Should Enhanced Security entitlements use string values or Boolean true for Mac App Store submission?

Created 1w

Hi,

I’m hoping someone can help clarify the correct entitlement format for the Enhanced Security capability in a macOS App Store build.

Context

Our app is a sandboxed macOS app built with Xcode 26.4. We enabled the Enhanced Security capability in Signing & Capabilities, and we configured the entitlements based on the current documentation.

What’s confusing me

The Xcode 26.4 release notes say apps that already adopted Enhanced Security should remove:

  • com.apple.security.hardened-process.enhanced-security-version
  • com.apple.security.hardened-process.platform-restrictions

and replace them with:

  • com.apple.security.hardened-process.enhanced-security-version-string with value 1
  • com.apple.security.hardened-process.platform-restrictions-string with value 2

Reference: https://developer.apple.com/documentation/xcode-release-notes/xcode-26_4-release-notes

The entitlement reference pages also seem consistent with that:

So our app currently uses the new -string entitlements with values "1" and "2".

Our App Review rejection said:

The app incorrectly implements sandboxing, or it contains one or more entitlements with invalid values.

Entitlement "com.apple.security.hardened-process.enhanced-security-version-string" value must be boolean and true.

Entitlement "com.apple.security.hardened-process.platform-restrictions-string" value must be boolean and true.

That’s the part I can’t reconcile with the documentation.

Questions

  1. For a Mac App Store submission built with Xcode 26.4, should these two entitlements use the new string-based form, or Boolean true?
  2. If the expected format has changed, is there any updated guidance beyond the Xcode 26.4 release notes and current entitlement reference?

If Apple staff or anyone familiar with this can clarify what format is currently expected, I’d really appreciate it.

Thanks.


For reference, I’m attaching screenshots of:

  1. the App Review message that says these entitlements must be boolean and true, and
  2. the Xcode 26.4 release note section that says to use the new -string variants with values 1 and 2.

These are the two pieces of guidance I’m trying to reconcile.

[Image: Screenshot 2026-04-02 at 9.44.44 PM.png]

[Image: Screenshot 2026-04-02 at 9.44.40 PM.png]


A quick update from my side:

After receiving the App Review guidance, I tried changing both of these entitlements from the documented string values to Boolean true:

  • com.apple.security.hardened-process.enhanced-security-version-string
  • com.apple.security.hardened-process.platform-restrictions-string

In local testing, that change caused the app to fail to launch on both macOS and iOS.

I then changed them back to the documented string values ("1" and "2"), and the app immediately launched normally again.

So at least in my current Xcode 26.4 / OS 26.4 environment, the Boolean form appears to break launch, while the string-based form works normally.


A quick update from my side:

After receiving the App Review guidance, I tried changing both of these entitlements from the documented string values to Boolean true:

  • com.apple.security.hardened-process.enhanced-security-version-string
  • com.apple.security.hardened-process.platform-restrictions-string

In local testing, that change caused the app to fail to launch on both macOS and iOS.

I then changed them back to the documented string values ("1" and "2"), and the app immediately launched normally again.

I also created a brand-new Xcode 26.4 project and enabled the Enhanced Security capability there. Xcode generated these two entitlements as String values (1 and 2) by default in the new project as well.

So at least in my current Xcode 26.4 / OS 26.4 environment, the string-based form appears to be both the Xcode default and the only form that launches normally in testing.

DTS Engineer OP
Apple
4d
Recommended

This sounds like a bug in the App Store Connect app checking system. The -string entitlement values must be strings, because that format change is what allows for back deployment.

Please file a bug against App Store Connect. Once you’re done, reply here with your bug number and I’ll take action from there.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
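
A pre-submission check for the entitlement forms discussed in this thread, as an added example that is not part of any post above and is not Apple's tooling. It assumes the entitlements are available as an XML property list; the key names and the expected values "1" and "2" are the ones quoted in the thread, and the sample plists and the function names `check_entitlements` and `xml_plist` are constructed for illustration.

```python
import plistlib

# Key names and expected values as quoted in the thread from the Xcode 26.4 release notes.
PREFIX = "com.apple.security.hardened-process."
LEGACY_KEYS = (PREFIX + "enhanced-security-version", PREFIX + "platform-restrictions")
STRING_KEYS = {
    PREFIX + "enhanced-security-version-string": "1",
    PREFIX + "platform-restrictions-string": "2",
}

def check_entitlements(plist_bytes):
    """Return findings for an entitlements plist; an empty list means the documented form."""
    ents = plistlib.loads(plist_bytes)
    findings = []
    for key in LEGACY_KEYS:
        if key in ents:
            findings.append(f"{key}: legacy key, replace with the -string variant")
    for key, expected in STRING_KEYS.items():
        if key not in ents:
            continue  # capability not adopted, or only the legacy key is present
        value = ents[key]
        # plistlib maps <string> to str, <true/> to bool, <integer> to int.
        if not isinstance(value, str):
            findings.append(f"{key}: {type(value).__name__} value, expected a string")
        elif value != expected:
            findings.append(f"{key}: value {value!r}, expected {expected!r}")
    return findings

def xml_plist(entries):
    """Build a small XML plist from (key, element) pairs; sample input only."""
    body = "".join(f"<key>{k}</key>{v}" for k, v in entries)
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<plist version="1.0"><dict>{body}</dict></plist>').encode()

# Constructed sample inputs, not files from the thread.
keys = list(STRING_KEYS)
DOCUMENTED = xml_plist([(keys[0], "<string>1</string>"), (keys[1], "<string>2</string>")])
BOOLEAN_FORM = xml_plist([(keys[0], "<true/>"), (keys[1], "<true/>")])
# Legacy value below is a constructed placeholder; the thread does not show the old value type.
MIXED = xml_plist([(LEGACY_KEYS[0], "<string>placeholder</string>"),
                   (keys[1], "<string>1</string>")])

if __name__ == "__main__":
    for name, sample in (("documented", DOCUMENTED), ("boolean", BOOLEAN_FORM), ("mixed", MIXED)):
        print(name, check_entitlements(sample) or "ok")
```

Running a check like this in CI catches an entitlements file that was switched to the Boolean form before it reaches a device, where the thread reports it prevents launch.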
