App Store Compliance

Mac App Store vs iOS App Store: the web-requirement differences

The web URLs and files Apple requires are mostly identical for Mac and iOS App Store apps — but four differences trip up developers shipping to both.

By · · 7 min read

Shipping the same app to both the iOS and Mac App Stores? The web requirements — privacy policy, support URL, account deletion, AASA — are ~90% identical. But there are four differences that catch developers who assume “it passed iOS, so Mac is automatic.” This is exactly what carries over and what doesn’t.

For the baseline list both platforms share, see every URL and file Apple requires for an iOS App Store submission.

What’s identical

Apple’s App Store Review Guidelines are a single document covering all platforms. These web requirements are the same for Mac and iOS:

  • Privacy Policy URL — required for both; the App Information reference lists it as “Required for iOS and macOS apps.”
  • Support URL — required for both (Guideline 1.5).
  • Account deletion — Guideline 5.1.1(v) applies to any Mac app with account creation, same as iOS.
  • App Privacy details — the same questionnaire; declare the same way.

A single OrbitKit-hosted privacy policy / support / deletion set satisfies both stores if the app’s data practices are the same across platforms.

The four differences

1. Privacy manifest applicability

PrivacyInfo.xcprivacy is required for iOS, iPadOS, tvOS, watchOS, visionOS, and Mac Catalyst apps. A standalone AppKit Mac app that doesn’t share frameworks with the iOS-family platforms has historically had different enforcement — but if your Mac app is Catalyst, or SwiftUI multiplatform sharing code with the iOS target, the manifest applies. Don’t assume your Mac target is exempt just because it’s “a Mac app”; assume it’s in scope if it shares any code with iOS. See the privacy manifest reference.

2. Distribution outside the Mac App Store changes the picture

iOS apps can only ship through the App Store (or TestFlight / enterprise). Mac apps can also ship via direct download with Developer ID + notarization. The web requirements in this post are App Store requirements — a directly-distributed notarized Mac app doesn’t go through App Review and doesn’t need the App Store Connect privacy questionnaire. If you distribute the same Mac app both ways, the App Store build still needs the full set; the direct-download build needs notarization instead. Don’t conflate the two pipelines.

Universal Links work on macOS, but the user experience differs (a link can open the Mac app if installed). The AASA file requirements are identical — same path, same Content-Type: application/json, same no-redirect rule (see Universal Links AASA without nginx). The difference is testing: verify on macOS separately; a working iOS Universal Link doesn’t guarantee the Mac association resolved (different system daemon, different cache).

4. App Review’s rendering context for the Support URL

iOS App Review checks the Support URL on an iPhone (mobile viewport, contact info above the fold). Mac App Review checks it in a desktop browser context. A support page that’s iPhone-first will still pass on Mac (desktop is more forgiving), but a desktop-only page that assumed a wide viewport can fail the iOS review. Design iPhone-first and it passes both; design desktop-first and you risk the iOS rejection. This is why OrbitKit’s hosted support pages render iPhone-first by default.

Practical guidance for “ship to both”

  1. Use the same hosted privacy policy / support / deletion set for both stores if data practices match across platforms. They usually do.
  2. Re-answer the App Privacy questionnaire per App Store Connect product — the iOS app and Mac app are separate products even if they share a policy URL.
  3. Ship the privacy manifest in any target that shares iOS-family code (Catalyst/SwiftUI multiplatform). Don’t assume Mac exemption.
  4. Test Universal Links separately on macOS — the AASA file is the same; the resolution path isn’t.
  5. Keep the support page iPhone-first so one page passes both reviews.

How OrbitKit handles it

OrbitKit hosts one set of pages per app on your custom domain; if your iOS and Mac apps share data practices, point both App Store Connect products at the same hosted privacy policy / support / deletion URLs. The privacy manifest generator covers the shared-code case. iPhone-first rendering means the support page passes both the iOS and Mac review. $5/mo per app. Start free or see features.