Note Much of this content has been rolled into URL Loading System documentation, but I’m leaving this doc here for my own reference. URLSession background sessions are optimised for transferring a small number of large resources. Moreover, it’s best if the transfer is resumable. This design makes the best use of client device resources and the available network bandwidth. If your app runs a lot of tasks in a background session, you should rethink its design. Below you’ll find a number of options you might consider. Most of these options require server-side support. If your server does not have this support, and you can’t add it — perhaps you’re writing a client app for a server you don’t control — you won’t be able to implement these options directly. In that case consider creating your own server that sits between your app and the final server and implements the necessary smarts required to optimise your app’s network usage. If that’s not possible, a final option is to not use a background session but instead take advantage of the Background Tasks framework. See Background Tasks Framework, below. Basics The basic strategy here is to have the sender (the server for a download, your app for an upload) pack the data into some sort of archive, transfer that archive over the network, and then have the receiver unpack it. There are, however, a number of complications, as described in the subsequent sections. Archive Format The obvious choices for the archive format are zip and tar. macOS has lots of options for handling these formats but none of that support is present on iOS (r. 22151959). OTOH, it’s easy to find third-party libraries to fill in this gap. Incremental Transfers It’s common to have a corpus of data at one end of the connection that you need to replicate at the other. If the data is large, you don’t want to transfer the whole thing every time there’s an update. Consider using the following strategies to deal with this: Catalogue diff — In this approach the receiver first downloads a catalogue from the sender, then diffs its current state against that catalogue, then requests all the things that are missing. Alternatively, the receiver passes a catalogue of what it has to the sender, at which point the sender does the diff and returns the things that are missing. The critical part is that, once the diff has been done, all of the missing resources are transferred in a single archive. The biggest drawback here is resume. If the sender is working with lots of different receivers, each of which has their own unique needs, the sender must keep a lot of unique archives around so it can resume a failed transfer. This can be a serious headache. Versions — In this approach you manage changes to the data as separate versions. The receiver passes the version number it has to the sender, at which point the sender knows exactly what data the receiver needs. This approach requires a bit more structure but it does avoid the above-mentioned problem with resume. The sender only needs to maintain a limited number of version diffs. In fact, you can balance the number of diffs against your desire to reduce network usage: Maintaining a lot of diffs means that you only have to transfer exactly what the receiver needs, while maintaining fewer diffs makes for a simpler server at the cost of a less efficient use of the network. Download versus Upload The discussion so far has applied equally to both downloads and uploads. Historically, however, there was one key difference: URLSession did not support resumable uploads. IMPORTANT Starting with iOS 17, URLSession supports resumable uploads. See WWDC 2023 Session 10006 Build robust and resumable file transfers for the details. The rest of this section assumes that you don’t have access to that support, either because you’re working on an older system or because the server you’re uploading to doesn’t support this feature. When doing a non-resumable upload you have to balance the number of tasks you submit to the session against the negative effects of a transfer failing. For example, if you do a single large upload then it’s annoying if the transfer fails when it’s 99% complete. On the other hand, if you do lots of tiny uploads, you’re working against the URLSession background session design. It is possible to support resumable uploads with sufficient server-side support. For example, you could implement an algorithm like this: Run an initial request to allocate an upload ID. Start the upload with that upload ID. If it completes successfully, you’re done. If it fails, make a request with the upload ID to find out how much the server received. Start a new upload for the remaining data. Indeed, this is kinda how the built-in resumable upload support works. If you’re going to implement something like this, it’s best to implement that protocol. (r. 22323347) Background Tasks Framework If you’re unable to use an URLSession background session effectively, you do have an alternative, namely, combining a standard session with the Background Tasks framework. There are two options that you might find useful. The first is a processing task. This allows you to request extended background processing time from the system. Once you’ve been granted that time, use it to run your many small network requests in a standard session. The main drawback to this approach is latency: The system may not grant your request for many hours. Indeed, it’s common for these requests to run overnight, once the user has connected their device to a power source. The second is a continued processing task. This allow you to request continued execution in the background to complete a user-visible task that the user has started in the foreground. This approach has some limitations: You have to start the work when your app is in the foreground. The task is visible to the user, who can cancel it. The system may expire the task for its own reasons. Background Assets Framework If you’re using URLSession to download assets for your app or game, check out the Background Assets framework. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Revision History 2026-05-27 Updated the Background Tasks Framework section to talk about continued processing task. 2023-09-27 Added information about the new resumable upload support. Added the Background Assets Framework section. Made significant editorial changes. 2022-01-31 Fixed the formatting and tags. Added a link to the official docs. 2018-03-24 Added the Background Tasks Framework section. Other editorial changes. 2015-08-18 First written.

