Network is not working when over 50MB size file upload smb using NEFilterDataProvider in macOS The event received through NEFilterDataProvider is returned immediately without doing any other work. override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict { guard let socketFlow = flow as? NEFilterSocketFlow, let auditToken = socketFlow.sourceAppAuditToken, let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint, let localEndpoint = socketFlow.localEndpoint as? NWHostEndpoint else { return .allow() } return .filterDataVerdict(withFilterInbound: true, peekInboundBytes: Int.max, filterOutbound: true, peekOutboundBytes: Int.max) } override func handleInboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int, readBytes: Data) -> NEFilterDataVerdict { guard let socketFlow = flow as? NEFilterSocketFlow, let auditToken = socketFlow.sourceAppAuditToken, let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint, let localEndpoint = socketFlow.localEndpoint as? NWHostEndpoint else { return .allow() } return NEFilterDataVerdict(passBytes: readBytes.count, peekBytes: Int.max) } override func handleOutboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int, readBytes: Data) -> NEFilterDataVerdict { guard let socketFlow = flow as? NEFilterSocketFlow, let auditToken = socketFlow.sourceAppAuditToken, let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint, let localEndpoint = socketFlow.localEndpoint as? NWHostEndpoint else { return .allow() } return NEFilterDataVerdict(passBytes: readBytes.count, peekBytes: Int.max) } override func handleInboundDataComplete(for flow: NEFilterFlow) -> NEFilterDataVerdict { guard let socketFlow = flow as? NEFilterSocketFlow, let auditToken = socketFlow.sourceAppAuditToken, let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint, let localEndpoint = socketFlow.localEndpoint as? NWHostEndpoint else { return .allow() } return .allow() } override func handleOutboundDataComplete(for flow: NEFilterFlow) -> NEFilterDataVerdict { guard let socketFlow = flow as? NEFilterSocketFlow, let auditToken = socketFlow.sourceAppAuditToken, let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint, let localEndpoint = socketFlow.localEndpoint as? NWHostEndpoint else { return .allow() } return .allow() } how can i fix it?

I’m building a macOS app with a DNS Proxy system extension for Developer ID + notarization, deployed via MDM, and Xcode fails the Developer ID Release build with a provisioning profile mismatch for com.apple.developer.networking.networkextension. Environment macOS: Sequoia (15.7.2) Xcode: 26.2 Distribution: Developer ID + notarization, deployed via MDM Host bundle ID: com.mydns.agent.MyDNSMacProxy DNS Proxy system extension bundle ID: com.mydns.agent.MyDNSMacProxy.dnsProxy Host entitlements (Release): File: MyDNSMacProxy/MyDNSMacProxyRelease.entitlements: "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>B234657989.com.mydns.agent.MyDNSMacProxy</string> <key>com.apple.developer.networking.networkextension</key> <array> <string>dns-proxy</string> </array> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.team-identifier</key> <string>B234657989</string> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>group.com.mydns.MyDNSmac</string> </array> <key>keychain-access-groups</key> <array> <string>B234657989.*</string> </array> </dict> </plist> xcodebuild -showBuildSettings -scheme MyDNSMacProxy -configuration Release : PROVISIONING_PROFILE_SPECIFIER = main MyDNSMacProxy5 CODE_SIGN_IDENTITY = Developer ID Application Host Developer ID profile main_MyDNSMacProxy5.provisionprofile (via security cms -D): "Entitlements" => { "com.apple.application-identifier" => "B234657989.com.mydns.agent.MyDNSMacProxy" "com.apple.developer.team-identifier" => "B234657989" "com.apple.security.application-groups" => [ "group.com.mydns.MyDNSmac", ..., "B234657989.*" ] "keychain-access-groups" => [ "B234657989.*" ] "com.apple.developer.system-extension.install" => 1 "com.apple.developer.networking.networkextension" => [ "packet-tunnel-provider-systemextension", "app-proxy-provider-systemextension", "content-filter-provider-systemextension", "dns-proxy-systemextension", "dns-settings", "relay", "url-filter-provider", "hotspot-provider" ] } So: App ID, team ID, keychain and system‑extension.install match. The profile’s com.apple.developer.networking.networkextension is a superset of what I request in the host entitlements (dns-proxy only). System extension (for context) DNS Proxy system extension target: NSExtensionPointIdentifier = com.apple.dns-proxy NetworkExtension → NEProviderClasses → com.apple.networkextension.dns-proxy → my provider class Entitlements: com.apple.developer.networking.networkextension = ["dns-proxy-systemextension"] This target uses a separate Developer ID profile and builds successfully. Xcode error Release build of the host fails with: …MyDNSMacProxy.xcodeproj: error: Provisioning profile "main MyDNSMacProxy5" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. (in target 'MyDNSMacProxy' from project 'MyDNSMacProxy') Xcode UI also says: Entitlements: 6 Included, 1 Missing Includes com.apple.developer.team-identifier, com.apple.application-identifier, keychain-access-groups, com.apple.developer.system-extension.install, and com.apple.security.application-groups. Doesn’t match entitlements file value for com.apple.developer.networking.networkextension. Because of this, the app bundle isn’t produced and I can’t inspect the final signed entitlements. Questions: For com.apple.developer.networking.networkextension, should Xcode accept a subset of values in the entitlements (here just dns-proxy) as long as that value is allowed by the Developer ID profile, or does it currently require a stricter match? Is the following configuration valid for Developer ID + MDM with a DNS Proxy system extension: Host entitlements: ["dns-proxy"] System extension entitlements: ["dns-proxy-systemextension"] Host profile’s NE array includes the DNS Proxy system extension types. If this is a known limitation or bug in how Xcode validates NE entitlements for Developer ID, is there a recommended workaround? Thanks for any guidance.

