As you mentioned, I currently have an SSH server. I would like to know if it's possible to download the MDM profile via SFTP instead of Safari in the app.
If that is possible, I am considering implementing it through an SFTP client library.
Thank you!
I found out the following information during my research:
I wonder if the following statements are correct:
If 'Warn about fraudulent websites' is enabled in Settings > Safari > Apps, HSTS is also enabled.
The reason for the message 'Safari cannot open the page. Error: Could not navigate to HTTP URL with HTTPS-only mode enabled' is that HSTS blocks HTTP.
Are these correct?
To elaborate, it is as follows.
I have been uploading my MDM app to the App Store for several years, and there have been no changes to the guidelines related to 2.5.9 during that time.
However, I received a rejection for guideline 2.5.9 during this review without any changes to the functionality. They say it is because of the installation of the MDM profile. Is the issue with the camera blocking itself, or is it with the method of profile installation (HIG)?
Feedback received:
The app is using standard switches or other basic user interface elements in a non-standard way. Specifically, this app installs a configuration profile that disables the device's camera.
To resolve this issue, please modify the app to implement this functionality in a way that does not use standard switches or other basic user interface elements in a non-standard manner.
Is it acceptable to request a re-evaluation without any changes to the functionality?
I also feel bad because I'm not the decision maker. Anyway, I want to ask more questions to try to resolve as much as possible.
You mentioned
The infrastructure used to install configuration profiles is internal to Safari. It’s not available as an API, and nor is it accessible via WKWebView.
does that mean it is impossible to implement other communication methods such as SFTP for MDM profiles instead of the web?
If it's possible, could you let me know the optimal results, aside from the web option?
Thank you for your comment! :)
I am attempting to apply NSAllowsLocalNetworking in the Plist, despite the risk of it affecting the review process, as I am using a loopback address.
However, it is not being applied.
According to the documentation, local network access should not be blocked on iOS 17 and above. I am testing on iOS 18.2, but it is still being blocked.
If the "Not Secure Connection Warnings" is enabled in Settings > App > Safari, are HTTP connections not allowed under any circumstances?
Reference:
https://developer.apple.com/documentation/bundleresources/information-property-list/nsapptransportsecurity/nsallowslocalnetworking
Thank you for your help!
You are not checking your email. The file you want to download is an MDM profile! Thank you.😀
Before answering, I would like to make a correction. I have confirmed that Safari is not opened as a third-party browser but is instead launched in-app using SFSafariViewController.
When the app enters the foreground, the server stops, and when it moves to the background, the server starts running. Before transitioning to the background, the following code is used to define a background task:
    - (void)didEnterBackground
    {
        if (_willEnterBackground && _bgTask == UIBackgroundTaskInvalid) {
            NSAssert(_bgTask == UIBackgroundTaskInvalid, nil);
            _bgTask = [[UIApplication sharedApplication] beginBackgroundTaskWithExpirationHandler:^{
                dispatch_async(dispatch_get_main_queue(), ^{
                    [[UIApplication sharedApplication] endBackgroundTask:self->_bgTask];
                    self->_bgTask = UIBackgroundTaskInvalid;
                });
            }];
        }
    }
Overall Flow:
When the user clicks a button, an embedded HTML page is opened in Safari. This serves as a UI to display instructions and allows the user to download a single file.
There are no additional functionalities beyond this.
To ensure lightweight operation and prevent external access, we do not use external servers or domains.
Answers to Your Questions:
1. Are multiple users using this feature?
Yes, multiple users are using it. However, they can only download the designated file from the server; they cannot modify any data.
2. Does this run on multiple devices?
Yes, it does.
3. Which apps are involved on each device?
Only my app (which includes an embedded web server) and Safari are involved.
4. What actions do users take to trigger HTTP[S] requests?
When the user clicks a button, the Mongoose server starts, loads an HTML file stored within the app, and displays the page to the user via Safari.
I hope my explanation is clear. Thank you! 😄
@DTS Engineer Thank you so much for your response!
Here is my situation:
I am running an older version of Mongoose Server (an embedded web server) to serve files. The web server uses a loopback address (127.0.0.x) and is primarily used to download necessary files for my app.
However, recently, accessing this web server has started triggering security warnings, which negatively impact the user experience (UX). I am looking for a solution to this issue.
I have a few questions:
"If you must support web browsers, you have to live with the dire security warnings that they’ll present when you connect to a local server" > Does this mean there is no possible solution to remove these security warnings?
I found a method online to bypass certificate validation. Would this affect security even though I am using a loopback address?
    func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        print("[Gyeom] HTTPS Host: \(challenge.protectionSpace.host)")
        if challenge.protectionSpace.host.contains("127.0.0") {
            let urlCredential = URLCredential(trust: challenge.protectionSpace.serverTrust!)
            completionHandler(.useCredential, urlCredential)
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
Are there any other possible solutions to this problem?
Thank you!! 😊
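For comparison with the handler in the post above, an added example (not part of the original post and not Apple's or Mongoose's code) that matches the loopback host exactly instead of by substring and accepts the connection only when the server presents one specific certificate. The class name `LoopbackPinningDelegate` and the parameter `pinnedCertificateDER` are hypothetical; the example assumes the app already holds the DER bytes of its embedded server's certificate.

```swift
import Foundation
import Security
import WebKit

/// Hypothetical delegate, added for illustration. `pinnedCertificateDER` is
/// assumed to be the DER encoding of the embedded server's own certificate.
@available(iOS 15.0, *)
final class LoopbackPinningDelegate: NSObject, WKNavigationDelegate {
    // Exact host strings only; a substring test such as contains("127.0.0")
    // would also match host names that merely include that text.
    private let allowedHosts: Set<String> = ["127.0.0.1"]
    private let pinnedCertificateDER: Data

    init(pinnedCertificateDER: Data) {
        self.pinnedCertificateDER = pinnedCertificateDER
        super.init()
    }

    func webView(_ webView: WKWebView,
                 didReceive challenge: URLAuthenticationChallenge,
                 completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace

        // Every other host and every other challenge type keeps the
        // system's normal certificate validation.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              allowedHosts.contains(space.host) else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // For the loopback host, fail closed unless the leaf certificate is
        // byte-for-byte the pinned one.
        guard let trust = space.serverTrust, presentsPinnedLeaf(trust) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    /// Returns true when the first certificate in the presented chain equals the pin.
    private func presentsPinnedLeaf(_ trust: SecTrust) -> Bool {
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else { return false }
        return (SecCertificateCopyData(leaf) as Data) == pinnedCertificateDER
    }
}
```

The pin is only as strong as the secrecy of the matching private key: a key shipped inside the app bundle can be extracted from the binary, whereas a key pair generated on the device per install stays out of the bundle. This delegate applies to a `WKWebView` only and has no effect on what Safari or `SFSafariViewController` displays.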
Please note that I am using the loopback address (127.0.0.1)!