Please ask Apple to provide an interface for sending follow-ups like Samsung's WiFi Aware.

I have added a Network Extension to my iOS project to use the WireGuard library. Everything was working fine up to Xcode 16, but after updating, I’m facing a build issue. The build fails with the following error: No such file or directory: '@rpath/WireGuardNetworkExtensioniOS.debug.dylib' I haven’t explicitly added any .dylib to my project. The Network Extension target builds and runs fine on Xcode 16.

We have observed an internet access issue after the device enters idle mode on iOS 26 beta 9. Although the Ivanti Secure Access Client appears connected, users are unable to access any resources (internet or intranet) after unlocking the device from idle. When we check the log socket connection looks not disrupted, packets are tunnelled but no resource access. Split tunnel enabled and proxy PAC configured. This was observed on both iOS and iPadOS 26 beta. Steps to reproduce: Connecting to the internet, launching the Ivanti client, locking the device, and then unlocking it after a brief period of idle. The issue occurs when the VPN remains connected but no resources are accessible.

Upgrade iOS to 18.5, then install app in Xcode and grant permissions to send UDP but it won't work. Then restart device, open this installed app and send UDP again and this time it becomes OK. Repeat these steps and it all goes well. The UDP pod I use in app is CocoaAsyncSocket. The same thing happens on iPhone 14 Plus and 16 Pro, both iOS 18.5. How to explain this phenomenon, thanks for your help in advance.

We’ve noticed an issue where after running a network extension, if the phone’s language is changed the Locale.preferredLanguages array is not updated and still returns the old array. It only returns the updated array when the app is reinstalled or the phone is restarted. This is unlike the app itself where using the same Locale.preferredLanguages API immediately returns the updated array. We think this issue is also the cause of notifications that are sent by the network extension being in the previous language as long as the app isn’t reinstalled or the phone is restarted, despite our Localizable file having localised strings for the new language. Feedback ID: FB20086051 The feedback report includes a sample project with steps on how to reproduce the issue.

I'm having a lot of trouble just getting a basic network extension startup, I have a main application that creates the configuration and requests the app extension based network extension to launch. The network extension implements a NEPacketTunnelProvider and the application doesn't receive an error when starting the tunnel but when I inspect the networkextension system logs, I keep getting errors and the network extension itself doesn't appear to start nor does it log anything. log stream --predicate 'subsystem == "com.apple.networkextension"' neagent: (NetworkExtension) [com.apple.networkextension:] Extension request with extension $(BUNDLE_ID) started with identifier (null) neagent: (NetworkExtension) [com.apple.networkextension:] Failed to start extension $(BUNDLE_ID): Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named $(BUNDLE_ID)" UserInfo={NSDebugDescription=connection to service named $(BUNDLE_ID)} nesessionmanager: [com.apple.networkextension:] Validation failed - no audit tokens nesessionmanager: [com.apple.networkextension:] NEVPNTunnelPlugin($(BUNDLE_ID)[inactive]): Validation of the extension failed The network extension is written in Objective-C as it needs to integrate with another language. It's not entirely clear what kind of executable the network extension is meant to be, is it meant to have a main entrypoint, or is it supposed to be a shared library / bundle?

Around 8/23/25, I installed macOS 15.6.1 on my work Mac. After this I can no longer log the application I am working on into our backend servers. My work Mac is running Palo Alto Global Protect VPN software along with a bunch of associated security software to lock down my computer. I had no issues with connecting to our backend servers behind the firewall before the macOS update and nothing has changed in the source code related to this. When I send the username the network call just hangs and never times out. On the other hand, if I turn off the VPN and point to the production environment the call succeeds with no problems. Any Ideas?

As per : TN3120: Expected use cases for Network Extension packet tunnel providers | Apple Developer Documentation It is clear that Packets that are read from NEPacketTunnelFlow are meant to be sent over a tunnel connection to a remote server for injection into a remote network. They are not meant to be dropped or re-injected back into the system. In my usecase: NEPacketTunnelProvider is separate process. which reads the packet using packetFlow.readPacketObjects Send it over to other process i.e privileged helper(Non-bundle/command line tool/non sandboxed) via UDS IPC. Helpers send to to remote tunnel and return back the packet to NEPacketTunnelFlow via same IPC. NEPacketTunnelProvider uses packetFlow.writePacketObjects to inject packets. Things works fine. We don't distribute it via Appstore. We are now attempting to implement a on device bypass mechanism from helper tool side. Could you please suggest if there is any approach I could try, even if it involves proceeding at my own risk?

