribution option still does not appear in the identifier. This is blocking my ability to distribute via TestFlight. I need someone who can update the identifier capabilities or explain why the approved capability is not showing.

Since this evening (March 10, 2026), I'm unable to launch any developer-signed app on my physical device (iPhone 16 Pro Max, iOS 26.4 beta 23E5223k). The error is: "Unable to launch [app] because it has an invalid code signature, inadequate entitlements or its profile has not been explicitly trusted by the user." On the device itself, it shows: "Unable to Verify App - An internet connection is required to verify the trust of the developer." What I've tried: Created a new Apple Development certificate Deleted and reinstalled the app Restarted the device Tested on both Wi-Fi and cellular Confirmed Developer Mode is enabled Removed all third-party CA certificates from the device Verified the code signature is valid (codesign -dv shows correct Authority chain) The root cause: https://ppq.apple.com is currently returning 502 Bad Gateway. I confirmed this both from my Mac (curl -s -o /dev/null -w "%{http_code}" https://ppq.apple.com → 502) and from Safari on the device. This affects all developer-signed apps, not just a specific project. Is anyone else experiencing this? Is there an ETA for the fix? Environment: Xcode 26.3 (17C519) macOS 26.3.1 (25D2128) iPhone 16 Pro Max, iOS 26.4 (23E5223k)

I accidentally mis-copy-pasted when creating a new app identifier, and I can't create the correct one. I missed the leading "c" and I created An App ID with om.automaticduck.MyApp I deleted it, but now I can't create the correct one. The error says An attribute in the provided entity has invalid value An App ID with Identifier 'com.automaticduck.MyApp' is not available. Please enter a different string. Thank you for helping with what I need to do.

Apple has introduced the Wireless Insights Service Predictions capability in iOS 26. After prior alignment with Apple engineers, we are working to integrate this capability into the Douyin App, and intend to provide a TestFlight build for Apple engineers to validate and debug the integration. We have encountered a blocking issue with entitlement configuration: We use our Apple Developer Enterprise Program account to build and submit TestFlight builds. When we manually create and configure provisioning profiles via the Apple Developer Portal, the required entitlement key com.apple.developer.wireless-insights.service-predictions is not available for selection or inclusion in the profile's Entitlements. This completely blocks us from enabling, using, and validating the Wireless Insights Service Predictions capability. For comparison, when we use our Apple Developer Program individual account, the entitlement com.apple.developer.wireless-insights.service-predictions is fully available. It is automatically included in provisioning profiles generated for local debugging, and can also be manually added to custom provisioning profiles via the Apple Developer Portal without issues. We request assistance to resolve this entitlement access discrepancy for our Enterprise Program account, so that we can complete the integration and provide the TestFlight build for validation as planned.

Hello We have a pkg installer whose signing certificate is expiring next month. It has a trusted timestamp on it. As per https://developer.apple.com/support/certificates/ it states Developer ID Installer Certificate (Mac applications) If your certificate expires, users can still install packages that were signed with this certificate as long as the package includes a trusted timestamp. Previously installed apps will continue to run. However, new installations won’t be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate. Wanted to check on behavior for new installations post expiration date. Since the installer has a trusted timestamp we would not need to release a new installer with new cert ?? Any guidance here would be much appreciated.

Context: I am building an iOS productivity app using EAS Build. The project has 4 targets: the main app and 3 extensions (ShieldAction, ShieldConfiguration, ActivityMonitorExtension). The Issue: I have officially received approval from Apple for the Family Controls (Distribution) entitlement for my main Bundle ID. However, the build still fails during the Xcode phase. The Errors: Xcode reports that the generated provisioning profiles do not include the com.apple.developer.family-controls entitlement. For example: Provisioning profile "*[expo] com.*.** AdHoc 177247892...." doesn't support the Family Controls capability. All 3 extensions are failing with the exact same error. What I've done: Confirmed approval from Apple for com.*.**. Enabled Family Controls and App Groups on the Apple Developer Portal for all 4 Identifiers. Cleared EAS local and remote cache using eas build --clear-cache. Deleted existing profiles on both Expo.dev and Apple Portal to force regeneration. The Question: Even with official approval, why does EAS continue to generate "empty" profiles for my Ad-Hoc development build? Do I need separate approval for each extension's Bundle ID, or is there a way to force EAS to sync these "Managed Capabilities" correctly?