Hi, I saw that almost each OS version, on ios and macos, handles differently changing includeAllNetworks while the tunnel is running. On some the entire OS reports no-net, while others, specially latest versions, handle this fine. Can includeAllNetworks be changed while the tunnel is running, or the tunnel must be stopped and restarted with the new value? e.g. the tunnel is started with it set to false, but later is changed to true into VPN profile. And on the same note, regarding setTunnelNetworkSettings, can this be called multiple times while the tunnel is running? For example if the VPN server IP changes. Because what I've saw each call to setTunnelNetworkSettings after VPN connected results in at least DNS leaks, because the routing table is recreated. Let me know if it is easier to track to create separate questions. Thanks

We’re looking to implement a custom IPSec IKEv2 VPN using the Packet Tunnel Provider network extension on iOS because we need to add extra information to EAP, which the built-in IKEv2 VPN configuration does not support. Is it possible to handle the full IKEv2 negotiation and IPSec tunneling within the Packet Tunnel Provider extension? Or are there limitations that would prevent implementing a full IKEv2 stack this way? Any insights or alternative approaches would be appreciated. Thanks!

Hello, I'm having some problems starting my DNS proxy network extension. Even after I call NEDNSProxyManager.saveToPreference() successfully I don't see any logs from my dns proxy. This is the code from the user space app: import SwiftUI import NetworkExtension func configureDNSProxy() { let dnsProxyManager = NEDNSProxyManager.shared() dnsProxyManager.loadFromPreferences { error in if let error = error { print("Error loading DNS proxy preferences: \(error)") return } dnsProxyManager.localizedDescription = "my DNS proxy" let proto = NEDNSProxyProviderProtocol() proto.providerBundleIdentifier = "com.myteam.dns-proxy-tests.ne" dnsProxyManager.providerProtocol = proto // Enable the DNS proxy. dnsProxyManager.isEnabled = true dnsProxyManager.saveToPreferences { error in if let error = error { print("Error saving DNS proxy preferences: \(error)") } else { NSLog("DNS Proxy enabled successfully") } } } } @main struct dns_proxy_testsApp: App { var body: some Scene { WindowGroup { ContentView() } } init() { configureDNSProxy() } } This is the code for my network extension(DNSProxyProvider.swift): import NetworkExtension class DNSProxyProvider: NEDNSProxyProvider { override func startProxy(options:[String: Any]? = nil, completionHandler: @escaping (Error?) -> Void) { NSLog("dns proxy ne started") completionHandler(nil) } override func stopProxy(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) { NSLog("dns proxy ne stopped") completionHandler() } override func sleep(completionHandler: @escaping () -> Void) { NSLog("dns proxy ne sleep") completionHandler() } override func wake() { NSLog("dns proxy ne wake") } override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool { NSLog("dns proxy ne flow") return true } } The bundle identifier for my network extension is: com.myteam.dns-proxy-tests.ne and both the user space app and the network extension have the DNS Proxy capability. Both have the same app group capability with the same group name group.com.myteam.dns-proxy-test. The info.plist from the network extension look like this(I didn't really modify it from the default template created by xcode) <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>NetworkExtension</key> <dict> <key>NEMachServiceName</key> <string>$(TeamIdentifierPrefix)com.example.app-group.MySystemExtension</string> <key>NEProviderClasses</key> <dict> <key>com.apple.networkextension.dns-proxy</key> <string>$(PRODUCT_MODULE_NAME).DNSProxyProvider</string> </dict> </dict> </dict> </plist> In the logs I do see DNS Proxy enabled successfully and also I see: NESMDNSProxySession[Primary Tunnel:my DNS proxy:<...>:(null)] starting with configuration: { name = my DNS proxy identifier = <..> applicationName = dns-proxy-tests application = com.myteam.dns-proxy-tests grade = 1 dnsProxy = { enabled = YES protocol = { type = dnsProxy identifier = <...> identityDataImported = NO disconnectOnSleep = NO disconnectOnIdle = NO disconnectOnIdleTimeout = 0 disconnectOnWake = NO disconnectOnWakeTimeout = 0 disconnectOnUserSwitch = NO disconnectOnLogout = NO includeAllNetworks = NO excludeLocalNetworks = NO excludeCellularServices = YES excludeAPNs = YES excludeDeviceCommunication = YES enforceRoutes = NO pluginType = com.myteam.dns-proxy-tests providerBundleIdentifier = com.myteam.dns-proxy-tests.ne designatedRequirement = identifier "com.myteam.dns-proxy-tests.ne" <...> /* exists */ } } } But then I see: Checking for com.myteam.dns-proxy-tests.ne - com.apple.networkextension.dns-proxy But then finally Found 0 registrations for com.myteam.dns-proxy-tests.ne (com.apple.networkextension.dns-proxy) So I think that last log probably indicates the problem. I'm a bit lost at what I'm doing wrong so I'd be super thankful for any pointer!