Hi, after upgrading to MacOS Sequoia, my connection to my local IP address does not work. The issue is with the PF (MacOS advanced firewall), as I confirmed that my local application works disabling it temporarily. Does anyone know how can I do to solve this problem? As APP developer, this is a big problem for me. Thanks in advance.

Good morning, I have been playing with he new Networking framework released in beta, and i think its amazing how powerful and simple it is. However i have been tackling some issues with it, it seems that the NetworkListener does not allow us to configure a specific endpoint for any of the protocols, UDP, TCP (QUIC, TLS) Is this intended or just not missing features as of the Beta ? I figured out how to use bonjour to get a port (as i am brand new to using Networking on macOS and Swift) I get that the use of this is mainly as a client to connect to servers, but it would make more sense to have a high level abstraction of what already exist, wouldn't it be more intuitive to configure a NetworkEndpoint that contains either a Bonjour Service or an endpoint with configured port that we can then configure on the Listener, instead of doing .service(...) ?

Description : Our app helps users connect to Wi-Fi hotspots. We are trying to adapt our code to iOS 26 Hotspot Authentication and Hotspot Evaluation application extensions. When filtering hotspots in the filterScanList callback, we need to fetch support information from a remote server to determine which hotspots are supported. However, attempts to use URLSession or NWTCPConnection in the extension always fail. When accessing a URL (e.g., https://www.example.com), the network log shows: Error Domain=NSURLErrorDomain Code=-1003 "A server with the specified hostname could not be found." When accessing a raw IP address, the log shows: [1: Operation not permitted] Interestingly, NWPathMonitor shows the network path as satisfied, indicating that the network is reachable. Question: Are there any missing permissions or misconfigurations on our side, or are we using the wrong approach? Is there an official recommended way to perform network requests from an NEHotspotEvaluationProvider extension?

Furuno AP(EW750) is sending EAPOL M1 message, but Iphone16 is not responding with EAPOL M2 message, Hence Iphone16 is unable to connect to Qualcomm based AP with MLO suiteb encryption. Issue impact: All the Iphone16 users cannot connect to WiFi7 AP with MLO suiteb encryption globally. Predominantly, Iphone users tend to connect to more secured wifi networks using WPA3 suiteb encryption, hence many of the iphone users will experience the connectivity issue significantly. Topology: AP Hardware: Furuno WiFi7 AP(EW770) The Furuno WiFi7 AP uses Miami IPQ5332 with waikiki radio QCN9274 (Qualcomm based chipset) AP software: SPF12.2 CSU3 IPhone16 software: (18.3.1 or 18.5 ) I phone16 wifi capabilities: 802.11 b/a/g/n/ac/ax/be Radius server details: Radius server: Laptop running with Ubuntu Radius package: 3.0.26dfsggit20220223.1.00ed0241fa-0ubuntu3.4 Version: 3.0.26 Steps: Power on the Wi-Fi 7 Access Point with the Miami chipset, and flash it with the SPF 12.2 CSU3 image. Enable both 5 GHz and 6 GHz radios on the AP. Enable MLO (Multi-Link Operation) in 6Ghz & 5Ghz, set MLD address different from radio address and configure Suite-B (192-bit) encryption On the Linux laptop, set up the RADIUS server with EAP-TLS authentication method. Once the above steps are completed, take the iPhone 16 and follow the steps below to install the RADIUS client certificates on the device. On the sniffer laptop, switch the Wi-Fi adapter to monitor mode, configure the required channel, and begin packet capture. Check SSID is broadcasting, then connect the iPhone 16 to . Verify if the client (iPhone 16) connects to the SSID using WPA3-Enterprise, MLO, and Suite-B encryption by checking the wireless capture on both the AP and iPhone sides. Support needed from Apple team: We would request Apple team to analyse and enable the IPhone16 users to connect to advanced security WPA3 Suiteb by resolving the issue. Below is our analysis and observation for your reference. As per IEEE, MLD mac address can be set to the same or different from radio address, Iphone16 is not accepting EAPOL M1 message if source address(MLD) is different from radio address. IPhone16 is accepting EAPOL M1 if the source address(MLD) is set to the same as the radio address and responds with M2 message IPhone16 is not accepting EAPOL M1 if source address(MLD) set to different from radio address and fails to respond with M2 message. sysdiagnose.log log-file log-file Please let us know additional logs are required.