Hi Apple Network Team, Good day. Recently we are experiencing some issues that when iOS or iPad OS connected to a Wi-Fi with captive portal, iOS sometimes failed to launch the full captive portal website. Based on TCPDump and WLAN dump logs, when this failure happened, we only see web client on iOS queried AAAA and HTTPS DNS queries without A query. Not all the websites are supporting and being hosted on both IPv4 and IPv6 servers. Is there a know bug on iOS and iPad OS side including OS version >= 36.2.

We are currently experiencing an issue that occurs only on iPhone 17 models. In our app, after connecting to an external device, users can download multiple video files stored on the device. When downloading several videos consecutively, the device consistently stops receiving responses midway through the process. As a result, no response is returned, and the connection between the app and the device is eventually lost. This issue does not occur on any iPhone models prior to iPhone 17. It is reproducible across all iPhone 17 devices within our company. This is a critical issue, and we need urgent assistance. The main error logs show two patterns: • Connection loss • Timeout At the OS level, the only error codes we receive are: • -1005 (Network connection lost) • -1001 (Request timed out) Unfortunately, we are unable to obtain more detailed error information beyond these codes, which makes further debugging difficult. We have attached the relevant logs below. We would greatly appreciate any guidance on how to further investigate or resolve this issue. 310.0 / :: 81 % ::: 251.21481481481482 310.0 / :: 82 % ::: 254.23280423280423 310.0 / :: 83 % ::: 257.3820105820106 310.0 / :: 84 % ::: 260.4 KeepAlive SEND id=423F1336-6239-4B3B-9414-5A987D85D564 at=2026-02-24T12:56:43Z timeout=60.000000s current: D20-Q2-PLUS, ssid: D20-Q2-PLUS_136a63 KeepAlive SKIP (in-flight) tcp_output [C10.1.1:3] flags=[R.] seq=4017430266, ack=4146413113, win=2048 state=CLOSED rcv_nxt=4146413113, snd_una=4017429847 nw_read_request_report [C10] Receive failed with error "Operation timed out" nw_flow_add_write_request [C10 192.168.000.0:443 failed parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good)] cannot accept write requests nw_write_request_report [C10] Send failed with error "Socket is not connected" Task <5BDBE621-329A-45E9-B236-9C173E92A41F>.<7> HTTP load failed, 361/0 bytes (error code: -1005 [4:-4]) Task <5BDBE621-329A-45E9-B236-9C173E92A41F>.<7> finished with error [-1005] Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x13e632160 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x14cfe5a90 [0x201746068]>{length = 16, capacity = 16, bytes = 0x100201bbc0a86f010000000000000000}, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <5BDBE621-329A-45E9-B236-9C173E92A41F>.<7>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <5BDBE621-329A-45E9-B236-9C173E92A41F>.<7>" ), NSLocalizedDescription=The network connection was lost., NSErrorFailingURLStringKey=https://192.168.000.0/keepalive, NSErrorFailingURLKey=https://192.168.000.0/keepalive, _kCFStreamErrorDomainKey=4} KeepAlive FAIL id=423F1336-6239-4B3B-9414-5A987D85D564 elapsed=29.203s status=-1 error=Optional(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x13e632160 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x14cfe5a90 [0x201746068]>{length = 16, capacity = 16, bytes = 0x100201bbc0a86f010000000000000000}, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, ), NSLocalizedDescription=The network connection was lost., KeepAlive FAIL 1001 Log KeepAlive SEND id=FC433405-C1F7-47EF-AF9E-D12E67B071FA at=2026-02-24T12:22:38Z timeout=60.000000s current: D20-Q2-PLUS, ssid: VUEROID_D20-Q2-PLUS_136a63 KeepAlive FAIL id=FC433405-C1F7-47EF-AF9E-D12E67B071FA elapsed=7.834s status=-1 error=Optional(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={_kCFStreamErrorCodeKey=60, NSUnderlyingError=0x135e612f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "(null)" UserInfo={_NSURLErrorNWPathKey=satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi, LQM: good, _kCFStreamErrorCodeKey=60, _kCFStreamErrorDomainKey=1}}, ), NSLocalizedDescription=The request timed out., NSErrorFailingURLKey=https://192.168.000.0/keepalive, _kCFStreamErrorDomainKey=1})) KeepAlive FAIL ignored count=1 error=Server error : Optional(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={_kCFStreamErrorCodeKey=60, KeepAlive SEND id=A64AE4C0-28B4-41E3-AAC9-422C41D99D15 at=2026-02-24T12:22:58Z timeout=60.000000s KeepAlive FAIL id=110B96DA-4D88-45E0-B8F7-D0A9798593AE elapsed=43.605s status=-1 error=Optional(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x135e60f60 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x144dfee40 [0x201746068]>{length = 16, capacity = 16, bytes = 0x100201bbc0a86f010000000000000000}, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, ), NSLocalizedDescription=The network connection was lost., NSErrorFailingURLStringKey=https://192.168.000.0/keepalive, NSErrorFailingURLKey=https://192.168.000.0/keepalive, _kCFStreamErrorDomainKey=4})) KeepAlive FAIL ignored count=2 error=Server error : Optional(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x135e60f60 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x144dfee40 [0x201746068]>{length = 16, capacity = 16, bytes = 0x100201bbc0a86f010000000000000000}, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, Network type changed, hasWiFiInterface :false We are sending a keepalive request every 30 seconds to maintain the connection state with the device. Most of the issues occur during this keepalive process, and this is when the logs mentioned earlier are generated. Based on our debugging so far, the keepalive function itself is being called as expected. However, the execution appears to stall while waiting for a response from the device. After remaining in that state for some time, the session eventually ends with either a timeout or a connection loss error. We are use almofire 4.0.1. According to the firmware developer, when this issue occurs, there are no corresponding values or logs received on the device side. Therefore, we are currently investigating whether this might be related to a networking issue on the iPhone side. All other features are functioning normally. The problem occurs only when downloading VOD video files, and the reproduction rate is 100% under that condition.

I’m using Network Framework with UDP and calling: connection.receive(minimumIncompleteLength: 1, maximumLength: 1500) { data, context, isComplete, error in ... // Some Logic } Is it possible for this completion handler to be called with data==nil if I haven't received any kind of error, i.e., error==nil and the connection is still in the .ready state?

