Should Enhanced Security entitlements use string values or Boolean true for Mac App Store submission?

Question

Created 16h

Replies 3

Boosts 0

Participants 1

Hi,

I’m hoping someone can help clarify the correct entitlement format for the Enhanced Security capability in a macOS App Store build.

Context

Our app is a sandboxed macOS app built with Xcode 26.4. We enabled the Enhanced Security capability in Signing & Capabilities, and we configured the entitlements based on the current documentation.

What’s confusing me

The Xcode 26.4 release notes say apps that already adopted Enhanced Security should remove:

com.apple.security.hardened-process.enhanced-security-version
com.apple.security.hardened-process.platform-restrictions

and replace them with:

com.apple.security.hardened-process.enhanced-security-version-string with value 1
com.apple.security.hardened-process.platform-restrictions-string with value 2

Reference: https://developer.apple.com/documentation/xcode-release-notes/xcode-26_4-release-notes

The entitlement reference pages also seem consistent with that:

So our app currently uses the new -string entitlements with values "1" and "2".

Our App Review rejection said:

The app incorrectly implements sandboxing, or it contains one or more entitlements with invalid values.

Entitlement "com.apple.security.hardened-process.enhanced-security-version-string" value must be boolean and true.

Entitlement "com.apple.security.hardened-process.platform-restrictions-string" value must be boolean and true.

That’s the part I can’t reconcile with the documentation.

Questions

For a Mac App Store submission built with Xcode 26.4, should these two entitlements use the new string-based form, or Boolean true?
If the expected format has changed, is there any updated guidance beyond the Xcode 26.4 release notes and current entitlement reference?

If Apple staff or anyone familiar with this can clarify what format is currently expected, I’d really appreciate it.

Thanks.

Boost

Answer 1

kangchen OP

15h

For reference, I’m attaching screenshots of:

the App Review message that says these entitlements must be boolean and true, and
the Xcode 26.4 release note section that says to use the new -string variants with values 1 and 2.

These are the two pieces of guidance I’m trying to reconcile. Screenshot 2026-04-02 at 9.44.44 PM.png

Screenshot 2026-04-02 at 9.44.40 PM.png

0

Answer 2

kangchen OP

15h

A quick update from my side:

After receiving the App Review guidance, I tried changing both of these entitlements from the documented string values to Boolean true:

com.apple.security.hardened-process.enhanced-security-version-string
com.apple.security.hardened-process.platform-restrictions-string

In local testing, that change caused the app to fail to launch on both macOS and iOS.

I then changed them back to the documented string values ("1" and "2"), and the app immediately launched normally again.

So at least in my current Xcode 26.4 / OS 26.4 environment, the Boolean form appears to break launch, while the string-based form works normally.

0

Answer 3

kangchen OP

15h

A quick update from my side:

After receiving the App Review guidance, I tried changing both of these entitlements from the documented string values to Boolean true:

com.apple.security.hardened-process.enhanced-security-version-string
com.apple.security.hardened-process.platform-restrictions-string

In local testing, that change caused the app to fail to launch on both macOS and iOS.

I then changed them back to the documented string values ("1" and "2"), and the app immediately launched normally again.

I also created a brand-new Xcode 26.4 project and enabled the Enhanced Security capability there. Xcode generated these two entitlements as String values (1 and 2) by default in the new project as well.

So at least in my current Xcode 26.4 / OS 26.4 environment, the string-based form appears to be both the Xcode default and the only form that launches normally in testing.

0