Content Filter Permission Prompt Not Appearing in TestFlight

What platform is this for?

I suspect you’re targeting iOS, in which case you’re probably hitting the deployment limit for content filters on that platform. TN3134 Network Extension provider deployment discusses that.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi,

I have the exact same issue and have followed the minimum iOS Deployment. I set it to 17 for now. But the issue still happens

Again, the key reference here is TN3134 Network Extension provider deployment.

I set it to 17 for now.

I’m not talking about the deployment target (the OS version), but rather the deployment channel (Development, Ad Hoc, or App Store, including TestFlight).

TN3134’s focus on deployment leads to an important subtlety that it doesn’t cover. During development, iOS allows you to save a NE filter configuration using NEFilterManager. This allows you to develop your content filter without messing around with configuration profiles. However, that affordance isn’t enabled during deployment, at which point you have to follow the rules in TN3134.

Network Extension determines whether your app is Development or Distribution sign based on the get-task-allow entitlement (com.apple.security.get-task-allow on macOS, get-task-allow on other platforms).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Do you mean that I need to add that line on my entitlements? I can't find the explanation on the link you shared TN3134: Network Extension provider deployment | Apple Developer Documentation Can you give me the step by step process?

Do you mean that I need to add that line on my entitlements?

I presume you’re referring to the get-task-allow entitlement. If so, then no, that’s not what I mean. That entitlement is managed by Xcode. It automatically adds it when you sign for development and omits it out when you sign for distribution.

Let’s ignore development signing for the moment, because shipping apps are necessarily distribution signed. In that case, you have the three options outlined by TN3134:

• On supervised devices, the device manager can install a configuration profile that enables your content filter system wide.
• On managed devices, the device manager can use MDM to install a configuration profile that enables your content filter for specific managed apps, also installed by MDM.
• If you’re building a Screen Time app, your app can programmatically enable its content filter. This is subject to very specific criteria, outlined in the Deploying a content filter provider section of TN3134.

Those are your only options. You can’t build a content filter that works on arbitrary devices without Screen Time restrictions.

If your goal is to target arbitrary devices, I recommend that you explore URL filter instead. We talked about that in great detail in WWDC 2025 Session 234 Filter and tunnel network traffic with NetworkExtension.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

How about NEDNSProxyProvider or NEFilterDataProvider? Can we use that? The URL Filters only support iOS 26+ right?

How about NEDNSProxyProvider … ?

That’s covered by the Deploying a DNS proxy provider section of TN3134 .

How about … NEFilterDataProvider?

NEFilterDataProvider and NEFilterControlProvider always comes as a pair [1]. Collectively they form a content filter, which is what we’ve been discussing here. You can’t have just a data provider.

The URL Filters only support iOS 26+ right?

Correct.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] On iOS. The rules for content filters on macOS are very different, and one of the key changes is that there’s data/control provider separation.

Hi

Is there any resources that I can read and follow, like a guide. I checked this sample but the build failed https://developer.apple.com/documentation/networkextension/filtering-traffic-by-url

I checked this sample but the build failed

Indeed. Sorry about that.

There are expected and unexpected steps here. On the expected front, to build the sample you must select your team in the Team popup in the Signing & Capabilities editor. Do this for both the app and the appex target.

The unexpected problems are caused by API tweaks during the iOS 26 beta cycle. To fix those:

• In URLFilterControlProvider.swift, replace this:

  func fetchPrefilter() async throws -> NEURLFilterPrefilter? {
  

  with this:

  func fetchPrefilter(existingPrefilterTag: String?) async throws -> NEURLFilterPrefilter? {
  

• Later on in the same file, change these lines:

  data: prefilterData,
  bitCount: numberOfBits,
  

  to this:

  data: prefilterData,
  tag: currentPrefilterTag,
  bitCount: numberOfBits,
  

You’ll need to come up with the currentPrefilterTag value yourself. See the doc comments for the fetchPrefilter(existingPrefilterTag:) method for more background on that.

Beyond that, there have been a number of threads about URL filter here on the forums. Specifically, this one has a bunch of useful titbits.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi

I read the thread you provided but it still doesn't really give me a clear picture for how to implement the URL Filter. It's more like there's a bug in the library before. And it has been fixed now? Can you give me some resources to start? I feel like the resources are still very minimal.

Hmmm. We have:

• A WWDC video that introduces the feature (WWDC 2025 Session 234 Filter and tunnel network traffic with NetworkExtension)
• Documentation (URL filters)
• Sample code (Filtering traffic by URL)
• Engineers helping in the forums

I’m not sure what else you’re looking for but if you have concrete suggestions you should definitely put them in an enhancement request (and post your bug number here, just for the record).

My advice is that you actually try this and see how far you get.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Oh, there’s one more thing I should add to the above list:

• Open source server sample (PIR Service Example)

The iOS sample code discusses this, but I can’t over-emphasise how useful it is. On that page you’ll find a link to the server’s documentation, which chock full of interesting info.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Sorry if it's really basic. But I really don't know where to start. This is something new to me. For the PIR Service Example, can we run it on xcode and connect to our device locally? Just to test whether the code is working before deploying it on the server. And on the server we can just run in on docker?

Sorry if it's really basic.

This is definitely not basic. Getting all of these ducks to line up is a significant challenge. My point is that there are lots of resources to help you.

But I really don't know where to start.

I suggest you start with the documentation for the PIR Service Example package:

1. Go to the page I linked to above.
2. At the top right you’ll see a link to the documentation on the Swift Package Index. Click that.
3. Explore that documentation.

can we run it on xcode … ?

Quoting the read me for that package:

• macOS or Linux operating system
• Swift version 6.0 or later
• Optionally, XCode version 16.1 or later

can we … connect to our device locally?

Yes. The process is described in the Testing NEURLFilter article, which is part of the package documentation.

And on the server we can just run in on docker?

I expect so. In general, server-side Swift packages that build for Linux can be deployed via Docker. As to whether this specific one can be, I don’t have experience with that myself. But this is like any other open source project. You can either try it for yourself, or engage with the project community.

Oh, and speaking of Linux-based containers, there’s an Swift open source project for running those. If you’re interested, check out WWDC 2025 Session 346 Meet Containerization.

Finally, I want to be clear about a couple of things:

• DTS doesn’t support open source projects, and that includes open source projects from Apple. From our perspective open source code is your code.
• We also don’t support non-Apple platforms, like Linux or Docker. Those platforms have their own support processes.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I tried to follow https://swiftpackageindex.com/apple/pir-service-example/main/documentation/pirservice/testinginstructionsneurlfilter

But I get this error: keyNotFound(CodingKeys(stringValue: "databaseType", intValue: nil), Swift.DecodingError.Context(codingPath: [], debugDescription: "No value associated with key CodingKeys(stringValue: "databaseType", intValue: nil) ("databaseType").", underlyingError: nil))

On this step: