General: Forums subtopic: App & System Services > Networking TN3151 Choosing the right networking API Networking Overview document — Despite the fact that this is in the archive, this is still really useful. TLS for App Developers forums post Choosing a Network Debugging Tool documentation WWDC 2019 Session 712 Advances in Networking, Part 1 — This explains the concept of constrained networking, which is Apple’s preferred solution to questions like How do I check whether I’m on Wi-Fi? TN3135 Low-level networking on watchOS TN3179 Understanding local network privacy Adapt to changing network conditions tech talk Understanding Also-Ran Connections forums post Extra-ordinary Networking forums post Foundation networking: Forums tags: Foundation, CFNetwork URL Loading System documentation — NSURLSession, or URLSession in Swift, is the recommended API for HTTP[S] on Apple platforms. Moving to Fewer, Larger Transfers forums post Testing Background Session Code forums post Network framework: Forums tag: Network Network framework documentation — Network framework is the recommended API for TCP, UDP, and QUIC on Apple platforms. Building a custom peer-to-peer protocol sample code (aka TicTacToe) Implementing netcat with Network Framework sample code (aka nwcat) Configuring a Wi-Fi accessory to join a network sample code Moving from Multipeer Connectivity to Network Framework forums post NWEndpoint History and Advice forums post Wi-Fi (general): How to modernize your captive network developer news post Wi-Fi Fundamentals forums post Filing a Wi-Fi Bug Report forums post Working with a Wi-Fi Accessory forums post — This is part of the Extra-ordinary Networking series. Wi-Fi (iOS): TN3111 iOS Wi-Fi API overview technote Wi-Fi Aware framework documentation WirelessInsights framework documentation iOS Network Signal Strength forums post Network Extension Resources Wi-Fi on macOS: Forums tag: Core WLAN Core WLAN framework documentation Secure networking: Forums tags: Security Apple Platform Security support document Preventing Insecure Network Connections documentation — This is all about App Transport Security (ATS). WWDC 2017 Session 701 Your Apps and Evolving Network Security Standards [1] — This is generally interesting, but the section starting at 17:40 is, AFAIK, the best information from Apple about how certificate revocation works on modern systems. WWDC 2025 Session 314 Get ahead with quantum-secure cryptography Available trusted root certificates for Apple operating systems support article Requirements for trusted certificates in iOS 13 and macOS 10.15 support article About upcoming limits on trusted certificates support article Apple’s Certificate Transparency policy support article What’s new for enterprise in iOS 18 support article — This discusses new key usage requirements. Prepare your network environment for stricter security requirements support article — This is primarily of interest to folks developing management software, for example, an MDM server. Technote 2232 HTTPS Server Trust Evaluation Technote 2326 Creating Certificates for TLS Testing QA1948 HTTPS and Test Servers Miscellaneous: More network-related forums tags: 5G, QUIC, Bonjour On FTP forums post Using the Multicast Networking Additional Capability forums post Investigating Network Latency Problems forums post Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" [1] This video is no longer available from Apple, but the URL should help you locate other sources of this info.

Our business interface requests require disabling HTTP(s) proxies. We configured URLSessionConfiguration.connectionProxyDictionary as before, but found that it does not work on iOS 16.2 and 16.3.1. 1.Core code: let configuration = URLSessionConfiguration.default configuration.connectionProxyDictionary = [ "HTTPEnable": false, "HTTPSEnable": false, "SOCKSEnable": false, ] let session = URLSession(configuration: configuration) let request = URLRequest(url: URL(string: "https://www.baidu.com")!,timeoutInterval: Double.infinity) // 发送请求 let task = session.dataTask(with: request) { data, response, error in if let error = error { print("网络请求失败: \(error)") } if let data = data { print("网络请求成功，返回数据长度: \(data.count)") if let responseString = String(data: data, encoding: .utf8) { print("返回数据: \(responseString.prefix(100))...") } } } task.resume() 2.Specific steps: We captured traffic using Proxyman and Charles. With the same code, requests cannot be captured on iOS 18 and iOS 16.1, but can be captured on iOS 26.2 and 26.1. Conclusion:Therefore, we suspect there is a bug with URLSessionConfiguration.connectionProxyDictionary on iOS 26.x. Please let us know whether this is a bug. If not, how should we properly disable HTTP(s) proxies? Note: We need to exclude PAC proxies, which are commonly used in corporate internal networks. 3.Devices & Soft Xcode 16.4 iPhone 26.2、Simulator 26.1 Proxyman、Charles

