Hi everyone, I'm developing an enterprise iOS application and need to access the WiFi connection channel. I understand that Apple's privacy and security policies restrict direct access to certain network details, including the WiFi connection channel. After some research, I found that this data might be accessible via the private API MobileWiFi.framework. However, when I tried to use this framework, I encountered the following error: Missing com.apple.wifi.manager-access entitlement I reached out to Apple regarding this entitlement, but they were not familiar with it, suggesting it might be deprecated. Here are my questions: Is there an official or supported way to access the WiFi connection channel in an enterprise iOS app? If not, is there any workaround or additional steps required to use the MobileWiFi.framework without encountering the entitlement error? Are there any specific entitlements or provisioning profile configurations that I need to be aware of to resolve this issue? Any guidance or suggestions would be greatly appreciated. Thank you!

We are implementing a connection between iPad and iPhone devices using LocalPushConnectivity, and have introduced SimplePushProvider into the project. We will have it switch between roles of Server and Client within a single project. ※ iPad will be Server and the iPhone will be Client. Communication between Server and Client is via TLS, with Server reading p12 file and Client setting public key. Currently, a TLS error code of "-9836" (invalid protocol version) is occurring when communicating from Client's SimplePushProvider to Server. I believe that Client is sending TLS1.3, and Server is set to accept TLS1.2 to 1.3. Therefore, I believe that the actual error is not due to TLS protocol version, but is an error that is related to security policy or TLS communication setting. Example: P12 file does not meet some requirement NWProtocolTLS.Options setting is insufficient etc... I'm not sure what the problem is, so please help. For reference, I will attach you implementation of TLS communication settings. P12 file is self-signed and was created by exporting it from Keychain Access. Test environment: iPad (OS: 16.6) iPhone (OS: 18.3.2) ConnectionOptions: TLS communication settings public enum ConnectionOptions { public enum TCP { public static var options: NWProtocolTCP.Options { let options = NWProtocolTCP.Options() options.noDelay = true options.enableFastOpen return options } } public enum TLS { public enum Error: Swift.Error { case invalidP12 case unableToExtractIdentity case unknown } public class Server { public let p12: URL public let passphrase: String public init(p12 url: URL, passphrase: String) { self.p12 = url self.passphrase = passphrase } public var options: NWProtocolTLS.Options? { guard let data = try? Data(contentsOf: p12) else { return nil } let pkcs12Options = [kSecImportExportPassphrase: passphrase] var importItems: CFArray? let status = SecPKCS12Import(data as CFData, pkcs12Options as CFDictionary, &importItems) guard status == errSecSuccess, let items = importItems as? [[String: Any]], let importItemIdentity = items.first?[kSecImportItemIdentity as String], let identity = sec_identity_create(importItemIdentity as! SecIdentity) else { return nil } let options = NWProtocolTLS.Options() sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, .TLSv12) sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, .TLSv13) sec_protocol_options_set_local_identity(options.securityProtocolOptions, identity) sec_protocol_options_append_tls_ciphersuite(options.securityProtocolOptions, tls_ciphersuite_t.RSA_WITH_AES_128_GCM_SHA256) return options } } public class Client { public let publicKeyHash: String private let dispatchQueue = DispatchQueue(label: "ConnectionParameters.TLS.Client.dispatchQueue") public init(publicKeyHash: String) { self.publicKeyHash = publicKeyHash } // Attempt to verify the pinned certificate. public var options: NWProtocolTLS.Options { let options = NWProtocolTLS.Options() sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, .TLSv12) sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, .TLSv13) sec_protocol_options_set_verify_block( options.securityProtocolOptions, verifyClosure, dispatchQueue ) return options } private func verifyClosure( secProtocolMetadata: sec_protocol_metadata_t, secTrust: sec_trust_t, secProtocolVerifyComplete: @escaping sec_protocol_verify_complete_t ) { let trust = sec_trust_copy_ref(secTrust).takeRetainedValue() guard let serverPublicKeyData = publicKey(from: trust) else { secProtocolVerifyComplete(false) return } let keyHash = cryptoKitSHA256(data: serverPublicKeyData) guard keyHash == publicKeyHash else { // Presented certificate doesn't match. secProtocolVerifyComplete(false) return } // Presented certificate matches the pinned cert. secProtocolVerifyComplete(true) } private func cryptoKitSHA256(data: Data) -> String { let rsa2048Asn1Header: [UInt8] = [ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00 ] let data = Data(rsa2048Asn1Header) + data let hash = SHA256.hash(data: data) return Data(hash).base64EncodedString() } private func publicKey(from trust: SecTrust) -> Data? { guard let certificateChain = SecTrustCopyCertificateChain(trust) as? [SecCertificate], let serverCertificate = certificateChain.first else { return nil } let publicKey = SecCertificateCopyKey(serverCertificate) return SecKeyCopyExternalRepresentation(publicKey!, nil)! as Data } } } }

