Network Extension

Customize and extend the core networking features of iOS, iPadOS, and macOS using Network Extension.

Posts under Network Extension tag

200 Posts
Columns: Post, Replies, Boosts, Views, Activity

Is it possible to operate `NEDNSProxyProvider` in transparent mode
My macOS application utilizes NEDNSProxyProvider. I have a requirement to intercept only DNS requests of a certain query type, while others are expected to continue to their respective origin. For TCP there are two kinds of extensions: NEAppProxyProvider and NETransparentProxyProvider. The latter is capable of returning NO from handleNewFlow, causing the flow to proceed to communicate directly with the flow’s ultimate destination instead of closing the flow. Is there a way to configure NEDNSProxyProvider to work in transparent mode, letting the flow proceed to communicate directly? The current NEDNSProxyProvider limitation of dropping the connection when NO is returned requires me to open a new socket and proxy the requests, which causes noticeable performance degradation under load.
2
0
411
Jan ’24
Detect SSID
I need to scan nearby Wi-Fi networks to detect whether I am near a specific SSID or not. I don't need to connect to the Wi-Fi; I will just use it to know whether I am near it or not. In Flutter I found the wifi_scan package, but its documentation mentions that using this package requires special entitlements from Apple.
2
0
377
Jan ’24
Do we need to have a privileged helper for System extension
Platform: macOS 12.0. I have an app bundle which contains a packet tunnel extension. I am not running my packet tunnel extension in a sandbox as I don't plan to post my app in Apple's App Store. I have a requirement to run privileged operations, which I can run from any place in the app. As we know, the user app cannot run these privileged operations; we can use the Service Management API SMJobBless to start a helper tool which can run these privileged tasks. But as I stated earlier, I can run these privileged tasks from any place in the bundle, and we have a packet tunnel extension which is running with root privileges. So looking at my above environment, what would be recommended? Do I really need to start a privileged helper tool, or can I directly run these privileged operations from the packet tunnel extension? One advantage I see of running these privileged tasks in the packet tunnel extension is that it will not require the additional user authentication which is needed when using SMJobBless(); this will also avoid upgrade management of the helper tool.
1
0
534
Jan ’24
[macOS] exclude network connections on the local network in NETransparentProxyProvider
Hi Team, We are using NETransparentProxyProvider and have observed that AirDrop is not functioning. I attempted to utilize protocolConfiguration in NETransparentProxyManager as mentioned below. manager.protocolConfiguration?.excludeLocalNetworks = true; but it did not work. Could you please provide guidance on how to exclude local network traffic in NETransparentProxyProvider?
2
0
514
Jan ’24
Content filter network extension activated&enabled, but not configured?
The code I have is
```objc
if (filterManager.providerConfiguration == nil) {
    NEFilterProviderConfiguration *providerConfiguration = [[NEFilterProviderConfiguration alloc] init];
    providerConfiguration.filterPackets = YES;
    providerConfiguration.filterPacketProviderBundleIdentifier = filterBundle.bundleIdentifier;
    filterManager.providerConfiguration = providerConfiguration;
    NSString *appName = [NSBundle mainBundle].infoDictionary[@"CFBundleName"];
    if (appName != nil) {
        filterManager.localizedDescription = [NSString stringWithFormat:@"%@ (packet filter)", appName];
    }
}
if (filterManager.enabled) {
    NSLog(@"Packet filter already enabled, not doing so again");
    return;
}
filterManager.enabled = YES;
```
It's claiming the filter is already enabled. But System Settings > Network shows it there, with a yellow dot. My best guess is that it's showing up as already enabled in the preferences, even though it... isn't? I also log a message in the filter's init, and I don't see that showing up. I've got sysdiagnose from it and a working system, and I'm going over soooooooo many log lines. I don't know what might be causing this, however.
1
0
371
Jan ’24
Cannot activate Network Extension signed with a Developer ID certificate
I have a simple CLI app bundle that activates my system extension. When I sign it for development it works fine. However, once I sign it with my developer ID certificate for distribution, the network extension will not activate, getting stuck on the activation request and completely killing any internet connectivity until I restart. The only thing that I see is different is when I call `systemextensionsctl list` I get something like:
```
1 extension(s)
--- com.apple.system_extension.network_extension
enabled  active  teamID     bundleID (version)                         name            [state]
                 <TEAM_ID>  com.company.networkExt (1.0/240116145656)  -               [validating by category]
*        *       <TEAM_ID>  com.company.networkExt (1.0/240115061310)  ProxyExtension  [activated enabled]
```
Where the one specifying [validating by category] is the one that I'm trying to activate signed with the developer ID cert. The one that is [activated enabled] got there from a dev build. The app was built and notarized and shows to be valid by any `codesign -dv --verify --strict` and `spctl` commands that I've found. The system extension is also valid according to codesign. The entitlements are adjusted to use the -systemextension suffix to work with Developer ID certificates. Is there another step required to make it work with a developer ID certificate?