Our business interface requests require disabling HTTP(s) proxies. We configured URLSessionConfiguration.connectionProxyDictionary as before, but found that it does not work on iOS 26 1.Core code: let configuration = URLSessionConfiguration.default configuration.connectionProxyDictionary = [ "HTTPEnable": false, "HTTPSEnable": false, "SOCKSEnable": false, ] let session = URLSession(configuration: configuration) let request = URLRequest(url: URL(string: "https://www.baidu.com")!,timeoutInterval: Double.infinity) // 发送请求 let task = session.dataTask(with: request) { data, response, error in if let error = error { print("网络请求失败: \(error)") } if let data = data { print("网络请求成功，返回数据长度: \(data.count)") if let responseString = String(data: data, encoding: .utf8) { print("返回数据: \(responseString.prefix(100))...") } } } task.resume() 2.Specific steps: We captured traffic using Proxyman and Charles. With the same code, requests cannot be captured on iOS 18 and iOS 16.1, but can be captured on iOS 26.2 and 26.1. Conclusion:Therefore, we suspect there is a bug with URLSessionConfiguration.connectionProxyDictionary on iOS 26.x. Please let us know whether this is a bug. If not, how should we properly disable HTTP(s) proxies? Note: We need to exclude PAC proxies, which are commonly used in corporate internal networks. 3.Devices & Software Xcode 16.4 iPhone 26.2、Simulator 26.1 iPhone 16、Simulator 18.0、Simulator 18.6 Proxyman、Charles

Hello Apple Support Team, We are experiencing a performance issue with HTTP/3 in our iOS application during testing. Problem Description: Network requests using HTTP/3 are significantly slower than expected. This issue occurs on both Wi-Fi and 4G networks, with both IPv4 and IPv6. The same setup worked correctly in an earlier experiment. Key Observations: The slowdown disappears when the device uses: · A personal hotspot. · Network Link Conditioner (with no limitations applied). · Internet sharing from a MacBook via USB (where traffic was also inspected with Wireshark without issues). The problem is specific to HTTP/3 and does not occur with HTTP/2. The issue is reproducible on iOS 15, 18.7, and the latest iOS 26 beta. HTTP/3 is confirmed to be active (via assumeHttp3Capable and Alt-Svc header). Crucially, the same backend endpoint works with normal performance on Android devices and using curl with HTTP/3 support from the same network. I've checked the CFNetwork logs in the Console but haven't found any suspicious errors or obvious clues that explain the slowdown. We are using a standard URLSession with basic configuration. Attempted to collect qlog diagnostics by setting the QUIC_LOG_DIRECTORY=~/ tmp environment variable, but the logs were not generated. Question: What could cause HTTP/3 performance to improve only when the device is connected through a hotspot, unrestricted Network Link Conditioner, or USB-tethered connection? The fact that Android and curl work correctly points to an issue specific to the iOS network stack. Are there known conditions or policies (e.g., related to network interface handling, QoS, or specific packet processing) that could lead to this behavior? Additionally, why might the qlog environment variable fail to produce logs, and are there other ways to obtain detailed HTTP/3 diagnostic information from iOS? Any guidance on further diagnostic steps or specific system logs to examine would be greatly appreciated. Thank you for your assistance.