Hello, A quick background: I am developing an App that receives a data stream from a device through its Wi-Fi network. The device itself is not connected to the internet, so the app won't be either. Now, I am adding a new feature to the App that would require internet connection during the data stream. Consequently, my users would need to use their cellular data. On later versions of iPhone, the phone would occasionally detect the lack of internet connection and asks the user via a pop-up if they want to use their cellular data. However, this behavior is not consistent. So my question is- can we programmatically invoke this pop-up so the user can connect to the internet? Or even better- can we program the App to use cellular data while still being connected to a Wi-Fi network? Note: I have seen mixed answers on the internet whether this is doable or not, and I know that users are able do it themselves by manually configuring their IP in their WiFi settings page, but I doubt this operation can be done through the App for security reasons. Thanks!

(iOS 17.3) I'm using the Apple supplied iOS sample project "ConfiguringAWiFiAccessoryToJoinTheUsersNetwork" as a base to write an App to configure an existing WiFi device using the NEHotspotConfiguration API's. I have almost everything working, and can join the network and send a packet to the device to configure it. I know that it is working as the device responds properly to what I send it. But I am not able to receive the response back from the device to the packet sent. (Only need 1 packet sent and 1 packet received) However. If I run a packet sniffer on the phone before running my test App, then I do get a response. No packet sniffer running, no response. When I do a debugDescription on the NWConnection after it reaches ".ready", I notice that when the sniffer is running I'm using loopback lo0: [C1 connected 192.168.4.1:80 tcp, url: http://192.168.4.1:80, attribution: developer, path satisfied (Path is satisfied), viable, interface: lo0] and I get a packet response in the NWConnection receiveMessage callback. But with no sniffer running, I get interface en0: [C1 connected 192.168.4.1:80 tcp, url: http://192.168.4.1:80, attribution: developer, path satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi] and there is no callback to the receiveMessage handler and the NWconnection eventually times out. The interface used seems to be the only difference that I can see when I have a sniffer running. Any ideas as to why I can't see a response in "normal" operation?

I'm working on enabling a content filter in my iOS app using NEFilterManager and NEFilterProviderConfiguration. The setup works perfectly in debug builds when running via Xcode, but fails on TestFlight builds with the following error: **Failed to save filter settings: permission denied ** **Here is my current implementation: ** (void)startContentFilter { NSUserDefaults *userDefaults = [NSUserDefaults standardUserDefaults]; [userDefaults synchronize]; [[NEFilterManager sharedManager] loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) { dispatch_async(dispatch_get_main_queue(), ^{ if (error) { NSLog(@"Failed to load filter: %@", error.localizedDescription); [self showAlertWithTitle:@"Error" message:[NSString stringWithFormat:@"Failed to load content filter: %@", error.localizedDescription]]; return; } NEFilterProviderConfiguration *filterConfig = [[NEFilterProviderConfiguration alloc] init]; filterConfig.filterSockets = YES; filterConfig.filterBrowsers = YES; NEFilterManager *manager = [NEFilterManager sharedManager]; manager.providerConfiguration = filterConfig; manager.enabled = YES; [manager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) { dispatch_async(dispatch_get_main_queue(), ^{ if (error) { NSLog(@"Failed to save filter settings: %@", error.localizedDescription); [self showAlertWithTitle:@"Error" message:[NSString stringWithFormat:@"Failed to save filter settings: %@", error.localizedDescription]]; } else { NSLog(@"Content filter enabled successfully!"); [self showAlertWithTitle:@"Success" message:@"Content filter enabled successfully!"]; } }); }]; }); }]; } **What I've tried: ** Ensured the com.apple.developer.networking.networkextension entitlement is set in both the app and system extension. The Network extension target includes content-filter-provider. Tested only on physical devices. App works in development build, but not from TestFlight. **My questions: ** Why does saveToPreferencesWithCompletionHandler fail with “permission denied” on TestFlight? Are there special entitlements required for using NEFilterManager in production/TestFlight builds? Is MDM (Mobile Device Management) required to deploy apps using content filters? Has anyone successfully implemented NEFilterProviderConfiguration in production, and if so, how?