4
0
695
Jan ’24
Failed to start extension ... other version in use
We have an iOS and macOS VPN app that both use a PacketTunnelProvider app extension. Right now we are trying to replace our macOS app with a Mac Catalyst version of our iOS app using the same bundle identifiers as the old macOS app so it can read existing configurations. One issue we run into while testing the Mac Catalyst application through TestFlight is that if a user has an existing VPN profile that was created using the old macOS app and is now running the new version, the app extension that is bundled with the Mac Catalyst app does not load.
```
default 2024-01-16 23:35:57.642543 -0500 neagent Looking for an extension with identifier org.outline.macos.client.VpnExtension and extension point com.apple.networkextension.packet-tunnel
info 2024-01-16 23:35:57.642774 -0500 neagent [d <private>] <PKHost:0x7f79e9a06080> Query: { "LS:ExtensionPlatforms" = ( 1, 6 ); NSExtensionIdentifier = "org.outline.macos.client.VpnExtension"; NSExtensionPointName = "com.apple.networkextension.packet-tunnel"; }
default 2024-01-16 23:35:57.644424 -0500 neagent Found 1 extension(s) with identifier org.outline.macos.client.VpnExtension and extension point com.apple.networkextension.packet-tunnel
default 2024-01-16 23:35:57.645454 -0500 neagent Beginning extension request with extension org.outline.macos.client.VpnExtension
error 2024-01-16 23:35:57.645714 -0500 neagent Plugin <id<PKPlugIn>: 0x7f79e9915c50; core = <[u 7C82B460-9B3B-460E-939D-45837EC68385] [org.outline.macos.client.VpnExtension(0.0.0-debug)],[d 07098DE9-4C17-4D0D-A4D4-8B399A374D8C] [/Users/sbruens/Library/Developer/Xcode/DerivedData/ios-hevczjegdwwzgfauwbictbyosask/Build/Products/Debug-maccatalyst/Outline.app/Contents/PlugIns/VpnExtension.appex]>, instance = [(null)], state = 0, useCount = 0> must have pid! Extension request will fail
error 2024-01-16 23:35:57.645771 -0500 neagent Failed to acquire assertion for plugin: <id<PKPlugIn>: 0x7f79e9915c50; core = <[u 7C82B460-9B3B-460E-939D-45837EC68385] [org.outline.macos.client.VpnExtension(0.0.0-debug)],[d 07098DE9-4C17-4D0D-A4D4-8B399A374D8C] [/Users/sbruens/Library/Developer/Xcode/DerivedData/ios-hevczjegdwwzgfauwbictbyosask/Build/Products/Debug-maccatalyst/Outline.app/Contents/PlugIns/VpnExtension.appex]>, instance = [(null)], state = 0, useCount = 0> pid: 0
error 2024-01-16 23:35:57.645812 -0500 neagent Unable to acquire process assertion in beginUsing: with plugin identifier: org.outline.macos.client.VpnExtension, killing plugin
error 2024-01-16 23:35:57.645840 -0500 neagent PlugInKit error in beginUsing: with plugin identifier: org.outline.macos.client.VpnExtension, killing plugin
error 2024-01-16 23:35:57.645879 -0500 neagent begin extension request <EXExtensionRequest: 0x7f79e9c13130> Request PK UUID: 35311654-AC47-428C-90BD-E90625A2215D with item count 0 complete with error: Error Domain=PlugInKit Code=16 "other version in use: <id<PKPlugIn>: 0x7f79eb50d9a0; core = <[u B6730DEE-7340-40B1-AEE5-42BE0AA48831] [org.outline.macos.client.VpnExtension(0.0.0-debug)],[d 27607659-3EB5-425C-A1EB-B450209E124A] [/Users/sbruens/Library/Developer/Xcode/DerivedData/ios-hevczjegdwwzgfauwbictbyosask/Build/Products/Debug-maccatalyst/Outline.app/Contents/PlugIns/VpnExtension.appex]>, instance = [(null)], state = 1, useCount = 1>" UserInfo={NSLocalizedDescription=other version in use: <id<PKPlugIn>: 0x7f79eb50d9a0; core = <[u B6730DEE-7340-40B1-AEE5-42BE0AA48831] [org.outline.macos.client.VpnExtension(0.0.0-debug)],[d 27607659-3EB5-425C-A1EB-B450209E124A] [/Users/sbruens/Library/Developer/Xcode/DerivedData/ios-hevczjegdwwzgfauwbictbyosask/Build/Products/Debug-maccatalyst/Outline.app/Contents/PlugIns/VpnExtension.appex]>, instance = [(null)], state = 1, useCount = 1>}
default 2024-01-16 23:35:57.645944 -0500 neagent Extension request with extension org.outline.macos.client.VpnExtension started with identifier (null)
error 2024-01-16 23:35:57.646121 -0500 neagent Failed to start extension org.outline.macos.client.VpnExtension: Error Domain=PlugInKit Code=16 "other version in use: <id<PKPlugIn>: 0x7f79eb50d9a0; core = <[u B6730DEE-7340-40B1-AEE5-42BE0AA48831] [org.outline.macos.client.VpnExtension(0.0.0-debug)],[d 27607659-3EB5-425C-A1EB-B450209E124A] [/Users/sbruens/Library/Developer/Xcode/DerivedData/ios-hevczjegdwwzgfauwbictbyosask/Build/Products/Debug-maccatalyst/Outline.app/Contents/PlugIns/VpnExtension.appex]>, instance = [(null)], state = 1, useCount = 1>" UserInfo={NSLocalizedDescription=other version in use: <id<PKPlugIn>: 0x7f79eb50d9a0; core = <[u B6730DEE-7340-40B1-AEE5-42BE0AA48831] [org.outline.macos.client.VpnExtension(0.0.0-debug)],[d 27607659-3EB5-425C-A1EB-B450209E124A] [/Users/sbruens/Library/Developer/Xcode/DerivedData/ios-hevczjegdwwzgfauwbictbyosask/Build/Products/Debug-maccatalyst/Outline.app/Contents/PlugIns/VpnExtension.appex]>, instance = [(null)], state = 1, useCount = 1>}
```
The only way around that seems to be to manually remove the app's VPN configuration under Network > VPN & Filter and restart the machine. Then the Mac Catalyst app can start a tunnel with a new profile (after asking the user for permissions) without issue. However, this is not a great user experience and I've been trying to fix this properly. I read Debugging a Network Extension Provider and all related forum posts and developer docs, and could use some help at this point.
2
1
372
Jan ’24
iOS Network Signal Strength
This issue has cropped up many times here on DevForums. Someone recently opened a DTS tech support incident about it, and I used that as an opportunity to post a definitive response here.