This is a bit complicated to explain so bare with me. I am working on building an app that allows you to send real time video/camera captures from one Apple device to another. I am using a custom UDP protocol built on top of NWListener, NWBrowser, and NWConnection APIs. It works fine, but there are a few issues that seems to all be related to awdl: When transmitting via WiFi over the router (not using peer-to-peer), there are periodic interruptions when the wireless card on the device changes channels for awdl polling. This is resolved by changing the 5GHz WiFi channel on the router to channel 149 (or disabling AWDL altogether which is not really feasible). In order to work around number 1, I decided to build in an option to toggle/prefer peer-to-peer transmission in the app thinking that if everything goes over a peer-to-peer connection the jitter caused from the channel switching should go away. This also works, but with an important caveat. The default transmission is extremely choppy until you take an OS action that “elevates” the AWDL connection into “realtime” mode. I am using includePeerToPeer on the listener, browser, and connection as well as serviceClass interactiveVideo. For number 1, you can understand that asking users to change the channel on their router is not a great user experience, but the problem is the peer-to-peer connection workaround is also not great by default. For number 2, as an example of the behavior, I can send a stream from my Mac to my iPad over a peer-to-peer connection and it works but the video is very choppy until I move my cursor from my Mac to my iPad to trigger Universal Control. I captured the OS logs while doing this and can confirm that something happens to trigger “realtime” mode on the AWDL connection. After that, the streaming is totally smooth with zero latency. Some log samples: 2026-03-19 12:42:01.277968-0400 0x1ae294c Default 0x0 495 3 rapportd: (CoreUtils) [com.apple.rapport:CLinkD] Update client from UniversalControl:697 2026-03-19 12:42:01.278031-0400 0x1ae294c Default 0x0 495 0 rapportd: (CoreUtils) [com.apple.CoreUtils:AsyncCnx] CLinkCnx-6089: Connect start: 'CLink-ed3b9618b4e0._companion-link._tcp.local.%13' 2026-03-19 12:42:01.278149-0400 0x1ae294c Default 0x0 495 0 rapportd: (CoreUtils) [com.apple.CoreUtils:AsyncCnx] CLinkCnx-6089: Querying SRV CLink-ed3b9618b4e0._companion-link._tcp.local.%13 2026-03-19 12:42:01.279454-0400 0x1ae253a Info 0x0 382 0 wifip2pd: [com.apple.awdl:datapathInitiator] Created AWDLDatapathInitiator clink-ed3b9618b4e0._companion-link._tcp.local <To: 2e:f2:5a:15:76:52> 2026-03-19 12:42:01.279498-0400 0x1ae294c Default 0x0 495 0 rapportd: (CoreUtils) [com.apple.CoreUtils:AsyncCnx] CLinkCnx-6089: Resolving DNS f970afcc-1f1c-47af-a3f3-0236c9f9bbb0.local.%13 2026-03-19 12:42:01.279588-0400 0x1ae253a Default 0x0 382 0 wifip2pd: [com.apple.awdl:datapathInitiator] AWDLDatapathInitiator clink-ed3b9618b4e0._companion-link._tcp.local <To: 2e:f2:5a:15:76:52> was started 2026-03-19 12:42:01.282537-0400 0x1ae294c Default 0x0 495 0 rapportd: (Network) [com.apple.network:path] nw_path_evaluator_start [5C54D967-624D-4269-B080-6C7AE63218C7 IPv6#1e905043%awdl0.49154 generic, attribution: developer] path: satisfied (Path is satisfied), interface: awdl0[802.11], dns, uses wifi 2026-03-19 12:42:01.596450-0400 0x1ae253a Debug 0x0 382 0 wifip2pd: [com.apple.awdl:driver] Received event realtimeMode 2026-03-19 12:42:01.596589-0400 0x1ae253a Default 0x0 382 0 wifip2pd: [com.apple.awdl:interface] Realtime mode updated true I noticed that on iOS 26 and iPadOS 26 a realtime mode was added specifically to the Wi-Fi Aware API which I assume does what I want: https://developer.apple.com/documentation/wifiaware/waperformancemode/realtime, but I am looking for a solution that works with the existing network API and also on previous OS versions. I have already tried a lot of things, but is there any way to programmatically trigger “realtime” mode? For additional context, the goal here is to have extremely low latency that also works for gaming. The actual latency introduced in 1 is approximately 30-50ms around once a second… adding a buffer to the stream makes the video completely smooth, but the extra delay on the receiver end is not acceptable for this use case. Any help or ideas would be appreciated. I can’t easily share a reproduce case right now, and even if I could, getting multiple devices into the exact state along with the router configuration in order to reproduce is going to be pretty difficult anyway.

Hello Apple Developer Forums, We are evaluating AccessorySetupKit for onboarding a custom Wi-Fi smart-home accessory. Our main goal is to achieve password-less Wi-Fi provisioning, meaning the user would not need to manually type a Wi-Fi password or setup/pairing code during onboarding. We would like to understand whether ASK currently supports, or is intended to support: Secure Wi-Fi credential provisioning through system APIs Fully system-mediated onboarding flows Provisioning for headless/no-display accessories More specifically: Can password-less Wi-Fi provisioning be implemented using only public ASK APIs? Is a pairing/setup code always required? Or are developers still expected to use temporary AP mode and custom credential transfer flows? We are trying to determine the recommended onboarding architecture for future products. Thank you.

Hello, I'm currently developing a NAC agent and, based on my research so far, it seems macOS does not allow the use of a custom 802.1X supplicant. Is there any roadmap or indication that Apple may support third-party/custom 802.1X supplicants in future macOS releases? I'd appreciate any clarification or insight on this topic.

Hi, Has the get-task-allow development bypass for NEFilterDataProvider been intentionally removed or changed in iOS 26? Previous DTS guidance in thread/31109 confirmed this bypass existed. I note that WWDC 2025 Session 234 states "iOS system-wide content filter is supported on supervised devices only" without mentioning it. My production deployment is supervised MDM devices — I am purely asking about the development testing path, which is not working for me on iOS 26.4.2. All I get is NEConfigurationErrorDomain Code=10 "permission denied" before my app code even runs. Thank you!

I need to programmatically configure TLSv1.3 control parameters like cipher suites, Named Groups Signature Scheme I can see in the apple development documentation, there is a option to configure cipher suites but no way to configure Named Groups and Signature Scheme. Does anyone know a way to configure "Named Groups" & "Signature Schemes" also ? or If it is not possible in iOS then also Do we have anywhere written in documentation (evidence) ?

Hi Apple team, Could you please let us know the estimated timeline for approval of our OHTTP relay request? We’d appreciate any updates on the current status or next steps from your side. My request number is GZ8425KHD9. Thanks in advance.

One thing I wanted to confirm, suppose i submit one request to onboard OHTTP relay for one organisation app and it gets approved, so can I re submit the request with different bundle ID for other organisation and same PIR server, same OHTTP server ? Or do we need different domain name ?