My laptop (M1 Pro, macOS 15.3.2) is connected to a dual stack network via Wi-Fi. The home.arpa. domain is supplied as a search domain via both DHCPv4 (options 15 and 119) and DHCPv6 (option 24). "Details…" for the network connection in System Settings show this domain under the DNS tab. The laptop uses a Forwarding DNS Resolver of my router, which in turn forwards requests for home.arpa. (including subdomains) to a local DNS server (CoreDNS) which is authoritative for this zone. The DNS server is configured via the following zone file: $ORIGIN home.arpa. $TTL 3600 @ IN SOA @ nobody.invalid. (1 3600 1200 604800 3600) @ NS @ @ AAAA ….1 gateway A ….1 gateway AAAA …::1 b._dns-sd._udp PTR @ lb._dns-sd._udp PTR @ db._dns-sd._udp PTR @ _services._dns-sd._udp PTR _smb._tcp _smb._tcp PTR Media._smb._tcp Media._smb._tcp SRV 0 0 445 gateway Media._smb._tcp TXT ("path=/media" "u=guest") Output of dig(1) looks like: $ dig @….1 -t PTR lb._dns-sd._udp.home.arpa. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43291 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;lb._dns-sd._udp.home.arpa. IN PTR ;; ANSWER SECTION: lb._dns-sd._udp.home.arpa. 1993 IN PTR home.arpa. ;; AUTHORITY SECTION: home.arpa. 2771 IN NS home.arpa. $ dig @….1 -t PTR _services._dns-sd._udp.home.arpa. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9057 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;_services._dns-sd._udp.home.arpa. IN PTR ;; ANSWER SECTION: _services._dns-sd._udp.home.arpa. 3600 IN PTR _smb._tcp.home.arpa. ;; AUTHORITY SECTION: home.arpa. 3600 IN NS home.arpa. $ dig @….1 -t PTR _smb._tcp.home.arpa. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44220 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;_smb._tcp.home.arpa. IN PTR ;; ANSWER SECTION: _smb._tcp.home.arpa. 3599 IN PTR Media._smb._tcp.home.arpa. ;; AUTHORITY SECTION: home.arpa. 3599 IN NS home.arpa. $ dig @….1 -t SRV Media._smb._tcp.home.arpa. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45878 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;Media._smb._tcp.home.arpa. IN SRV ;; ANSWER SECTION: media._smb._tcp.home.arpa. 3600 IN SRV 0 0 445 gateway.home.arpa. ;; AUTHORITY SECTION: home.arpa. 3600 IN NS home.arpa. $ dig @….1 -t A gateway.home.arpa. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2782 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;gateway.home.arpa. IN A ;; ANSWER SECTION: gateway.home.arpa. 86400 IN A 192.168.99.1 ;; AUTHORITY SECTION: home.arpa. 3578 IN NS home.arpa. $ dig @….1 -t AAAA gateway.home.arpa. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17297 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;gateway.home.arpa. IN AAAA ;; ANSWER SECTION: gateway.home.arpa. 3600 IN AAAA fd6f:9784:5753::1 ;; AUTHORITY SECTION: home.arpa. 3600 IN NS home.arpa. Output of dns-sd(1): /usr/bin/dns-sd -test … Testing for error returns when various strings are > 63 bytes: PASSED Running basic API input range tests with various pointer parameters set to NULL: Basic API input range tests: PASSED $ dns-sd -m -F Looking for recommended browsing domains: DATE: ---Fri 11 Apr 2025--- 8:50:17.846 ...STARTING... Timestamp Recommended Browsing domain 8:50:17.847 Added (More) local 8:50:17.847 Added arpa - > home $ dns-sd -B _smb._tcp home.arpa. Browsing for _smb._tcp.home.arpa. DATE: ---Fri 11 Apr 2025--- 8:59:10.044 ...STARTING... $ dns-sd -L Media _smb._tcp home.arpa. Lookup Media._smb._tcp.home.arpa. DATE: ---Fri 11 Apr 2025--- 9:15:53.328 ...STARTING... $ dns-sd -Q _smb._tcp.home.arpa. PTR IN DATE: ---Fri 11 Apr 2025--- 9:16:52.208 ...STARTING... Timestamp A/R Flags IF Name Type Class Rdata 9:16:52.210 Add 40000002 0 _smb._tcp.home.arpa. PTR IN 0.0.0.0 No Such Record 9:16:52.222 Add 2 0 _smb._tcp.home.arpa. PTR IN 0.0.0.0 No Such Record Similarly, when I open Finder->Network I see home.arpa but it's empty. Of interest is that on the DNS server side I see the following requests being made: 2025-04-11 09:03:15 container,info,debug [INFO] […]:56541 - 21555 "SOA IN _afpovertcp._tcp.home.arpa. udp 44 false 512" NXDOMAIN qr,aa,rd 112 0.000755089s 2025-04-11 09:03:15 container,info,debug [INFO] […]:56077 - 58266 "SOA IN _smb._tcp.home.arpa. udp 37 false 512" NOERROR qr,aa,rd 105 0.001012632s 2025-04-11 09:03:15 container,info,debug [INFO] […]:45274 - 45976 "SOA IN _rfb._tcp.home.arpa. udp 37 false 512" NXDOMAIN qr,aa,rd 105 0.000762339s 2025-04-11 09:03:15 container,info,debug [INFO] […]:54387 - 32090 "SOA IN _adisk._tcp.home.arpa. udp 39 false 512" NXDOMAIN qr,aa,rd 107 0.001058132s 2025-04-11 09:03:15 container,info,debug [INFO] […]:35855 - 51155 "SOA IN _tcp.home.arpa. udp 32 false 512" NOERROR qr,aa,rd 100 0.000664963s I suppose that an attempt to locate services is made but it's unsuccessful and I'm not sure why. What further debugging can I attempt?