I'm seeking help troubleshooting a persistent com.apple.IdentityLookup.error.messagefilter Code=3 error when my Message Filter Extension tries to defer to network. I’ve exhausted Apple documentation and forum posts, and Apple Support has asked me to escalate this via the forums to reach engineering. ✅ My Setup: Xcode: 16.2 macOS: Sequoia 15.3.1 (Apple Silicon Mac mini) Device: iPhone 14 Pro iOS: 18.3.2 (Developer Mode enabled) Tested via: TestFlight install on real device 📦 App Structure: Main App Target (minimal "hello world" logic) Message Filter Extension Target Messages Extension Target Message Reporting Extension Target Notifications Extension Target ✅ Capabilities & Configurations Main App Capabilities: App Groups: group.com.example.shared Network Extensions: Content Filter Associated Domains: messagefilter:my-api.example.com applinks:my-api.example.com Message Filter Capabilities: App Groups: same as main app Network Extensions: Content Filter Associated Domains: same as above 📄 Info.plist Config Main App Info.plist: NSAppTransportSecurity with: NSAllowsArbitraryLoads = YES Exception domain my-api.example.com with: NSIncludesSubdomains = YES NSTemporaryExceptionAllowsInsecureHTTPLoads = YES NSTemporaryExceptionMinimumTLSVersion = TLSv1.2 MessageFilter Info.plist: Same ATS settings as above NSExtension block: <key>NSExtension</key> <dict> <key>NSExtensionAttributes</key> <dict> <key>ILMessageFilterExtensionNetworkURL</key> <string>https://my-api.example.com/api/sms-filter</string> <key>ILClassificationExtensionSMSReportDestination</key> <string>+10000000000</string> </dict> <key>NSExtensionPointIdentifier</key> <string>com.apple.identitylookup.message-filter</string> <key>NSExtensionPrincipalClass</key> <string>$(PRODUCT_MODULE_NAME).MessageFilterExtension</string> </dict> 📜 Entitlements Main App Entitlements <key>com.apple.developer.associated-domains</key> <array> <string>messagefilter:my-api.example.com</string> <string>applinks:my-api.example.com</string> </array> <key>com.apple.developer.networking.networkextension</key> <array> <string>content-filter-provider</string> </array> <key>com.apple.security.application-groups</key> <array> <string>group.com.example.shared</string> </array> Message Filter Extension Entitlements Identical to main app’s, scoped to the extension. 📄 AASA File (Hosted on https://my-api.example.com/.well-known/apple-app-site-association) Serves as application/json, returns 200 OK, and is reachable on device via Safari. Logs confirm AASA is downloaded and installed successfully during TestFlight install. { "applinks": { "apps": [], "details": [ { "appID": "TEAMID.com.example.app", "paths": ["*"] }, { "appID": "TEAMID.com.example.app.MessageFilter", "paths": ["*"] } ] }, "messagefilter": { "apps": [], "details": [ { "appID": "TEAMID.com.example.app", "filterType": "URL", "domains": ["my-api.example.com"] }, { "appID": "TEAMID.com.example.app.MessageFilter", "filterType": "URL", "domains": ["my-api.example.com"] } ] }, "classificationreport": { "apps": [], "details": [ { "appID": "TEAMID.com.example.app", "domains": ["my-api.example.com"] }, { "appID": "TEAMID.com.example.MessageReporting", "domains": ["my-api.example.com"] } ] } } ❌ The Problem When the extension launches and receives an SMS to classify, logs show: deferQueryRequestToNetwork failed: The operation couldn’t be completed. (com.apple.IdentityLookup.error.messagefilter error 3.) The extension loads, network URL is available, the AASA is installed, and yet the extension is not allowed to defer to network. This occurs every time. 🧪 Other Notes Tried rebuilding everything from scratch Archiving to TestFlight, not running via Xcode Clean entitlements verified using codesign -d --entitlements :- Console logs show no issues with AASA download or validation Any help or insights from Apple engineering or others in the community who have successfully deployed a working Message Filter Extension would be hugely appreciated. Thanks in advance 🙏