Hi All, I am working on a macOS System Extension using Apple’s Network Extension Framework, designed to observe and log network activity at multiple layers. The system extension is currently stable and working as expected for HTTP and DNS traffic with 3 providers, getting Socket, HTTP, and DNS logs. Current Architecture Overview The project consists of two Xcode targets: 1. Main App Process Responsible for: Managing system extension lifecycle (activation, configuration) Establishing IPC (XPC) communication with extensions Receiving structured logs from extensions Writing logs efficiently to disk using a persistent file handle Uses: OSSystemExtensionManager NEFilterManager, NETransparentProxyManager, NEDNSProxyManager NWPathMonitor for network availability handling Persistent logging mechanism (FileHandle) 2. System Extension Process Contains three providers, all running within a single system extension process: a) Content Filter (NEFilterDataProvider) Captures socket-level metadata Extracts: PID via audit token Local/remote endpoints Protocol (TCP/UDP, IPv4/IPv6) Direction (inbound/outbound) Sends structured JSON logs via shared IPC b) Transparent Proxy (NETransparentProxyProvider) Intercepts TCP flows Creates a corresponding NWConnection to the destination Captures both HTTP and HTTPS traffic, sends it to HTTPFlowLogger file which bypasses if it's not HTTP traffic. Uses a custom HTTPFlowLogger: Built using SwiftNIO library (NIO HTTP1) Parses up to HTTP/1.1 traffic Handles streaming, headers, and partial body capture (with size limits) Maintains per-flow state and lifecycle management Logs structured HTTP data via shared IPC c) DNS Proxy (NEDNSProxyProvider) Intercepts UDP DNS traffic Forwards queries to upstream resolver (system DNS or fallback) Maintains shared UDP connection Tracks pending requests using DNS IDs Parses DNS packets (queries + responses) using a custom parser Logs structured DNS metadata via shared IPC Shared Component: IPCConnection Single bidirectional XPC channel used by all providers Handles: App → Extension registration Extension → App logging Uses Mach service defined in system extension entitlements Project Structure NetworkExtension (Project) │ ├── NetworkExtension (Target 1: Main App) │ ├── AppDelegate.swift │ ├── Assets.xcassets │ ├── Info.plist │ ├── NetworkExtension.entitlements │ ├── Main.storyboard │ └──ViewController.swift │ ├── SystemExtensions (Target 2: Extension Process) │ ├── common/ │ │ ├── IPCConnection.swift │ │ └── main.swift │ │ │ ├── DNSProxyProvider/ │ │ ├──DNSDataParser.swift │ │ └──DNSProxyProvider.swift (DNS Proxy) │ │ │ ├── FilterDataProvider/ │ │ └── FilterDataProvider.swift │ │ │ ├── TransparentProxyProvider/ │ │ ├── HTTPLogParser.swift │ │ ├── LogDataModel.swift │ │ └──TransparentProxyProvider.swift │ │ │ ├── Info.plist │ └── SystemExtensions.entitlements │ Current Capabilities Unified logging pipeline across: Socket-level metadata HTTP traffic (HTTP/1.1) DNS queries/responses Efficient log handling using persistent file descriptors Stable IPC communication between app and extensions Flow-level tracking and lifecycle management Selective filtering (e.g., bypass rules for specific IPs) What's the best approach to add TLS Inspection with MITM proxy setup? Some context and constraints: Existing implementation handles HTTP parsing and should remain unchanged (Swift-based). I’m okay with bypassing apps/sites that use certificate pinning (e.g., banking apps) and legitimate sites. Performance is important — I want to avoid high CPU utilization. I’m relatively new to TLS inspection and MITM proxy design. Questions Is it a good idea to implement TLS inspection within a system extension, or does that typically introduce significant complexity and performance overhead? As NETransparentProxyProvider already intercepting HTTPS traffic, can we redirect it to a separate processing pipeline (e.g., another file/module), while keeping the existing HTTP parser(HTTPFlowLogger - HTTP only parser) intact? What are the recommended architectural approaches for adding HTTPS parsing via MITM in a performant way? Are there best practices for selectively bypassing pinned or sensitive domains while still inspecting other traffic? Any guidance on avoiding common pitfalls (e.g., certificate handling, connection reuse, latency issues)? I’m looking for a clean, maintainable approach to integrate HTTPS inspection into my existing system without unnecessary complexity or performance degradation. Please let me know if any additional details from my side would help in suggesting the most appropriate approach. Thanks in advance for your time and insights—I really appreciate it.