Hi all! I’m having trouble distributing an iOS app with a DNS Proxy NetworkExtension via AdHoc. The app and extension work perfectly with development profiles, but when I export and install the AdHoc IPA, I get a “permission denied” error when trying to install/enable the DNS Proxy extension. What I’ve done: Both the app and the DNS Proxy extension have their own App IDs in the Apple Developer portal. Both App IDs have the same App Group enabled: group.com.irakai.SafeLinkApp2. The extension App ID has the NetworkExtension capability with dns-proxy enabled. I created two AdHoc provisioning profiles (one for the app, one for the extension), both including the same devices and the correct entitlements. I assigned the correct AdHoc profiles to each target in Xcode and exported the IPA via Organizer. I install the IPA on a registered device using Apple Configurator. Entitlements (extracted from the signed binaries on device): App: <key>application-identifier</key><string>6PBG234246.com.irakai.SafeLinkApp2</string> <key>com.apple.developer.networking.networkextension</key><array> <string>packet-tunnel-provider</string> <string>dns-proxy</string> </array> <key>com.apple.developer.team-identifier</key><string>6PBG234246</string> <key>com.apple.security.application-groups</key><array> <string>group.com.irakai.SafeLinkApp2</string> </array> <key>get-task-allow</key><false/> DNSProxy Extension: <key>application-identifier</key><string>6PBG234246.com.irakai.SafeLinkApp2.DNSProxy</string> <key>com.apple.developer.networking.networkextension</key><array> <string>dns-proxy</string> </array> <key>com.apple.developer.team-identifier</key><string>6PBG234246</string> <key>com.apple.security.application-groups</key><array> <string>group.com.irakai.SafeLinkApp2</string> </array> <key>get-task-allow</key><false/> Error message (from my app’s logs): Error instalando DNS Proxy: permission denied Usuario: Roberto AppGroup: group.com.irakai.SafeLinkApp2 AppGroupPath: /private/var/mobile/Containers/Shared/AppGroup/D8AD2DED-AD96-4915-9B7A-648C9504679B Entitlements: BundleId: com.irakai.SafeLinkApp2 Debug info: Error Domain=NEDNSProxyErrorDomain Code=1 "permission denied" UserInfo={NSLocalizedDescription=permission denied} Other details: The device is included in both AdHoc profiles. The App Group is present and identical in both entitlements. The extension’s bundle identifier matches the App ID in the portal. The extension is signed with the correct AdHoc profile. I have tried rebooting the device and reinstalling the IPA. The error only occurs with AdHoc; development builds work fine. Questions: Is there anything else I should check regarding AdHoc provisioning for NetworkExtension DNS Proxy? Are there any known issues with AdHoc and NetworkExtension on recent iOS versions? Is there a way to get more detailed diagnostics from the system about why the permission is denied? Could this be a bug in iOS, or am I missing a subtle configuration step? Any help or suggestions would be greatly appreciated. Thank you!

