How to get the entitlement "com.apple.developer.driverkit.userclient-access"?

Question

We have requested all entitlements related DriverKit. What we got are below:

• com.apple.developer.driverkit
• com.apple.developer.driverkit.transport.hid
• com.apple.developer.driverkit.family.hid.device
• com.apple.developer.driverkit.family.hid.eventservice
• com.apple.developer.driverkit.family.hid.virtual.device

We just learned if we want to distribute out app which is able to communicate with DriverKit, the entitlement com.apple.developer.driverkit.userclient-access is required. However we don't know how to generate a provision profile containing this entitlement. Do we miss something when sending request entitlements to Apple? Or this entitlement is ready on certain item when we selecting appropriate capabilities?

Answer 1

Do we miss something when sending request entitlements to Apple?

The form does not ask about it, but you unfortunately must request it explicitly in the free-form text field. Make sure you also list all dext bundle IDs that your app(s) need to communicate with, as the entitlement is granted for each dext individually. (Or at least it was as of a few weeks ago.)

You can re-submit the form, or try replying to an email regarding your original entitlements grant. Make sure you explicitly request what distribution channels (Development, Developer ID, App Store) you will be using the entitlement with (and check that all existing entitlements have been granted for the channels you need) as one client of mine got some entitlements granted for only development, not distribution because we did not explicitly request otherwise.

For development purposes, until you are granted the entitlement, you can enable the following boot-args kernel parameter so that the system will ignore that the entitlement is missing in your provisioning profile (but the app still needs the entitlement listed) - this way the application can still launch and the kernel-side userclient access entitlement will pass. Normally, the app will be killed instantly by AMFI if it lists an entitlement that's not in the provisioning profile.

nvram boot-args="amfi_get_out_of_my_way=1"

(This is settable only from recovery environment; make sure you don't overwrite any existing boot-args, just append it to existing ones if necessary)

Finally, if you are planning to communicate with the dext from a sandboxed app (e.g. any app distributed via the App Store), I think you additionally need to apply for the IOKit User Client Class Temporary Exception from the sandbox. This is the com.apple.security.temporary-exception.iokit-user-client-class entitlement, and it will need to be issued for the IOUserUserClient class. I don't know the details for how this works, but I would definitely mention it along with your driverkit userclient access entitlement if it applies to you.