We are implementing an exam mode feature for an educational app used in schools, which restricts device usage during assessments.
We requested the Automatic Assessment Configuration capability, received approval from Apple, and confirmed that the capability is listed as Assigned under our App ID in the Apple Developer portal.
What works:
When using a Development Provisioning Profile (downloaded from the portal), the entitlement key com.apple.developer.automatic-assessment-configuration is included in the profile, and our exam lock feature works correctly in development testing.
The problem:
When we manually download a Distribution (InHouse/Enterprise) Provisioning Profile from the portal — even after creating a new one — the entitlement key com.apple.developer.automatic-assessment-configuration is not present in the profile.
verified this by running:
security cms -D -i YourProfile.mobileprovision The key appears in the Development PP but is absent in the manually downloaded Distribution PP, despite the App ID showing the capability as Assigned.
Note:
When using Xcode's automatic signing, the generated profile does include the entitlement correctly. However, due to our organization's internal security policy, we are required to use manually managed provisioning profiles and cannot use Xcode automatic signing for distribution builds.
Questions:
Is the com.apple.developer.automatic-assessment-configuration entitlement intentionally restricted to Development profiles only, or is this a known portal issue with managed capabilities not being embedded in manually created Distribution profiles?
Is it technically supported and intended to use AEAssessmentSession in an InHouse (Enterprise) distribution environment?
If InHouse is not supported, is the correct path to test internally via Development profiles and then submit through App Store distribution to include this entitlement in production?
Any guidance on the correct technical direction would be greatly appreciated.
So, the behaviour you’re seeing is expected. This capability is restricted to specific distribution models. To confirm that, follow the instructions in Finding a Capability’s Distribution Restrictions.
As to what you should do about that, it kinda depends on how your product is deployed. You wrote:
We are implementing an exam mode feature for an educational app used in schools
In-House (Enterprise) distribution is intended to be used for apps deployed within your enterprise. Presumably these schools are separate organisations, which means you must use some other distribution mechanism to distribute your app to them. What is that mechanism? The App Store?
If so, the standard path forward here is to use your Organization team for both development and distribution. I see a lot of folks use In-House (Enterprise) for internal testing, and that’s not something I recommend [1]. Rather:
- Use Apple Development code signing for day-to-day debugging.
- Use Apple Distribution code signing for App Store builds.
- Use TestFlight for internal testing.
- And for public beta testing.
- If necessary, use Ad Hoc distribution for internal testing. But, honestly, TestFlight is better (-:
And you do all of this from your Organization team.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] In addition to problems like this, you have to use a different App ID because each App ID is assigned to one specific team. That complicates your build process, and it also means that your internal testing doesn’t test the app as you end up distributing it to your customers.