
Which entitlements are special entitlements? How do they work?


I looked at this page and can't tell which entitlements are special.

I couldn't find any docs on how to figure out which ones require a dedicated request to Apple. Are there any docs for it?


Solution

  • HKVerifiableClinicalRecordQuery

    Request URL: https://developer.apple.com/contact/request/verifiable-health-records/

    Entitlements Key: com.apple.developer.healthkit. Must contain the health-records from within its array.

    WWDC: https://developer.apple.com/videos/play/wwdc2021/10089/


    networking-multicast

    Request URL: https://developer.apple.com/contact/request/networking-multicast

    Entitlements Key: com.apple.developer.networking.multicast


    usernotifications.filtering

    Request URL: https://developer.apple.com/contact/request/notification-service

    Entitlements Key: com.apple.developer.usernotifications.filtering


    critical-alerts

    Request URL: https://developer.apple.com/contact/request/notifications-critical-alerts-entitlement

    Entitlements key: com.apple.developer.usernotifications.critical-alerts


    Local Push Connectivity

    Request URL: https://developer.apple.com/contact/request/local-push-connectivity

    Entitlements Key: Not sure!

    I think the com.apple.developer.networking.networkextension key must exist. The key's value must contain app-push-provider within its array.


    hotspot-helper

    Request URL: https://developer.apple.com/contact/request/hotspot-helper/

    Entitlements key: com.apple.developer.networking.HotspotHelper

    Do NOT mistake this for NEHotspotConfigurationManager. NEHotspotHelper and NEHotspotConfigurationManager are different and require distinct entitlements.

    NetworkExtension used to need it but doesn't need it any more. See Dev Forums - Quinn

    To use these facilities you previously had to be granted special entitlements by Apple. This policy has now changed for NetworkExtension providers. Any developer can now enable the NetworkExtension provider entitlement like they would any other entitlement.


    com.apple.managed.vpn.shared keychain access group

    Request URL: https://developer.apple.com/support/technical/

    Entitlements key: com.apple.managed.vpn.shared

    However there's a catch with Network Extensions. From the same Dev Forums, Quinn says:

    #9 — After moving to the new entitlement process, my app no longer has access to the com.apple.managed.vpn.shared keychain access group. How can I regain that access? Access to this keychain access group requires a special entitlement. If you need that entitlement, please open a DTS tech support incident and we will take things from there.

    IMPORTANT This entitlement is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile (as discussed in the Profile Configuration section of the NETunnelProviderManager Reference). Many VPN apps don’t need this facility.

    If I understand this correctly, basically if you need to use the com.apple.managed.vpn.shared keychain access group entitlement for VPN Credential Storage, then you need two entitlements:

    • Network Extension entitlement which can be done through Apple Developer Portal
    • Another Special entitlement as mentioned above.

    It's also worth noting that every dev team gets to create two DTS tickets a year for free. Beyond that you have to pay.

    Included with each enrollment are two Technical Support Incidents, which will expire at the end of your membership year. You will receive two new TSIs when you renew your membership. View your available TSIs, their expiration dates, and your request history in the Code-level Support section in your account. Your TSIs are grouped by expiration date, and the ones that expire soonest will be used first.

    Additional TSIs are available for purchase in either a 2-pack for $99 USD or 5-Pack for $249 USD in the Code-level Support section in your account. TSIs purchased separately expire one year from the date of activation.

    I'm not sure if any other entitlement needs a special request or not, but these were the ones that I found.


    How do I add the special entitlement into my app?

    Special entitlements are not associated with your App ID, they're added at the very last step of creating your provisioning profile.

    When you create an «iOS, macOS, tvOS» «Development / Distribution / In-House (Enterprise)» provisioning profile for the Team ID «Team ID», after selecting the devices to be included in the profile, you should see a new page entitled “Do you need additional entitlements?”. Select “«hotspot helper template name»” from the Entitlements popup to include this special entitlement in your new profile.

    Once you’ve finished generating the profile, you can use it in Xcode like any other manually-generated profile.

    source: Apple Forums


    I have the special Entitlements but Xcode isn't building it correctly for me

    Xcode can’t give a special entitlement to you by itself. Hence I don't think Automatic Code Signing would work for special entitlements. It’s something that Apple embeds into your provisioning profile, and only at the Apple Developer portal. So you have to generate the provisioning profile from the Apple Developer portal and then download it from Xcode.

    Sample email you get from Apple upon approval:

    Hello,

    This Developer Team has already been assigned the HotspotHelper capability as part of the NetworkExtension entitlement. To use this special entitlement you must create a new provisioning profile in the Certificates, Identifiers & Profiles section of your Developer account and select the entitlement after the "Do you need additional entitlements?" page. Please note, it may take 1-3 business days for this entitlement to be visible. Once you've finished generating the profile, you can use it in Xcode like any other manually-generated profile.

    IMPORTANT: If you have problems getting this to work, read Technote 2415 "Entitlements Troubleshooting" for troubleshooting steps. If you have questions about adding or using this entitlement that are not answered by this Technote, please visit the Apple Developer Forums or contact Apple Developer Support.

    Thank you,
    Apple


    How do you add multiple special entitlements?

    This is not possible out of the box. The long-term solution for this would be for Apple to change the developer web site to allow you to select multiple templates. Please file a bug report requesting that, then post your bug number, just for the record.

    I’m not sure whether there’s a good short-term option. My advice is that you talk to Apple Developer Programs Support to see whether they can help you (start here and then go Membership and Account > Other Membership or Account Questions). Make sure to:

    • Reference this thread
    • Include your bug number
    • Tell them to reach out to me if they need clarifications

    source: Dev Forums


    Do I need the special entitlement only for my main app target?

    Check each page's doc.

    But I think it depends. E.g. the doc for Local Push Connectivity says:

    After you receive the entitlement, apply it to both your app target and your provider extension target.

    Source: Docs


    What are extended entitlements?

    They're exactly the same thing as special entitlements. Just a different name for it.


    How long does it actually take to get approved?

    Apple will respond within a week. But then usually it's not a straightforward approval. They'd ask for a bunch of changes or justifications and then approve/deny. Sometimes it takes 1 month overall.
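
For the "Xcode isn't building it correctly" case in the answer above, a way to confirm that a downloaded provisioning profile actually carries the special entitlement before debugging Xcode. This is an added example, not part of the original answer or Apple's tooling. The function names, the `SPECIAL` table (a subset of the keys listed in the answer) and the sample profile bytes are constructed for illustration.

```python
import plistlib

# Subset of the keys listed in the answer. None: key must be true.
# A string: the key's array must contain that value.
SPECIAL = {
    "com.apple.developer.networking.multicast": None,
    "com.apple.developer.usernotifications.filtering": None,
    "com.apple.developer.usernotifications.critical-alerts": None,
    "com.apple.developer.networking.HotspotHelper": None,
    "com.apple.developer.networking.networkextension": "app-push-provider",
}

# Constructed sample: fake CMS bytes around a minimal profile plist.
SAMPLE_PROFILE = (
    b"\x30\x82constructed-cms-header"
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict><key>Entitlements</key><dict>'
    b"<key>com.apple.developer.networking.HotspotHelper</key><true/>"
    b"<key>com.apple.developer.networking.networkextension</key>"
    b"<array><string>packet-tunnel-provider</string></array>"
    b"</dict></dict></plist>constructed-cms-signature"
)


def extract_profile_plist(blob: bytes) -> dict:
    """Slice the clear-text XML plist out of a .mobileprovision blob.

    Inspection only: the CMS signature is not verified here.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def granted(profile: dict, wanted: dict = SPECIAL) -> dict:
    """Map each wanted entitlement key to whether the profile grants it."""
    ents = profile.get("Entitlements", {})
    report = {}
    for key, needed in wanted.items():
        value = ents.get(key)
        if needed is None:
            report[key] = value is True
        else:
            report[key] = isinstance(value, list) and needed in value
    return report


if __name__ == "__main__":
    for key, ok in granted(extract_profile_plist(SAMPLE_PROFILE)).items():
        print(("granted " if ok else "MISSING ") + key)
```

In the constructed sample the HotspotHelper key is granted, while the NetworkExtension array lacks `app-push-provider`, so Local Push Connectivity is reported as missing.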