If you have questions or comments about this, start a new thread and tag it with Network so that I see it.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

iOS Network Signal Strength

The iOS SDK has no general-purpose API that returns Wi-Fi or cellular signal strength in real time. Given that this has been the case for more than 10 years, it’s safe to assume that it’s not an accidental omission but a deliberate design choice.

For information about the Wi-Fi APIs that are available on iOS, see TN3111 iOS Wi-Fi API overview.

Network performance

Most folks who ask about this are trying to use the signal strength to estimate network performance. This is a technique that I specifically recommend against. That’s because it produces both false positives and false negatives:
- The network signal might be weak and yet your app has excellent connectivity. For example, an iOS device on stage at WWDC might have terrible WWAN and Wi-Fi signal but that doesn’t matter because it’s connected to the Ethernet.
- The network signal might be strong and yet your app has very poor connectivity. For example, if you’re on a train, Wi-Fi signal might be strong in each carriage but the overall connection to the Internet is poor because it’s provided by a single over-stretched WWAN.

The only good way to determine whether connectivity is good is to run a network request and see how it performs. If you’re issuing a lot of requests, use the performance of those requests to build a running estimate of how well the network is doing. Indeed, Apple practices what we preach here: This is exactly how HTTP Live Streaming works.

Keep in mind that network performance can change from moment to moment. The user’s train might enter or leave a tunnel, the user might walk into a lift, and so on. If you build code to estimate the network performance, make sure it reacts to such changes.

But what about this code I found on the ’net?

