I have a single ssid that I would like to connect users to, which I can do easily with the NetworkExtension api. The only additional feature I want to add is being able to detect the availability of the ssid before connecting to it. I have checked the forums and looked through things like the Hotspot Helper Docs. From what I can tell, this just isn't possible. So, two questions I have: Is this definitely impossible? Any recommended alternatives for simulating this type of behavior? Thanks!

Hi, I'm adding a Content Filtering (FilterDataProvider) on macOS to an existing app and using MDM to avoid user interaction. I start by pushing the following payloads to my machine: com.apple.system-extension-policy com.apple.webcontent-filter And then installing notarized pkg containing my app and the NE. Inspecting the system logs shows the following error: neagent Failed to find a com.apple.networkextension.filter-data extension inside of app com.company_name.app_name.daemon And calling submit(request: .activationRequest(forExtensionWithIdentifier: bundleId, queue: queue)) results in: Missing entitlement com.apple.developer.system-extension.install Installing from Xcode on a SIP disabled machine works fine and both NE and CF are working as expected. I followed the steps mentioned here https://developer.apple.com/forums/thread/737894 however the embedded entitlements already contained -systemextension suffix so I'm not sure if re signing and the subsequent steps are needed. I also double checked that com.apple.developer.system-extension.install is present, certificates are not expired and that get-task-allow is not present in the embedded profile. Here is what my release entitlement file looks like: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>content-filter-provider-systemextension</string> </array> <key>com.apple.security.application-groups</key> <array> <string>com.company_name.app_name.network-extension.content-filter</string> </array> </dict> and my release app entitlement: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.endpoint-security.client</key> <true/> <key>com.apple.developer.networking.networkextension</key> <array> <string>content-filter-provider-systemextension</string> </array> <key>com.apple.developer.system-extension.install</key> <true/> </dict> </plist> redacted logs @eskimo may I ask for your help here!

Hi everyone! I'm developing a system where an application running in a VM communicates with the host operating system's components using vsock sockets (VZVirtioSocketDevice in Virtualization.framework). Both systems are running macOS. There may be multiple guests, and the existing implementation for other OSes relies on VM's CID to differentiate them. In macOS, getting the CID from inside the guest VM is straightforward—it is returned by IOCTL_VM_SOCKETS_GET_LOCAL_CID. However, in macOS the regular vsock API is not available on the host side, replaced by Virtualization.framework. I could not find anything in the Virtualization.framework's documentation that could be used to query (or set?) the CID for the specific virtual machine instance (which is certainly possible on other platforms utilizing Virtio drivers, e.g. Linux/QEMU). Am I overlooking something?

We have product for network monitoring and we are't able to add support auto-instrumenting the networking requests for URLSession async/wait methods as these methods are't exposed to dynamic environment or not exposed to ObjC and we con't use any of the run-time functionality and we con't override these methods as these methods are't public. looking for a way to add some kind of logic so that when customers use our product they don't have to add any code from there end to monitor this system.

I want to configure one aspect of my networking configuration (the QUIC keepalive interval). This only seems to be configurable via Network.framework’s nw_quic_set_keepalive_interval. Is there any way to apply this to a URLSession? Or do I need to implement the whole connection management myself using Network.framework?

1、Does Captive Portal documentation for IOS exist for developers? If so, please provide a link.

Hi everyone, I’ve been working with the NEPacketTunnelProvider class and came across the cancelTunnelWithError() method. The documentation mentions its general purpose but doesn’t provide much clarity on how and when it should be called. From what I’ve gathered in other forum posts, it seems that cancelTunnelWithError() should be called within my own implementation of the stopTunnel() method, but I’m not entirely sure if that’s the correct usage or whether there are specific scenarios where this applies. Here are my specific questions: Is it correct to always call cancelTunnelWithError() in my implementation of stopTunnel()? Are there specific conditions or scenarios where cancelTunnelWithError() is the preferred way to terminate a tunnel session, rather than other termination methods? What does the system do with the error that I pass to cancelTunnelWithError()? Does it have an impact on how the session termination is handled? Are there best practices or common pitfalls to avoid when using cancelTunnelWithError()? Any insights, examples, or guidance would be greatly appreciated! Thanks in advance for your help!

I have granted local network permissions, but sometimes I get a second confirmation popup, what is the timing of the secondary popup?