Hello team, I am trying to find out a way to block urls in the chrome browser if it is found in local blocked list cache. I found URL Filter Network very much suitable for my requirement. But I see at multiple places that this solution is only for Enterprise level or MDM or supervised device. So can I run this for normal user ? as my targeting audience would be bank users. One more thing how can I test this in development environment if we need supervised devices and do we need special entitlement ? When trying to run sample project in the simulator then getting below error

Hi, After the release of macOS Tahoe 26.2. We are seeing memory leaks if our Network Protection Extension is used alongside the Apple Built In Firewall, a second Security Solution that does Network Protection and a VPN. Our NEXT, socketfilterfw and the other security solution consume instead of a few MB of Memory now multiple Gigabytes of Memory. This issue started with the public release of macOS Tahoe 26.2, this issue was not present in earlier versions of macOS and the same set of Software. Just testing our solution by itself will not show this behavior. I unfortunately can't try to reproduce the issue on my test device that runs the latest 26.3 beta as I do not have the third party software installed there and I can't get it. Our Network extension implements depending on the license and enabled features: NEFilterDataProvider NEDNSProxyProvider NETransparentProxyProvider For all man in the middle Use Cases we are using Network Framework, to communicate with the peers. And leaks suggest that the there is a memory leak within internals of the Network Framework. Here is a shortened sample of the leaks output of our Network extension. However, the third party NEXT does show the same leaks. More details can be found on the Feedback with the ID FB21649104 snippet is blocking post? sensitive language Does anyone see similar issues or has an idea what could cause this issue, except a regression of the Network.framework introduced with macOS Tahoe 26.2? Best Regards, Timo

I'm building a HomeKit app that discovers Thread devices and visualizes the mesh topology. I can detect device roles (Router vs End Device via characteristic 0x0703) and identify Border Routers (via _meshcop._udp), but I cannot determine which Router is the parent of a given End Device. Any Thread device can act as a Router (a Nanoleaf bulb, an Eve plug, not just HomePods), and End Devices attach to these Routers as children. That parent-child relationship is what I'm trying to map, but there's no RLOC16, neighbor table, or parent identifier exposed through any available API. I've tested every path I can find. Here's what I've tried on a network with 44 Thread devices and 6 Border Routers: What works (partially) HAP Thread Management Service (0x0701) gives me the device role from characteristic 0x0703, the OpenThread version from 0x0706, and node capabilities from 0x0702. That's the complete set of characteristics on that service. None of them contain RLOC16, parent Router, or neighbor data. This service also only exists on HAP-native Thread devices. My 20 Matter-over-Thread devices (Aqara, Eve Door, SmartWings, Onvis S4) don't have it at all. MeshCoP Bonjour (_meshcop._udp) identifies Border Routers and the network name/Extended PAN ID. No topology data about other mesh nodes. What doesn't work ThreadNetwork framework (THClient) - retrieveAllCredentials() returns error Code 3 because the app can't access credentials stored by Apple Home. Even if it worked, THCredentials only contains network config (name, PAN ID, channel), not topology. Direct CoAP queries - Border Routers don't route traffic from WiFi to Thread management ports. Mesh-local addresses aren't reachable. No Thread NWInterface in Network.framework. Network.framework - No visibility into the Thread mesh from the WiFi side. The only remaining path I can see (but it's not practical) Matter cluster 0x0035 (Thread Network Diagnostics) appears to have exactly what I need: RLOC16, NeighborTable with isChild boolean, RouteTable. I haven't implemented this because it requires commissioning each device individually onto my app's own Matter fabric via Multi-Admin. That's 21 separate user-initiated pairing actions on my network. I can't ask end users to do that. The core issue Every Thread Router (whether it's a HomePod acting as a Border Router or a Nanoleaf bulb acting as a mesh Router) knows its own children and neighbors. The Border Routers also maintain route tables covering the mesh backbone. This data exists on the user's own devices but none of it is exposed to third-party apps. Even something minimal would help. HMAccessory already exposes matterNodeID as a cross-protocol identifier. Exposing RLOC16 the same way would be enough, since parent-child relationships are encoded in the address itself (ParentRLOC = ChildRLOC & 0xFC00). Has anyone found another approach I'm missing? Thanks in advance for any pointers.