Hi everyone, I’m working with UDP Multicasting on iOS (iOS 15+) using Network.framework and facing a confusing issue. Setup: Multicast IP: 239.255.0.1 Port: 45454 Using NWConnectionGroup / NWMulticastGroup NSLocalNetworkUsageDescription is present in Info.plist Devices are on the same Wi-Fi network Problem: Receiving multicast packets works perfectly Sending multicast packets does NOT work No errors are thrown send() completion handler reports success stateUpdateHandler sometimes doesn’t transition to .ready No packets are actually transmitted on the network Observations: The app can receive data from other multicast senders Sending appears to be silently blocked Reinstalling the app fixes the issue This points to a Local Network permission problem If permission was denied once, iOS does not re-prompt Inbound multicast works, outbound multicast is blocked Questions: Is it expected on iOS that receiving multicast works even when sending is blocked? Is reinstalling the app the only way to recover if Local Network permission was denied? Is there any reliable runtime way to detect that outbound multicast is blocked? Is NWConnectionGroup the correct and only supported way to send multicast on iOS? Any clarification or official guidance would really help. Thanks in advance!

Hi, I developed a network extension program on macOS. I tried to update the program by changing the version number. My update process was to first turn off network filtering via "NEFilterManager.sharedManager.enabled = NO", and then use "[OSSystemExtensionRequest activationRequestForExtension:bundleid queue:dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0)];" to let the system replace the old network extension program. However, sometimes the old network extension process will become a zombie process like pid=86621 in the figure. As long as the zombie process exists, the network cannot be used. After about 10 minutes, it will be cleared and the network will be available. Restarting Wi-Fi can also clear the zombie process immediately. Why is this? How to avoid this problem?

In my basement I have a couple of raspberry PIs that are collecting sensor data. They cannot send the data to any server because there is no signal in the basement. So my idea was to develop an app that would host a web server so that I can take my phone, go into the basement and enable the hotspot so that the raspberrys can connect to my phones Wifi and send their sensor data via API calls to the web server that is running on the phone. I have read about Vapor but somehow that feels like overkill for this problem. Do you guys have any recommendations how to solve this problem or better ideas than running a web server on the iPhone (and no, extending the wifi signal into the basement is not an option here)?

MacOS (15.7) local host (expressjs: light weight REST API server) NOT able to configure to access from my iPhone physically connected via thunderbolt BUT I am able to access it from localhost via Browser of the Macbook (locally), But NOT from iPhone server running at '0.0.0.0' Firewall is turned off(by default) I hope someone can get me the steps in enabling the port

Hi In the "CaptiveNetwork.h", the "CNCopyCurrentNetworkInfo" is marked as "API_TO_BE_DEPRECATED" CFDictionaryRef __nullable CNCopyCurrentNetworkInfo (CFStringRef interfaceName) API_DEPRECATED_WITH_REPLACEMENT("[NEHotspotNetwork fetchCurrentWithCompletionHandler:]", ios(4.1, API_TO_BE_DEPRECATED), macCatalyst(14.0, API_TO_BE_DEPRECATED)) API_UNAVAILABLE(macos, tvos, watchos, visionos); But in developer documents, it is marked as "DEPRECATED"： https://developer.apple.com/documentation/systemconfiguration/cncopycurrentnetworkinfo Before we use Xcode 16.2 to archive app, this interface still work on iOS 26 device. But after we changed to Xcode 26.2, this interface return nothing on iOS 26 and we need to use "NEHotspotNetwork" related interface. My question is： Why there are difference between the documents and framework sdk how we can know that a interface marked "API_TO_BE_DEPRECATED" or "DEPRECATED", when will they not work totally. Is there a accurate timeline or standard for them? Some interface marked deprecated after 12.0 is still working Now. After knowing the accurate timeline we can plan the interfaces migration.

