How do I change my iOS applications' entitlements?
For a jailbreak app/entitlement, you need to do something like this. First, create a file named entitlements.xml (or whatever you like):
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.backboard.client</key>
<true/>
</dict>
</plist>
You can add more entitlements if you need. This example file just grants the app the com.apple.backboard.client entitlement.
It doesn't really matter where you put this file. The key is:
- You will need to modify Xcode's SDKSettings.plist file, as shown here. CODE_SIGNING_REQUIRED should be set to NO.
- Do not code sign your app in Xcode. In Build Settings, make sure the code sign identity is set to Don't Code Sign.
- After you then Build your app for the iOS Device (not Simulator!), then go to the directory on your Mac where the output files are located. For an app named HelloWorld, you're looking for the HelloWorld.app folder. It can differ depending on your configuration, so I won't bother trying to tell you where that is. If in doubt, use the command line find command.
- Download ldid pre-built from this location, or as source from here.
- Copy the entitlements.xml file into the same directory as where HelloWorld.app is. (Note: you don't have to have it here ... if you put it somewhere else, just adjust the command line I show you below).
- Change directory to the directory where your entitlements.xml file is.
- Fake code-sign with this command:
$ ldid -Sentitlements.xml HelloWorld.app/HelloWorld
After that point, you'll need to transfer the entire HelloWorld.app folder to install the app on your device. There are many ways to do that, and it sounds like you already have a way.
I have this whole process set up with a script, to make it easier.
Note: I am not stating whether or not this entitlement is the correct entitlement to use for the BKSDisplayServicesSetScreenBlanked() call on iOS 6. I haven't tested that. I do know that this entitlement works to allow you to use SBDimScreen() on lower iOS versions. But, this answer is just a description of how to add this kind of entitlement for a jailbreak app.
How do I resign app with entitlements?
The answer is actually quite self-evident in the question itself. The output from:
$ codesign -d --entitlements - Example.app/Example
Is actually a perfectly valid entitlements file. So you can store the output from the original .ipa exported from Xcode by writing:
$ codesign -d --entitlements entitlements.xml Example.app/Example
This will store the entitlements in entitlements.xml which you can then use in an argument to sign the .ipa file yourself:
codesign --entitlements entitlements.xml -f -s "iPhone Distribution: Company (UFAYDHAUP)" Payload/Example.app
Naturally "iPhone Distribution: Company (UFAYDHAUP)" has to be replaced with the signing identity you use and Payload/Example.app will be the path to your app which has been unzipped from the .ipa file.
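Added example (not part of the original answer): a Python check that a re-signed binary still carries the entitlements of the original. It parses two `codesign -d --entitlements` dumps, tolerating the 8-byte blob header that codesign can leave at the start of the dump, and reports removed, added and changed keys. The function names and all identifiers in the sample data are constructed for illustration.

```python
import plistlib
import struct

ENT_BLOB_MAGIC = 0xFADE7171  # magic of the embedded-entitlements blob


def load_entitlements(raw: bytes) -> dict:
    """Parse a codesign entitlements dump, with or without the blob header."""
    if len(raw) >= 8:
        magic, length = struct.unpack(">II", raw[:8])
        if magic == ENT_BLOB_MAGIC:
            # length is big-endian and counts the 8 header bytes too
            if not 8 <= length <= len(raw):
                raise ValueError("bad entitlements blob length")
            raw = raw[8:length]
    ent = plistlib.loads(raw)
    if not isinstance(ent, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return ent


def diff_entitlements(before: dict, after: dict) -> dict:
    """Report keys lost, gained or altered between two entitlement sets."""
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted(k for k in before
                          if k in after and before[k] != after[k]),
    }


def as_blob(ent: dict) -> bytes:
    """Wrap a plist in the blob header (used only to build sample input)."""
    xml = plistlib.dumps(ent)
    return struct.pack(">II", ENT_BLOB_MAGIC, len(xml) + 8) + xml


# Constructed sample data: not taken from any real app.
ORIGINAL = as_blob({
    "application-identifier": "AAAAAAAAAA.com.example.Example",
    "aps-environment": "production",
    "keychain-access-groups": ["AAAAAAAAAA.com.example.Example"],
})
RESIGNED = plistlib.dumps({  # dumped without the header
    "application-identifier": "BBBBBBBBBB.com.example.Example",
    "keychain-access-groups": ["AAAAAAAAAA.com.example.Example"],
    "get-task-allow": True,
})

if __name__ == "__main__":
    print(diff_entitlements(load_entitlements(ORIGINAL),
                            load_entitlements(RESIGNED)))
```

On a real build, read the two dumped files in binary mode and treat any unexpected entry under `removed` or `added` as a signing error to investigate before shipping.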
How to create Entitlement.plist file in Xcode?
You can manage the Entitlements in the Capabilities tab of your target settings.
Any change there will automatically update either the Entitlements.plist or the Info.plist file.
That being said, an Entitlements.plist file is in the end just a plist. You can add as many plists as you like following the steps provided in this question.
How to ensure OS X app Entitlements are applied?
Magically, it started to work after:
- I've replaced $(TeamIdentifierPrefix) with actual identifier
- Deleted DerivedData folders everywhere and rebuilt everything
Which entitlements are special entitlements? How do they work?
HKVerifiableClinicalRecordQuery
Request URL: https://developer.apple.com/contact/request/verifiable-health-records/
Entitlements Key: com.apple.developer.healthkit. Must contain the health-records from within its array.
WWDC: https://developer.apple.com/videos/play/wwdc2021/10089/
networking-multicast
Request URL: https://developer.apple.com/contact/request/networking-multicast
Entitlements Key: com.apple.developer.networking.multicast
usernotifications.filtering
Request URL: https://developer.apple.com/contact/request/notification-service
Entitlements Key: com.apple.developer.usernotifications.filtering
critical-alerts
Request URL: https://developer.apple.com/contact/request/notifications-critical-alerts-entitlement
Entitlements key: com.apple.developer.usernotifications.critical-alerts
Local Push Connectivity
Request URL: https://developer.apple.com/contact/request/local-push-connectivity
Entitlements Key: Not sure!
I think the com.apple.developer.networking.networkextension key must exist. The key's value must contain app-push-provider within its array.
hotspot-helper
Request URL: https://developer.apple.com/contact/request/hotspot-helper/
Entitlements key: com.apple.developer.networking.HotspotHelper
Do NOT mistake this for NEHotspotConfigurationManager. NEHotspotHelper and NEHotspotConfigurationManager are different and require distinct entitlements.
NetworkExtension used to need it but doesn't need it any more. See Dev Forums - Quinn
To use these facilities you previously had to be granted special
entitlements by Apple. This policy has now changed for
NetworkExtension providers. Any developer can now enable the
NetworkExtension provider entitlement like they would any other
entitlement.
com.apple.managed.vpn.shared keychain access group
Request URL: https://developer.apple.com/support/technical/
Entitlements key: com.apple.managed.vpn.shared
However there's a catch with Network Extensions. From the same Dev Forums, Quinn says:
#9 — After moving to the new entitlement process, my app no longer has access to the com.apple.managed.vpn.shared keychain access group. How can I regain that access?
Access to this keychain access group requires a special entitlement. If you need that entitlement, please open a DTS tech support incident and we will take things from there.
IMPORTANT This entitlement is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile (as discussed in the Profile Configuration section of the NETunnelProviderManager Reference). Many VPN apps don’t need this facility.
If I understand this correctly, basically if you need to use the com.apple.managed.vpn.shared keychain access group entitlement for VPN Credential Storage then you need two entitlements:
- Network Extension entitlement which can be done through Apple Developer Portal
- Another Special entitlement as mentioned above.
It's also worth noting that every dev team gets to create two DTS tickets a year for free. Beyond that you have to pay.
Included with each enrollment are two Technical Support Incidents, which will expire at the end of your membership year. You will receive two new TSIs when you renew your membership. View your available TSIs, their expiration dates, and your request history in the Code-level Support section in your account. Your TSIs are grouped by expiration date, and the ones that expire soonest will be used first.
Additional TSIs are available for purchase in either a 2-pack for $99 USD or 5-Pack for $249 USD in the Code-level Support section in your account. TSIs purchased separately expire one year from the date of activation.
I'm not sure if any other entitlement needs a special request or not, but these were the ones that I found
How do I add the special entitlement into my app?
Special entitlements are not associated with your App ID, they're added at the very last step of creating your provisioning profile.
When you create an «iOS, macOS, tvOS» «Development / Distribution / In-House (Enterprise)» provisioning profile for the Team ID «Team ID», after selecting the devices to be included in the profile, you should see a new page entitled “Do you need additional entitlements?”. Select “«hotspot helper template name»” from the Entitlements popup to include this special entitlement in your new profile.
Once you’ve finished generating the profile, you can use it in Xcode like any other manually-generated profile.
source: Apple Forums
I have the special Entitlements but Xcode isn't building it correctly for me
Xcode can’t give a special entitlement to you by itself. Hence I don't think Automatic Code Signing would work for special entitlements. It’s something that Apple embeds into your provisioning profile — only at Apple Developer portal. So you have to generate the provisioning profile from Apple Developer portal and then download it from Xcode.
Sample email you get from Apple upon approval:
Hello,
This Developer Team has already been assigned the HotspotHelper capability as part of the NetworkExtension entitlement.
To use this special entitlement you must create a new provisioning profile in the Certificates, Identifiers & Profiles section of your Developer account and select the entitlement after the "Do you need additional entitlements?" page.
Please note, it may take 1-3 business days for this entitlement to be visible. Once you've finished generating the profile, you can use it in Xcode like any other manually-generated profile.
IMPORTANT: If you have problems getting this to work, read Technote 2415 "Entitlements Troubleshooting" for troubleshooting steps.
If you have questions about adding or using this entitlement that are not answered by this Technote, please visit the Apple Developer Forums or contact Apple Developer Support.
Thank you,
Apple
How do you add multiple special entitlements?
This is not possible out of the box. The long-term solution for this would be for Apple to change the developer web site to allow you to select multiple templates. Please file a bug report requesting that, then post your bug number, just for the record.
I’m not sure whether there’s a good short-term option. My advice is that you talk to Apple Developer Programs Support to see whether they can help you (start here and then go Membership and Account > Other Membership or Account Questions). Make sure to:
- Reference this thread
- Include your bug number
- Tell them to reach out to me if they need clarifications
source: Dev Forums
Do I need the special entitlement only for my main app target?
Check each page's doc.
But I think it depends. e.g. the doc for Local Push Connectivity says:
After you receive the entitlement, apply it to both your app target and your provider extension target.
Source: Docs
What are extended entitlements?
They're exactly the same thing as special entitlements. Just a different name for it.
How long does it actually take to get approved?
Apple will respond within a week. But then usually it's not a straightforward approval. They'd ask for a bunch of changes or justifications and then approve/deny. Sometimes it takes 1 month overall.