I'm debugging an app I'm building and everything I'm seeing suggests I need to put in a request to Apple to turn on NetworkExtension → Packet Tunnel Provider entitlement for our Team ID and bundle IDs. 1: Is this true? 2: Doesn't the option in xcode handle this?

Dear Apple Carrier Relations / Engineering Team, I am writing to you from MKSmart, a leading smart card and digital security solution provider. We have successfully deployed our SM-DP+ (Subscription Management Data Preparation+) system, which is fully compliant with GSMA standards. Furthermore, MKSmart has officially achieved the GSMA SAS-SM (Security Accreditation Scheme for Subscription Management) certification. Currently, we are facing technical difficulties when attempting to download eSIM profiles onto iPhone devices. The download process fails, and we believe our SM-DP+ server address (FQDN) or Root Certificates may not yet be whitelisted or recognized by Apple’s ecosystem. To ensure a seamless experience for our customers on iOS devices, we would like to request your guidance on the following: Onboarding Process: What are the formal steps for MKSmart to have our SM-DP+ server recognized and trusted by Apple devices? Whitelisting: How can we submit our SM-DP+ FQDN and Root Certificates for Apple’s review and inclusion in the trusted list? Carrier Bundle: Does MKSmart need to coordinate with specific carrier partners to update the Carrier Bundle, or is there a direct integration path for our infrastructure? We have attached our GSMA SAS-SM certification and technical specifications for your reference. We are ready to provide any additional documentation or perform interoperability testing as required. We look forward to your guidance and a successful collaboration. Best regards, Nguyen Do Khanh Software Engineer MKSmart Joint Stock Company https:\mksmart.com.vn

Apple is encouraging VPN apps on macOS to transition to Network Extension APIs, if they haven't done so yet, see: TN3165: Packet Filter is not API WWDC25: Filter and tunnel network traffic with NetworkExtension Using Network Extension is fine for VPN apps that are distributed via the Mac App Store. Users get one pop-up requesting permission to add VPN configurations and that's it. However, VPN apps that are distributed outside of the App Store (using Developer ID) cannot use Network Extension in the same way, such apps need to install a System Extension first (see TN3134: Network Extension provider deployment). Installing a System Extension is a very poor user experience. There is a pop-up informing about a system extension, which the user has to manually enable. The main button is "OK", which only dismisses the pop-up and in such case there is little chance that the user will be able to find the correct place to enable the extension. The other button in that pop-up navigates to the correct screen in System Settings, where the user has to enable a toggle. Then there is a password prompt. Then the user has to close the System Settings and return to the app. This whole dance is not necessary for VPN apps on the Mac App Store, because they work with "app extensions" rather than "system extensions". As a developer of a VPN app that is distributed outside of the App Store, my options are: Implement VPN functionality in an alternative way, without Network Extension. This is discouraged by Apple. Use a System Extension with Network Extension. This is going to discourage my users. I have submitted feedback to Apple: FB19631390. But I wonder, why did Apple create this difference in the first place? Is there a chance that they will either improve the System Extension installation process or even allow "app extensions" outside of the Mac App Store?

We create custom VPN tunnel by overriding PacketTunnelProvider on MacOS. Normal VPN connection works seamlessly. But if we enable onDemand rules on VPN manager, intemittently during tunnel creation via OnDemand, internet goes away on machine leading to a connection stuck state. Why does internet goes away during tunnel creation?

