How to Change My iOS Applications' Entitlements

How do I change my iOS applications' entitlements?

For a jailbreak app/entitlement, you need to do something like this. First, create a file named entitlements.xml (or whatever you like):

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.backboard.client</key>
<true/>
</dict>
</plist>

You can add more entitlements if you need. This example file just grants the app the com.apple.backboard.client entitlement.

It doesn't really matter where you put this file. The key is:

  1. You will need to modify Xcode's SDKSettings.plist file, as shown here. CODE_SIGNING_REQUIRED should be set to NO.
  2. Do not code sign your app in Xcode. In Build Settings, make sure the code sign identity is set to Don't Code Sign.
  3. After you build your app for the iOS Device (not Simulator!), go to the directory on your Mac where the output files are located. For an app named HelloWorld, you're looking for the HelloWorld.app folder. It can differ depending on your configuration, so I won't bother trying to tell you where that is. If in doubt, use the command line find command.
  4. Download ldid pre-built from this location, or as source from here.
  5. Copy the entitlements.xml file into the same directory as where HelloWorld.app is. (Note: you don't have to have it here ... if you put it somewhere else, just adjust the command line I show you below).
  6. Change directory to the directory where your entitlements.xml file is.
  7. Fake code-sign with this command:
$ ldid -Sentitlements.xml HelloWorld.app/HelloWorld

After that point, you'll need to transfer the entire HelloWorld.app folder to install the app on your device. There are many ways to do that, and it sounds like you already have a way.

I have this whole process set up with a script, to make it easier.

Note: I am not stating whether or not this entitlement is the correct entitlement to use for the BKSDisplayServicesSetScreenBlanked() call on iOS 6. I haven't tested that. I do know that this entitlement works to allow you to use SBDimScreen() on lower iOS versions. But, this answer is just a description of how to add this kind of entitlement for a jailbreak app.

How do I resign app with entitlements?

The answer is actually quite self-evident in the question itself. The output from:

$ codesign -d --entitlements - Example.app/Example

is actually a perfectly valid entitlements file. So you can store the output from the original .ipa exported from Xcode by writing:

$ codesign -d --entitlements entitlements.xml Example.app/Example

This will store the entitlements in entitlements.xml which you can then use in an argument to sign the .ipa file yourself:

$ codesign --entitlements entitlements.xml -f -s "iPhone Distribution: Company (UFAYDHAUP)" Payload/Example.app

Naturally, "iPhone Distribution: Company (UFAYDHAUP)" has to be replaced with the signing identity you use, and Payload/Example.app will be the path to your app, which has been unzipped from the .ipa file.

How to create Entitlement.plist file in Xcode?

You can manage the Entitlements in the Capabilities tab of your target settings.

Any change there will automatically update either the Entitlements.plist or the Info.plist file.

That being said, an Entitlements.plist file is in the end just a plist. You can add as many plists as you like following the steps provided in this question.

How to ensure OS X app Entitlements are applied?

Magically, it started to work after:

  • I've replaced $(TeamIdentifierPrefix) with actual identifier
  • Deleted DerivedData folders everywhere and rebuilt everything

Which entitlements are special entitlements? How do they work?

HKVerifiableClinicalRecordQuery

Request URL: https://developer.apple.com/contact/request/verifiable-health-records/

Entitlements Key: com.apple.developer.healthkit. Must contain the health-records from within its array.

WWDC: https://developer.apple.com/videos/play/wwdc2021/10089/



networking-multicast

Request URL: https://developer.apple.com/contact/request/networking-multicast

Entitlements Key: com.apple.developer.networking.multicast



usernotifications.filtering

Request URL: https://developer.apple.com/contact/request/notification-service

Entitlements Key: com.apple.developer.usernotifications.filtering



critical-alerts

Request URL: https://developer.apple.com/contact/request/notifications-critical-alerts-entitlement

Entitlements key: com.apple.developer.usernotifications.critical-alerts



Local Push Connectivity

Request URL: https://developer.apple.com/contact/request/local-push-connectivity

Entitlements Key: Not sure!

I think the com.apple.developer.networking.networkextension key must exist. The key's value must contain app-push-provider within its array



hotspot-helper

Request URL: https://developer.apple.com/contact/request/hotspot-helper/

Entitlements key: com.apple.developer.networking.HotspotHelper

Do NOT mistake this for NEHotspotConfigurationManager. NEHotspotHelper and NEHotspotConfigurationManager are different and require distinct entitlements.

NetworkExtension used to need it but doesn't need it any more. See Dev Forums - Quinn

To use these facilities you previously had to be granted special
entitlements by Apple. This policy has now changed for
NetworkExtension providers. Any developer can now enable the
NetworkExtension provider entitlement like they would any other
entitlement.



com.apple.managed.vpn.shared keychain access group

Request URL: https://developer.apple.com/support/technical/

Entitlements key: com.apple.managed.vpn.shared

However there's a catch with Network Extensions. From the same Dev Forums, Quinn says:

#9 — After moving to the new entitlement process, my app no longer has access to the com.apple.managed.vpn.shared
keychain access group. How can I regain that access?
Access to this keychain access group requires a special entitlement. If you need that entitlement, please open a DTS tech support incident and we will take things from there.

IMPORTANT This entitlement is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile (as discussed in the Profile Configuration section of the NETunnelProviderManager Reference). Many VPN apps don’t need this facility.

If I understand this correctly, basically if you need to use the com.apple.managed.vpn.shared keychain access group entitlement for VPN Credential Storage then you need two entitlements:

  • Network Extension entitlement which can be done through Apple Developer Portal
  • Another Special entitlement as mentioned above.

It's also worth noting that every dev team gets to create two DTS tickets a year for free. Beyond that you have to pay.

Included with each enrollment are two Technical Support Incidents, which will expire at the end of your membership year. You will receive two new TSIs when you renew your membership. View your available TSIs, their expiration dates, and your request history in the Code-level Support section in your account. Your TSIs are grouped by expiration date, and the ones that expire soonest will be used first.

Additional TSIs are available for purchase in either a 2-pack for $99 USD or 5-Pack for $249 USD in the Code-level Support section in your account. TSIs purchased separately expire one year from the date of activation.

I'm not sure if any other entitlement needs a special request or not, but these were the ones that I found



How do I add the special entitlement into my app?

Special entitlements are not associated with your App ID, they're added at the very last step of creating your provisioning profile.

When you create an «iOS, macOS, tvOS» «Development / Distribution / In-House (Enterprise)» provisioning profile for the Team ID «Team ID», after selecting the devices to be included in the profile, you should see a new page entitled “Do you need additional entitlements?”. Select “«hotspot helper template name»” from the Entitlements popup to include this special entitlement in your new profile.

Once you’ve finished generating the profile, you can use it in Xcode like any other manually-generated profile.

source: Apple Forums



I have the special Entitlements but Xcode isn't building it correctly for me

Xcode can’t give a special entitlement to you by itself. Hence I don't think Automatic Code Signing would work for special entitlements. It’s something that Apple embeds into your provisioning profile — only at Apple Developer portal. So you have to generate the provisioning profile from Apple Developer portal and then download it from Xcode.

Sample email you get from Apple upon approval:

Hello,
This Developer Team has already been assigned the HotspotHelper capability as part of the NetworkExtension entitlement.
To use this special entitlement you must create a new provisioning profile in the Certificates, Identifiers & Profiles section of your Developer account and select the entitlement after the "Do you need additional entitlements?" page.
Please note, it may take 1-3 business days for this entitlement to be visible. Once you've finished generating the profile, you can use it in Xcode like any other manually-generated profile.
IMPORTANT: If you have problems getting this to work, read Technote 2415 "Entitlements Troubleshooting" for troubleshooting steps.
If you have questions about adding or using this entitlement that are not answered by this Technote, please visit the Apple Developer Forums or contact Apple Developer Support.
Thank you,
Apple



How do you add multiple special entitlements?

This is not possible out of the box. The long-term solution for this
would be for Apple to change the developer web site to allow you to
select multiple templates. Please file a bug report requesting that,
then post your bug number, just for the record.

I’m not sure whether there’s a good short-term option. My advice is
that you talk to Apple Developer Programs Support to see whether they
can help you (start here and then go Membership and Account >
Other Membership or Account Questions). Make sure to:

  • Reference this thread
  • Include your bug number
  • Tell them to reach out to me if they need clarifications

source: Dev Forums



Do I need the special entitlement only for my main app target?

Check each page's doc.

But I think it depends. e.g. the doc for Local Push Connectivity says:

After you receive the entitlement, apply it to both your app target and your provider extension target.

Source: Docs



What are extended entitlements?

They're exactly the same thing as special entitlements. Just a different name for it.



How long does it actually take to get approved?

Apple will respond within a week. But then usually it's not a straightforward approval. They'd ask for a bunch of changes or justifications and then approve/deny. Sometimes it takes 1 month overall.
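
Added example (not from the original answers, and not Apple's own validation logic): a check that the entitlements extracted with codesign -d --entitlements, as in the re-signing answer, are all granted by the Entitlements dict of the provisioning profile, which is where the special entitlements discussed above have to come from. The Team ID, bundle ID, sample data and the wildcard matching rule are constructed assumptions; the profile dict is assumed to have been decoded beforehand (for example with security cms -D -i embedded.mobileprovision).

```python
import plistlib
import struct

# Header codesign leaves on `-d --entitlements FILE` output (no ":" prefix).
BLOB_MAGIC = 0xFADE7171

def load_entitlements(raw: bytes) -> dict:
    """Parse extracted entitlements, with or without the 8-byte blob header."""
    if len(raw) >= 8:
        magic, length = struct.unpack(">II", raw[:8])
        if magic == BLOB_MAGIC:
            raw = raw[8:length]  # length field includes the header itself
    return plistlib.loads(raw)

def _matches(value, allowed) -> bool:
    # Assumed rule: exact match, or a profile value ending in "*" as a prefix.
    if isinstance(allowed, str) and allowed.endswith("*"):
        return isinstance(value, str) and value.startswith(allowed[:-1])
    return value == allowed

def not_covered(signed: dict, profile: dict) -> dict:
    """Return {key: [values the profile's Entitlements dict does not grant]}."""
    problems = {}
    for key, value in signed.items():
        if value is False:
            continue  # a disabled entitlement asks for nothing
        wanted = value if isinstance(value, list) else [value]
        granted = profile.get(key, [])
        granted = granted if isinstance(granted, list) else [granted]
        missing = [w for w in wanted if not any(_matches(w, g) for g in granted)]
        if missing:
            problems[key] = missing
    return problems

# Constructed sample: entitlements of a signed app, blob header included.
SIGNED_XML = b"""<plist version="1.0"><dict>
<key>application-identifier</key><string>ABCDE12345.com.example.app</string>
<key>com.apple.developer.networking.HotspotHelper</key><true/>
<key>get-task-allow</key><false/>
<key>keychain-access-groups</key><array><string>ABCDE12345.com.example.app</string>
<string>com.apple.managed.vpn.shared</string></array>
</dict></plist>"""
SIGNED_BLOB = struct.pack(">II", BLOB_MAGIC, 8 + len(SIGNED_XML)) + SIGNED_XML
# Constructed sample: Entitlements dict of a profile without special entitlements.
PROFILE = {"application-identifier": "ABCDE12345.*", "get-task-allow": False,
           "keychain-access-groups": ["ABCDE12345.*"]}

if __name__ == "__main__":
    print(not_covered(load_entitlements(SIGNED_BLOB), PROFILE))
```

Any key the function reports is one the signature claims but the profile does not carry, which is the mismatch to resolve by regenerating the profile on the developer portal before re-signing.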


