I’m building a macOS app with a DNS Proxy system extension for Developer ID + notarization, deployed via MDM, and Xcode fails the Developer ID Release build with a provisioning profile mismatch for com.apple.developer.networking.networkextension.
Environment
- macOS: Sequoia (15.7.2)
- Xcode: 26.2
- Distribution: Developer ID + notarization, deployed via MDM
- Host bundle ID: com.mydns.agent.MyDNSMacProxy
DNS Proxy system extension bundle ID: com.mydns.agent.MyDNSMacProxy.dnsProxy
Host entitlements (Release):
File: MyDNSMacProxy/MyDNSMacProxyRelease.entitlements:
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>B234657989.com.mydns.agent.MyDNSMacProxy</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>dns-proxy</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>B234657989</string>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.mydns.MyDNSmac</string>
</array>
<key>keychain-access-groups</key>
<array>
<string>B234657989.*</string>
</array>
</dict>
</plist>
xcodebuild -showBuildSettings -scheme MyDNSMacProxy -configuration Release :
PROVISIONING_PROFILE_SPECIFIER = main MyDNSMacProxy5
CODE_SIGN_IDENTITY = Developer ID Application
Host Developer ID profile
main_MyDNSMacProxy5.provisionprofile (via security cms -D):
"Entitlements" => {
"com.apple.application-identifier" => "B234657989.com.mydns.agent.MyDNSMacProxy"
"com.apple.developer.team-identifier" => "B234657989"
"com.apple.security.application-groups" => [ "group.com.mydns.MyDNSmac", ..., "B234657989.*" ]
"keychain-access-groups" => [ "B234657989.*" ]
"com.apple.developer.system-extension.install" => 1
"com.apple.developer.networking.networkextension" => [
"packet-tunnel-provider-systemextension",
"app-proxy-provider-systemextension",
"content-filter-provider-systemextension",
"dns-proxy-systemextension",
"dns-settings",
"relay",
"url-filter-provider",
"hotspot-provider"
]
}
So:
- App ID, team ID, keychain and system‑extension.install match.
- The profile’s
com.apple.developer.networking.networkextensionis a superset of what I request in the host entitlements (dns-proxyonly).
System extension (for context) DNS Proxy system extension target:
NSExtensionPointIdentifier = com.apple.dns-proxyNetworkExtension→NEProviderClasses→com.apple.networkextension.dns-proxy→ my provider class- Entitlements:
com.apple.developer.networking.networkextension = ["dns-proxy-systemextension"]
This target uses a separate Developer ID profile and builds successfully.
Xcode error Release build of the host fails with:
…MyDNSMacProxy.xcodeproj: error: Provisioning profile "main MyDNSMacProxy5" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. (in target 'MyDNSMacProxy' from project 'MyDNSMacProxy')
Xcode UI also says:
Entitlements: 6 Included, 1 Missing Includes com.apple.developer.team-identifier, com.apple.application-identifier, keychain-access-groups, com.apple.developer.system-extension.install, and com.apple.security.application-groups. Doesn’t match entitlements file value for com.apple.developer.networking.networkextension.
Because of this, the app bundle isn’t produced and I can’t inspect the final signed entitlements.
Questions:
- For
com.apple.developer.networking.networkextension, should Xcode accept a subset of values in the entitlements (here justdns-proxy) as long as that value is allowed by the Developer ID profile, or does it currently require a stricter match? - Is the following configuration valid for Developer ID + MDM with a DNS Proxy system extension:
- Host entitlements:
["dns-proxy"] - System extension entitlements:
["dns-proxy-systemextension"] - Host profile’s NE array includes the DNS Proxy system extension types.
- If this is a known limitation or bug in how Xcode validates NE entitlements for Developer ID, is there a recommended workaround?
Thanks for any guidance.