Hi All, I am currently working on a Network Extension App for MacOS using 3 types of extensions provided by Apple's Network Extension Framework. Content Filter, App Proxy (Want to get/capture/log all HTTP/HTTPS traffic), DNS Proxy (Want to get/capture/log all DNS records). Later parse into human readable format. Is my selection of network extension types correct for the intended logs I need? I am able to run with one extension: Main App(Xcode Target1) <-> Content Filter Extension. Here there is a singleton class IPCConnection between App(ViewController.swift) which is working fine with NEMachServiceName from Info.plist of ContentFilter Extension(Xcode Target2) However, when I add an App Proxy extension as a new Xcode Target3, I think the App and extension's communication getting messed up and App not getting started/Crashing. Here, In the same Main App, I am adding new separate IPCConnection for this extension. Here is the project organization/folder structure. MyNetworkExtension ├──MyNetworkExtension(Xcode Target1) │ ├── AppDelegate.swift │ ├── Assets.xcassets │ ├── Info.plist │ ├── MyNetworkExtension.entitlement │ | ── Main │ |-----ViewController.swift │ └── Base.lproj │ └── Main.storyboard ├── ContentFilterExtension(Xcode Target2) │ ├── ContentFilterExtension.entitlement │ │ ├── FilterDataProvider.swift │ │ ├── Info.plist │ │ ├── IPCConnection.swift │ │ └── main.swift ├── AppProxyProviderExtension(Xcode Target3) │ ├── AppProxyProviderExtension.entitlement │ │ ├── AppProxyIPCConnection.swift │ │ ├── AppProxyProvider.swift │ │ ├── Info.plist │ │ └── main.swift └── Frameworks ├── libbsm.tbd └── NetworkExtension.framework Is my Approach for creating a single Network Extension App with Multiple extensions correct or is there any better approach of project organization that will make future modifications/working easier and makes the maintenance better? I want to keep the logic for each extension separate while having the same, single Main App that manages everything(installing, activating, managing identifiers, extensions, etc). What's the best approach to establish a Communication from MainApp to each extension separately, without affecting one another? Is it good idea to establish 3 separate IPC Connections(each is a singleton class) for each extension? Are there any suggestions you can provide that relates to my use case of capturing all the network traffic logs(including HTTP/HTTPS, DNS Records, etc), especially on App to Extension Communication, where my app unable to keep multiple IPC Connections and maintain them separately? I've been working on it for a while, and still unable to make the Network Extension App work with multiple extensions(each as a new Xcode target). Main App with single extension is working fine, but if I add new extension, App getting crashed. I suspect it's due to XPC/IPC connection things! I really appreciate any support on this either directly or by any suggestions/resources that will help me get better understand and make some progress. Please reach out if in case any clarifications or specific information that's needed to better understand my questions. Thank you very much