Hello, We have a security solution which intercepts network traffic for inspection using a combination of Transparent Proxy Provider and Content filter. Lately we are seeing reports from the market that on M5 Macbooks and A18 Neos the system will kernel panic using our solution, even though it never happens on M1-M4 and no significant code changes were made in the mean time. All crashes seem to be related to an internal double free in the kernel: panic(cpu 0 caller 0xfffffe003bb68224): skmem_slab_free_locked: attempt to free invalid or already-freed obj 0xf2fffe29e15f2400 on skm 0xf6fffe2518aaa200 @skmem_slab.c:646 Debugger message: panic Memory ID: 0xff OS release type: User OS version: 25D2128 Kernel version: Darwin Kernel Version 25.3.0: Wed Jan 28 20:54:38 PST 2026; root:xnu-12377.91.3~2/RELEASE_ARM64_T6050 Additionally, from further log inspection, before panics we find some weird kernel messages which seem to be related to some DMA operations gone wrong in the network driver on some machines: 2026-03-30 14:11:21.779124+0300 0x30f2 Default 0x0 873 0 Arc: (Network) [com.apple.network:connection] [C9.1.1.1 IPv4#e5b4bb04:443 in_progress socket-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, ipv6, dns, uses wifi, flow divert agg: 1, LQM: good)] event: flow:start_connect @0.075s 2026-03-30 14:11:21.780015+0300 0x1894 Default 0x0 0 0 kernel: (402262746): No more valid control units, disabling flow divert 2026-03-30 14:11:21.780017+0300 0x1894 Default 0x0 0 0 kernel: (402262746): Skipped all flow divert services, disabling flow divert 2026-03-30 14:11:21.780102+0300 0x1894 Default 0x0 0 0 kernel: SK[2]: flow_entry_alloc fe "0 proc kernel_task(0)Arc nx_port 1 flow_uuid D46E230E-B826-4E0A-8C59-4C4C8BF6AA60 flags 0x14120<CONNECTED,QOS_MARKING,EXT_PORT,EXT_FLOWID> ipver=4,src=<IPv4-redacted>.49703,dst=<IPv4-redacted>.443,proto=0x06 mask=0x0000003f,hash=0x04e0a750 tp_proto=0x06" 2026-03-30 14:11:21.780194+0300 0x1894 Default 0x0 0 0 kernel: tcp connect outgoing: [<IPv4-redacted>:49703<-><IPv4-redacted>:443] interface: en0 (skipped: 0) so_gencnt: 14634 t_state: SYN_SENT process: Arc:873 SYN in/out: 0/1 bytes in/out: 0/0 pkts in/out: 0/0 rtt: 0.0 ms rttvar: 250.0 ms base_rtt: 0 ms error: 0 so_error: 0 svc/tc: 0 flow: 0x9878386f 2026-03-30 14:11:21.934431+0300 0xed Default 0x0 0 0 kernel: Hit error condition (not panicking as we're in error handler): t8110dart <private> (dart-apcie0): invalid SID 2 TTBR access: level 1 table_index 0 page_offset 0x2 2026-03-30 14:11:21.934432+0300 0xed Default 0x0 0 0 kernel: [ 73.511690]: arm_cpu_init(): cpu 6 online 2026-03-30 14:11:21.934441+0300 0xed Default 0x0 0 0 kernel: [ 73.511696]: arm_cpu_init(): cpu 9 online 2026-03-30 14:11:21.934441+0300 0xed Default 0x0 0 0 kernel: [ 73.569033]: arm_cpu_init(): cpu 6 online 2026-03-30 14:11:21.934441+0300 0xed Default 0x0 0 0 kernel: [ 73.569038]: arm_cpu_init(): cpu 9 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.577453]: arm_cpu_init(): cpu 7 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.586328]: arm_cpu_init(): cpu 5 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.586332]: arm_cpu_init(): cpu 8 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.621392]: (dart-apcie0) AppleT8110DART::_fatalException: dart-apcie0 (<ptr>): DART DART SID exception ERROR_SID_SUMMARY 0x00003000 ERROR_ADDRESS 0x0000000000009800 2026-03-30 14:11:21.934443+0300 0xed Default 0x0 0 0 kernel: [ 73.621397]: Hit error condition (not panicking as we're in error handler): 2026-03-30 14:11:21.934443+0300 0xed Default 0x0 0 0 kernel: t8110dart <ptr> (dart-apcie0): invalid SID 2 TTBR access: level 1 table_index 0 page_offset 0x2Expect a `deadbeef` in the error messages below 2026-03-30 14:11:21.934452+0300 0xed Default 0x0 0 0 kernel: Expect a `deadbeef` in the error messages below 2026-03-30 14:11:21.934456+0300 0xed Default 0x0 0 0 kernel: (AppleEmbeddedPCIE) apcie[0:centauri-control]::_dartErrorHandler() InvalidPTE caused by read from address 0x9800 by SID 2 (RID 2:0:1/useCount 1/device <private>) 2026-03-30 14:11:21.934469+0300 0xed Default 0x0 0 0 kernel: (AppleT8110DART) Ignored dart-apcie0 (0xfbfffe18820b0000): DART(DART) error: SID 2 PTE invalid exception on read of DVA 0x9800 (SEG 0 PTE 0x2) ERROR_SID_SUMMARY 0x00003000 TIME 0x11242d43fd TTE 0xffffffffffffffff AXI_ID 0 We do not have any correlation between machines, usage pattern or installed applications. Uninstalling the network protection features seem to largely fix the issues, even though we have heard of crashes happening even in safe mode or with our network extension disabled from system settings. We weren't able to reproduce internally and it seems to happen completely random on client machines, but often enough to be disrupting. Can you tell us please if this is a known problem and if there's a workaround or what can we do to narrow it down? Thanks.