The newly introduced enum value NEProviderStopReasonInternalError (macOS 15.1) is not documented (assuming being documented means having at least a sentence describing the enum value). [Q] What kind of situation is the NEProviderStopReasonInternalError enum value supposed to describe? An internal error that requires to try to restart the provider? A fatal error that requires to reinstall macOS? A fatal error that requires to purchase a new Mac? Something less serious but with a human friendly description in the headers (I'm using Xcode 16.2) and online documentation.

We have developed a DNS filter based on NEDNSProxyProvider. It works great for a minute, then it stops responding. Our logs indicate that during the outage our extension gets DNS requests and formulates DNS responses that it hands back to the OS, but from outside of our code it is as though our extension is not responding.

Hi everyone, I developed an Android version of a VPN app built with Flutter using OpenVPN, and it works perfectly on Android. However, when porting it to iOS, I’ve encountered an issue: the app connects successfully but then automatically disconnects when tested via TestFlight. We’ve already added all the necessary network extensions. Despite this, we decided to submit the app to the App Store. It’s been five days now, and the app is still 'Waiting for Review.' Could anyone share their experience deploying and working on an iOS version of a VPN app? I’d really appreciate your insights!

We are developing a macOS application for distribution outside the Mac App Store. This application requires additional entitlements, including Keychain access groups, Network Extension, App Groups, and Sandbox. Both the app and the network extension import a custom framework. After creating the .app via Xcode, I ensured that a new Developer ID Application provisioning profile was generated. These profiles were then injected into the Contents folder of the .app and Plugins/.netappex as embedded.provisionprofile. Next, .entitlements files were created with the necessary "-systemextension" entitlement for the network extension and used for code signing. When inspecting the extracted entitlements from the .provisioningprofile as described in TN3125, everything appears correct. Code signing flow: codesign --force --options runtime --timestamp --sign "Developer ID Application: <team>" <.app>/Contents/Frameworks/<sdk>.framework/ codesign --force --options runtime --timestamp --sign "Developer ID Application: <team>" <.app>/Contents/PlugIns/vpn.appex/Contents/Frameworks/<sdk>.framework/Versions/A/<sdk> codesign --force --options runtime --entitlements <vpn-plist>.entitlements --timestamp --sign "Developer ID Application: <team>" <.app>/Contents/PlugIns/vpn.appex/ codesign --force --options runtime --entitlements <app-plist>.entitlements --timestamp --sign "Developer ID Application: <team>" <.app> The .app is then zipped with ditto -c -k --keepParent and set off for notarization, which is succesful and the .app is stapled. After that, a .dmg or .pkg is created, which is then sent for notarization and subsequently stapled. The problem occurs when the app is distributed to the client. Opening the extracted .app fails, as Gatekeeper refuses to launch it with the following error message: 661 debug staticCode syspolicyd Security 0x88d68d818 done serializing <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.application-identifier</key><string><teamid.bundleid></string><key>com.apple.developer.networking.networkextension</key><array><string>packet-tunnel-provider-systemextension</string></array><key>com.apple.developer.team-identifier</key><string>team-id</string><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.application-groups</key><array><string>teamid.group.appgroup</string></array><key>com.apple.security.files.user-selected.read-write</key><true/><key>com.apple.security.network.client</key><true/><key>com.apple.security.network.server</key><true/><key>keychain-access-groups</key><array><string>teamid.group.appgroup</string></array></dict></plist> com.apple.securityd 22207 debug ProvisioningProfiles taskgated-helper ConfigurationProfiles entitlements: { "com.apple.developer.networking.networkextension" = ( "packet-tunnel-provider-systemextension" ); "com.apple.developer.team-identifier" = team-id; "keychain-access-groups" = ( “teamid.group.appgroup” ); } com.apple.ManagedClient 22207 error ProvisioningProfiles taskgated-helper ConfigurationProfiles <bundle-id>: Unsatisfied entitlements: com.apple.developer.team-identifier, com.apple.developer.networking.networkextension, keychain-access-groups com.apple.ManagedClient After encountering this problem every time, we tried using a different development team with a new bundle ID, app groups, developer ID, developer ID certificate, and provisioning profiles. The .entitlements file remained the same (with different IDs), as did the capabilities for the App IDs in App Store Connect. With this new development team, we were successful, and the gatekeeper did not block the launch job. From a configuration standpoint, everything appears identical. Updating the App Store Connect App ID capabilities and generating new provisioning profiles for the first development team did not resolve the issue. Thank you for your help.