Starting in iOS 26.4, PushKit has introduced a new "didReceiveIncomingVoIPPushWithPayload" delegate, making it explicit whether or not an app is required to report a call for any given push. The new delegate passes in a PKVoIPPushMetadata object which includes a "mustReport" property. We have not documented the exact criteria that will cause a mustReport to return false, but those criteria currently include: The app being in the foreground at the point the push is received. The app being on an active call at the point the push is received. The system determines that delivery delays have made the call old enough that it may no longer be viable. When mustReport is false, apps should call the PushKit completion handler (as they previously have) but are otherwise not required to take any other action. __ Kevin Elliott DTS Engineer, CoreOS/Hardware

Hello, We are facing an issue with performing a DTLS handshake when our iOS application is in the background. Our app (Vocera Collaboration Suite – VCS) uses secure DTLS-encrypted communication for incoming VoIP calls. Problem Summary: When the app is in the background and a VoIP PushKit notification arrives, we attempt to establish a DTLS handshake over our existing socket. However, the handshake consistently fails unless the app is already in the foreground. Once the app is foregrounded, the same DTLS handshake logic succeeds immediately. Key Questions: Is performing a DTLS handshake while the app is in the background technically supported by iOS? Or is this an OS-level limitation by design? If not supported, what is the Apple-recommended alternative to establish secure DTLS communication for VoIP flows without bringing the app to the foreground? Any guidance or clarification from Apple engineers or anyone who has solved a similar problem would be greatly appreciated. Thank you.

I've been able to run this sample project with the PIRServer. But the urls are still not blocked. https://developer.apple.com/documentation/networkextension/filtering-traffic-by-url https://github.com/apple/pir-service-example I got this on the log Received filter status change: <FilterStatus: 'running'>

I'm using a Mac Studio in a homelab context and use Homebrew to manage the installed services. The services include things that access the local network, for example Prometheus which monitors some other servers, a reverse proxy which fronts other web services on the network, and a DNS server which can use another as upstream. Local Network Access permissions make it impossible to reliably perform unattended updates of services because an updated binary requires a GUI login to grant local network permissions (again). I use brew services to manage the services as launchd agents, i.e. they run in a non-root GUI context. I know that I can also use sudo brew services which instead installs the services as launchd daemons, but running services as root has negative security implication and generally doesn't look like a good idea to me. If only there was a way to disable local network access checks altogether…