We have a Man In The Middle proxy that supports all kind of protocols (http, tls, dns, mail protocols, grpc, etc...)... On apple devices we are running it using the Network Extension framework as a NETransparentProxy. First of all, thank you for the framework, took a while to learn the ins and outs but it works nicely and runs smooth... However now that we start to roll it out to customers we see issues here and there.. For most it works fine, but for some that use other proxy/vpn solutions they run into all kind of "connectivity" issues... E.g. some customers run products from companies like zscaler, fortinet, tailscale etc... First we weren't sure if you could even run multiple TransparentProxy's that have the same network capture rules (e.g. the entire TCP range), but turns out that is fine as we tested it with a demo proxy of ours as well as the product version, both deployed as system extensions NETransparentProxy, and it is all fine.. However also here the ordering is not clear? Traffic seems to flow through both but cannot tell what the order is and if the user or we have any control over it. Now... Our proxy is not a VPN and thus not open a tunnel to a remote location. It is local only there to protect the developer. As such in theory it should be compatible with any other VPN and proxy as any traffic we intercept (all traffic) is still ok to go through their proxy/client-vpn and than through a remote tunnel if desired. So the questions I have is: Is there a way, either from within the code or that our users can configure to, on the order of multiple (network extension or other) proxies? Is TransparentProxy the correct solution if I also want compatibility with these other products and want to MITM the traffic? The flows that current work fine are: ClientApp --> NETransparentProxy[ours] --> remote target server clientApp --> L7 HTTP/SOCKS5 Proxy (system or app-defined) --> NETransparentProxy[ours] --> remote target server clientApp --> L7 HTTP/SOCKS5 Proxy (system or app-defined) --> NETransparentProxy[ours/demo] --> NETransparentProxy[demo/ours] --> remote target server However when people also have products from zscaler, fortinet, tailscale or some others it seems to work sometimes but not always, which makes me think it is order defined? What all of them have in common is that they need to go through a remote tunnel, whereas we do not go through a remote tunnel... Which if I am correct (perhaps I am not) should mean that as long as traffic always goes first via us that it should work? e.g. clientApp --> NETransparentProxy[ours] --> NETransparentProxy/Tunnel/...[third party vpn] --> Vpn Server --> remote target server That should in that case just work. But it does not work in case we are behind the (vpn proxy) client. Please let me know if I provide enough detail and if I'm clear? I am mostly wondering about what I can expect in terms of compatibility if there is anything I (or our company user) can do about ordering/priority/something ?

Hi. I have a private cryptographic key that I want to generate and store for use by the system extension only (a network extension NETransparentProxyProvider). The ideal properties I want is: only accessible by extension never leave extension not be accessible by root user or other apps Here is what I have tried so far (by/within the system extension): app data container / local storage: this works, but is accessible by root user app data shared container (storage): this works, but also acccessible by root user system keyring: works, but also accesible by root user System extension by itself does not seem to be able to store/load secrets in app protected keyring. The host application however can store in app protected keyring.... So I though, let's use an app group (as access group) and have it like this shared between host and (system) extension... but nop... (system) extension cannot access the secret... Ok... so than I thought: manual low-level XPC calls.... Also that doesn't work, got something almost to work but seemed to require an entire 3rd (launchd/daemon) service.... way to complex for what I want... also seems that as a root user I can use debug tools to also access it There is however the SendMessage/HandleMessage thing available for TransparentProxy.... that does work... but (1) also doesn't seem the most secure (2) the docs clearly state cannot rely on that for this state as the system extension can be started while the host app is not active.... (e.g. at startup) So that is not a solution either.... I went in so many different directions and rabbit holes in the last days.... this feels like a lot harder than it should be? How do other VPN/Proxy like solutions store secrets that are unique to an extension???? I am hoping there is something available here that I am simply missing despite all my effort... any guidance greatly appreciated...