Dear Team, We are trying to implement universal linking app to app redirection for our banking application. We have configured the associated domains in our application as can be seen below in the info plist of our IPA <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>application-identifier</key><string>2TK5X82C47.com.bankalbilad.NewRMB</string><key>aps-environment</key><string>production</string><key>beta-reports-active</key><true/><key>com.apple.developer.associated-domains</key><array><string>applinks:rob-auth.bankalbilad.com</string></array><key>com.apple.developer.icloud-container-identifiers</key><array></array><key>com.apple.developer.pass-type-identifiers</key><array><string>2TK5X82C47.*</string></array><key>com.apple.developer.payment-pass-provisioning</key><true/><key>com.apple.developer.team-identifier</key><string>2TK5X82C47</string><key>com.apple.developer.ubiquity-kvstore-identifier</key><string>2TK5X82C47.com.bankalbilad.NewRMB</string><key>com.apple.security.application-groups</key><array><string>group.com.NewRMB</string></array><key>get-task-allow</key><false/><key>keychain-access-groups</key><array><string>2TK5X82C47.com.bankalbilad.NewRMB.keychain</string></array></dict></plist> We are unable to see the call made from IOS reaching the endpoint which is https://rob-auth.bankalbilad.com/.well-known/apple-app-site-association We performed curl of our domain and get the below error. curl -i https://app-site-association.cdn-apple.com/a/v1/rob-auth.bankalbilad.com HTTP/1.1 404 Not Found Server: AppleHttpServer/2caa77a6bc2e755fca0e0f63e4d67e53390f9184 Date: Thu, 14 May 2026 11:42:16 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 10 Apple-Failure-Details: {"cause":"Connection failed"} Apple-Failure-Reason: SWCERR00305 Network error Apple-From: https://rob-auth.bankalbilad.com/.well-known/apple-app-site-association Apple-Try-Direct: false Cache-Control: max-age=3600,public Vary: Accept-Encoding X-B3-TraceId: bfafe8fa87a6828f Strict-Transport-Security: max-age=31536000 Age: 21 Via: https/1.1 defra2-vp-vst-017.ts.apple.com (acdn/302.16436), https/1.1 defra2-vp-vfe-006.ts.apple.com (acdn/302.16436), http/1.1 defra2-xdc-mx-023.ts.apple.com (acdn/302.16436), http/1.1 defra1-edge-fx-060.ts.apple.com (acdn/302.16436) X-Cache: hit-stale, hit-stale, hit-fresh, hit-fresh CDNUUID: 6fb88181-f58a-4059-a770-26a43e1f32d0-16071773867 Expires: Thu, 14 May 2026 11:42:26 GMT Connection: keep-alive Not Found curl -v https://app-site-association.cdn-apple.com/a/v1/rob-auth.bankalbilad.com * Host app-site-association.cdn-apple.com:443 was resolved. * IPv6: (none) * IPv4: 17.253.15.159, 17.253.63.204, 17.253.63.201, 17.253.29.140, 17.253.29.162, 17.253.39.133, 17.253.39.145, 17.253.15.162 * Trying 17.253.15.159:443... * schannel: disabled automatic use of client certificate * ALPN: curl offers http/1.1 * ALPN: server accepted http/1.1 * Connected to app-site-association.cdn-apple.com (17.253.15.159) port 443 * using HTTP/1.x > GET /a/v1/rob-auth.bankalbilad.com HTTP/1.1 > Host: app-site-association.cdn-apple.com > User-Agent: curl/8.13.0 > Accept: */* > < HTTP/1.1 404 Not Found < Server: AppleHttpServer/2caa77a6bc2e755fca0e0f63e4d67e53390f9184 < Date: Thu, 14 May 2026 11:42:16 GMT < Content-Type: text/plain; charset=utf-8 < Content-Length: 10 < Apple-Failure-Details: {"cause":"Connection failed"} < Apple-Failure-Reason: SWCERR00305 Network error < Apple-From: https://rob-auth.bankalbilad.com/.well-known/apple-app-site-association < Apple-Try-Direct: false < Cache-Control: max-age=3600,public < Vary: Accept-Encoding < X-B3-TraceId: bfafe8fa87a6828f < Strict-Transport-Security: max-age=31536000 < Age: 33 < Via: https/1.1 defra2-vp-vst-017.ts.apple.com (acdn/302.16436), https/1.1 defra2-vp-vfe-006.ts.apple.com (acdn/302.16436), http/1.1 defra2-xdc-mx-023.ts.apple.com (acdn/302.16436), http/1.1 defra1-edge-fx-058.ts.apple.com (acdn/302.16436) < X-Cache: hit-stale, hit-stale, hit-fresh, hit-fresh < CDNUUID: 77d7de5e-f827-44b1-bbf5-ae2d8e36e104-16053052830 < Expires: Thu, 14 May 2026 11:42:26 GMT < Connection: keep-alive We also don't see any blocks in our firewall or in WAF or any network level Load balancers. Can you please help in troubleshooting the same.