We have a NEFilterDataProvider extension that intercepts all TCP and UDP IPv4/6 traffic. At times just after wakeup from sleep, it causes internet access issues, such as showing "This site can't be reached" when opening websites. The traffic is not being dropped by the extension. According to the logs, the connection is being closed after approximately 4 minutes. During the issue, the flow logs are as follows: Flow 515129771 is connecting New flow: NEFlow type = stream, app = com.google.Chrome.helper... Detaching, ref count = 2 (logged after ~4 minutes) Sending close, how = 2 Removing from group 2, ref count = 2 Destroying, app tx 0, tunnel tx 0, tunnel rx 0 Closing reads, not closed by plugin Closing writes, not sending close Any suggestions on the possible cause and how to further debug it?

I'm developing a per-app VPN iOS app with Wireguard. For that, I created a configuration file with payload type "com.apple.vpn.managed.applayer". Using the MDM server I installed some apps which need to use the VPN connection. But when I open these apps, I could see the VPN getting enabled in the device. The VPN icon appears on the notification bar but no internet connection. The VPN and internet is working correctly if I change the payload type to "com.apple.vpn.managed" in configuration file.

When handleNewUDPFlow in NETransparentProxyProvider is used to handle UDP data from port 53, at the same time, run the script continuously to execute nslookup or dig, about tens of thousands of times later, the nslookup shows the error "isc_socket_bind: address not available". So I check the system port status, and find all of the ports from 49152 to 65535 are occupied. The number of net.inet.udp.pcbcount is also very high. net.inet.udp.pcbcount: 91433 Then I made the following attempts: handleNewUDPFlow function return false directly, the nslookup script runs with no problems. I write a simple network extension that use handleNewUDPFlow to reply the mock data directly, and only hijack the UDP data from my test program (HelloWorld-5555). My network exntension code: override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow, initialRemoteEndpoint remoteEndpoint: NWEndpoint) -> Bool { guard let tokenData = flow.metaData.sourceAppAuditToken, tokenData.count == MemoryLayout<audit_token_t>.size else { return false } let audit_token = tokenData.withUnsafeBytes { buf in buf.baseAddress?.assumingMemoryBound(to: audit_token_t.self).pointee } let pid = audit_token_to_pid(audit_token ?? audit_token_t()) if (!flow.metaData.sourceAppSigningIdentifier.starts(with: "HelloWorld-5555")) { return false } Logger.statistics.log("handleNewUDPFlow \(remoteEndpoint.debugDescription, privacy: .public) \(flow.hash), pid:\(pid), \(flow.metaData.sourceAppSigningIdentifier, privacy: .public)") flow.open(withLocalEndpoint: nil) { error in if let error { os_log("flow open error: %@", error.localizedDescription) return } flow.readDatagrams { data_grams, remote_endpoints, read_err in guard let read_data_grams = data_grams, let read_endpoints = remote_endpoints, read_err == nil else { os_log("readDatagrams failed") flow.closeReadWithError(nil) flow.closeWriteWithError(nil) return } let mockData = Data([0x01,0x02,0x03]) let datagrams = [ mockData ] guard let remoteEnd = remoteEndpoint as? NWHostEndpoint else { os_log("Not the NWHostENdpoint") flow.closeReadWithError(nil) flow.closeWriteWithError(nil) return } let endpoints = [ NWHostEndpoint(hostname: remoteEnd.hostname, port: remoteEnd.port) ] flow.writeDatagrams(datagrams, sentBy: endpoints) { error in if let error { os_log("writeDatagrams error: %@", error.localizedDescription) } os_log("writeDatagrams close") flow.closeReadWithError(nil) flow.closeWriteWithError(nil) } } } return true } My test program code: void send_udp() { int sockfd; struct sockaddr_in server_addr; char buffer[BUFFER_SIZE]; int bytes_sent; // create socket if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("socket create failed"); exit(EXIT_FAILURE); } struct sockaddr_in local_addr; memset(&local_addr, 0, sizeof(local_addr)); local_addr.sin_family = AF_INET; local_addr.sin_addr.s_addr = htonl(INADDR_ANY); local_addr.sin_port = htonl(0); // bind if (bind(sockfd, (struct sockaddr*)&local_addr, sizeof(local_addr)) < 0) { printf("IPV4 bind errno:%d\n", errno); close(sockfd); return; } // server addr memset(&server_addr, 0, sizeof(server_addr)); server_addr.sin_family = AF_INET; server_addr.sin_port = htons(SERVER_PORT); server_addr.sin_addr.s_addr = inet_addr(SERVER_IP); // send & recv strcpy(buffer, "Hello, UDP server!"); bytes_sent = sendto(sockfd, buffer, strlen(buffer), 0, (struct sockaddr *)&server_addr, sizeof(server_addr)); if (bytes_sent < 0) { perror("sendto failed"); close(sockfd); exit(EXIT_FAILURE); } printf("sendto ok\n"); char recvbuf[128] = {0}; socklen_t len = sizeof(server_addr); int sz = recvfrom(sockfd, recvbuf, sizeof(recvbuf), MSG_WAITALL, (struct sockaddr *) &server_addr, &len); printf("recv sz: %d\n", sz); close(sockfd); return; } int main() { send_udp(); return 0; } 2.1 When I use bind in my program, after the program running tens of thousands of times, the ports are exhausted, and nslookup return the error "isc_socket_bind: address not available". The case looks like running the nslookup script, because the nslookup will call the bind. 2.2 When I remove the bind from my program, all the tests are go. I have made the above experiments on different systems: 13.x, 14.x, 15.x, and read the kernel source code about bind and port assignment, bsd/netinet/in_pcb.c bsd/netinet/udp_usrreq.c and find kernel will do different action for network extension by call necp_socket_should_use_flow_divert I have checked my network extension process by lsof and netstat, its sockets or flows are all closed properly. I don't know how I can avoid this problem to ensure my network extension to work long time properly. Apparently, the port exhaustion is related to the use of bind function and network extension. I doubt there is a port leak problem in system when use network extension. Hope for your help.

When setting up a packet tunnel with a profile that has includeAllNetworks set to true, we seemingly cannot send any traffic inside the tunnel using any kind of an API. We've tried using BSD sockets, as we ping a host only reachable within the tunnel to establish whether we have connectivity - this does not work. When using NWConnection from the Network framework and specifying the required interface via virtualInterface from the packet tunnel, the connection state never reaches ready. Our interim solution is to, as ridiculous as it sounds, include a whole userspace networking stack so we can produce valid TCP packets just to send into our own tunnel. We require a TCP connection within our own tunnel to do some configuration during tunnel setup. Is there no better solution?

