DTS regularly receives questions about how to preserve keychain items across an App ID change, and so I thought I’d post a comprehensive answer here for the benefit of all.
If you have any questions or comments, or other creative solutions!, please start a new thread here on DevForums, tagging it with Security so that I see it.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
App ID Prefix Change and Keychain Access
The list of keychain access groups your app can access is determined by three entitlements. For the details, see Sharing Access to Keychain Items Among a Collection of Apps. If your app changes its App ID prefix, this list changes and you’re likely to lose access to existing keychain items.
This situation crops up under two circumstances:
- When you migrate your app from using a unique App ID prefix to using your Team ID as its App ID prefix.
- When you transfer your app to another team.
In both cases you have to plan carefully for this change. If you only learn about the problem after you’ve made the change, consider undoing the change to give you time to come up with a plan before continuing.
Note On macOS, the information in this post only applies to the data protection keychain. For more information about the subtleties of the keychain on macOS, see On Mac Keychains.
For more about App ID prefix changes, see Technote 2311 Managing Multiple App ID Prefixes and QA1726 Resolving the Potential Loss of Keychain Access warning.
Migrate From a Unique App ID Prefix to Your Team ID
Historically each app was assigned its own App ID prefix. This is no longer the case. Best practice is for apps to use their Team ID as their App ID prefix. This enables multiple neat features, including keychain item sharing and pasteboard sharing.
If you have an app that uses a unique App ID prefix, consider migrating it to use your Team ID. This is a good thing in general, as long as you manage the migration process carefully.
Your app’s keychain access group list is built from three entitlements:
- keychain-access-groups, see Keychain Access Groups Entitlement
- application-identifier (com.apple.application-identifier on macOS)
- com.apple.security.application-groups, see App Groups Entitlement
IMPORTANT A macOS app can’t use an app group as a keychain access group.
The first two depend on the App ID prefix. If that changes, you lose access to any keychain items in those groups.
WARNING Think carefully before using the keychain to store secrets that are the only way to access irreplaceable user data. While the keychain is very reliable, there are situations where a keychain item can be lost and it’s bad if it takes the user’s data with it.
In some cases losing access to keychain items is not a big deal. For example, if your app uses the keychain to manage a single login credential, losing that is likely to be acceptable. The user can recover by logging in again.
In other cases losing access to keychain items is unacceptable. For example, your app might manage access to dozens of different servers, each with unique login credentials. Your users will be grumpy if you require them to log in to all those servers again.
In such situations you must carefully plan your migration. The key element here is the third item in the list above, the com.apple.security.application-groups entitlement. An app group is tied to your team, and so your app retains access to the corresponding keychain access group across an App ID change. This suggests the following approach:
1. Release a version of your app that moves keychain items from other keychain access groups to a keychain access group corresponding to an app group.
2. Give your users time to update to this new version, run it, and so move their keychain items.
3. When you’re confident that the bulk of your users have done this, change your App ID prefix.
Be wary of the following caveats:
- This approach won’t work on macOS because macOS apps can’t use an app group as a keychain access group.
- It’s hard to judge how long to wait at step 2.
Transfer Your App to Another Team
There is no supported way to maintain access to keychain items across an app transfer. This makes it critical that you plan the transfer carefully.
Note The approach described in the previous section doesn’t work in this case because app groups are tied to a team.
There are three potential approaches here:
- Do nothing
- Do not transfer your app
- Get creative
Do Nothing
In this case the user loses all the secrets that your app stored in the keychain. This may be acceptable for certain apps. For example, if your app uses the keychain to manage a single login credential, losing that is likely to be acceptable. The user can recover by logging in again.
Do Not Transfer
Another option is to not transfer your app. Instead, ship a new version of the app from the new team and have the old app recommend that the user upgrade.
There are a number of advantages to this approach. The first is that there’s absolutely no risk of losing any user data. The two apps are completely independent.
The second advantage is that the user can install both apps on their device at the same time. This opens up a variety of potential migration paths. For example, you might ship an update to the old app with an export feature that saves the user’s state, including their secrets, to a suitably encrypted file, and then match that with an import facility on the new app.
Finally, this approach offers flexible timing. The user can complete their migration at their leisure.
However, there are a bunch of clouds to go with these silver linings:
- Your users might never migrate to the new app.
- If this is a paid app, or an app with in-app purchase, the user will have to buy things again.
- You lose the original app’s history, ratings, reviews, and so on.
Get Creative
Finally, you could attempt something creative. For example, you might:
1. Publish a new version of the app that supports exporting the user’s state, including the secrets.
2. Tell your users to do this, with a deadline.
3. Transfer the app and then, when the deadline expires, publish the new version with an import feature.
Frankly, this isn’t very practical. The problem is with step 2: There’s no good way to get all your users to do the export, and if they don’t do it before the deadline there’s no way to do it after.
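As an added example (not part of the original post, and not Apple's code), here is one way step 1 of the approach in "Migrate From a Unique App ID Prefix to Your Team ID" could be implemented on iOS: it moves generic-password items from a prefix-dependent keychain access group to an app-group access group. The function name, the result type and both group identifiers are hypothetical placeholders, and other item classes (internet passwords, keys, certificates) would need the same loop.

```swift
import Foundation
import Security

// Hypothetical placeholders: substitute the values from your own entitlements.
let oldAccessGroup = "OLDPREFIX.com.example.app"   // <old App ID prefix>.<bundle ID>
let appGroupAccessGroup = "group.com.example.app"  // app group ID, which survives the prefix change

struct MigrationResult {
    var moved = 0
    var alreadyPresent = 0      // destination already holds an item with the same key
    var failures: [OSStatus] = []
}

/// Moves every generic-password item from `source` to `destination`.
/// The running app must be entitled to both access groups.
func migrateGenericPasswords(from source: String, to destination: String) -> MigrationResult {
    var result = MigrationResult()

    // List the attributes of all items in the old group; secret data is not requested.
    let listQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccessGroup as String: source,
        kSecAttrSynchronizable as String: kSecAttrSynchronizableAny,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true,
    ]
    var found: CFTypeRef?
    let status = SecItemCopyMatching(listQuery as CFDictionary, &found)
    if status == errSecItemNotFound { return result }   // nothing left to migrate
    guard status == errSecSuccess, let items = found as? [[String: Any]] else {
        // errSecInteractionNotAllowed here usually means the device is locked: retry later.
        result.failures.append(status)
        return result
    }

    for item in items {
        // Identify one item by service and account within the old group.
        var itemQuery: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrAccessGroup as String: source,
            kSecAttrSynchronizable as String: kSecAttrSynchronizableAny,
        ]
        if let service = item[kSecAttrService as String] {
            itemQuery[kSecAttrService as String] = service
        }
        if let account = item[kSecAttrAccount as String] {
            itemQuery[kSecAttrAccount as String] = account
        }

        // Changing kSecAttrAccessGroup moves the item; its data and other attributes are kept.
        let update: [String: Any] = [kSecAttrAccessGroup as String: destination]
        let updateStatus = SecItemUpdate(itemQuery as CFDictionary, update as CFDictionary)
        switch updateStatus {
        case errSecSuccess:
            result.moved += 1
        case errSecDuplicateItem:
            // An earlier run, or another app in the group, already stored this item.
            result.alreadyPresent += 1
        default:
            result.failures.append(updateStatus)
        }
    }
    return result
}

// Run on every launch until the old group is empty; record `failures` in your telemetry.
let outcome = migrateGenericPasswords(from: oldAccessGroup, to: appGroupAccessGroup)
print("moved \(outcome.moved), already present \(outcome.alreadyPresent), failed \(outcome.failures.count)")
```

Reporting the per-launch counts to your own analytics gives some evidence for how long to wait at step 2 before changing the App ID prefix.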
App ID
An App ID is a two-part string used to identify one or more apps from a single development team.
Posts under App ID tag
20 Posts
We are unable to add/remove Merchant IDs in App IDs identifier profile, after pressing "Edit" button on "Apple Pay Payment Processing" section, then choosing desired Merchant ID to check/uncheck from the available Merchant IDs, then pressing Continue/Save/Confirm buttons - nothing happens, the "Save" button text briefly changes to "Processing" and then back To "Save" and we still have previously enabled Merchant IDs and the Save button is still in enabled state, any help?
Trying to deploy the LotBot app to my physical device, rtd2, which is listed as a device in the App Developer Portal. When I create a provision file it is always for W246SX52AS, as seen in the developer portal, but from Xcode I am showing an app id of "Apple Development: Richard Dukes (86537MF8N2)".
Message:
I am unable to create a "Apple Development: Richard Dukes (W246SX52AS)" so I may deploy to the device and the App Store. I have signed out and back in to Xcode with my account but when creating the profile it is always the 86537MF8N2.
95E07D345D31D45E4589FA7EA6FDF161E079C100 "Apple Distribution: Richard Dukes (W246SX52AS)"
5AC76CE9331F80AE953C4C76FC21DE5C2416293E "Apple Development: Richard Dukes (86537MF8N2)"
How can I get Xcode to use W246SX52AS?
I have these help tickets open as well.
case ID is 102678952862
case ID is 102678950460
I have been fighting this for a while.
Please help me figure out how to get this resolved.
Topic: Code Signing
SubTopic: Certificates, Identifiers & Profiles
Tags: App Store, iPhone, App ID, Bundle ID
Hi AppStore Connect Team,
We have an application that we were distributing to macOS and iOS via the same Bundle ID and App ID.
The macOS platform is no longer maintained and we would like to remove it from the store. At the same time iOS is still being worked on, receiving regular updates.
Is there a way to remove a platform for an app in App Store Connect?
Thanks
Topic: App Store Distribution & Marketing
SubTopic: App Store Connect
Tags: App Store, App ID, App Store Connect
My app com.boatrouting (official app id in app store) cannot be updated anymore, since I got the message "Failed Registering Bundle Identifier
The app identifier "com.boatrouting" cannot be registered to your development team because it is not available. Change your bundle identifier to a unique string to try again." when trying to sign it automatically via Xcode.
com.boatrouting is the official bundle id for my app in app store and already distributed for years now. Updates worked fine for years but now I got this message.
I cannot add an app id under Certificates, Identifiers & Profiles with the same name because another service has com.boatrouting as its identifier and I cannot delete the service's identifier since the app com.boatrouting is present on the app store (dead locked).
I contacted the Apple developer support but they cannot do anything about it since they see the problem on my site.
Is there any chance I can get an app update to the App Store? Thank you in advance.
I setup an App that I have been testing on my macOS and iOS in Xcode. Then I realized I have 6 more apps I need to start working on. I have plans to become a developer in the Apple program but I want to get further in my coding to move forward.
Apparently the UI Tests in my 6 Apps and those Apps took 10 App ID limits from my account.
I have App
I have App UI Test
and then and again up to a total of 5 of those 6 apps.
My main app is now locked out of development?
I wasn't planning on working on the other apps until I got my big first app developed.
What can I do?! I am stuck. I can't work on my main app, nor can I work on the other apps. I'm not ready to at all.
There is no plus button

Our app ID is 708064914; When we transferred an app with Sign in with Apple function, and request the REST API to get transfer_sub, approximately 25% of the requests return error responses such as: {"error":"invalid_request","error_description":"User not found."} 001307.dba0ea2b147f45aa9e85de2abfb4c072.2047 received the first error;
We want to understand under what circumstances these errors occur. Since we have already transferred once before, this is the second transfer. The "User not found" error might be related to IDs from the original team. Is that right?
Topic: App Store Distribution & Marketing
SubTopic: App Store Connect API
Tags: App ID, App Store Connect, Sign in with Apple REST API
Two months ago we got approval for using the Notification Filtering entitlement. We rushed out to implement it in our app, only to find out that the permission was set for the wrong bundle identifier.
We expected to get the permission for the notification extension's bundle identifier, yet it is added for the main app's bundle identifier.
Per the official docs, the entitlement permission should be in the notification service extension target:
After you receive permission to use the entitlement, add com.apple.developer.usernotifications.filtering to the entitlements file in the Notification Service Extension target.
However, this fails to get signed when compiling for non-simulator targets because of the bundle mismatch issue. Simulator perfectly filters notifications.
Adding the entitlement to the main app does compile, but filtering does not work (as expected).
We reached out to Apple twice (Case-ID: 14330583) but we have yet to receive any response.
Could there be something else wrong instead of the identifier mismatch?
Topic: Code Signing
SubTopic: Entitlements
Tags: Entitlements, Code Signing, App ID, User Notifications
I have downloaded the ShinyTV example to test simplified sign-in on tvOS since it is not working in my own app, and I am having the same issue there.
After assigning my team to the sample app, the bundle ID updates with my team id. I copy the bundle ID into a file entitled "apple-app-site-association" with this format:
    {
      "webcredentials": {
        "apps": [ "{MyTeamID}.com.example.apple-samplecode.ShinyTV{MyTeamID}" ]
      }
    }
I upload the file to my personal site, ensuring that the content type is application/json. I adjust the Associated Domain entitlement to:
webcredentials:*.{personal-site.com}?mode=developer
using the alternate mode to force it to load from my site, not the CDN.
When I run the build on tvOS, and click the Sign In button, it fails with these errors:
Failed to start session: Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 "Failed to prepare authorization requests" UserInfo={NSMultipleUnderlyingErrorsKey=(
"Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 \"Missing associated web credentials domains\" UserInfo={NSLocalizedDescription=Missing associated web credentials domains}"
), NSLocalizedDescription=Failed to prepare authorization requests}
Session failed: Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 "Failed to prepare authorization requests" UserInfo={NSMultipleUnderlyingErrorsKey=(
"Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 \"Missing associated web credentials domains\" UserInfo={NSLocalizedDescription=Missing associated web credentials domains}"
), NSLocalizedDescription=Failed to prepare authorization requests}
ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)" UserInfo={NSMultipleUnderlyingErrorsKey=(
"Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 \"(null)\""
)}
Failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Failed to prepare authorization requests" UserInfo={NSMultipleUnderlyingErrorsKey=(
"Error Domain=com.apple.CompanionServices.CPSErrorDomain Code=205 \"Missing associated web credentials domains\" UserInfo={NSLocalizedDescription=Missing associated web credentials domains}"
), NSLocalizedDescription=Failed to prepare authorization requests}
What am I missing here?
I have been trying to add improved tvOS login using an Associated Domain and web credentials. In some places, I am seeing that the format is <TEAM_ID>.<BUNDLE_ID>, and in other places I am seeing <APP_ID>.<BUNDLE_ID>. I am having trouble getting both to work, but in order to properly troubleshoot, I want to make sure that I am using the correct identifier. Can someone give me a definitive answer? The documentation says app id, but I have seen Apple engineers in this forum say team id, and many other posts around the internet also saying team id.
Hello, I am at wits' end with the Apple Sign-in API. I have tested in stage and it works beautifully, but when I push to production it gives me the error "invalid_client".
I'm confident the setup is correct, when I asked Apple for help over the phone, they sent me a few forums with no answers.
Has anyone had the same issue? How did you resolve?
Could it be because I have two app IDs and two service IDs? (prod + stage)
Help!
Topic: Privacy & Security
SubTopic: Sign in with Apple
Tags: Mobile Core Services, App ID, Sign in with Apple REST API
I'm currently unable to create new identifiers in the Apple Developer portal at this URL:
https://developer.apple.com/account/resources/identifiers/list
The “+” button that should appear to create a new identifier is missing entirely from the page.
What’s odd is that another team member (with the same access level and role under the same team) can see and use the button without any issues. So this doesn't appear to be a permissions-related problem.
I’ve already tried:
- Logging out and back in
- Clearing browser cache
- Using different browsers (Safari, Chrome)
- Using Incognito/Private mode
Still no luck.
Has anyone encountered this before or knows how to resolve it?
Thanks in advance.
Hello,
In our Account we have an iOS app with an explicit identifier "ABC123.com.some.app" that is using non-team prefix which is DEF456. It has also explicit identifiers for Widgets bundle and Notification Service.
Due to non-team prefix, it can't access e.g. shared keychain and data put there by our other apps. Since we are working on features that require these capabilities, we would like to update the app identifier, so it is prefixed with our team id DEF456.
Initially, we thought that the process would require steps like:
- Create new app, team-prefixed identifier(s) for app and all things that need them
- Recreate the provisioning profiles with new App Identifier
- Roll out the app with the new profiles via App Store
but when trying to create the new identifier with com.some.app and team id prefix DEF456 we are getting following error:
An App ID with Identifier com.some.app is not available. Please enter a different string.
Can anybody advise us how to correctly perform such change and what steps are required from our end?
We would like to keep our existing App Store entry, ratings and smoothly switch users. We are aware that this kind of migration results in loss of Keychain access.
Thanks for any advice on that!
Hi, I am currently working on an App Transfer from Company A to Company B but can't find any documentation about what happens to existing Siri Shortcuts working via App Extension intents.
I have separated the rest of the post in 2 sections: one what summarizes my current understanding and the other with some questions and hypotheses. It would be great to have either someone from Apple to answer that, or someone else share their experience and possibly some documentation that I might have missed.
To my understanding, when a new Shortcut is created, it stores the BundleID of the App and of the App Extension to find the application that will execute it afterwards. If I uninstall the App, I can see a message in the Shortcut app that says "This action requires APPNAME but it may not be installed", but I know that after transferring the app the BundleID doesn't change completely, only the team part does. However, it is not possible to test that as this change cannot be done in Xcode as far as I know.
Another part that seems to play a role here is the info.plist file, but in my situation, there are no entries related to the BundleID.
All that being said, I am wondering:
Is it possible to perform an app transfer and keep previously created shortcuts working?
Is it possible to test this kind of thing without having to perform a transfer? I haven't found a way to change the team part of the Bundle ID.
Is there a place in the documentation that takes care of those things in depth?
Topic: App Store Distribution & Marketing
SubTopic: App Store Connect
Tags: App ID, Bundle ID, SiriKit, App Intents
We've recently transferred one of our existing Production apps to a new centralized store in Apple, and the Bundle ID has changed. What's the customer experience for those with the old app? Are they able to upgrade in place, are they notified there's a new build, or do they need to first delete the old app and then search and download the new one?
Good morning,
recently we had our application migrated to a new account due to company changes. In the old account we were able to notarize and publish the application, using notarytool and altool, both as an external installer dmg and on the App Store.
The migration was successful and after signing up for a paid developer program, creating the new certificates and the new application password, we are now able to successfully sign and notarize the application for distributing the dmg package as an external installer.
However we have an issue with the altool used to publish the application on the App Store. It seems a credentials rejection.
This is unfortunately preventing us from delivering updated versions of our software to our clients.
Here are the logs for the two commands
The USERNAME, TEAM_ID and APPLICATION_PASS are obviously placeholders by me to not show them in the following requests, and are originally the same in both commands
This is the notarytool command -> SUCCESS
xcrun notarytool history --apple-id "USERNAME" --team-id "TEAM_ID" --password "APPLICATION_PASS"
Successfully received submission history.
createdDate: 2025-01-21T12:24:28.472Z
id: 94e5e0ba-9529-4c38-b36f-1e0369b745ab
name: installer.app.zip
status: Accepted
Topic: App Store Distribution & Marketing
SubTopic: App Store Connect
Tags: Developer Tools, App ID, Notarization
We have a DriverKit entitlement for our USB driver. We now wish to use this same driver with a variant of our existing application. Of course this application has its own separate App ID and will be published in the App Store alongside our existing application.
Will we need to go back to the well and ask Apple for another entitlement?
Is it possible to provide new updates for the existing users while not having any more new users download our app by removing the app from sale?
Topic: App Store Distribution & Marketing
SubTopic: App Store Connect
Tags: App Store, iOS, iPhone, App ID
Hi,
after 2 years of not updating my app on the App Store I wanted to submit an update for my iOS app, which also contains a watch app target.
When I try to upload it I get the following errors:
Failed registering bundle identifier
The app identifier "(myappBundleID).watchkitapp" cannot be registered to your development team because it is not available. Change your bundle identifier to a unique string to try again.
No Profiles for "(myappBundleID).watchkitapp" were found.
Xcode couldn't find any iOS App Store provisioning profiles matching "(myappBundleID).watchkitapp"
Since I already have my app in the store with that bundle identifier, I don't know why it cannot be registered to my team. Also, I don't want to change the bundle identifier because then I cannot publish it as an update to the store.
I removed my application from the App Store 4 days back, and now I am trying to delete the app ID that is associated with it, but I am getting the error below:
"your app ID "xyz" appears to be in use by the app store, so it can not be removed at this time"
how can I resolve this and delete app ID successfully?