Good day, this is a concept maybe newbie question… what would be the best approach to develop the real time app… what I want is to be able to connect one device to other one within the app, and for example, if the app has a draggable object, then if one user drags the object, the other user see the object moving in real time I his own device, maybe using a ghost mode when interacting… this way both users using the app can interact with the objects in real-time. It’s not a game, so there’s no score… could I use gamecenter? or multipeer connectivity over BT? Is there a native framework? wich would be the easiest and less battery and system consuming approach someone could suggest? thank you in advance….

I’m working on an iOS parental-control app that needs to block specific network traffic (e.g. certain domains or URLs). We’ve already obtained the Family Controls entitlement (since our app is explicitly a parental-control solution), but we do not use MDM to supervise devices. In testing, our NEFilterDataProvider extension only activates when the device is enrolled under a managed Family Controls profile. I am aware that we can use a PacketTunnel to achieve this but i was wondering if there is any simpler solution to this? Thanks for you time!

Our application currently uses NEFilterPacketProvider to filter network traffic based on Layer 4 rules (5-tuple: source IP, destination IP, source port, destination port, and protocol) on a packet-by-packet basis. We now want to extend this filtering to also consider the associated process—for example, allowing traffic from a specific source IP to a destination IP and port only if it's associated with a specific local process. That is, we’d like to make filtering decisions not just based on the 5-tuple, but also on the identity of the process either sending or receiving the traffic. We’ve looked into NEFilterSocketProvider, which does expose Layer 7 information such as process identifiers. However, it doesn’t seem to be tightly synchronized with the packet flow handled by NEFilterPacketProvider. As a result, there’s a risk that we might only get process information after the TCP handshake is complete, or before the socket is fully bound—at which point some of the 5-tuple fields (such as the local port) may still be unavailable. What we need is a way to correlate the 5-tuple with the relevant process name (either sender or receiver) at the time the first packet—e.g., a SYN packet—is about to be sent or received. Is there a recommended way to achieve this kind of early, process-aware filtering using NetworkExtension APIs?

