I've searched these terms all over the place and have found only a confusing mishmash of things that were probably true years ago but no longer seem to reflect today's reality so I'm posting it here to hopefully add a definitive 2026 answer to these search results for myself and others. The existence of the DNS Proxy Network Extension protocol in 10.15 has given me an idea. I would like to test this idea to see if it is worth developing further or a complete waste of time. This test does not need to run on any device anywhere in the world other than the one in front of me so I would prefer not to spend $100 just to see if I can make a small code fragment do a silly trick. XCode sadly refuses to build my Network Extension target when I only have a "Personal Team" to sign with: Personal development teams, including "XXXX XXXX", do not support the Network Extensions capability. Can this be done or is Apple just 100% pay-to-play nowadays? I have zero problems disabling SIPS or any other consumer grade protections if that will actually achieve my goal but I've read enough comments from people saying it didn't work that I haven't bothered trying. Thanks for reading. OS: 15.7.5 (24G624) XCode Version 26.3 (17C529)

I submitted a Family Controls Distribution entitlement request on April 21, 2026 for my app Dopfast. I also resubmitted on April 29, 2026. I received the confirmation page both times but have not received any approval, rejection, or status update. I contacted Developer Support (Case #102879238806) and was told the request is handled by another team and they cannot check the status. Details: Team ID: HSJ6KB4WEZ App: Dopfast (digital wellbeing / screen time management) Bundle ID: com.dopfast Purpose: #2 — individual device management for focus and productivity (personal screen time tracking and app blocking) This entitlement is the only remaining blocker for our App Store submission. The app is fully built and ready to ship. Has anyone experienced similar delays recently? Is there a recommended way to expedite this request?

A signed DriverKit extension fails OSSystemExtensionRequest activation on macOS 26.4.1. The user-facing error is OSSystemExtensionErrorDomain code 4 ("Extension not found in App bundle") — but the dext is in the bundle, the identifier matches, and sysextd confirms it received the request: sysextd: [com.apple.sx:XPC] client activation request for com.arqitekta.bluefield.rshim.driver sysextd: attempting to realize extension with identifier com.arqitekta.bluefield.rshim.driver …and then nothing further. systemextensionsctl list reports 0 extensions. Question: Which log subsystem/category surfaces the kernel-side reason that sysextd aborts after "attempting to realize"? com.apple.sx only shows the request was accepted; whatever vetoes the realize step isn't in that subsystem (or isn't at info/debug level). Is there a separate predicate for the kernelmanagerd / dext-loading path I should be capturing? Environment: macOS 26.4.1 (25E253), Apple Silicon Mac Studio Xcode 26.2 (17C52), DriverKit SDK 25.2 SIP disabled, systemextensionsctl developer on Apple Developer Program, signed "Apple Development: …" DriverKit entitlement request 264CFJJU36 approved; profile includes com.apple.developer.driverkit, allow-any-userclient-access, transport.pci Already verified: Dext at Contents/Library/SystemExtensions/RshimDriver.dext CFBundleIdentifier matches the request, CFBundlePackageType=DEXT codesign --verify --deep --strict passes on app + dext embedded.provisionprofile parses, contains the expected entitlements Three IOKitPersonalities (BF2 / BF2-alt / BF3) using Apple's placeholder IOPCIPrimaryMatch Installer app entitled with com.apple.developer.system-extension.install only spctl -a -vv on the dext reports "rejected" — expected for development signing, should be bypassed under developer mode Minimal repro: https://github.com/jfabienke/bluefield-macos-toolkit/tree/dev-stub-entitlements/rshim-dext — build.sh produces the failing app dext. Captured artefacts (build output, embedded profile dump, signing report, repro shell script) under rshim-dext/dts-artifacts/. Looking for either (a) the right log show predicate to find the actual refusal reason, or (b) an environmental requirement on macOS 26 I'm missing.

Hi, I have an approved com.apple.developer.family-controls entitlement for my main app bundle (com.maxflame.prove-it) and submitted a request on April 18, 2026 to extend it to an embedded extension: com.maxflame.prove-it.DeviceActivityMonitorExtension Request ID: 65CKJZ7DQ4 — status still shows "Submitted" with no further response. The extension uses DeviceActivity callbacks and needs to decode FamilyActivitySelection, which requires the entitlement on the extension bundle as well. In my experience, Family Controls entitlement approvals for the main app bundle have come through within 24 hours. It's now been 5 days with no response for this extension request, which seems unusual. Has anyone else gone through this for extension bundle IDs? Did you need to submit a separate request per bundle, or did Apple extend the approval to your extensions automatically once the main app was approved? And has anyone else experienced longer wait times specifically for extension bundles? Any guidance appreciated.

