We currently supporting proxy app with Tunnel.appEx and PacketTunnelProvider. Some users report about constant error "The VPN session failed because an internal error occurred." on VPN start (which fails rapidly). This error occur mostly after user updated app with active VPN. Rebooting device solves the problem and it doesnt come again, but it is still very frustrating. I can provide any required info about app setup to solve this issue if you need. Thanks

I have a Vision Pro app, which I intend to use Apple-Hosted Background Assets for some of my videos after watching: https://developer.apple.com/videos/play/wwdc2025/325 I added a Apple-Hosted, Managed extension. New Target -> Background Download -> Apple-Hosted, Managed After creating an Archive, I tried uploading it to TestFlight, it complains about a DTPlatformName error in my Info.plist. So I added the following : <key>DTPlatformName</key> <string>xros</string> With which, I managed to upload the app with the extension to TestFlight. However, when I tried installing the app on TestFlight to Vision Pro, it gives me an error that says the app cannot be verified. Any help or pointers is greatly appreciated. Info.plist Entitlements

When using the official Wi-Fi Aware demo app on iOS, with the iOS device configured as a NAN Subscriber, after successfully establishing a peer-to-peer connection with another device via Wi-Fi Aware (NAN), the network path object nwPath.availableInterfaces does not list the nan0 virtual network interface. The nan0 interface is the dedicated NAN (Neighbor Aware Networking) interface used for Wi-Fi Aware data communication. Its absence from availableInterfaces prevents the app from correctly identifying/using the NAN data path, breaking expected Wi-Fi Aware data transmission logic. log: iOS works as subscriber: [onPathUpdate] newPath.availableInterfaces: ["en0"] iOS works as publisher: [onPathUpdate] newPath.availableInterfaces: ["nan0"]

Hi, I see an interaction issue between a DNS Proxy system extension and MDM on macOS: after some time the device stops processing MDM commands until reboot, while DNS filtering continues to work. Environment: macOS: 15.x / 26.x (reproduced on multiple minor versions) App: /Applications/MyMacProxy.app System extension: NEDNSProxyProvider as system extension Bundle id: com.company.agent.MyMacProxy.dnsProxy Deployment: MDM (SimpleMDM) DNS proxy config via com.apple.dnsProxy.managed Devices: supervised Macs Steps to reproduce: Enrol Mac into MDM. Install MyMacProxy app + DNS proxy system extension via pkg and apply com.apple.dnsProxy.managed profile. DNS proxy starts, DNS is filtered correctly, user network works normally. After some hours, try to manage the device from MDM: push a new configuration profile, remove an existing profile, or install / remove an app. 5.MDM server shows commands as pending / not completed. On the Mac, DNS is still filtered via our DNS proxy, and general network access (Safari etc.) continues to work. After reboot, pending MDM commands are processed and we can remove the app, profile and system extension normally. This is reproducible on our test machines. What I see on the Mac in the “stuck” state apsd is running: sudo launchctl print system/com.apple.apsd # job state = running com.apple.mdmclient.daemon exists as a job but is not running: sudo launchctl print system/com.apple.mdmclient.daemon Abbreviated output: system/com.apple.mdmclient.daemon = { ... state = not running job state = exited runs = 5 last exit code = 0 ... } So the MDM client daemon has exited cleanly (exit code 0) and is currently not running; its APS endpoints are configured. Our DNS proxy system extension is still processing flows: we see continuous logging from our NEDNSProxyProvider, and DNS filtering is clearly active (requests go through our upstream). systemextensionsctl list still shows our DNS proxy system extension as active. From the user’s perspective, everything works (with filtered DNS). From the MDM server’s perspective, commands stay pending until the next reboot. After reboot, MDM behaviour is normal again. Uninstall / cleanup (current approach, simplified) We currently use an MDM‑delivered shell script that: disables our DNS proxy configuration for the console user by editing ~/Library/Preferences/com.apple.networkextension.plist and setting Enabled = false for our DNSProxyConfigurations entries; flushes DNS cache and restarts mDNSResponder; unloads our LaunchDaemon / LaunchAgent for the host app; kills the system extension process using pgrep -f "com.company.agent.MyMacProxy.dnsProxy" | xargs kill -9; removes the extension binary from /Library/SystemExtensions/.../com.company.agent.MyMacProxy.dnsProxy.systemextension; removes /Applications/MyMacProxy.app and related support files. We currently do not call systemextensionsctl uninstall <TEAMID> com.company.agent.MyMacProxy.dnsProxy from MDM, mainly because of SIP and because we understand that fully silent system extension uninstall is constrained. The MDM responsiveness issue, however, can appear even if we don’t run this aggressive uninstall script and just let the extension run for some hours. Questions Is it expected that a DNS Proxy system extension (managed via com.apple.dnsProxy.managed) can leave a device in a state where: apsd is running, com.apple.mdmclient.daemon is not running (last exit code 0), DNS proxy continues to filter traffic, but MDM commands remain pending until reboot? Are there known best practices or pitfalls when combining: DNS Proxy system extensions (NEDNSProxyProvider), MDM‑distributed com.apple.dnsProxy.managed profiles, and MDM app / profile management on recent macOS versions? For uninstall in an MDM environment, what pattern do you recommend? For example, is it better to: disable / remove the DNS proxy profile, stop the NE configuration via NEDNSProxyManager from the app, avoid killing the system extension or removing files from /Library/SystemExtensions immediately, and instead require a reboot for full removal? I can provide a sysdiagnose and unified logs (including nesessionmanager, mdmclient and our logs) from an affected machine if that would be helpful.

Summary I'm implementing NEURLFilter with the com.apple.developer.networking.networkextension.url-filter-provider entitlement for a system-wide URL filtering feature. The feature works perfectly in development-signed builds (connecting successfully to my PIR server over extended testing) but every production-signed build fails before any network call is made. NEURLFilterManager reports .serverSetupIncomplete (code 9). After installing the NetworkExtension debug profile, the unredacted com.apple.CipherML logs reveal the cause: no privacy proxy is provisioned for this bundle identifier, and the connection is configured proxy fail closed. Environment iOS 26 Entitlement: com.apple.developer.networking.networkextension.url-filter-provider Extension point: com.apple.networkextension.url-filter-control PIR server configured via NEURLFilterManager.setConfiguration(...) Privacy Pass issuer configured Dev-signed builds: working correctly, connecting to the PIR server Production-signed builds (both TestFlight and distribution): failing identically The Error Chain Surfaced to the app via NEURLFilterManager.lastDisconnectError: NEURLFilterManager.Error.serverSetupIncomplete (code 9) ← NEAgentURLFilterErrorDomain Code 3 ← com.apple.CipherML Code 1100 "Unable to query status" ← com.apple.CipherML Code 1800 (error details were logged and redacted) After installing the VPN (NetworkExtension) debug profile, the unredacted com.apple.CipherML subsystem shows: queryStatus(for:options:) threw an error: Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={ _NSURLErrorNWPathKey = satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good, NSErrorFailingURLKey = https://<my-pir-server>/config, NSUnderlyingError = { Error Domain=NSPOSIXErrorDomain Code=50 "Network is down" }, _NSURLErrorPrivacyProxyFailureKey = true, NSLocalizedDescription = "The Internet connection appears to be offline." } The critical diagnostic line in the com.apple.network subsystem is: nw_endpoint_proxy_handler_should_use_proxy Proxies not present, but required to fail closed And the connection setup shows the proxy fail closed flag is mandatory for the connection: [C... ... Hostname#...:443 quic, bundle id: <my-bundle-id>, attribution: developer, using ephemeral configuration, context: NWURLSession (sensitive), proxy fail closed] start The network path itself is healthy (Wi-Fi good, DNS resolves correctly), but the connection is explicitly configured to fail closed if no proxy is present, and no proxy is provisioned for this bundle identifier. The entire failure happens in approximately 18 ms, far too fast for any network round-trip, confirming no traffic ever leaves the device. What I've Verified The entitlement is present in the distribution build The NEURLFilterControlProvider extension loads and returns a valid Bloom filter prefilter (with a tag that round-trips correctly between extension and framework) NEURLFilterManager.setConfiguration(pirServerURL:pirPrivacyPassIssuerURL:pirAuthenticationToken:controlProviderBundleIdentifier:) accepts all four parameters without error Development-signed builds of the same bundle identifier connect successfully to the same PIR server On production-signed builds, zero requests reach the PIR server — failure is purely client-side, before any network activity The Question How does the OHTTP privacy proxy get provisioned for a bundle identifier so that production builds can successfully use NEURLFilter? Specifically: Is there a Capability Request form I need to submit for url-filter-provider? I cannot find one in the Capability Requests section of my developer portal. Should I be running my own OHTTP gateway (for example using swift-nio-oblivious-http), and if so, does Apple then need to provision routing from their OHTTP relay to my gateway URL? Is the OHTTP relay path meant to be automatic once the entitlement is active, and if so, is there a specific activation step I'm missing? Is there any way to verify the current provisioning state for a specific bundle identifier from the developer portal? I can provide the full sysdiagnose and unredacted bundle/server details privately to an Apple engineer if that would help diagnose. I'd prefer to keep them out of a public post. Thanks!