iOS mTLS Client Certificate Authentication Fails in TestFlight with Error -25303 Problem I'm building an iOS app that uses mTLS (client certificates received from server at runtime). Storing SecCertificate to keychain fails with error -25303 in both development and TestFlight builds, preventing SecIdentity creation needed for URLSession authentication. Environment: iOS 18.2, iPad Pro, TestFlight internal testing, keychain-access-groups properly configured Diagnostic Results Testing keychain operations shows an interesting pattern: ✅ Generic Password - Works: let addQuery: [CFString: Any] = [ kSecClass: kSecClassGenericPassword, kSecAttrAccount: "test", kSecValueData: "password".data(using: .utf8)! ] SecItemAdd(addQuery as CFDictionary, nil) // Returns: 0 (success) ✅ SecKey - Works: let addKeyQuery: [CFString: Any] = [ kSecClass: kSecClassKey, kSecValueRef: privateKey, kSecAttrApplicationTag: tag ] SecItemAdd(addKeyQuery as CFDictionary, nil) // Returns: 0 (success) ❌ SecCertificate - Fails: let addCertQuery: [CFString: Any] = [ kSecClass: kSecClassCertificate, kSecValueRef: certificate, // Created from server-provided PEM kSecAttrApplicationTag: tag ] SecItemAdd(addCertQuery as CFDictionary, nil) // Returns: -25303 Code Context Attempting to create SecIdentity for mTLS: private func createIdentity(fromCert certPEM: String, key keyPEM: String) throws -> SecIdentity { // 1. Parse PEM to DER and create SecCertificate - succeeds guard let certData = extractPEMData(from: certPEM, type: "CERTIFICATE"), let certificate = SecCertificateCreateWithData(nil, certData as CFData) else { throw CertificateError.invalidCertificate } // 2. Parse PEM key and create SecKey - succeeds guard let keyData = extractPEMData(from: keyPEM, type: "PRIVATE KEY"), let privateKey = SecKeyCreateWithData(keyData as CFData, attrs as CFDictionary, &error) else { throw CertificateError.invalidKey } // 3. Add key to keychain - SUCCEEDS (errSecSuccess) let tempTag = UUID().uuidString.data(using: .utf8)! SecItemAdd([ kSecClass: kSecClassKey, kSecValueRef: privateKey, kSecAttrApplicationTag: tempTag ] as CFDictionary, nil) // ✅ Works // 4. Add certificate to keychain - FAILS (-25303) let status = SecItemAdd([ kSecClass: kSecClassCertificate, kSecValueRef: certificate, kSecAttrApplicationTag: tempTag ] as CFDictionary, nil) // ❌ Fails with -25303 guard status == errSecSuccess else { throw CertificateError.keychainError(status) } // 5. Would query for SecIdentity (never reached) // ... } Network Behavior When mTLS fails, console shows: Connection: asked for TLS Client Certificates Connection: received response for client certificates (-1 elements) Connection: providing TLS Client Identity (-1 elements) Task received response, status 403 The -1 elements indicates no certificates were provided. Entitlements <key>keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)com.ellin.tshios</string> </array> Keychain Sharing capability is enabled. What I've Tried Both kSecValueRef and kSecValueData approaches - same error Various kSecAttrAccessible values - same error Different keychain access groups - same error TestFlight build (vs dev build) - same error PKCS#12 creation - requires complex ASN.1/DER encoding, no iOS API Questions Is error -25303 expected when adding SecCertificate in development/TestFlight builds? Will App Store distribution resolve this? Or is there a fundamental limitation? Why does SecKey succeed but SecCertificate fails with identical entitlements? Is there an alternative to create SecIdentity without keychain access? Constraints Certificates come from server at runtime (cannot bundle) Need SecIdentity for URLSession client certificate authentication Server provides PEM format certificates Tested on: Simulator (dev), iPad Pro (dev), iPad Pro (TestFlight) - all fail Any insights appreciated - specifically whether this is a provisioning profile limitation that App Store distribution would resolve.