Hi, I have created an application for NFC tag scanning and read the tag data. For that, i enabled the capability: NearField Communication Tag reading. Then I added 2 tag formats in the entitlement then i added info.plist: NFCReaderUsageDescription We need to use NFC com.apple.developer.nfc.readersession.felica.systemcodes 8005 8008 0003 fe00 90b7 927a 12FC 86a7 com.apple.developer.nfc.readersession.iso7816.select-identifiers D2760000850100 D2760000850101 but even though when i run the app and tap the nfc card im getting some error: NFCTag didBecomeActive 2025-08-29 19:08:12.272278+0530 SAFRAN_NFC[894:113090] NFCTag didDetectTags 2025-08-29 19:08:12.282869+0530 SAFRAN_NFC[894:113520] [CoreNFC] -[NFCTagReaderSession _connectTag:error:]:730 Error Domain=NFCError Code=2 "Missing required entitlement" UserInfo={NSLocalizedDescription=Missing required entitlement} 2025-08-29 19:08:12.284044+0530 SAFRAN_NFC[894:113090] NFCTag restarting polling 2025-08-29 19:08:12.372116+0530 SAFRAN_NFC[894:113090] NFCTag didDetectTags 2025-08-29 19:08:12.381535+0530 SAFRAN_NFC[894:113378] [CoreNFC] -[NFCTagReaderSession _connectTag:error:]:730 Error Domain=NFCError Code=2 "Missing required entitlement" UserInfo={NSLocalizedDescription=Missing required entitlement} 2025-08-29 19:08:12.382246+0530 SAFRAN_NFC[894:113090] NFCTag restarting polling 2025-08-29 19:08:12.470667+0530 SAFRAN_NFC[894:113090] NFCTag didDetectTags 2025-08-29 19:08:12.479336+0530 SAFRAN_NFC[894:113378] [CoreNFC] -[NFCTagReaderSession _connectTag:error:]:730 Error Domain=NFCError Code=2 "Missing required entitlement" UserInfo={NSLocalizedDescription=Missing required entitlement} 2025-08-29 19:08:12.480101+0530 SAFRAN_NFC[894:113090] NFCTag restarting polling Could you please help me wha tis the issue and give solution for that?

Hello, I've been experimenting with the new NEURLFilter API and so far the results are kind of strange. SimpleURLFilter sample contains a bloom filter that seems to be built from this dataset in pir-service-example. I was able to run SimpleURLFilter sample and configure it to use PIRService from the example repo. I also observed the requests that iOS has been sending: requesting config and then sending /queries request. What I haven't seen is any .deny verdict for any URL. Even when calling NEURLFilter.verdict(for: url) directly I cannot see a .deny verdict. Is there anything wrong with the sample or is there a known issue with NEURLFilter in the current beta (beta 8) that prevents it from working?

Hello Apple Developer Community, We are developing a full-tunnel VPN app for macOS that utilizes a packet tunnel network system extension (via NEPacketTunnelProvider). We're committed to using a system extension for this purpose, as it aligns with our requirements for system-wide tunneling. The app is sandboxed and intended for distribution on the Mac App Store. Here's the workflow: The app (running in user context) downloads a VPN profile from our server. It generates private keys, appends them to the profile, and attempts to save this enhanced profile securely in the keychain. The packet tunnel system extension (running in root context) needs to access this profile, including the private keys, to establish the VPN connection. We've encountered challenges in securely sharing this data across the user-root boundary due to sandbox restrictions and keychain access limitations. Here's what we've tried so far, along with the issues: Writing from the App to the System Keychain: Attempted to store the profile in the system keychain for root access. This fails because the sandboxed app lacks permissions to write to the system keychain. (We're avoiding non-sandboxed approaches for App Store compliance.) Extension Reading Directly from the User Login Keychain: Tried having the extension access the user's login keychain by its path. We manually added the network extension (located in /Library/SystemExtensions//bundle.systemextension) to the keychain item's Access Control List (ACL) via Keychain Access.app for testing. This results in "item not found" errors, likely due to the root context not seamlessly accessing user-keychain items without additional setup. Using Persistent References in NETunnelProviderProtocol: The app stores the profile in the user keychain and saves a persistent reference (as Data) in the NETunnelProviderProtocol's identityReference or similar fields. The extension then attempts to retrieve the item using this reference. We manually added the network extension (located in /Library/SystemExtensions//bundle.systemextension) to the keychain item's Access Control List (ACL) via Keychain Access.app for testing. However, this leads to error -25308 (errSecInteractionNotAllowed) when the extension tries to access it, possibly because of the root-user context mismatch or interaction requirements. Programmatically Adding the Extension to the ACL: Explored using SecAccess and SecACL APIs to add the extension as a trusted application. This requires SecTrustedApplicationCreateFromPath to create a SecTrustedApplicationRef from the extension's path. Issue 1: The sandboxed app can't reliably obtain the installed extension's path (e.g., via scanning /Library/SystemExtensions or systemextensionsctl), as sandbox restrictions block access. Issue 2: SecTrustedApplicationCreateFromPath is deprecated since macOS 10.15, and we're hesitant to rely on it for future compatibility. We've reviewed documentation on keychain sharing, access groups (including com.apple.managed.vpn.shared, but we're not using managed profiles/MDM) as the profiles are download from a server, and alternatives like XPC for on-demand communication, but we're unsure if XPC is suitable for sensitive data like private keys during tunnel creation. And if this is recommended what is going to be the approach here. What is the recommended, modern approach for this scenario? Is there a non-deprecated way to handle ACLs or share persistent references across contexts? Should we pursue a special entitlement for a custom access group, or is there a better pattern using NetworkExtension APIs? Any insights, code snippets, or references to similar implementations would be greatly appreciated. We're targeting macOS 15+. Thanks in advance!