Hi, I have an approved com.apple.developer.family-controls entitlement for my main app bundle (com.maxflame.prove-it) and submitted a request on April 18, 2026 to extend it to an embedded extension: com.maxflame.prove-it.DeviceActivityMonitorExtension Request ID: 65CKJZ7DQ4 — status still shows "Submitted" with no further response. The extension uses DeviceActivity callbacks and needs to decode FamilyActivitySelection, which requires the entitlement on the extension bundle as well. In my experience, Family Controls entitlement approvals for the main app bundle have come through within 24 hours. It's now been 5 days with no response for this extension request, which seems unusual. Has anyone else gone through this for extension bundle IDs? Did you need to submit a separate request per bundle, or did Apple extend the approval to your extensions automatically once the main app was approved? And has anyone else experienced longer wait times specifically for extension bundles? Any guidance appreciated.

Hi all, and particularly @Eskimo if you spot this — I believe I'm reproducing the backend issuance bug reported in thread 816377 (https://developer.apple.com/forums/thread/816377) on a different Team ID and would like a second pair of eyes before I burn a TSI. Feedback Assistant filed as FB22582333. Team ID: MCN4U9B2K4 · Bundle ID: com.michaeltocco.Sanbox · Xcode 17 · iOS 18.5 · Automatic signing Setup App ID com.michaeltocco.Sanbox has ShazamKit ticked in App Services; persists through portal reloads. Local entitlements file declares com.apple.developer.shazamkit = YES only (no MusicKit client entitlement, per DTS guidance in thread 799000: https://developer.apple.com/forums/thread/799000). CODE_SIGN_ENTITLEMENTS set in both Debug and Release XCBuildConfiguration buildSettings. NSMicrophoneUsageDescription and NSAppleMusicUsageDescription are both present in the generated Info.plist. What Xcode reports After wiping DerivedData and any Sanbox-matching profiles and running xcodebuild … -allowProvisioningUpdates -destination 'generic/platform=iOS': error: Entitlement com.apple.developer.shazamkit not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file. (in target 'Sanbox' from project 'Sanbox') What I verified on the profile Apple just issued $ security cms -D -i 0596f302-….mobileprovision | plutil -extract Entitlements xml1 -o - - shows only the baseline four entitlements — application-identifier, keychain-access-groups, get-task-allow, com.apple.developer.team-identifier. com.apple.developer.shazamkit is absent, which is exactly what thread 816377 describes. What I've already tried Deleted and recreated the App ID from scratch — same symptom. Performed the capability-toggle trick (uncheck ShazamKit → Save → wait 60s → re-check → Save → delete local profiles → rebuild) documented in the "Capability & entitlement updates" help page (https://developer.apple.com/help/account/reference/capability-entitlement-updates/) for the Game Center precedent — same symptom. Confirmed I am building for device, not Simulator. Confirmed the entitlement key name matches DTS guidance in thread 799000 and the live profile dumps in thread 816377. Runtime confirmation When I force a build with only the team wildcard profile, SHManagedSession().result() returns com.apple.ShazamKit Code=202 "Missing entitlements", wrapping an AMS 306 wrapping HTTP 401 from api.shazam.apple.com/v1/catalog/US/match. AMS server correlation key: E5VYL5YSUT4L55KQDDP4MJQAZE. So the server side is consistent: the token the client presents lacks ShazamKit scope because the binary doesn't carry the entitlement, and the binary doesn't carry it because Apple isn't issuing it into the profile. Question Is there a configuration step beyond "tick ShazamKit in App Services" that I've missed for Individual-program accounts, or is this the same backend issuance pathology as thread 816377? Happy to share the security cms output, the decoded plist, the build log, or anything else useful. Thanks.

Hi, I’m hoping someone can help clarify the correct entitlement format for the Enhanced Security capability in a macOS App Store build. Context Our app is a sandboxed macOS app built with Xcode 26.4. We enabled the Enhanced Security capability in Signing & Capabilities, and we configured the entitlements based on the current documentation. What’s confusing me The Xcode 26.4 release notes say apps that already adopted Enhanced Security should remove: com.apple.security.hardened-process.enhanced-security-version com.apple.security.hardened-process.platform-restrictions and replace them with: com.apple.security.hardened-process.enhanced-security-version-string with value 1 com.apple.security.hardened-process.platform-restrictions-string with value 2 Reference: https://developer.apple.com/documentation/xcode-release-notes/xcode-26_4-release-notes The entitlement reference pages also seem consistent with that: https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.security.hardened-process.enhanced-security-version-string https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.security.hardened-process.platform-restrictions-string So our app currently uses the new -string entitlements with values "1" and "2". Our App Review rejection said: The app incorrectly implements sandboxing, or it contains one or more entitlements with invalid values. Entitlement "com.apple.security.hardened-process.enhanced-security-version-string" value must be boolean and true. Entitlement "com.apple.security.hardened-process.platform-restrictions-string" value must be boolean and true. That’s the part I can’t reconcile with the documentation. Questions For a Mac App Store submission built with Xcode 26.4, should these two entitlements use the new string-based form, or Boolean true? If the expected format has changed, is there any updated guidance beyond the Xcode 26.4 release notes and current entitlement reference? If Apple staff or anyone familiar with this can clarify what format is currently expected, I’d really appreciate it. Thanks.