We found that when we only set one App Category and one Traffic Category in Xcode entitlements, the built application will contain all App Categories and Traffic Categories in the embedded.mobileprovision file, is it expected? Entitlements file: &lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;com.apple.developer.networking.slicing.appcategory&lt;/key&gt; &lt;array&gt; &lt;string&gt;streaming-9001&lt;/string&gt; &lt;/array&gt; &lt;key&gt;com.apple.developer.networking.slicing.trafficcategory&lt;/key&gt; &lt;array&gt; &lt;string&gt;avstreaming-7&lt;/string&gt; &lt;/array&gt; &lt;/dict&gt; &lt;/plist&gt; embedded.mobileprovision: &lt;key&gt;Entitlements&lt;/key&gt; &lt;dict&gt; &lt;key&gt;com.apple.developer.networking.slicing.appcategory&lt;/key&gt; &lt;array&gt; &lt;string&gt;communication-9000&lt;/string&gt; &lt;string&gt;games-6014&lt;/string&gt; &lt;string&gt;streaming-9001&lt;/string&gt; &lt;/array&gt; &lt;key&gt;com.apple.developer.networking.slicing.trafficcategory&lt;/key&gt; &lt;array&gt; &lt;string&gt;defaultslice-1&lt;/string&gt; &lt;string&gt;video-2&lt;/string&gt; &lt;string&gt;background-3&lt;/string&gt; &lt;string&gt;voice-4&lt;/string&gt; &lt;string&gt;callsignaling-5&lt;/string&gt; &lt;string&gt;responsivedata-6&lt;/string&gt; &lt;string&gt;avstreaming-7&lt;/string&gt; &lt;string&gt;responsiveav-8&lt;/string&gt; &lt;/array&gt;

I accidentally used -f and now Private Relay is not working with firewall active, but if i disable it, it works. Need the /etc/pf.conf original data

I've implemented a custom system extension VPN for macOS, using Packet Tunnel Provider. I have a XPC connection, from the containing app to the (system) extension. What is the expected behavior after the Mac's sleep/wake? Will the same XPC remain valid? Should I start a new connection?

​ I developed a Content Filter using the Network Extension, and when deployed to a batch of hosts (50 +), the installation worked for most of them, but there were six exceptions: five of them were macOS 10.15 and one of them was macOS 12.5. ​ The phenomenon of these 6 hosts is: in the System Settings->Network, two content filters with the same name appear. When one of the content filters with the same name is clicked, shows "Please use 'X Agent Extension' to control this content filter configuration" ('X Agent Extension' is the program I developed, this content filter can be deleted by clicking the minus sign in the lower left corner). Click on another content filter with the same name, shows 'Please use 'null' to control this content filter configuration', (but this content filter can't be removed by clicking the minus sign in the bottom left corner). ​ These systems are clean, use CLI 'systemextensionsctl list', and have only one systemextension in the output (this systemextension is my content filter). Online reference "https://forums.macrumors.com/threads/how-to-delete-custom-dns-profile-from-network-preference.2293322/" this paper, by closing the SIP, and delete file '/Library/Preferences/com.apple.networkextension.plist', then restart the system can remove the abnormal content filters with the same name. After restarting the system and reinstalling my content filter, the two content filters with the same name disappear (only the Content Filter I reinstalled) and the exception scenario cannot be repeated. ​ I would like to know, why do I have two content filters with the same name, how can I avoid this phenomenon, is there a way to remove the wrong content filter without closing SIP.

WiFi and Bluetooth are both enabled on Mac and iPhone, neither device is connected to a network Running MultipeerConnectivity on the Mac as Advertiser and iPhone as Browser, the invitation is sent from the phone and accepted by the mac, but the connection is then dropped. This doesn’t happen when the Advertiser is another iOS device. STEPS TO REPRODUCE THE PROBLEM We have created a small sample project that demonstrates the problem. It can be found at: https://github.com/eidria/Multipeer-Progress-Demo.git. It contains both a Mac app and a iOS app. Run the Mac app and start Advertising Run iOS app and start Browsing The iOS app automatically issues an invitation to the browser (Mac) which accepts. Shortly after the connection is dropped.

