Some capabilities include distribution restriction. For example, you might be able to use the capability for day-to-day development but have to get additional approval to publish an app using that capability to the App Store.
To tell if a capability has such a restriction:
-
Go to Developer > Account.
-
At the top right, make sure you’re logged in as the right team.
-
Under Certificates, IDs & Profiles, click Identifiers.
-
Find the App ID you’re working with and click it.
IMPORTANT Some managed capabilities are granted on a per-App ID basis, so make sure you choose the right App ID here.
-
This brings up the App ID editor. In the Capabilities tab, locate the capability you’re working with.
-
Click the little info (i) button next to the capability. The resulting popover lists the supported platforms and distribution channels for that capability.
For example, the following shows that the standard Family Controls (Development) capability, which authorises use of the com.apple.developer.family-controls entitlement, is only enabled for development on iOS and visionOS.
In contrast, if you’ve been granted distribution access to this capability, you’ll see a different Family Controls (Distribution) capability.
Its popover shows that you can use the capability for App Store Connect and Ad Hoc distribution, as well as day-to-day development, on both iOS and visionOS.
In the Family Controls example the development-only capability is available to all developers. However, restrictions like this can apply to initially managed capabilities, that is, managed capabilities where you have to apply to use the capability just to get started with your development.
For example, when you apply for the Endpoint Security capability, which authorises use of the com.apple.developer.endpoint-security.client entitlement, it’s typically granted for development only. If you want to distribute a product using that capability, you must re-apply for another capability that authorises Developer ID distribution [1].
Some folks encounter problems like this because their managed capability was incorrectly granted. For example, you might have applied for a managed capability from an Organization team but it was granted as if you were an Enterprise team. In this case the popover will show In House where you’d expect it to show App Store Connect.
If you’ve believe that you were granted a managed capability for the wrong distribution channel, contact the folks who granted you that capability.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Endpoint Security clients must use independent distribution; they are not accepted in the Mac App Store.
Revision History
- 2026-03-10 Updated to account for changes on the Apple Developer website.
- 2022-12-09 First posted.