I’m building an app on macOS 26.4 with Xcode 26.4. When I build and run my app it started prompting me for network access, which it didn’t do before with Xcode 26. It did that repeatedly, and I had been approving the prompts and the app had been working. Now the app’s network features are not working, and I assume its because its being blocked by macOS, even though I accepted the network requests each time. In System Settings - Privacy and Security - Local Network, the app has many repeated entries, like 20, and all of them are turned on.

Hello, I am currently developing a headless macOS daemon (HarmonBridge) that requires extremely low-latency, high-bandwidth UDP video streaming between a Mac and a Linux host over a dedicated 2.5GbE/5GbE local network link. We are utilizing widely available Realtek RTL8156 / RTL8156B based USB 2.5G network adapters. Under macOS, these adapters default to the generic com.apple.DriverKit.AppleUserECM driver. The hardware itself natively supports Jumbo Frames (MTU 9000), but the DriverKit implementation artificially restricts the MTU cap to 1500 bytes. Because we are forced through MTU 1500, we are incurring significant performance penalties: Excessive IP fragmentation for our large UDP video payloads. Unnecessary CPU overhead due to increased hardware interrupts and header processing at 2.5Gbps speeds. For a latency-critical application like ours, reducing CPU interrupts and utilizing true hardware-level Jumbo Frames is essential. My Questions: Is there an undocumented boot-arg or network sysctl parameter that permits overriding the AppleUserECM 1500 MTU hard-limit for 2.5G USB adapters on Apple Silicon? Are there any roadmap plans from the DriverKit/Networking team to re-enable standard Jumbo Frame negotiation for RTL8156 hardware using the generic ECM driver? If the answer to both is no, does Apple grant NetworkingDriverKit Entitlements to independent developers specifically for the purpose of writing custom hardware overrides to patch missing MTU features in the default ECM stack? Because AppleUserECM effectively acts as a gatekeeper to the underlying MAC/PHY capabilities of these modern USB NICs, any guidance on achieving wire-native MTU 9000 under the current DriverKit paradigm would be hugely appreciated. Thank you!

Hello! I have an accessory, which is paired already with an iPhone, and am attempting to upgrade its SSID permission to Wi-Fi Aware. In ideal conditions, it works perfectly. However, if I dismiss the picker at the time of pin-code entry, I am unable to re-initialize an upgrade authorization picker. Even though the authorization is not completed a WAPairedDeviceID is assigned to the object of 18446744073709551615. Any subsequent attempts to start the picker up again spits out when treated as a failure serves: [ERROR] updateAuthorization error=Error Domain=ASErrorDomain Code=450 "No new updates detected from existing accessory descriptor." Attempting with a mutated descriptor serves: [ERROR] updateAuthorization error=Error Domain=ASErrorDomain Code=450 "Accessory cannot be upgraded with given descriptor." If I try using failAuthorization i get a 550 "Invalid State" error and furthermore if I try finishAuthorization to attempt to clear the descriptor/paired device ID it fails to clear it. If I could be pointed to the intended behavior on how to handle this, or this can be acknowledged as a bug, that would be incredibly appreciated. Thank you!

