NEAppPushProvider blocked from local network access even when container app has permission

Hi everyone,

I’m encountering what appears to be a system-level issue with NEAppPushProvider extensions being unable to communicate with other devices on the local network, even when the main app has already been granted Local Network permission by the user.

Context

The following problem occurs in an iPad app running iOS 18.5. The main app successfully requests and is granted Local Network access via NSLocalNetworkUsageDescription in its Info.plist configuration. It can connect to a WebSocket server hosted on the local network without any issues, resolving its address by name.

The extension (NEAppPushProvider) uses the same networking code as the app, extended via target membership of a controller class. It attempts to connect to the same hostname and port but consistently fails to establish a connection. The system log shows it properly resolving DNS but being stopped due to "local network prohibited". An extract of the logs from the Unified Logging System:

12:34:10.086064+0200	PushProvider	[C526 Hostname#fd7b1452:8443 initial parent-flow ((null))] event: path:start @0.000s
12:34:10.087363+0200	PushProvider	[C526 Hostname#fd7b1452:8443 waiting parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] event: path:satisfied @0.005s
12:34:10.090074+0200	PushProvider	[C526 Hostname#fd7b1452:8443 in_progress parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] event: flow:start_connect @0.006s
12:34:10.093190+0200	PushProvider	[C526.1 Hostname#fd7b1452:8443 in_progress resolver (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] event: resolver:start_dns @0.009s
12:34:10.094403+0200	PushProvider	[C526.1.1 IPv4#f261a0dc:8443 waiting path (unsatisfied (Local network prohibited), interface: en0[802.11], ipv4, uses wifi)] event: path:unsatisfied @0.010s
12:34:10.098370+0200	PushProvider	[C526.1.1.1 IPv4#f261a0dc:8443 failed path (unsatisfied (Local network prohibited), interface: en0[802.11], ipv4, uses wifi)] event: null:null @0.014s
12:34:10.098716+0200	PushProvider	[C526.1 Hostname#fd7b1452:8443 failed resolver (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] event: resolver:children_failed @0.015s
12:34:10.099297+0200	PushProvider	[C526 Hostname#fd7b1452:8443 waiting parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] event: flow:child_failed @0.016s

What I’ve Confirmed:

• The extension works perfectly if the DNS is changed to resolve the name to a public IP instead of a local one. The extension always connects by hostname.
• Devices on the local network can resolve each other’s IP addresses correctly and respond to pings.

What I’ve Tried

• Adding NSLocalNetworkUsageDescription to the main app’s Info.plist, as recommended.
• Clean building the project again.
• Removing and reinstalling the app to ensure permission prompts are triggered fresh.
• Restarting the iPad.
• Ensuring main app cannot access the local network until the permission is granted.
• Ensuring the main app has connected to the same hostname and port before the extension attempts a connection
• Toggling the permission manually in Settings.

Apple’s documentation states (TN3179):

“In general, app extensions share the Local Network privilege state of their container app.”

It also notes that some background-running extension types may be denied access if the privilege is undetermined. But in my case, the main app clearly has Local Network access, and the extension never receives it, even after repeated successful connections by the main app.

Question

Is this a known limitation with NEAppPushProvider? Is there a recommended way to ensure the extension is able to use the local network permission once the user has granted it on the app?

Any feedback, suggestions, or confirmation would be greatly appreciated. Thanks in advance.