Over the years various folks have used various unsupported techniques to get around this limitation. If you find code on the ’net that, say, uses KVC to read undocumented properties, or grovels through system logs, or walks the view hierarchy of the status bar, don’t use it. Such techniques are unsupported and, assuming they haven’t broken yet, are likely to break in the future.

But what about Hotspot Helper?

Hotspot Helper does have an API to read Wi-Fi signal strength, namely, the signalStrength property. However, this is not a general-purpose API. Like the rest of Hotspot Helper, this is tied to the specific use case for which it was designed. This value only updates in real time for networks that your hotspot helper is managing, as indicated by the isChosenHelper property.

But what about MetricKit?

MetricKit is so cool. Amongst other things, it supports the MXCellularConditionMetric payload, which holds a summary of the cellular conditions while your app was running. However, this is not a real-time signal strength value.

But what if I’m working for a carrier?

This post is about APIs in the iOS SDK. If you’re working for a carrier, discuss your requirements with your carrier’s contact at Apple.
0
0
2.0k
Jan ’24
Missing Entitlement. The bundle ... is missing entitlement 'com.apple.developer.networking.networkextension'."
Hello everyone, I'm encountering an issue while trying to publish an app on TestFlight. The app in question is Home Assistant, which I've compiled from the source. I am able to compile and install the app on my device without any problems. My company's developer account is properly configured, and I have set Xcode to automatically manage the provisioning profile. The archive is also created successfully, but when I attempt to upload it to Apple Store Connect for testing via TestFlight, I receive the following error:
```
ERROR: [ContentDelivery.Uploader] Asset validation failed (90525) Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013)
```
I've made several attempts to resolve this issue to no avail. For instance, if I add the missing capability manually, then I am informed that the provisioning profile is incorrect. However, checking the network extension settings on my company's dev account, I see nothing related to push notifications, which are located elsewhere. Thus, I am stuck in a loop where either the provisioning file is correct but the entitlement is missing, or if the entitlement is present, then the provisioning profile is deemed incorrect.
```
URL:https://contentdelivery.itunes.apple.com
status code: 409 (conflict)
httpBody: {
  "errors" : [ {
    "id" : "ceac6dcc-9c76-412e-8ea7-f2d2845f8013",
    "status" : "409",
    "code" : "STATE_ERROR.VALIDATION_ERROR.90525",
    "title" : "Asset validation failed",
    "detail" : "Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'."
  }, {
    "id" : "9ff2143b-3c00-4912-b59f-8342fa6fe5c0",
    "status" : "409",
    "code" : "STATE_ERROR.VALIDATION_ERROR.90525",
    "title" : "Asset validation failed",
    "detail" : "Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'."
  } ]
}
=======================================
2024-01-10 23:19:35.506 ERROR: [ContentDelivery.Uploader] Asset validation failed (90525) Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013)
2024-01-10 23:19:35.506 DEBUG: [ContentDelivery.Uploader] Error Domain=ContentDelivery Code=90525 "Asset validation failed" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013), NSUnderlyingError=0x6000022b6430 {Error Domain=IrisAPI Code=-19241 "Asset validation failed" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., id=ceac6dcc-9c76-412e-8ea7-f2d2845f8013, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed}
2024-01-10 23:19:35.507 ERROR: [ContentDelivery.Uploader] Asset validation failed (90525) Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: 9ff2143b-3c00-4912-b59f-8342fa6fe5c0)
2024-01-10 23:19:35.507 DEBUG: [ContentDelivery.Uploader] Error Domain=ContentDelivery Code=90525 "Asset validation failed" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: 9ff2143b-3c00-4912-b59f-8342fa6fe5c0), NSUnderlyingError=0x6000022b6640 {Error Domain=IrisAPI Code=-19241 "Asset validation failed" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., id=9ff2143b-3c00-4912-b59f-8342fa6fe5c0, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed}
2024-01-10 23:19:35.507 DEBUG: [ContentDelivery.Uploader] swinfo errors: (
"Error Domain=ContentDelivery Code=90525 \"Asset validation failed\" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: ceac6dcc-9c76-412e-8ea7-f2d2845f8013), NSUnderlyingError=0x6000022b6430 {Error Domain=IrisAPI Code=-19241 \"Asset validation failed\" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., id=ceac6dcc-9c76-412e-8ea7-f2d2845f8013, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app/PlugIns/HomeAssistant-Extensions-PushProvider.appex' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed}",
"Error Domain=ContentDelivery Code=90525 \"Asset validation failed\" UserInfo={NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'. (ID: 9ff2143b-3c00-4912-b59f-8342fa6fe5c0), NSUnderlyingError=0x6000022b6640 {Error Domain=IrisAPI Code=-19241 \"Asset validation failed\" UserInfo={status=409, detail=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., id=9ff2143b-3c00-4912-b59f-8342fa6fe5c0, code=STATE_ERROR.VALIDATION_ERROR.90525, title=Asset validation failed, NSLocalizedFailureReason=Missing Entitlement. The bundle 'Home Assistant.app' is missing entitlement 'com.apple.developer.networking.networkextension'., NSLocalizedDescription=Asset validation failed}}, iris-code=STATE_ERROR.VALIDATION_ERROR.90525, NSLocalizedDescription=Asset validation failed}"
)
```
5
0
882
Jan ’24
Could not save vpn Configuration in Apple tvOS 17.
```xml
<array>
    <string>dns-settings</string>
    <string>packet-tunnel-provider</string>
</array>
<key>com.apple.security.application-groups</key>
<array/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.personal-information.location</key>
<true/>
<key>keychain-access-groups</key>
<array>
    <string>$(AppIdentifierPrefix)</string>
</array>
```
```
⚠️ Could not save VPN Configuration: Missing protocol or protocol has invalid type
vpn connection error started with error : Missing protocol or protocol has invalid type
```
2
0
492
Jan ’24
Eap TLS 1.3 Wifi authentication
Hey, I have a free radius server that supports EAP TLS 1.3. I send an EAP TLS authentication using Windows 11 and see in Wireshark that the packets are really EAP TLS 1.3. But then when I do it using macOS / iPhone, which support EAP TLS 1.3 by default (as written in forums - macOS 14.2.1 and iOS 17.2.1), I see a Client Hello of 1.2 without the supported versions extension, and the authentication is by EAP TLS 1.2. Has anyone seen this issue, or does anyone know if they really support EAP TLS 1.3 authentication? I use the same certificates for all of the clients and install them. Thanks, Nir.
1
0
350
Jan ’24
[NEFilterDataProvider, NEFilterFlow]
Hi, Some questions about how to use NEFilterDataProvider.
Context: My extension has network rules (NENetworkRule) to filter most HTTP/HTTPS traffic (ports 80 and 443). Allowing a flow is a decision made by consulting custom rules (no NENetworkRule here) that the user can change at any moment.
Questions:
1/ By modifying a custom rule, the decision for a flow can change. Is it possible to retrieve the currently allowed flows (for an application) and change the decision about them? Can an NSFilterFlow be cached to later change a decision? Is there a way to know when a flow is no longer used?
2/ An accepted flow seems to never be filtered again (except by quitting the application). The only way I found to apply new custom rules to currently allowed flows is by restarting the filter (load, NSFilterManager.isEnable=false, save, NSFilterManager.isEnable=true, save). Is this the correct method?
Thanks for your attention.
1
0
358
Jan ’24
NetworkExtension - NEIPC: SIGNAL 5 Trace/BPT trap, Help!!
Hello, Sometimes I need to send a message via sendMessageToProvider to tell the proxy service in NetworkExtension that it should be restarted. It looks like this:
```swift
self.sendMessageToProvider("restart"...) { resp in