Hi Apple team, Could you please let us know the estimated timeline for approval of our OHTTP relay request? We’d appreciate any updates on the current status or next steps from your side. My request number is GZ8425KHD9. Thanks in advance.

I haven’t been able to get this to work at any level! I’m running into multiple issues, any light shed on any of these would be nice: I can’t implement a bloom filter that produces the same output as can be found in the SimpleURLFilter sample project, after following the textual description of it that’s available in the documentation. No clue what my implementation is doing wrong, and because of the nature of hashing, there is no way to know. Specifically: The web is full of implementations of FNV-1a and MurmurHash3, and they all produce different hashes for the same input. Can we get the proper hashes for some sample strings, so we know which is the “correct” one? Similarly, different implementations use different encodings for the strings to hash. Which should we use here? The formulas for numberOfBits and numberOfHashes give Doubles and assign them to Ints. It seems we should do this conversing by rounding them, is this correct? Can we get a sample correct value for the combined hash, so we can verify our implementations against it? Or ignoring all of the above, can we have the actual code instead of a textual description of it? 😓 I managed to get Settings to register my first attempt at this extension in beta 1. Now, in beta 2, any other project (including the sample code) will redirect to Settings, show the Allow/Deny message box, I tap Allow, and then nothing happens. This must be a bug, right? Whenever I try to enable the only extension that Settings accepted (by setting its isEnabled to true), its status goes to .stopped and the error is, of course, .unknown. How do I debug this? While the extension is .stopped, ALL URL LOADS are blocked on the device. Is this to be expected? (shouldFailClosed is set to false) Is there any way to manually reload the bloom filter? My app ships blocklist updates with background push, so it would be wasteful to fetch the filter at a fixed interval. If so, can we opt out of the periodic fetch altogether? I initially believed the API to be near useless because I didn’t know of its “fuzzy matching” capabilities, which I’ve discovered by accident in a forum post. It’d be nice if those were documented somewhere! Thanks!!

We use TeamCity as our Continuous Integration (CI) solution to build and run automated tests. These are integration tests executed through our 4D application, which is properly code‑signed and notarized. These CI machines are heavily used and build multiple versions per day, making them critical to our development workflow. However, we are experiencing an issue on some machines: after a certain period of time, network communication through our application stops working, while network communication remains fully functional when using third‑party tools (for example, LDAP clients). Based on our investigation, this issue appears to be related to Local Network Privacy management. We have followed the procedure described in Apple’s Technical Note: TN3179: Understanding local network privacy | Apple Developer Documentation to reset network authorizations, but this has not been sufficient to resolve the issue. In addition, our CI environment requires acknowledging a large number of Local Network access permission prompts. Given that these machines build multiple versions per day and are intended to run unattended, this is not practical in an automated CI context. We have around ten Macs dedicated to running these tests, and manually approving these pop‑ups is not a viable solution.

https://aninterestingwebsite.com/documentation/corewlan/cweventtype/linkqualitydidchange As per the documentation core WLAN will send notification when there is a change in RSSI. I did not receive any notification when there is a change in RSSI.

Hello, I have an app that is using iOS 26 Network Framework APIs. It is using QUIC, TLS 1.3 and Bonjour. For TLS I am using a PKCS#12 identity. All works well and as expected if the devices (iPhone with no cellular, iPhone with cellular, and iPad no cellular) are all on the same wifi network. If I turn off my router (ie no more wifi network) and leave on the wifi toggle on the iOS devices - only the non cellular iPhone and iPad are able to discovery and connect to each other. My iPhone with cellular is not able to. By sharing my logs with Cursor AI it was determined that the connection between the two problematic peers (iPad with no cellular and iPhone with cellular) never even makes it to the TLS step because I never see the logs where I print out the certs I compare. I tried doing "builder.requiredInterfaceType(.wifi)" but doing that blocked the two non cellular devices from working. I also tried "builder.prohibitedInterfaceTypes([.cellular])" but that also did not work. Is AWDL on it's way out? Should I focus my energy on Wi-Fi Aware? Regards, Captadoh

While going through the documentation for NWConnection, there seems to be state known as .waiting which means that the connection is waiting for a path change. For TCP, the state is understandable and can occur under some scenarios. But for the case of UDP, I have following queries: Why do we need .waiting state for the case of UDP? Even if we do need .waiting state for UDP, when all does this state occurs?