I've implemented a custom VPN system extension for macOS, utilizing Packet Tunnel Provider. One of the users reported a problem: he was connected to the VPN, and then his Mac entered sleep mode. Upon waking, the VPN is supposed to connect automatically (because of the on-demand rules). The VPN's status changed to 'connecting', but it remained stuck in this status. From my extension logs, I can see that the 'startTunnelWithOption()' function was called 2 minutes after the user clicked the 'connect' button. From the system logs, I noticed some 'suspicious' logs, but I can't be sure if they are related to the problem. Some of them are: kernel: (Sandbox) Sandbox: nesessionmanager(562) deny(1) system-fsctl (_IO "h" 47) entitlement com.apple.developer.endpoint-security.client not present or not true (I don't need this entitlement at the extension) nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:XXXXXX(null)]: Skip a start command from YYYYY:session in state connecting NetworkExtension.com.***: RunningBoard doesn't recognize submitted process - treating as a anonymous process sysextd: activateDecision found existing entry of same version: state activated_enabled, ID FAE... Are any of the logs related to the above problem? How can I debug such issues? What info should I get from the user?

Hello, I am seeking guidance regarding the com.apple.managed.vpn.shared keychain access group entitlement for our iOS app, which is required to support managed VPN configurations distributed via MDM profiles. Background: Our app uses the Network Extension framework and requires access to VPN credentials stored in configuration profiles, which—according to Apple documentation and forum posts—necessitates the com.apple.managed.vpn.shared entitlement We have already enabled the standard Network Extension entitlements via the Apple Developer portal What I Have Tried: I referenced the advice from a past Apple DTS engineer in this forum post: https://aninterestingwebsite.com/forums/thread/67613 I have submitted multiple requests to Apple Developer Technical Support (DTS) over the past two months, clearly explaining our use case and referencing the official documentation as well as the above forum thread Unfortunately, I have either received no response or responses that do not address my request for the special entitlement Questions: Has anyone successfully received the com.apple.managed.vpn.shared entitlement recently? If so, what was the process and how long did it take? Is there a specific format or information I should include in my DTS request to expedite the process or avoid misunderstandings? Are there any alternative contacts or escalation paths within Apple Developer Support for cases where standard DTS requests are ignored or misunderstood? Thank you in advance for your help

Hey, We also opened a feedback assistant request, and also opened a ticket with Apple Developer Technical Support a while ago that notice the unmount problem also but it was before we pin point the problem to the Network Extension. After a further investigation, we've found out that the root cause of this problem is cause by having a network filter from the NetworkExtension provider on (Specifically we have tested with the NEFilterDataProvider) while having a Xsan volume. The NEFilterDataProvider causing problems for the Xsan, and is stalling the shutdown until we get a panic from watchdog timeout, and only then the mac is fully shutdown. The problem from what we investigated and also talked with you, is that the Xsan process can't unmount the volume and stuck. We have also noticed that if we install a network extension and allow the popup of the network filters, i.e enabled the NEFilterDataProvider the computer is stuck, and the finder is in a non responsive state until a reboot (Also probably due to the fact the Xsan is now in a problematic state). This tests was done on latest versions of MacOs 13 & 14. We have taken a sysdiagnose from the computer while we have tested. Do you familiar with the problem (We got no answer on the feedback assistant)? Thank you, Idan

Our app supports live streaming (RTSP, RTMP, WebRTC) functionality. After updating to the 18.5 Developer Beta version, we’ve encountered an issue where streaming over LTE is not working for customers using SKT (SK Telecom) as their carrier. Upon investigation, it seems that a similar issue might be occurring with a streaming service app called "SOOP." I would appreciate it if you could share any information regarding this bug. Thank you.

Hi, I had a few questions regarding the multicast networking entitlement. What are the criteria for approval? Do ad-hoc multicast protocols fall under the approval criteria? How long do approvals for multicasting generally take?