We have an app with the default email entitlement that was granted several years ago. During our latest deployment, we received an error from our pipeline. When testing a manual submission in Xcode, we saw this error: Entitlement com.apple.developer.mail-client not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file. We checked the provisioning profile, and the default email entitlement is still present. It is visible on the certificate portal and also in the embedded.mobileprovision file. Can you suggest what we can do to release a new version of our app?

I have an existing app in App Store Connect. I added the SharedWithYou functionality to the app code and tested it on several devices. Everything is working as expected. One of the first steps was to add the com.apple.developer.shared-with-you entitlement to the Entitlements.plist file. This required a round of updates for app identifiers and provisioning profiles. When I upload the production build for testing in TestFlight I receive the following error: 90919: Invalid entitlement. The “” bundle has the com.apple.developer.shared-with-you entitlement, but it doesn’t use the Shared with You framework. Please remove the entitlement and upload a new build. I'm using SWHighlight, SWHighlightCenter, and SWAttributionView in several places throughout my app... I filed an issue in the Feedback Assistant but so far, have not received any response.

Hi Apple Developer Support, We are reaching out to request guidance on a testing constraint we have encountered related to iOS Universal Links and Associated Domains entitlements. As part of aligning with updated recommendations from our authentication provider, we have transitioned our mobile apps to use HTTPS redirect callbacks (Universal Links) instead of custom URI schemes. This works as expected in production and on real physical devices. However, we are encountering a significant issue in our cloud-based device testing environment. When our testing platform re-signs the app to run it on their infrastructure, the re-signing process strips the Associated Domains entitlement from the app bundle. As a result, iOS no longer honors our Universal Links, which breaks the authentication redirect flow — the callback cannot route back into the app after the user authenticates. We have identified a potential workaround that would involve disabling app re-signing in the testing platform, but this requires provisioning under an Apple Enterprise Developer account. This introduces considerable operational complexity, as it would require us to maintain separate signing and distribution paths alongside our existing Apple Developer Program membership. Before pursuing that path, we wanted to understand Apple's perspective on the following: Is there a supported or recommended approach for preserving Associated Domains entitlements when an app is re-signed by a third party (e.g., a cloud testing platform)? Are there any provisioning or entitlement configurations that would allow Universal Links to function correctly in re-signed builds without requiring an Enterprise Developer account? Does Apple have documented best practices for validating Universal Link–based flows in automated or cloud-based testing environments? Are there any alternative deep linking patterns that would be more resilient to re-signing while still meeting App Store and platform security requirements? Any guidance or recommendations from Apple on how to handle this within the bounds of the standard Apple Developer Program would be greatly appreciated. Thank you for your time.

My application will create a virtual touchpad. The problem I encountered is: click on the Product menu, select Archives, then select the Distribute App, then click on Drill Distribution, then click on Distribute, and then a prompt appears: Provisioning profile "Mac Team direct Provisioning Profile:"com.xxx.xxx"doesn't match the entitlements file's valuefor the com.apple.developer.driverkit.userclient-access entitlement. But My Identifiers Selected the:DriverKit Allow Any UserClient (development) Do I need toRequest a System Extension or DriverKit Entitlement Select "Virtual HID" in here? https://developer.apple.com/contact/request/system-extension/

Hi, I’m requesting the Family Controls distribution capability for my app and its extensions. The main app bundle ID was approved within 1 day. However, I later realized the associated extensions (Shield Configuration, Device Activity Monitor, Device Activity Report) also require separate approval. I submitted those extension requests 4 days ago, and they are still in "Submitted" with no updates. This is currently blocking me from proceeding with TestFlight/App Store submission, since the extensions require the approved capability. Is this delay expected for extension bundle IDs? Thanks for your help.