I would like to develop a macOS app that would automatically switch Network Locations based on certain criteria. I want to publish this on the Mac App Store, but I'm unsure if this functionality is permitted. I've searched through the App Store Review Guidelines and documentation on NetworkExtension and SystemConfiguration frameworks, but I haven't found clear information on whether: Programmatically changing Network Locations is allowed in sandboxed App Store apps What specific entitlements would be required If there are any API-approved ways to do this without shell commands I'd like to avoid investing significant development time if this type of functionality would ultimately be rejected. As a relatively new Apple platform developer, any guidance on: The appropriate frameworks/APIs to use Required entitlements Whether this functionality is even permitted for App Store distribution would be incredibly helpful. Thank you in advance for any insights!

When I used the iPhone 11 to scan the wifi connection, the system reported an error,   ‘’’ let config = NEHotspotConfiguration(ssid: name, passphrase: passwd, isWEP: false) let manager = NEHotspotConfigurationManager() manager.apply(config) { error in      } ’’’ NEHotspotConfigurationErrorDomain Code=8 “internal error.” , the only thins that fixes this issue it restarting the iPhone. What is the reason for this and how to solve it? Reference link: https://developer.apple.com/forums/thread/111638 https://cloud.tencent.com/developer/ask/sof/114654981

I am developing "local push" VoIP application. I have a question about issues I found while testing this app. After repeating a test for 24 hours in which a incoming call followed by an immediate disconnect 0.1 seconds later, the iPhone of incommig call side encountered a 0xBAADCA11 error, causing iOS to force-close the app. (The incidence is low, occurring three times in 17280 times incoming call(24 hours.)) This problem found on iOS17.6.1 (iPhone11Pro). When the same test was performed on iOS18.2 (iPhoneSE3), the problem did not occur. Did iOS take something measures against the 0xBAADCA11 error between iOS17.6.1 and iOS18.2? If yes, I want to encourage customers to upgrade to the latest iOS version, please tell me about it? ※I have attached an ips files and sysdiagnose file of the 0xBAADCA11 error occurring. (please refer sysdiagnose also if you need.) FjSoftPhone-2025-01-16-113049.ips FjSoftPhone-2025-01-16-175253.ips FjSoftPhone-2025-01-17-070449.ips [sysdiagnose_2025.01.17_14-24-48+0900_iPhone-OS_iPhone_21G93.tar.gz] https://drive.google.com/file/d/1CV8laKzdnQxvwaAIOwMcXL8rAYL2jq35/view?usp=sharing

I am working on a macos application that uses NetworkExtension and works fine in the debug environment. However, when I use the Release package, I am always prompted that my description file does not contain NetworkExtension. I am sure that my description file does contain NetworkExtension. How to solve this problem

Hi there, I'm trying to build a MacOS VPN application from scratch. My VPN application is slightly from normal ones, It will include an authentication token and underlying process information (pid, application path etc.) in each connection made to the VPN gateway. Consider it a poor man's zerotrust implementation. NetworkExtension and PacketTunnel is a must, thus to retrieve process information via audit tokens. However, I'm unable to find any working examples that can be built on MacOS 15.X. I tried to open an TSI case but didn't receive anything useful. Anyone?