I’m encountering a persistent issue with my Network Extension (specifically NEFilterDataProvider) and would really appreciate any insights. The extension generally works as expected, but after some time — especially after sleep/wake cycles or network changes — a global network outage occurs. During this state, no network traffic works: pings fail, browsers can’t load pages, etc. As soon as I stop the extension (by disabling it in System Preferences), the network immediately recovers. If I re-enable it, the outage returns instantly. I’ve also noticed that once this happens, the extension stops receiving callbacks like handleNewFlow(), and reinstalling the app or restarting the extension doesn’t help. The only thing that resolves the issue is rebooting the system. After reboot, the extension works fine again — until the problem reoccurs later. I asked AI about this behavior, and it suggested the possibility that the kernel might have marked the extension as untrusted, causing the system to intentionally block all network traffic as a safety mechanism. Has anyone experienced similar behavior with NEFilterDataProvider? Could there be a way to detect or prevent this state without rebooting? Is there any logging or diagnostic data I should collect when it happens again? Any guidance or pointers would be greatly appreciated. Thanks in advance!

Hi We are modifying the official Wi‑Fi Aware sample app to integrate QUIC for transmission speed testing. Unfortunately, we have been unable to establish a successful QUIC connection between two iOS devices. Could you provide a correct implementation example of using QUIC over Wi‑Fi Aware? I have attached the iOS system logs and our modified app project for your reference in case FB22499984 . Thanks

Here’s the formatted summary in English for your issue submission: Issue Summary We are activating a Network Extension system extension (filter-data) from a signed and notarized macOS app. Activation consistently fails with the following error: Error Message: OSSystemExtensionErrorDomain code=4 Extension not found in App bundle. Unable to find any matched extension with identifier: com.seaskylight.yksmacos.ExamNetFilter.data At the same time, sysextd logs show: no policy, cannot allow apps outside /Applications However, our host app and executable paths are already under /Applications, and the extension bundle physically exists in the expected app bundle location. Environment Information macOS: Darwin 25.4.0 Host App: /Applications/xxx.app Host Bundle ID: com.seaskylight.yksmacos System Extension Bundle ID: com.seaskylight.yksmacos.ExamNetFilter.data Team ID: BVU65MZFLK Device Management: Enrolled via DEP: No MDM Enrollment: No Reproduction Steps Install the host app to /Applications. Launch the host app via Finder or using the command: open -a "/Applications/xxx.app" Trigger OSSystemExtensionRequest activationRequestForExtension for: com.seaskylight.yksmacos.ExamNetFilter.data. Observe failure callback (code=4). Collect logs: log show --last 2m --style compact --info --debug --predicate 'process == "sysextd"' Check extension status using: systemextensionsctl list (shows 0 extension(s)) Observed Results sysextd client activation request for com.seaskylight.yksmacos.ExamNetFilter.data attempts to realize extension with identifier com.seaskylight.yksmacos.ExamNetFilter.data. Log indicates: no policy, cannot allow apps outside /Applications App-side Diagnostics (captured at failure) PID: 3249 Bundle Path: /Applications/xxx.app Real Path: /Applications/xxx.app Exec Path: /Applications/xxx.app/Contents/MacOS/xxx Real Exec Path: /Applications/xxx.app/Contents/MacOS/xxx Ext Path: /Applications/xxx.app/Contents/Library/SystemExtensions/ExamNetFilterData.systemextension Ext Exists: true Running From Helper: false Error Callback: NSError{domain=OSSystemExtensionErrorDomain code=4 desc=Extension not found in App bundle...} Additional Validation We reproduced the same failure using a minimal native host app (SysExtProbe) in /Applications that only submits the activation request for the same extension identifier. It also fails with OSSystemExtensionErrorDomain code=4, indicating this is not specific to Electron app logic. Signing / Packaging Notes Host app and system extension are signed with the same Team ID (BVU65MZFLK). System extension bundle exists under: /Applications/xxx.app/Contents/Library/SystemExtensions/ExamNetFilterData.systemextension Extension Info.plist contains bundle id: com.seaskylight.yksmacos.ExamNetFilter.data Host app includes NSSystemExtensionUsageDescription. Questions for DTS In non-MDM personal-device scenarios, what exact conditions trigger sysextd to emit: no policy, cannot allow apps outside /Applications even when both bundlePath and realpath are in /Applications? Can code=4 (“Extension not found in App bundle”) be returned for policy/state reasons even when the extension bundle is present and the identifier matches? Are there known sysextd policy/cache states that cause this behavior, and what is the recommended recovery procedure? Feel free to copy and paste this summary for your submission. If you need any further modifications or assistance, let me know!

Summary We are activating a Network Extension system extension (filter-data) from a signed and notarized macOS app. Activation consistently fails with: OSSystemExtensionErrorDomain code=4 Extension not found in App bundle. Unable to find any matched extension with identifier: com.seaskylight.yksmacos.ExamNetFilter.data At the same time, sysextd logs: no policy, cannot allow apps outside /Applications However, our host app and executable real paths are already under /Applications, and the extension bundle physically exists in the expected app bundle location. Environment macOS: Darwin 25.4.0 Host app: /Applications/xxx.app Host bundle id: com.seaskylight.yksmacos System extension bundle id: com.seaskylight.yksmacos.ExamNetFilter.data Team ID: BVU65MZFLK Device management: Enrolled via DEP: No MDM enrollment: No Reproduction Steps Install host app to /Applications. Launch host app via Finder or: open -a "/Applications/xxx.app" Trigger OSSystemExtensionRequest activationRequestForExtension for: com.seaskylight.yksmacos.ExamNetFilter.data Observe failure callback (code=4). Collect logs: log show --last 2m --style compact --info --debug --predicate 'process == "sysextd"' systemextensionsctl list (shows 0 extension(s)) Observed Results sysextd client activation request for com.seaskylight.yksmacos.ExamNetFilter.data attempting to realize extension with identifier com.seaskylight.yksmacos.ExamNetFilter.data no policy, cannot allow apps outside /Applications App-side diagnostics (captured at failure) pid=3249 bundlePath=/Applications/xxx.app bundlePathReal=/Applications/xxx.app execPath=/Applications/xxx.app/Contents/MacOS/xxx execPathReal=/Applications/xxx.app/Contents/MacOS/xxx extPath=/Applications/xxx.app/Contents/Library/SystemExtensions/ExamNetFilterData.systemextension extExists=true runningFromHelper=false Error callback NSError{domain=OSSystemExtensionErrorDomain code=4 desc=Extension not found in App bundle...} Additional Validation We reproduced the same failure using a minimal native host app (SysExtProbe) in /Applications that only submits the activation request for the same extension identifier. It also fails with OSSystemExtensionErrorDomain code=4, indicating this is not specific to Electron app logic. Signing / Packaging Notes Host app and system extension are signed with the same Team ID (BVU65MZFLK). System extension bundle exists under: /Applications/xxx.app/Contents/Library/SystemExtensions/ExamNetFilterData.systemextension Extension Info.plist contains bundle id: com.seaskylight.yksmacos.ExamNetFilter.data Host app includes NSSystemExtensionUsageDescription. Questions for DTS In non-MDM personal-device scenarios, what exact conditions trigger sysextd to emit: no policy, cannot allow apps outside /Applications even when both bundlePath and realpath are in /Applications? Can code=4 (“Extension not found in App bundle”) be returned for policy/state reasons even when extension bundle is present and identifier matches? Are there known sysextd policy/cache states that cause this behavior, and what is the recommended recovery procedure?

Hello team, I am trying to find out a way to block urls in the chrome browser if it is found in local blocked list cache. I found URL Filter Network very much suitable for my requirement. But I see at multiple places that this solution is only for Enterprise level or MDM or supervised device. So can I run this for normal user ? as my targeting audience would be bank users. One more thing how can I test this in development environment if we need supervised devices and do we need special entitlement ? When trying to run sample project in the simulator then getting below error

Hello, I am currently developing a PIR server using the pir-server-example repository. We are anticipating a total of 10 million URLs for our dataset. In this context, what would be the optimal shard size (number of records per shard) to balance computational latency and communication overhead? Any advice or best practices for handling a dataset of this scale would be greatly appreciated. Thank you.