I’m working on an iOS Network Extension where a NEPacketTunnelProviderconfigures a local HTTP/HTTPS proxy usingNEPacketTunnelNetworkSettings.proxySettings. Per NEProxySettings.exceptionList docs: If the destination host name of an HTTP connection matches one of these patterns then the proxy settings will not be used for the connection. However, I’m seeing two distinct issues: Issue A (exception bypass not working): HTTPS traffic to a host that matches exceptionList still reaches the proxy. Issue B (domain-scoped proxy not applied): When matchDomains is set to match a specific domain (example: ["googlevideo.com"]), I still observe its traffic in some apps is not proxied. If I remove the domain from matchDomains, the same traffic is proxied. Environment OS: iOS (reproduced with 26.4 and other versions) Devices: Reproduced with several iPhones (likely iPads as well) Xcode: 26.3 Extension: NEPacketTunnelProvider Minimal Repro (code) This is the minimal configuration. Toggle between CONFIG A / CONFIG B to reproduce each issue. import NetworkExtension final class PacketTunnelProvider: NEPacketTunnelProvider { override func startTunnel( options: [String : NSObject]? = nil, completionHandler: @escaping (Error?) -> Void ) { let proxyPort = 12345 // proxy listening port let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "8.8.8.8") let proxySettings = NEProxySettings() proxySettings.httpEnabled = true proxySettings.httpsEnabled = true proxySettings.httpServer = NEProxyServer(address: "1.2.3.4", port: proxyPort) // proxy listening address proxySettings.httpsServer = NEProxyServer(address: "1.2.3.4", port: proxyPort) // proxy listening address // CONFIG A: proxy all domains, but exclude some domains // proxySettings.matchDomains can be set to match all domains // proxySettings.exceptionList = ["*.cdninstagram.com", "cdninstagram.com"] // CONFIG B: proxy only a specific domain // proxySettings.matchDomains = ["googlevideo.com"] settings.proxySettings = proxySettings setTunnelNetworkSettings(settings) { error in completionHandler(error) } } } Repro steps Issue A (exceptionList bypass not working) Enable the VPN configuration and start the tunnel with CONFIG A (exceptionList = ["*.cdninstagram.com", "cdninstagram.com"]). Open the Instagram app to trigger HTTPS connections to *.cdninstagram.com Inspect proxy logs: cdninstagram.com traffic is still received by the proxy. Safari comparison: If I access URLs that trigger the same *.cdninstagram.com hosts from Safari, it can behave as expected. When the traffic is triggered from the Instagram app, the excluded host still reaches the proxy as CONNECT, which is unexpected. Issue B (matchDomains not applied for YouTube traffic) Start the tunnel with CONFIG B (matchDomains = ["googlevideo.com"]). Open the YouTube app and start playing a video (traffic typically targets *.googlevideo.com). Inspect proxy logs: googlevideo.com traffic is not received by the proxy. Remove the host from matchDomains and observe that googlevideo.com traffic is received by the proxy. Safari comparison: If I access a googlevideo.com host from Safari while matchDomains = ["googlevideo.com"], it behaves as expected (proxied). In contrast, the YouTube app’s googlevideo.com traffic is not proxied unless I match all domains. Expected Issue A Connections to *.cdninstagram.com in the Instagram app should not use the proxy and should not reach the local proxy server. Issue B With matchDomains = ["googlevideo.com"], traffic to *.googlevideo.com (YouTube video traffic) should be proxied and therefore reach the local proxy. Actual Issue A The local proxy still receives the request as: CONNECT scontent-mad1-1.cdninstagram.com:443 HTTP/1.1 So the bypass does not happen. Issue B With matchDomains = ["googlevideo.com"], I still observe googlevideo.com traffic in the YouTube app that is not delivered to the proxy. When all traffic is proxied, the same traffic is delivered to the proxy.

Based on https://developer.apple.com/documentation/networkextension/nednssettings/searchdomains , we expect the values mentioned in searchDomains to be appended to a single label DNS query. However, we are not seeing this behavior. We have a packetTunnelProvider VPN, where we set searchDomains to a dns suffix (for ex: test.com) and we set matchDomains to applications and suffix (for ex: abc.com and test.com) . When a user tries to access https://myapp , we expect to see a DNS query packet for myapp.test.com . However, this is not happening when matchDomainsNoSearch is set to true. https://developer.apple.com/documentation/networkextension/nednssettings/matchdomainsnosearch When matchDomainsNoSearch is set to false, we see dns queries for myapp.test.com and myapp.abc.com. What is the expected behavior of searchDomains?