I am developing an App based on Network Extension that lets all network requests on device access the Internet through a private Relay. I created an empty iOS App and only the entitlements file and ViewController.swift(Main.storyboard) file have been modified. The code was copied from the official video https://developer.apple.com/videos/play/wwdc2023/10002/ But, running the App on iPhone, the saveToPreferences API reported Error Domain=NERelayErrorDomain Code=3 "(null)" and the App doesn't look like it's changed at all (it doesn't jump to the Settings - VPN&Relay). Does anyone know why？Any reply would be greatly appreciated. The contents of the entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>relay</string> </array> </dict> </plist> ViewController.swift: import UIKit import NetworkExtension class ViewController: UIViewController { override func viewDidLoad() { super.viewDidLoad() // Do any additional setup after loading the view. } @IBAction func tap(_ sender: Any) { let newRelay = NERelay() let relayURL = URL(string: "https://relay.example.com:443/") newRelay.http3RelayURL = relayURL newRelay.http2RelayURL = relayURL newRelay.additionalHTTPHeaderFields = ["Authorization" : "PrivateToken=123"] let manager = NERelayManager.shared() manager.relays = [newRelay] manager.matchDomains = ["internal.example.com"] manager.isEnabled = false manager.saveToPreferences { err in print(err) } } }

I am writing to seek clarification on two technical issues related to iOS frameworks (CoreBluetooth and NetworkExtension). These observations are critical for optimizing our app's performance, and I would appreciate any official guidance or documentation references. CoreBluetooth Scanning Frequency and Cycle Issue: We noticed inconsistent BLE device discovery times (ranging from 0.5s to 1.5s) despite the peripheral advertising at 2Hz (500ms interval). Questions: Does iOS regulate the BLE scan interval or duty cycle internally? If yes, what factors affect this behavior (e.g., foreground/background state, connected devices)? Are there recommended practices to reduce discovery latency for peripherals with fixed advertising intervals? Is there a way to configure scan parameters (e.g., scan window/interval) programmatically, similar to Android's BluetoothLeScanner? Test Context: Device: iPhone 13 mini (iOS 17.6.1) Code: CBCentralManager.scanForPeripherals(withServices: nil, options: [CBCentralManagerScanOptionAllowDuplicatesKey: true]) NEHotspotConfigurationManager Workflow and Latency Issue: Using NEHotspotConfigurationManager.shared.apply(_:) to connect to Wi-Fi occasionally takes up to 8 seconds to complete. Questions: What is the internal workflow of the apply method? Does it include user permission checks, SSID scanning, authentication, or IP assignment steps? Are there known scenarios where this method would block for extended periods (e.g., waiting for user interaction, network timeouts)? Is the latency related to system-level retries or radio coexistence with other wireless activities (e.g., Bluetooth)? Test Context: Configuration: NEHotspotConfiguration(ssid: "TestSSID") Behavior: Delay occurs even when the Wi-Fi network is in range and credentials are correct.

I am writing to seek clarification on two technical issues related to iOS frameworks (CoreBluetooth and NetworkExtension). These observations are critical for optimizing our app's performance, and I would appreciate any official guidance or documentation references. CoreBluetooth Scanning Frequency and Cycle Issue: We noticed inconsistent BLE device discovery times (ranging from 0.5s to 1.5s) despite the peripheral advertising at 2Hz (500ms interval). Questions: Does iOS regulate the BLE scan interval or duty cycle internally? If yes, what factors affect this behavior (e.g., foreground/background state, connected devices)? Are there recommended practices to reduce discovery latency for peripherals with fixed advertising intervals? Is there a way to configure scan parameters (e.g., scan window/interval) programmatically, similar to Android's BluetoothLeScanner? Test Context: Device: iPhone 13 mini (iOS 17.6.1) Code: CBCentralManager.scanForPeripherals(withServices: nil, options: [CBCentralManagerScanOptionAllowDuplicatesKey: true]) NEHotspotConfigurationManager Workflow and Latency Issue: Using NEHotspotConfigurationManager.shared.apply(_:) to connect to Wi-Fi occasionally takes up to 8 seconds to complete. Questions: What is the internal workflow of the apply method? Does it include user permission checks, SSID scanning, authentication, or IP assignment steps? Are there known scenarios where this method would block for extended periods (e.g., waiting for user interaction, network timeouts)? Is the latency related to system-level retries or radio coexistence with other wireless activities (e.g., Bluetooth)? Test Context: Configuration: NEHotspotConfiguration(ssid: "TestSSID") Behavior: Delay occurs even when the Wi-Fi network is in range and credentials are correct.