Hi, I tried to follow this guide: https://developer.apple.com/documentation/networkextension/filtering-traffic-by-url And this: https://github.com/apple/pir-service-example I already deploy the pir service on my server. And set the configuration on the app like this: { name = SimpleURLFilter identifier = xxxxx applicationName = SimpleURLFilter application = com.xxxx.SimpleURLFilter grade = 2 urlFilter = { Enabled = YES FailClosed = NO AppBundleIdentifier = com.mastersystem.SimpleURLFilter ControlProviderBundleIdentifier = com.xxxx.SimpleURLFilter.SimpleURLFilterExtension PrefilterFetchFrequency = 2700 pirServerURL = https://xxxxx/pir pirPrivacyPassIssuerURL = https://xxxxx/pir AuthenticationToken = AAAA pirPrivacyProxyFailOpen = NO pirSkipRegistration = NO } } But I got this error when I tried to enable the service on the app: Received filter status change: <FilterStatus: 'stopped' errorMessage: 'The operation couldn’t be completed. (NetworkExtension.NEURLFilterManager.Error error 9.)'> What does that error mean? And how to fix it?

My team is developing an enterprise VPN application that needs to respond to Mobile Device Management (MDM) profile installations and removals in real-time. Our app uses the NetworkExtension framework and needs to update the UI immediately when VPN configurations are added or removed via MDM. We are currently observing NEVPNConfigurationChangeNotification to detect VPN configuration changes: While NEVPNConfigurationChangeNotification fires reliably when users manually remove VPN profiles through Settings > General > VPN & Device Management, it appears to have inconsistent behavior when MDM profiles containing VPN configurations are installed programmatically via MDM systems. STEPS TO REPRODUCE From MDM Admin Console: Deploy a new VPN profile to the test device On Device: Wait for MDM profile installation (usually silent, no user interaction required) Check Device Settings: Go to Settings > General > VPN & Device Management to confirm profile is installed Return to App: Check if the UI shows the new VPN profile

I have been toying around with the URL filter API, and now a few installed configurations have piled up. I can't seem to remove them. I swear a few betas ago I could tap on one and then delete it. But now no tap, swipe, or long press does anything. Is this a bug?