As part of the OpenJDK testing we run several regression tests, including for Java SE networking APIs. These APIs ultimately end up calling BSD socket functions. On macos, starting macos 26, including on recent 26.2 version, we have started seeing some unexplained but consistent exception from one of these BSD socket APIs. We receive a "ENOBUFS" errno (No buffer space available) when trying to construct a socket(). These exact same tests continue to pass on many other older versions of macos (including 15.7.x). After looking into this more, we have been able to narrow this down to a very trivial C code which is as follows (also attached): #include <stdio.h> #include <sys/socket.h> #include <string.h> #include <unistd.h> #include <sys/errno.h> static int create_socket(const int attempt_number) { const int fd = socket(AF_INET6, SOCK_STREAM, 0); if (fd < 0) { fprintf(stderr, "socket creation failed on attempt %d," " due to: %s\n", attempt_number, strerror(errno)); return fd; } return fd; } int main() { const unsigned int num_times = 250000; for (unsigned int i = 1; i <= num_times; i++) { const int fd = create_socket(i); if (fd < 0) { return -1; } close(fd); } fprintf(stderr, "successfully created and closed %d sockets\n", num_times); } The code very trivially creates a socket() and close()s it. It does this repeatedly in a loop for a certain number of iterations. Compiling this as: clang sockbufspaceerr.c -o sockbufspaceerr.o and running it as: ./sockbufspaceerr.o consistently generates an error as follows on macos 26.x: socket creation failed on attempt 160995, due to: No buffer space available The iteration number on which the socket() creation fails varies, but the issue does reproduce. Running the same on older versions of macos doesn't reproduce the issue and the program terminates normally after those many iterations. Looking at the xnu source that is made available for each macos release here https://opensource.apple.com/releases/, I see that for macos 26.x there have been changes in this kernel code and there appears to be some kind of memory accountability code introduced in this code path. However, looking at the reproducer/application code in question, I believe it uses the right set of functions to both create as well as release the resources, so I can't see why this should cause the above error in macos 26.x. Does this look like some issue that needs attention in the macos kernel and should I report it through feedback assitant tool?

Hi everyone, I'm developing an iOS app using Swift (Foundation, Network, and Combine) that communicates via TCP with a weighing scale. The scale uses an internal ESP32 module acting as a Wi-Fi Access Point (no internet access) specifically for data transmission. The app connects to this network and opens a socket to receive weight data and send command strings. I’m currently facing two main issues: Socket Management: The socket isn't closing properly. Occasionally, the app opens multiple simultaneous connections instead of maintaining a single one. Since the ESP32 has a client limit, these ghost connections eventually hang the communication module. Invalid Outbound Data: The connection drops frequently because the scale receives invalid strings from the app. My logs show strange character sequences (like "gggggggggfdhj" or "vfgdddddddddddtty") being sent involuntarily. I haven't programmed these strings, and they cause the scale to terminate the session due to protocol violations. How can I ensure proper socket closure and prevent these random data packets? Additionally, a technical question: Is it possible to keep this TCP connection active in the background indefinitely on iOS while the user interacts with other apps?