Hello, We recently resubmitted our Family Controls (Distribution) request with a much more detailed explanation after our previous declined. Our entire app (including an extension) depends on this capability, and right now we’re completely blocked from launching. Months of work are stuck at this final step and it’s honestly becoming very stressful with no visibility on the timeline. If anyone has experience with the approval timeline after resubmitting, or if someone from Apple could help look into it, it would truly mean a lot. 4C6XLQWZQY Y5JJ7GT6BP 3ZBSC333WU Thank you

Hi, I submitted a Family Controls (Distribution) entitlement request on March 9, 2026 for my iOS app, but I still have not received any approval, rejection, or other status update. At this point, I’m mainly trying to understand: whether this waiting time is currently normal, whether there is any way to check if the request is actually under review, and whether Apple provides any follow-up if more information is needed. This is blocking my progress, because the app depends on the Screen Time / Family Controls APIs. Has anyone recently experienced similar delays, and is there any recommended next step besides waiting? Thanks. Imi

Hi everyone, I recently submitted the Family Controls request form and received the following request IDs: 429MKWT5VX
 KNL6T2DC7A
 N62KV78DKC However, I haven’t received any updates yet and I’m not sure how these requests are tracked or when we’ll know if they’re approved. Our app is almost ready to launch and this capability is critical for us. Both the main app and an extension depend on Family Controls, so we’re currently blocked from moving forward. I also raised a support ticket with Apple Developer Support (Case ID: 102838723073), but I haven’t received any response there either. To be honest, this is becoming really stressful. Months of work are stuck at the final step and we’re unable to move forward without this approval. This isn’t just a small personal project and we’re building a production app and were hoping to launch very soon. If anyone has been through this process or has any guidance on the approval timeline, or if someone from Apple could help look into these request IDs, it would genuinely mean a lot to us.

 Thank you

Hi everyone, I recently submitted the Family Controls request form and received the following request IDs: 429MKWT5VX
 KNL6T2DC7A
 N62KV78DKC However, I haven’t received any updates yet and I’m not sure how these requests are tracked or when we’ll know if they’re approved. Our app is almost ready to launch and this capability is critical for us. Both the main app and an extension depend on Family Controls, so we’re currently blocked from moving forward. I also raised a support ticket with Apple Developer Support (Case ID: 102838723073), but I haven’t received any response there either. To be honest, this is becoming really stressful. Months of work are stuck at the final step and we’re unable to move forward without this approval. This isn’t just a small personal project and we’re building a production app and were hoping to launch very soon. If anyone has been through this process or has any guidance on the approval timeline, or if someone from Apple could help look into these request IDs, it would genuinely mean a lot to us.

 Thank you

I am seeking clarification on whether the various driverkit entitlement families (com.apple.developer.driverkit.family.*) are available for development on my local Mac without requesting entitlements from Apple. My experience is inconsistent with public statements made by Apple, and I am wondering if there have been changes to development entitlements as of 2026. I am hoping there is something obvious that I have missed. At WWDC2022 Apple stated that "In MacOS... In fact, all DriverKit family entitlements are now available to use for development." On these very forums, Eskimo himself also suggested this was the case in 2024. However, my own experience has been that in my provisioning profile on my paid developer account, I am not able to obtain com.apple.developer.driverkit.family.networking for the purpose of developing a driver for unsupported hardware. As you can see, I do not have the networking entitlement: { .. "Entitlements" => { ... "com.apple.developer.driverkit" => true "com.apple.developer.driverkit.transport.usb" => [ 0 => { "idVendor" => "*" } ] And there appears to be no mechanism to add these entitlement:

I have gotten all necessary entitlements for all my extensions,

I requested the Family Controls (distribution) capability but am not sure if I did it correct. I applied, answered the questions why i needed it and submitted. Its been about 2 weeks since applying. In the app configurations, it on apple dev site, it shows in the request history that I submitted it on March 17, but I can click the request (+) button and request it again. Just want to make sure I didn't mess anything up--it seems like they would prevent me from sendin another request if I had already requested it. It hasn't taken them this long to get back to me in the past which is why I am confused. If anyone knows how to speed up the process, please let me know! Thanks.

We've got an in-house Swift macOS desktop app with a FileProvider extension, which has been working fine on various machines up through Sonoma (and still does). We've just installed it on a Sequoia machine, and on it the FileProvider extension has lost the ability to access the shared app group. It can neither log to the Group Containers folder under ~/Library, nor access the pipe to the main app. The group name is formatted as group.XXXXXXXXXX.com.orgname.appname in both targets. I'm not sure why it combines the iOS and macOS conventions, with both the group prefix and the teamIdentifier one -- it was first built some time before the point in 2025 when macOS supported iOS-style groups -- but again, it's been working. For the record, The provisioning profile for EMPFileProvider has the App Groups capability enabled, and the App Groups capability is present in both build targets in Xcode. The existing group identifier is registered on the website; I've also manually registered the team-ID-less group name, so I can migrate. The question is, is this actually the right approach? Will such a change break the app on pre-Sequoia machines? And if I proceed, what do I need to do to complete the migration? The app was built back in Xcode 12.5; will I need to update the entire build environment to take advantage of Xcode 16.3's explicit support for iOS-style group names, or can I get away with it since I've manually registered the new group?