diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml
index 67f172b39..dc3c3644e 100644
--- a/.github/workflows/mac-dmg.yml
+++ b/.github/workflows/mac-dmg.yml
@@ -137,9 +137,11 @@ jobs:
mv dist/mac/resources/Cryptomator-Vault.icns Cryptomator.app/Contents/Resources/
sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" Cryptomator.app/Contents/Info.plist
sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" Cryptomator.app/Contents/Info.plist
+ echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode --output Cryptomator.app/Contents/embedded.provisionprofile
env:
VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
REVISION_NO: ${{ needs.get-version.outputs.revNum }}
+ PROVISIONING_PROFILE_BASE64: ${{ secrets.MACOS_PROVISIONING_PROFILE_BASE64 }}
- name: Generate license for dmg
run: >
mvn -B -Djavafx.platform=mac license:add-third-party
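Review bot: The added `base64 --decode` line writes `embedded.provisionprofile` without checking that `PROVISIONING_PROFILE_BASE64` is set, so a run where the secret is empty or unavailable (for example, presumably, a run triggered from a fork) would place a zero-byte profile in the bundle and the step would still succeed. A check directly after the decode, such as `test -s Cryptomator.app/Contents/embedded.provisionprofile || { echo "provisioning profile missing" >&2; exit 1; }`, makes that case fail early. Passing the secret through `env:` rather than interpolating it into the script is the right pattern and should stay. The step's `run` block starts outside this hunk.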
@@ -194,9 +196,12 @@ jobs:
fi
done
echo "Codesigning Cryptomator.app..."
+ sed -i '' "s|###APP_IDENTIFIER_PREFIX###|${TEAM_IDENTIFIER}.|g" dist/mac/Cryptomator.entitlements
+ sed -i '' "s|###TEAM_IDENTIFIER###|${TEAM_IDENTIFIER}|g" dist/mac/Cryptomator.entitlements
codesign --force --deep --entitlements dist/mac/Cryptomator.entitlements -o runtime -s ${CODESIGN_IDENTITY} Cryptomator.app
env:
CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
+ TEAM_IDENTIFIER: ${{ secrets.MACOS_TEAM_IDENTIFIER }}
- name: Prepare .dmg contents
run: |
mkdir dmg
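Review bot: `TEAM_IDENTIFIER` is substituted into the entitlements by the two added `sed` lines with no check that it is set or well-formed, whereas build.sh in this same commit refuses to sign when it is empty. With an empty secret the prefix becomes `.`, so codesign would run with an application identifier of `.org.cryptomator`, and a value containing `|` or `&` would change the sed replacement itself. A guard ahead of the substitution covers both, e.g. `[[ "${TEAM_IDENTIFIER}" =~ ^[A-Z0-9]{10}$ ]] || { echo "invalid TEAM_IDENTIFIER" >&2; exit 1; }` (assuming the usual ten-character team ID format). The same substitution in dist/mac/dmg/build.sh takes the value from `-t` and has the same format gap. The step's `run` block starts outside this hunk.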
diff --git a/dist/mac/.gitignore b/dist/mac/.gitignore
new file mode 100644
index 000000000..bd6569978
--- /dev/null
+++ b/dist/mac/.gitignore
@@ -0,0 +1 @@
+embedded.provisionprofile
diff --git a/dist/mac/Cryptomator.entitlements b/dist/mac/Cryptomator.entitlements
index 16890d644..86f01405e 100644
--- a/dist/mac/Cryptomator.entitlements
+++ b/dist/mac/Cryptomator.entitlements
@@ -2,6 +2,10 @@
+ com.apple.application-identifier
+ ###APP_IDENTIFIER_PREFIX###org.cryptomator
+ com.apple.developer.team-identifier
+ ###TEAM_IDENTIFIER###
com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
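Review bot: The `###APP_IDENTIFIER_PREFIX###` and `###TEAM_IDENTIFIER###` placeholders added here, and again in the `keychain-access-groups` array in the next hunk, are not explained anywhere in the file. Signing with the template as committed would presumably carry the literal markers into the signature's entitlements. A short XML comment near the top would document the contract, such as `<!-- ###...### placeholders are replaced by mac-dmg.yml and dmg/build.sh before codesign; do not sign with this template directly -->`. The plist markup is not visible in this view, so the exact placement is left to the author.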
@@ -10,5 +14,9 @@
com.apple.security.cs.disable-library-validation
+ keychain-access-groups
+
+ ###APP_IDENTIFIER_PREFIX###org.cryptomator
+
diff --git a/dist/mac/dmg/.gitignore b/dist/mac/dmg/.gitignore
index ebc5e2c5e..d6adab5c4 100644
--- a/dist/mac/dmg/.gitignore
+++ b/dist/mac/dmg/.gitignore
@@ -5,4 +5,5 @@ dmg/
*.dmg
license.rtf
openjfx-jmods.zip
-*.jmod
\ No newline at end of file
+*.jmod
+Cryptomator.entitlements
diff --git a/dist/mac/dmg/build.sh b/dist/mac/dmg/build.sh
index 80eb10541..df6ed2374 100755
--- a/dist/mac/dmg/build.sh
+++ b/dist/mac/dmg/build.sh
@@ -1,12 +1,15 @@
#!/bin/bash
# parse options
-usage() { echo "Usage: $0 [-s ]" 1>&2; exit 1; }
-while getopts ":s:" o; do
+usage() { echo "Usage: $0 [-s ] [-t ]" 1>&2; exit 1; }
+while getopts ":s:t:" o; do
case "${o}" in
s)
CODESIGN_IDENTITY=${OPTARG}
;;
+ t)
+ TEAM_IDENTIFIER=${OPTARG}
+ ;;
*)
usage
;;
@@ -121,6 +124,7 @@ ${JAVA_HOME}/bin/jpackage \
cp ../resources/${APP_NAME}-Vault.icns ${APP_NAME}.app/Contents/Resources/
sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" ${APP_NAME}.app/Contents/Info.plist
sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" ${APP_NAME}.app/Contents/Info.plist
+cp ../embedded.provisionprofile ${APP_NAME}.app/Contents/
# generate license
mvn -B -Djavafx.platform=mac -f../../../pom.xml license:add-third-party \
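Review bot: The added `cp ../embedded.provisionprofile ${APP_NAME}.app/Contents/` runs unconditionally, although this commit git-ignores that file, so it is absent on a fresh checkout, and the copy is attempted even when no signing identity is given. Depending on whether the script runs with `set -e` (not visible in this hunk), the build either aborts or continues after an error with no profile in the bundle. Suggest tying the copy to signing and failing clearly: `if [ -n "${CODESIGN_IDENTITY}" ]; then cp ../embedded.provisionprofile "${APP_NAME}.app/Contents/" || exit 1; fi`. The usage text could also mention that the profile must be placed in `dist/mac/` beforehand.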
@@ -133,7 +137,7 @@ mvn -B -Djavafx.platform=mac -f../../../pom.xml license:add-third-party \
-Dlicense.licenseMergesUrl=file://$(pwd)/../../../license/merges
# codesign
-if [ -n "${CODESIGN_IDENTITY}" ]; then
+if [ -n "${CODESIGN_IDENTITY}" ] && [ -n "${TEAM_IDENTIFIER}" ]; then
find ${APP_NAME}.app/Contents/runtime/Contents/MacOS -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
for JAR_PATH in `find ${APP_NAME}.app -name "*.jar"`; do
if [[ `unzip -l ${JAR_PATH} | grep '.dylib\|.jnilib'` ]]; then
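Review bot: With the new condition, passing `-s` without `-t` silently skips the entire codesign block, and the script goes on to produce an unsigned app with no message, which is easy to miss in a release build. Fail explicitly ahead of the `if`: `if [ -n "${CODESIGN_IDENTITY}" ] && [ -z "${TEAM_IDENTIFIER}" ]; then echo "-t is required when -s is given" 1>&2; exit 1; fi`. The body of the `if` continues past the end of this hunk.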
@@ -151,7 +155,10 @@ if [ -n "${CODESIGN_IDENTITY}" ]; then
fi
done
echo "Codesigning ${APP_NAME}.app..."
- codesign --force --deep --entitlements ../${APP_NAME}.entitlements -o runtime -s ${CODESIGN_IDENTITY} ${APP_NAME}.app
+ cp ../${APP_NAME}.entitlements .
+ sed -i '' "s|###APP_IDENTIFIER_PREFIX###|${TEAM_IDENTIFIER}.|g" ${APP_NAME}.entitlements
+ sed -i '' "s|###TEAM_IDENTIFIER###|${TEAM_IDENTIFIER}|g" ${APP_NAME}.entitlements
+ codesign --force --deep --entitlements ${APP_NAME}.entitlements -o runtime -s ${CODESIGN_IDENTITY} ${APP_NAME}.app
fi
# prepare dmg contents
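Review bot: The rewritten `codesign` line passes `${CODESIGN_IDENTITY}` and `${APP_NAME}` unquoted, so an identity given as a certificate common name (which typically contains spaces) is word-split into several arguments. Quote the expansions: `codesign --force --deep --entitlements "${APP_NAME}.entitlements" -o runtime -s "${CODESIGN_IDENTITY}" "${APP_NAME}.app"`. The new `cp` and `sed` lines want the same quoting around `${APP_NAME}.entitlements`. The enclosing `if` starts outside this hunk.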