We have a VPN app that uses NEPacketTunnelProvider with includeAllNetworks = true. We've encountered an issue where push notifications are not delivered over Wi-Fi while the tunnel is active in a pre-MFA quarantine state (tunnel is up but traffic is blocked on server side), regardless of whether excludeAPNS is set to true or false. Observed behavior Wi-Fi excludeAPNS = true - Notifications not delivered Wi-Fi excludeAPNS = false - Notifications not delivered Cellular excludeAPNS = true - Notifications delivered Cellular excludeAPNS = false - Notifications not delivered On cellular, the behavior matches our expectations: setting excludeAPNS = true allows APNS traffic to bypass the tunnel and notifications arrive; setting it to false routes APNS through the tunnel and notifications are blocked (as expected for a non-forwarding tunnel). On Wi-Fi, notifications fail to deliver in both cases. Our question Is this expected behavior when includeAllNetworks is enabled on Wi-Fi, or is this a known issue / bug with APNS delivery? Is there something else in the Wi-Fi networking path that includeAllNetworks affects beyond routing, which could prevent APNS from functioning even when the traffic is excluded from the tunnel? Sample Project Below is the minimal code that reproduces this issue. The project has two targets: a main app and a Network Extension. The tunnel provider captures all IPv4 and IPv6 traffic via default routes but does not forward packets — simulating a pre-MFA quarantine state. The main app configures the tunnel with includeAllNetworks = true and provides a UI toggle for excludeAPNS. PacketTunnelProvider.swift (Network Extension target): import NetworkExtension class PacketTunnelProvider: NEPacketTunnelProvider { override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) { let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "127.0.0.1") let ipv4 = NEIPv4Settings(addresses: ["198.51.100.1"], subnetMasks: ["255.255.255.0"]) ipv4.includedRoutes = [NEIPv4Route.default()] settings.ipv4Settings = ipv4 let ipv6 = NEIPv6Settings(addresses: ["fd00::1"], networkPrefixLengths: [64]) ipv6.includedRoutes = [NEIPv6Route.default()] settings.ipv6Settings = ipv6 let dns = NEDNSSettings(servers: ["198.51.100.1"]) settings.dnsSettings = dns settings.mtu = 1400 setTunnelNetworkSettings(settings) { error in if let error = error { completionHandler(error) return } self.readPackets() completionHandler(nil) } } private func readPackets() { packetFlow.readPackets { [weak self] packets, protocols in self?.readPackets() } } override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) { completionHandler() } override func handleAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)?) { if let handler = completionHandler { handler(messageData) } } override func sleep(completionHandler: @escaping () -> Void) { completionHandler() } override func wake() { } } ContentView.swift (Main app target) — trimmed to essentials: import SwiftUI import NetworkExtension struct ContentView: View { @State private var excludeAPNs = false @State private var manager: NETunnelProviderManager? var body: some View { VStack { Toggle("Exclude APNs", isOn: $excludeAPNs) .onChange(of: excludeAPNs) { Task { await saveAndReload() } } Button("Connect") { Task { await toggleVPN() } } } .padding() .task { await loadManager() } } private func loadManager() async { let managers = try? await NETunnelProviderManager.loadAllFromPreferences() if let existing = managers?.first { manager = existing } else { let m = NETunnelProviderManager() let proto = NETunnelProviderProtocol() proto.providerBundleIdentifier = "<your-extension-bundle-id>" proto.serverAddress = "127.0.0.1" proto.includeAllNetworks = true proto.excludeAPNs = excludeAPNs m.protocolConfiguration = proto m.localizedDescription = "TestVPN" m.isEnabled = true try? await m.saveToPreferences() try? await m.loadFromPreferences() manager = m } if let proto = manager?.protocolConfiguration as? NETunnelProviderProtocol { excludeAPNs = proto.excludeAPNs } } private func saveAndReload() async { guard let manager else { return } if let proto = manager.protocolConfiguration as? NETunnelProviderProtocol { proto.includeAllNetworks = true proto.excludeAPNs = excludeAPNs } manager.isEnabled = true try? await manager.saveToPreferences() try? await manager.loadFromPreferences() } private func toggleVPN() async { guard let manager else { return } if manager.connection.status == .connected { manager.connection.stopVPNTunnel() } else { await saveAndReload() try? manager.connection.startVPNTunnel() } } } Steps to reproduce Build and run the sample project with above code on a physical iOS device. Connect to a Wi-Fi network. Set excludeAPNS = true using the toggle and tap Connect. Send a push notification to the device to a test app with remote notification capability (e.g., via a test push service or the push notification console). Observe that the notification is not delivered. Disconnect. Switch to cellular. Reconnect with the same settings. Send the same push notification — observe that it is delivered. Environment iOS 26.2 Xcode 26.2 Physical device (iPhone 15 Pro)