Development environment Xcode 26.0 Beta 6 iOS 26 Simulator macOS 15.6.1 To verify TLS 1.3 session resumption behavior in URLSession, I configured URLSessionConfiguration as follows and sent an HTTP GET request: let config = URLSessionConfiguration.ephemeral config.tlsMinimumSupportedProtocolVersion = .TLSv13 config.tlsMaximumSupportedProtocolVersion = .TLSv13 config.httpMaximumConnectionsPerHost = 1 config.httpAdditionalHeaders = ["Connection": "close"] config.enablesEarlyData = true let session = URLSession(configuration: config, delegate: nil, delegateQueue: nil) let url = URL(string: "https://www.google.com")! var request = URLRequest(url: url) request.assumesHTTP3Capable = true request.httpMethod = "GET" let task = session.dataTask(with: request) { data, response, error in if let error = error { print("Error during URLSession data task: \(error)") return } if let data = data, let responseString = String(data: data, encoding: .utf8) { print("Received data via URLSession: \(responseString)") } else { print("No data received or data is not UTF-8 encoded") } } task.resume() However, after capturing the packets, I found that the ClientHello packet did not include the early_data extension. It seems that enablesEarlyData on URLSessionConfiguration is not being applied. How can I make this work properly?

Dear Apple App Store Review Team, We are currently developing an application focused on user data asset management, aimed at helping users better protect and manage their personal data. One of the core features of our application is to allow users to access files stored on their mobile devices from other devices within the same local network. At present, our implementation works as follows: once the application is launched, it starts an HTTP service in the background to support access from other devices within the local network. However, we have encountered a technical challenge in the iOS environment: when the application is moved to the background or the device screen is turned off, the system imposes strict limitations on the runtime of background tasks. Our testing has shown that, typically after about 30 seconds, the background HTTP service is suspended by the system, which prevents other devices from continuing to access the files. As developers, we would like to clarify the following: What specific technical steps are required to enable a continuous background HTTP service under iOS? During development, which aspects (e.g., system permission configurations, App Store review guidelines) need to be addressed to support such functionality? What qualifications or requirements (e.g., entitlement requests, compliance documentation) are necessary for an application to provide unrestricted HTTP service in the background? If such behavior is not officially supported, we kindly request that you provide the relevant official guidelines and documentation so that we can fully understand the applicable policies and requirements. Thank you very much for your time and guidance.