    if resp != "ok" {
        // stopVPNTunnel()...
    }
}
```
Then accept the request in NetworkExtension, which looks like:
```swift
open override func handleAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)?) {
    reasserting = true
    setTunnelNetworkSettings(nil) { error in
        startTunnel() {
            reasserting = false
            completionHandler("ok"...)
        }
    }
}
```
But NetworkExtension crashes occasionally and I spent a long time looking for the cause but found nothing. Where should I start?
```
Date/Time: 2023-06-17 08:01:38.2104 +0800
Launch Time: 2023-06-17 08:01:06.5706 +0800
OS Version: iPhone OS 16.5 (20F66)
Release Type: User
Baseband Version: 3.70.01
Report Version: 104
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x000000022a76b2d0
Termination Reason: SIGNAL 5 Trace/BPT trap: 5
Terminating Process: exc handler [38097]
Triggered by Thread: 0
Thread 0 name:
Thread 0 Crashed:
0 libxpc.dylib 0x000000022a76b2d0 _xpc_api_misuse + 80 (debug.c:71)
1 libxpc.dylib 0x000000022a75c918 xpc_dictionary_set_value + 128 (dictionary.c:1849)
2 libxpc.dylib 0x000000022a75d888 xpc_dictionary_set_data + 60 (dictionary.c:1983)
3 NetworkExtension 0x00000001e1d69978 __35-[NEIPC handleMessage:withHandler:]_block_invoke + 112 (NEIPC.m:47)
4 PacketTunnel 0x0000000104f5be7c thunk for @escaping @callee_unowned @convention(block) (@unowned NSData?) -> () + 60 (<compiler-generated>:0)
5 PacketTunnel 0x0000000104f5bd4c MyPacketTunnelProvider.responseMessage(msg:completionHandler:) + 96 (MyPacketTunnelProvider.swift:188)
6 PacketTunnel 0x0000000104f5bd4c closure #1 in closure #1 in MyPacketTunnelProvider.handleAppMessage(_:completionHandler:) + 244 (MyPacketTunnelProvider.swift:178)
7 PacketTunnel 0x0000000104f5d808 closure #1 in closure #1 in closure #1 in MyPacketTunnelProvider.startTunnel(config:completionHandler:) + 12 (MyPacketTunnelProvider.swift:54)
8 PacketTunnel 0x0000000104f5d808 partial apply for closure #1 in closure #1 in closure #1 in MyPacketTunnelProvider.startTunnel(config:completionHandler:) + 32 (<compiler-generated>:0)
9 PacketTunnel 0x0000000104f5f720 closure #1 in closure #1 in xxxx.start(config:packetFlow:startCompletion:stoppedCompletion:) + 188 (xxxx.swift:140)
10 PacketTunnel 0x0000000104f5b4f0 thunk for @escaping @callee_guaranteed () -> () + 28 (<compiler-generated>:0)
11 libdispatch.dylib 0x00000001d1e21320 _dispatch_call_block_and_release + 32 (init.c:1518)
12 libdispatch.dylib 0x00000001d1e22eac _dispatch_client_callout + 20 (object.m:560)
13 libdispatch.dylib 0x00000001d1e316a4 _dispatch_main_queue_drain + 928 (queue.c:7794)
14 libdispatch.dylib 0x00000001d1e312f4 _dispatch_main_queue_callback_4CF + 44 (queue.c:7954)
15 CoreFoundation 0x00000001ca9ebc28 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 16 (CFRunLoop.c:1780)
16 CoreFoundation 0x00000001ca9cd560 __CFRunLoopRun + 1992 (CFRunLoop.c:3147)
17 CoreFoundation 0x00000001ca9d23ec CFRunLoopRunSpecific + 612 (CFRunLoop.c:3418)
18 Foundation 0x00000001c4c52fd4 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212 (NSRunLoop.m:373)
19 Foundation 0x00000001c4c52e68 -[NSRunLoop(NSRunLoop) run] + 64 (NSRunLoop.m:398)
20 libxpc.dylib 0x000000022a761678 _xpc_objc_main + 496 (main.m:246)
21 libxpc.dylib 0x000000022a763924 xpc_main + 156 (init.c:1258)
22 Foundation 0x00000001c4c9a930 -[NSXPCListener resume] + 312 (NSXPCListener.m:460)
23 PlugInKit 0x00000001f1177e90 -[PKService run] + 356 (PKService.m:197)
24 PlugInKit 0x00000001f1164628 +[PKService main] + 536 (PKService.m:119)
25 PlugInKit 0x00000001f116393c +[PKService _defaultRun:arguments:] + 16 (PKService.m:244)
26 ExtensionFoundation 0x00000001d7fa5540 EXExtensionMain + 252 (EXExtensionMain.m:34)
27 Foundation 0x00000001c4cdee00 NSExtensionMain + 204 (NSExtensionMain.m:21)
28 dyld 0x00000001e9ed2dec start + 2220 (dyldMain.cpp:1165)
```
5
0
737
Jan ’24
Inferring High-Level Semantics from Low-Level Operations
This is a topic that comes up regularly, both in my Day Job™ with DTS and here on DevForums. This situation is a bit subtle, and it’s long past the time I should have written a proper explanation of it.

