Reply to Using mTLS with YubiKey via USB-C and PIV
@DTS Engineer Quinn, THANK YOU. You were vital in getting me on the right track. I ended up noticing the same thing: that my personal account’s provisioning profile lacked the entitlement that I needed. With your help and insight, everything started working as expected. Bug report number is FB22461947 (I also mentioned the appPrefixId issue that IMO should also be fixed). Thanks again! I definitely learned something from your guidance.

Topic: Privacy & Security, SubTopic: General
Apr ’26
Reply to Using mTLS with YubiKey via USB-C and PIV
An update: when I remove ALL of my keychain groups except for "com.apple.token" (i.e. I removed the one for pivtoken), it works ONLY WITH my enterprise provisioning profile. For some reason, Xcode is OK with me manually modifying my .entitlement file to remove the app prefix ID that Xcode is automatically adding. If I use my own personal account, Xcode is NOT OK with me modifying the provisioning profile to remove the app prefix from "com.apple.token" (Xcode says my provisioning profile "doesn't match the entitlements file's value for the keychain-access-groups entitlement."). I'd like to get it working in both scenarios. Is there something I can do in Xcode to make my automatically-managed one work?

Topic: Privacy & Security, SubTopic: General
Apr ’26
Reply to Using mTLS with YubiKey via USB-C and PIV
@DTS Engineer Quinn, Thank you for your reply; I think I'm on a better path now. Unfortunately, I'm now getting an -34018 error and "nil" with the code below:

    var result: CFTypeRef?
    let status = SecItemCopyMatching([
        kSecClass: kSecClassCertificate,
        kSecAttrAccessGroup: kSecAttrAccessGroupToken,
        kSecMatchLimit: kSecMatchLimitAll,
        kSecReturnRef: true,
    ] as CFDictionary, &result)
    print("status=\(status) result=\(String(describing: result))")

I've tried your troubleshooting steps mentioned in your other posts, including printing out my app's entitlements, and they all look correct:

    <plist version="1.0">
    <dict>
        <key>application-identifier</key>
        <string>MY_APP_ID.MY_APP_BUNDLE_ID</string>
        <key>com.apple.developer.default-data-protection</key>
        <string>NSFileProtectionComplete</string>
        <key>com.apple.developer.team-identifier</key>
        <string>MY_APP_ID</string>
        <key>com.apple.security.application-groups</key>
        <array></array>
        <key>get-task-allow</key>
        <true/>
        <key>keychain-access-groups</key>
        <array>
            <string>MY_APP_ID.com.apple.token</string>
            <string>MY_APP_ID.com.apple.pivtoken</string>
            <string>MY_APP_ID.MY_APP_BUNDLE_ID</string>
        </array>
    </dict>
    </plist>

I've tried both an Xcode-managed provisioning profile, and an enterprise one owned by my org, and neither works. I ALSO saw your note here about REMOVING the app ID prefix from the entitlement, but Xcode won't let me run the app, because it complains that "Provisioning profile "" doesn't match the entitlements file's value for the keychain-access-groups entitlement." Any pointers? Feel like I'm close but must be overlooking something trivial. I am testing on real hardware, FYI.

Topic: Privacy & Security, SubTopic: General
Apr ’26
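The two replies above turn on one detail of the keychain-access-groups entitlement: the token access group (the string behind kSecAttrAccessGroupToken, which is "com.apple.token") has to appear without the team/app ID prefix that Xcode prepends to every other group, and status -34018 is errSecMissingEntitlement. The following script is an added example, not code from the poster or from Apple: it parses an entitlements plist modelled on the one printed in the post (MY_APP_ID and MY_APP_BUNDLE_ID are kept as the post's own placeholders), reports whether the bare token group is present, flags any prefixed copy of it, and produces a corrected entitlements document the way the manual edit described in the thread would. It does not touch the provisioning profile, which must also carry the same value for the build to sign; that mismatch is exactly the Xcode error quoted above.

```python
import plistlib

# kSecAttrAccessGroupToken in the Security framework is the literal string "com.apple.token".
TOKEN_GROUP = "com.apple.token"

# Constructed sample modelled on the entitlements printed in the post above;
# MY_APP_ID and MY_APP_BUNDLE_ID are the post's own placeholders, not real identifiers.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>application-identifier</key>
  <string>MY_APP_ID.MY_APP_BUNDLE_ID</string>
  <key>com.apple.developer.team-identifier</key>
  <string>MY_APP_ID</string>
  <key>keychain-access-groups</key>
  <array>
    <string>MY_APP_ID.com.apple.token</string>
    <string>MY_APP_ID.com.apple.pivtoken</string>
    <string>MY_APP_ID.MY_APP_BUNDLE_ID</string>
  </array>
</dict>
</plist>
"""


def check_token_access_group(entitlements: bytes) -> dict:
    """Report on the keychain-access-groups entitlement of an XML entitlements plist.

    'ok' is True only when the bare token group is present. Every entry that is the
    token group with a prefix glued on (the shape produced when the app ID prefix is
    prepended automatically) is listed under 'prefixed', because such an entry does
    not grant access to token items and leads to errSecMissingEntitlement (-34018).
    """
    ent = plistlib.loads(entitlements)
    groups = list(ent.get("keychain-access-groups", []))
    prefixed = [g for g in groups if g != TOKEN_GROUP and g.endswith("." + TOKEN_GROUP)]
    return {
        "groups": groups,
        "ok": TOKEN_GROUP in groups,
        "prefixed": prefixed,
    }


def fix_token_access_group(entitlements: bytes) -> bytes:
    """Return the entitlements with the token group present exactly once, unprefixed.

    Other groups are left as they are. This mirrors the manual edit the thread
    describes (removing the app ID prefix from the com.apple.token entry); it is not
    an Xcode or Security framework API. The provisioning profile must agree with the
    result, otherwise Xcode refuses to sign the build.
    """
    ent = plistlib.loads(entitlements)
    fixed = []
    for g in ent.get("keychain-access-groups", []):
        if g == TOKEN_GROUP or g.endswith("." + TOKEN_GROUP):
            g = TOKEN_GROUP
        if g not in fixed:  # collapse duplicates created by the rewrite
            fixed.append(g)
    ent["keychain-access-groups"] = fixed
    return plistlib.dumps(ent)


if __name__ == "__main__":
    print("before:", check_token_access_group(SAMPLE_ENTITLEMENTS))
    corrected = fix_token_access_group(SAMPLE_ENTITLEMENTS)
    print("after: ", check_token_access_group(corrected))
    print(corrected.decode())
```

To run it against a real build, feed it the output of `codesign -d --entitlements :- /path/to/App.app` (the `:-` form prints the entitlements as XML), then compare the corrected group list with the `Entitlements` dictionary of the provisioning profile in use; the thread's final outcome was that the profile, not the entitlements file, was the part still missing the group.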