iOS Development environment Xcode 16.4, macOS 15.6.1 (24G90) Run-time configuration: iOS 17.2+ Short Description After having successfully established an NWConnection (either as UDP or TCP), and subsequently receiving the error code: UDP Connection failed: 57 The operation couldn't be completed. (Network.NWError error 57 - Socket is not connected), available Interfaces: [enO] via NWConnection.stateUpdateHandler = { (newState) in ... } while newState == .failed the data connection does not restart by itself once cellular (RF) telephony coverage is established again. Detailed Description Context: my app has a continuous cellular data connection while in use. Either a UDP or a TCP connection is established depending on the user settings. The setup data connection works fine until the data connection gets disconnected by loss of connection to a available cellular phone base station. This disconnection simply occurs in very poor UMTS or GSM cellular phone coverage. This is totally normal behavior in bad reception areas like in mountains with signal loss. STEPS TO REPRODUCE Pre-condition App is running with active data connection. Action iPhone does loss the cellular data connection previously setup. Typically reported as network error code 57. Observed The programmed connection.stateUpdateHandler() is called in network connection state '.failed' (OK). The self-programmed data re-connection includes: a call to self.connection.cancel() a call to self.setupUDPConnection() or self.setupConnection() depending on the user settings to re-establish an operative data connection. However, the iPhone's UMTS/GSM network data (re-)connection state is not properly identified/notified via NWConnection API. There's no further network state notification by means of NWConnection even though the iPhone has recovered a cellular data network. Expected The iPhone or any other means automatically reconnects the interrupted data connection on its own. The connection.stateUpdateHandler() is called at time of the device's networking data connection (RF) recovering, subsequently to a connection state failed with error code 57, as the RF module is continuously (independently from the app) for available telephony networks. QUESTION How to systematically/properly detect a cellular phone data network reconnection readiness in order to causally reinitialize the NWConnection data connection available used in app. Relevant code extract Setup UDP connection (or similarly setup a TCP connection) func setupUDPConnection() { let udp = NWProtocolUDP.Options.init() udp.preferNoChecksum = false let params = NWParameters.init(dtls: nil, udp: udp) params.serviceClass = .responsiveData // service type for medium-delay tolerant, elastic and inelastic flow, bursty, and long-lived connections connection = NWConnection(host: NWEndpoint.Host.name(AppConstant.Web.urlWebSafeSky, nil), port: NWEndpoint.Port(rawValue: AppConstant.Web.urlWebSafeSkyPort)!, using: params) connection.stateUpdateHandler = { (newState) in switch (newState) { case .ready: //print("UDP Socket State: Ready") self.receiveUDPConnection(). // data reception works fine until network loss break case .setup: //print("UDP Socket State: Setup") break case .cancelled: //print("UDP Socket State: Cancelled") break case .preparing: //print("UDP Socket State: Preparing") break case .waiting(let error): Logger.logMessage(message: "UDP Connection waiting: "+error.errorCode.description+" \(error.localizedDescription), available Interfaces: \(self.connection.currentPath!.availableInterfaces.description)", LoggerLevels.Error) break case .failed(let error): Logger.logMessage(message: "UDP Connection failed: "+error.errorCode.description+" \(error.localizedDescription), available Interfaces: \(self.connection.currentPath!.availableInterfaces.description)", LoggerLevels.Error) // data connection retry (expecting network transport layer to be available) self.reConnectionServer() break default: //print("UDP Socket State: Waiting or Failed") break } self.handleStateChange() } connection.start(queue: queue) } Handling of network data connection loss private func reConnectionServer() { self.connection.cancel() // Re Init Connection - Give a little time to network recovery let delayInSec = 30.0. // expecting actually a notification for network data connection availability, instead of a time-triggered retry self.queue.asyncAfter(deadline: .now() + delayInSec) { switch NetworkConnectionType { case 1: self.setupUDPConnection() // UDP break case 2: self.setupConnection() // TCP break default: break } } } Does it necessarily require the use of CoreTelephony class CTTelephonyNetworkInfo or class CTCellularData to get notifications of changes to the user’s cellular service provider?

Hi, I am having a ton of issues with the new multicast/network entitlements requirements on MacOS. Basically, since my app didn't request these new entitlements until recently, if the app had been installed without these permissions enabled, it will not pick up the new permissions once they are enabled. The only options I had were to create a new user, and install the app under the new user, which works, but is not a real solution for users. This is really problematic, as there is no way currently to remove or change these network permissions once they are established. Is there a way to fix this? Or some other workarounds I am missing? Thanks Also via the documentation: TN3179: Understanding local network privacy | Apple Developer Documentation "There's no guarantee that it'll actually trigger the alert” And "On macOS there’s no way to reset your program’s Local Network privilege to the undetermined state (FB14944392). One alternative is to run your program in a virtual machine (VM). To retest, restore the VM from a snapshot taken before you installed your program.”