Hi, We are developing an app using PacketTunnelProvider from Network Extension framework. It is packaged as a system extension. We are trying to implement an "always-on" functionality, but cannot manage to start the extension before user login, with or without on-demand enabled. However we see in other posts (1, 2) that a network extension packaged as sysex should automatically start before user login. Are we missing something? Is it a limitation of PacketTunnelProvider? Thanks

I have an iOS app which contains a Network Extension that subclasses the NEPacketTunnelProvider, acting as a packet-tunnel VPN. After deploying the app on the device as a regular app, it runs the following code fragment: NETunnelProviderManager.loadAllFromPreferences { managers, _ in self.manager = managers?.first ?? NETunnelProviderManager() self.manager.protocolConfiguration = getConfiguration() self.manager.saveToPreferences { error in // Handle errors or show a "Connect" button in the UI } } This asks the user to install the extension as a "Device VPN". I can then use try? self.manager?.connection.startVPNTunnel() to start the VPN (and later stop it when needed). So far, this works fine. Now, I want to deploy the app with an MDM and set it up as the "custom VPN" of a "Per-App VPN". I have tested the setup using a real MDM, AND using the "development" setup described in NETunnelProviderManager. In both cases, the "Per-App VPN" shows up as a VPN in the "Settings" app. However, in both cases I am unable to retrieve, configure or use the "Per-App VPN". The code fragment posted above returns no NETunnelProviderManager at all. When instantiating one on my own and triggering self.manager.saveToPreferences(), it queries the user to install a "Device VPN". While I can control and use the latter, this is clearly not what I want after having gone through the pain of installing the "Per-App VPN". How can I retrieve the NETunnelProviderManager of the "Per-App VPN"? And then use it to configure and control the VPN connection? (Ideally, I would like to use the same app and the same Network Extension for both use cases, leaving the choice of which VPN type to use to the user or the user's MDM administrator.)

hi all. I’m working on a content filter system extension on MacOS. I try to disable the filtering in system settings, and it will cause smb shared folder connection interrupted. what I do in stopFilterWithReason:completionHandler: is waiting for the connection that is being filtered be allowed, then invoked the completionHandler. did I do something wrong here? is there a way to avoid the connection interruption?

Dear Team, I was previously able to access a non-secure HTTP API in my Ionic-built app. However, I am now encountering an error where the API requests are being rejected. Interestingly, this API works perfectly on Android and web platforms without any issues. As part of my troubleshooting, I have already added the following lines to my Info.plist file: `&lt;key&gt;NSAppTransportSecurity&lt;/key&gt; &lt;dict&gt; &lt;key&gt;NSAllowsArbitraryLoads&lt;/key&gt; &lt;true/&gt; &lt;/dict&gt;` Could you kindly suggest any alternative solutions or additional settings required to access this HTTP API? Your help would be greatly appreciated. Thank you, Mozib

I am developing an App for iOS/iPhone that communicates with an external hardware. The external hardware is a hotspot to which the iPhone connects and every 10 seconds this hardware sends data to the iPhone by opening a TCP connection on the local network to the indicated port. On the iPhone side I use NWListener to retrieve the connections. When a connection is opened, I retrieve the data sent by the hardware and I close the connection. Because I also need to have the exact position of the user I have activated the Location background mode using the CoreLocation framework. If I put my application in the background everything works correctly. I retrieve the data every 10s as well as the changes in the user's positions. After 15 minutes however, and it is very precise, the server (NWListener) no longer accepts connections as if there was a timeout or a limitation to having a server running in the background in an iOS application. Can you help me? Thanks

None of my app's functionalities make use of local network. However, on launching the app on an iPad running iOS 18.2.1, I see an iOS prompt asking for local network permission by the app with a null usage description. I know since the app does not have Privacy string for local network, I see the null message. But my app does not use of local network so I am confused why I see this alert.

Hi, I have couple of inquiries regarding the vmnet framework: Incorporating Global Variables: How should we integrate the new global variables in macOS 15.0+ vmnet_read_max_packets_key and vmnet_write_max_packets_key into our configuration to optimize packet transmission? Are those values populated dynamically or manually if so any recommended value ranges ? Buffer Allocation Issue: What strategies can we employ to mitigate this buffer allocation error and ensure more reliable packet transmission? We occasionally encounter the following error during packet writes: Error Domain=NSCocoaErrorDomain Code=512 "The file couldn’t be saved." Error Domain=NSPOSIXErrorDomain Code=55 "No buffer space available" Your insights on these matters would be greatly appreciated.