Hi everyone, We are working on an app that requires access to devices on the local network (Bonjour / LAN discovery + direct socket communication). We are currently struggling with the Local Network privacy permission flow introduced by Apple. From our understanding, there is no dedicated public API to explicitly request Local Network permission or to reliably determine the current authorization state before attempting network activity. We have tried several commonly suggested approaches to trigger the permission dialog, including: Bonjour browsing via NWBrowser Publishing/listening with NetService UDP/TCP socket attempts on local subnet NWConnection / NWListener Triggering discovery after app launch and after foreground transitions We already added the required entries in: NSLocalNetworkUsageDescription NSBonjourServices However, the behavior is inconsistent across devices and OS versions: Sometimes the popup appears immediately Sometimes it never appears Sometimes network operations silently fail without callback clarity In some cases callbacks are delayed or ambiguous Reinstalling/resetting permissions changes behavior unpredictably Our main challenges are: What is currently considered the most reliable Apple-approved method to trigger the Local Network permission prompt? Is there any officially recommended way to determine whether permission is: not determined denied granted Is there any reliable callback or state transition API developers should use? Are there known differences between: NWBrowser NetService BSD sockets NWConnection when it comes to triggering the permission dialog? Are there recommended retry/timing patterns to avoid race conditions during app launch? Is Apple planning to introduce a dedicated authorization API similar to: AVAuthorizationStatus CLAuthorizationStatus PHPhotoLibrary.authorizationStatus() Right now it feels difficult to provide a reliable UX because there is no deterministic way to: proactively request access observe authorization state recover gracefully when the prompt does not appear Any guidance, DTS references, WWDC sessions, or recommended implementation patterns would be greatly appreciated. Thanks!

model : iphone 17 ios version: 26.2 app used: https://developer.apple.com/documentation/wifiaware/building-peer-to-peer-apps Here is our observation when we tried to make wifi aware connection between iphone and our wifi device. note : we used iphone as subscriber ( view simulation) 1.pairing & bootstrapping was successfully done 2.Data path was successfully established between iphone and our device. after data path establishment ,within few seconds , DATA PATH TERMINATION was sent from iphone which leads to pairing verification with new NMI address. Same behaviour is noticed even when we try to establish connection between two iphone devices. Here we have few questions. Once we establish data path , Why iphone initiates data path termination instead using the same service for data path exchange. 2.Why do we go for PAIRING VERIFICATION everytime.

I want to track down which part of an app contacts a given domain listed in its App Privacy Report. Following the instructions given here I am able to capture a packet trace, but traffic to the domain in question is encrypted using QUIC. Is there a way to insert e.g. mitmproxy into the capture process in order to get hold of the SSLKEYLOGFILE so that I can decrypt the traffic?