When the machine connects to the network cable through the Thunderbolt interface using the docking station, if the Network Extension shown in the following code is running at this time, after unplugging and reinserting the docking station, the machine will not be able to obtain a valid IP address through DHCP until the system is restarted. @interface MyTransparentProxyProvider : NETransparentProxyProvider @end @implementation MyTransparentProxyProvider - (void)startProxyWithOptions:(NSDictionary *)options completionHandler:(void (^)(NSError *))completionHandler { NETransparentProxyNetworkSettings *objSettings = [[NETransparentProxyNetworkSettings alloc] initWithTunnelRemoteAddress:@"127.0.0.1"]; // included rules NENetworkRule *objIncludedNetworkRule = [[NENetworkRule alloc] initWithRemoteNetwork:nil remotePrefix:0 localNetwork:nil localPrefix:0 protocol:NENetworkRuleProtocolAny direction:NETrafficDirectionOutbound]; NSMutableArray<NENetworkRule *> *arrIncludedNetworkRules = [NSMutableArray array]; [arrIncludedNetworkRules addObject:objIncludedNetworkRule]; objSettings.includedNetworkRules = arrIncludedNetworkRules; // apply [self setTunnelNetworkSettings:objSettings completionHandler: ^(NSError * _Nullable error) { // TODO } ]; if (completionHandler != nil) completionHandler(nil); } - (BOOL)handleNewFlow:(NEAppProxyFlow *)flow { return NO; } @end This problem will not occur if the IP of the DNS server or all UDP ports 53 are excluded in the Network Extension. @interface MyTransparentProxyProvider : NETransparentProxyProvider @end @implementation MyTransparentProxyProvider - (void)startProxyWithOptions:(NSDictionary *)options completionHandler:(void (^)(NSError *))completionHandler { NETransparentProxyNetworkSettings *objSettings = [[NETransparentProxyNetworkSettings alloc] initWithTunnelRemoteAddress:@"127.0.0.1"]; // included rules NENetworkRule *objIncludedNetworkRule = [[NENetworkRule alloc] initWithRemoteNetwork:nil remotePrefix:0 localNetwork:nil localPrefix:0 protocol:NENetworkRuleProtocolAny direction:NETrafficDirectionOutbound]; NSMutableArray<NENetworkRule *> *arrIncludedNetworkRules = [NSMutableArray array]; [arrIncludedNetworkRules addObject:objIncludedNetworkRule]; // excluded rules NENetworkRule *objExcludedNetworkRule = [[NENetworkRule alloc] initWithRemoteNetwork:[NWHostEndpoint endpointWithHostname:@"" port:@(53).stringValue] remotePrefix:0 localNetwork:nil localPrefix:0 protocol:NENetworkRuleProtocolUDP direction:NETrafficDirectionOutbound]; NSMutableArray<NENetworkRule *> *arrExcludedNetworkRules = [NSMutableArray array]; [arrExcludedNetworkRules addObject:objExcludedNetworkRule]; objSettings.includedNetworkRules = arrIncludedNetworkRules; objSettings.excludedNetworkRules = arrExcludedNetworkRules; // apply [self setTunnelNetworkSettings:objSettings completionHandler: ^(NSError * _Nullable error) { // TODO } ]; if (completionHandler != nil) completionHandler(nil); } - (BOOL)handleNewFlow:(NEAppProxyFlow *)flow { return NO; } @end Is MyTransparentProxyProvider in what place do wrong? To handle the connection on port 53, it is necessary to add the implementation of NEDNSProxyProvider? In -[MyTransparentProxyProvider handleNewFlow:] how to reverse DNS? getnameinfo() doesn't work, it returns EAI_NONAME.

Hey there! I’ve got some exciting news about Apple’s virtio_net_hdr implementation on macOS 15.4. It’s making communication a lot smoother, with a noticeable improvement! Now, I’d love to hear your thoughts on a couple of things. First, how do you think we can validate the populated values? And secondly, should we consider reusing populated values for the other endpoint, like the ‘flags’ field? Your insights would be invaluable!