If you have questions or comments, put them in a new thread here on DevForums. To ensure that I see your thread, tag it based on the technology you’re using. For example:
- If you’re working with Endpoint Security, use the Endpoint Security tag.
- If you’re building a Network Extension provider, use the Network Extension tag.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Inferring High-Level Semantics from Low-Level Operations

Apple supports a number of APIs that let you observe low-level operations. For example:
- An Endpoint Security (ES) client can learn about low-level file system operations, like open and close.
- A Network Extension (NE) filter provider can learn about outgoing and incoming network packets.

Folks using these APIs often want to infer high-level semantics from these low-level operations. For example:
- An ES client might want to prevent the Finder from copying files to an external drive.
- An NE filter provider might want to block Safari from fetching specific URLs.

While DTS supports these APIs, we don’t support this sort of low-to-high inference. That’s because our goal is to help developers use Apple’s APIs in a sustainable way, and it’s impossible to do this inference in a way that will be binary compatible in the long term.

Let me illustrate this with an example. Consider the NE scenario above. It’s easy for an NE packet filter to drop packets being sent to a specific host. However, that approach is very brittle. If something changes in the implementation path from Safari requesting a URL to how that’s rendered as IP packets, your product will break. A great example of such a change is iCloud Private Relay.

This isn’t to say that such inference can’t be done at all, just that it’s not possible to do it in a sustainable way. Given that, here’s my advice:
- Try to work with high-level operations where possible. For example, ES recently added high-level log in and log out notifications, which means you no longer need to infer such events from lower-level ones.
- If the system doesn’t support the necessary high-level operations, file an enhancement request that describes your requirements.
- In the meantime, you can have a go at doing this inference yourself, but be aware that DTS can’t support you in that task.
0
0
393
Jan ’24
Notification Service Extension usage time
Hello all. I noticed that the NSE lives longer than the 30 seconds that is described in the doc. When the app receives a notification, the NSE process is created and the notification is sent to the didReceive function; after this, the app has 30 seconds to call the contentHandler closure. After contentHandler is called, I expected the NSE process to be killed, but it's not. If the app uses singletons in the NSE, they won't dealloc after contentHandler is called, so after a new notification is received, the singletons are still alive. Is it legal to not drop the connection to a websocket after the contentHandler closure gets called? For example: a notification is received, the NSE process is loaded, a websocket manager singleton is initialized and starts a session, and after a few seconds the contentHandler closure gets called, so the system won't kill the NSE because of the 30-second timer, and my websocket connection will stay alive as long as possible, so I don't need to open it every 30 seconds. Is that legal or not?
3
0
536
Jan ’24
network system extension + macOS 14.2 update kills networking
I have a recurring problem with software updates by Apple killing all networking when I have a network system extension distributed by TestFlight installed on my Mac. Any pointers on how to resolve this would be greatly appreciated! I don't know if it is my network system extension, the fact that it is distributed via TestFlight, or something else. The latest example is updating to macOS 14.2 today. I think the relevant Console message is:
```
Code has restricted entitlements, but the validation of its code signature failed.
```
The full message for that console message is:
```
mac_vnode_check_signature: /Library/SystemExtensions/ACB1E368-5355-4959-9800-737ED2BE9EDC/com.xxxxxxxxxxxxxxxx.networkagent.systemextension/Contents/MacOS/com.xxxxxxxxxxxxxxxx.networkagent: code signature validation failed fatally: When validating /Library/SystemExtensions/ACB1E368-5355-4959-9800-737ED2BE9EDC/com.xxxxxxxxxxxxxxxx.networkagent.systemextension/Contents/MacOS/com.xxxxxxxxxxxxxxxx.networkagent: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements:
```
Deleting the app (with its network system extension) immediately restores networking. I can reinstall the exact same program via TestFlight, and everything runs fine. The feedback ID (which includes additional details, a screenshot, and a video) is: FB13458972
6
0
1.1k
Jan ’24
System Settings extension approval dialog
Hi Team, We are registering the Network Extension on application launch. The application shows this dialog [Dialog attached].
The failing case:
1. User presses OK, hence dismissing the user approval
2. User clicks on Apps UI -> Register
3. Register calls the same API again, i.e. `let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: identifier, queue: .main)`
4. This time, the dialog is not launched for the user. Whereas, we have observed, it does launch the dialog again on some of the machines.
5. User reboots the machine
6. Click App -> Register. Still the same case, the dialog is not launched for the user.
When I check the status using `systemextensionsctl list`:
```
*  [TeamId]  com.company.extensionname (1.0.100/1.0.100)  ExtensioName  [activated waiting for user]
```
How can I force the launch of this dialog in the API, so that the user can be guided to act upon it?
1
0
448
Jan ’24