I've built a VPN app that is based on wireguard on macOS (I have both AppStore ver. and Developer ID ver). I want to achieve split tunneling function without changing the system route table. Currently, I'm making changes in PacketTunnelProvider: NEPacketTunnelProvider. It has included/excluded routes that function as a split tunnel, just that all changes are immediately reflected on the route table: if I run netstat -rn in terminal, I would see all rules/CIDRs I added, displayed all at once. Since I have a CIDR list of ~800 entries, I'd like to avoid changing the route table directly. I've asked ChatGPT, Claude, DeepSeek, .etc. An idea was to implement an 'interceptor' to intercept all packets in packetFlow(_:readPacketsWithCompletionHandler:), extract the destination IP from each packet, check if it matches your CIDR list, and either reinject it back to the system interface (for local routing) or process it through your tunnel. Well, LLMs could have hallucinations and I've pretty new to macOS programming. I'm asking to make sure I'm on the right track, not going delusional with those LLMs :) So the question is, does the above method sounds feasible? If not, is it possible to achieve split tunneling without changing the route table?

Starting on macOS Sequoia, flows originated in Firefox have an empty sourceAppAuditToken. Other apps contain a valid token. Background: in order to fetch process info for a certain NEFilterFlow, my content filter extension uses sourceAppAuditToken, audit_token_to_pid() and proc_* (as recommended in #126820). When that fails, we use SecCodeCopyGuestWithAttributes, recommended in some other thread as a better alternative. Both approaches break when the sourceAppAuditToken is empty since they need the pid. Debugging: My logging shows audit token is empty for Firefox Typical logs from com.apple.networkextension also indicate it fails to fetch the same info I'm looking for: com.apple.networkextension debug 11:22:07.024588-0300 Fetching appInfo from cache for pid: 948 uuid: 5C40B765-C6C9-3641-A822-2BC44D264361 bundle id: (null) com.apple.networkextension debug 11:22:07.024657-0300 Calling delegate lookup handler with pid: 948, uuid: 5C40B765-C6C9-3641-A822-2BC44D264361, bundleID: (null) com.apple.networkextension debug 11:22:07.025856-0300 Could not look up appInfo for pid: 948 bundle id: (null) uuid: 5C40B765-C6C9-3641-A822-2BC44D264361 com.apple.networkextension error 11:22:07.025897-0300 Could not find app info, return the original flow without filling in app info Handling new flow: identifier = D89B5B5D-793C-4940-D992-4E90F2AD1900 procPID = 953 eprocPID = 948 direction = outbound inBytes = 0 outBytes = 0 signature = {length = 32, bytes = 0x4afeafde b484aa0c c5cb8698 0567343d ... 7cdee33e 135666dd } socketID = 19adf2904e92d9 localEndpoint = 0.0.0.0:0 remoteEndpoint = 17.33.202.170:443 protocol = 6 family = 2 type = 1 procUUID = 0C68E603-967E-3643-B225-378BD2A655F7 eprocUUID = 5C40B765-C6C9-3641-A822-2BC44D264361 Perhaps there's a bug when generating the audit token or could it be something with the Firefox signature? I double-checked Firefox and it seems fine: $ codesign --verify --verbose /Applications/Firefox.app /Applications/Firefox.app: valid on disk /Applications/Firefox.app: satisfies its Designated Requirement Not sure if relevant, but codesign with -dv showed different flags in CodeDirectory when compared to chrome: codesign -dv /Applications/Firefox.app ... CodeDirectory v=20500 size=863 flags=0x10000(runtime) hashes=18+5 ... Versus chrome CodeDirectory v=20500 size=1821 flags=0x12a00(kill,restrict,library-validation,runtime) hashes=46+7 location=embedded

I have written an App which extracts data, over WiFi, from an instrument that creates its own WiFi Hotspot. The instrument provides no internet connection. The iPad version of this App is connects fine and is assigned an IP address by DHCP server running on a MicroChip RN171 wifi module. iOS assigns an obscure IP address on a completely different subnet. I understand this is iOS' way of "Complaining" that is wasn't assigned an IP address. Consequently in the case of the iPhone I am forced to manually assign an IP address for the iPhone, the mask and the gateway. Only then is the connection successful. Anyone know why the iPhone won't talk DHCP to a WiFi module not connected to the internet? Are there perhaps some parameters that I need to adjust on either the iPhone or WiFi module?