iOS Development environment Xcode 16.4, macOS 15.6.1 (24G90) Run-time configuration: iOS 17.2+ Short Description After having successfully established an NWConnection (either as UDP or TCP), and subsequently receiving the error code: UDP Connection failed: 57 The operation couldn't be completed. (Network.NWError error 57 - Socket is not connected), available Interfaces: [enO] via NWConnection.stateUpdateHandler = { (newState) in ... } while newState == .failed the data connection does not restart by itself once cellular (RF) telephony coverage is established again. Detailed Description Context: my app has a continuous cellular data connection while in use. Either a UDP or a TCP connection is established depending on the user settings. The setup data connection works fine until the data connection gets disconnected by loss of connection to a available cellular phone base station. This disconnection simply occurs in very poor UMTS or GSM cellular phone coverage. This is totally normal behavior in bad reception areas like in mountains with signal loss. STEPS TO REPRODUCE Pre-condition App is running with active data connection. Action iPhone does loss the cellular data connection previously setup. Typically reported as network error code 57. Observed The programmed connection.stateUpdateHandler() is called in network connection state '.failed' (OK). The self-programmed data re-connection includes: a call to self.connection.cancel() a call to self.setupUDPConnection() or self.setupConnection() depending on the user settings to re-establish an operative data connection. However, the iPhone's UMTS/GSM network data (re-)connection state is not properly identified/notified via NWConnection API. There's no further network state notification by means of NWConnection even though the iPhone has recovered a cellular data network. Expected The iPhone or any other means automatically reconnects the interrupted data connection on its own. The connection.stateUpdateHandler() is called at time of the device's networking data connection (RF) recovering, subsequently to a connection state failed with error code 57, as the RF module is continuously (independently from the app) for available telephony networks. QUESTION How to systematically/properly detect a cellular phone data network reconnection readiness in order to causally reinitialize the NWConnection data connection available used in app. Relevant code extract Setup UDP connection (or similarly setup a TCP connection) func setupUDPConnection() { let udp = NWProtocolUDP.Options.init() udp.preferNoChecksum = false let params = NWParameters.init(dtls: nil, udp: udp) params.serviceClass = .responsiveData // service type for medium-delay tolerant, elastic and inelastic flow, bursty, and long-lived connections connection = NWConnection(host: NWEndpoint.Host.name(AppConstant.Web.urlWebSafeSky, nil), port: NWEndpoint.Port(rawValue: AppConstant.Web.urlWebSafeSkyPort)!, using: params) connection.stateUpdateHandler = { (newState) in switch (newState) { case .ready: //print("UDP Socket State: Ready") self.receiveUDPConnection(). // data reception works fine until network loss break case .setup: //print("UDP Socket State: Setup") break case .cancelled: //print("UDP Socket State: Cancelled") break case .preparing: //print("UDP Socket State: Preparing") break case .waiting(let error): Logger.logMessage(message: "UDP Connection waiting: "+error.errorCode.description+" \(error.localizedDescription), available Interfaces: \(self.connection.currentPath!.availableInterfaces.description)", LoggerLevels.Error) break case .failed(let error): Logger.logMessage(message: "UDP Connection failed: "+error.errorCode.description+" \(error.localizedDescription), available Interfaces: \(self.connection.currentPath!.availableInterfaces.description)", LoggerLevels.Error) // data connection retry (expecting network transport layer to be available) self.reConnectionServer() break default: //print("UDP Socket State: Waiting or Failed") break } self.handleStateChange() } connection.start(queue: queue) } Handling of network data connection loss private func reConnectionServer() { self.connection.cancel() // Re Init Connection - Give a little time to network recovery let delayInSec = 30.0. // expecting actually a notification for network data connection availability, instead of a time-triggered retry self.queue.asyncAfter(deadline: .now() + delayInSec) { switch NetworkConnectionType { case 1: self.setupUDPConnection() // UDP break case 2: self.setupConnection() // TCP break default: break } } } Does it necessarily require the use of CoreTelephony class CTTelephonyNetworkInfo or class CTCellularData to get notifications of changes to the user’s cellular service provider?

Hi, I'v got the error by using NEHotspotConfiguration to connect a wifi spot but get:NEHotspotConfigurationErrorDomain code=8. I hope to get the same result as when scanning the code with the system camera. A pop-up window will appear, and I just need to click "Join" to successfully connect. Here's the logs: [OneAppWifi][iOS] handleCheckWifiEnabled start (iOS 12+) [OneAppWifi][iOS] handleCheckWifiEnabled pathUpdateHandler status=satisfied [OneAppWifi][iOS] handleConnectWifi start, ssid=OPPO Find X6 Pro, pwd=len=16, authType=Optional("sae"), hidden=false [OneAppWifi][iOS] handleConnectWifi cancelPendingConnection before new request ssid=OPPO Find X6 Pro [OneAppWifi][iOS] cancelPendingConnection called, errorCode=nil, currentSsid=nil [OneAppWifi][iOS] cancelPendingConnection silent cancel, just clear pendingConnectResult [OneAppWifi][iOS] handleConnectWifi apply completion with error, domain=NEHotspotConfigurationErrorDomain, code=8, userInfo=["NSLocalizedDescription": internal error.] [OneAppWifi][iOS] resolveNEError NEHotspotConfigurationErrorDomain code=8 [OneAppWifi][iOS] resolveNEError systemConfiguration / internal, map to connection_failed [OneAppWifi][iOS] handleConnectWifi resolved as failure errorCode=Optional("connection_failed") for ssid=OPPO Find X6 Pro [OneAppWifi][iOS] firePendingResult value=["success": false, "errorCode": Optional("connection_failed")], currentSsid=Optional("OPPO Find X6 Pro")

Is it somehow possible to get the transport layer (UDP and TCP) payload amounts for TLS or QUIC connections established via the Network framework? (From within the app itself that establishes the connections.) I am currently using the ntstat.h kernel socket calls, but I hope there is a simpler solution. With ntstat, I have not yet been able to observe a specific connection. I have to search for the connection I am looking in all (userspace) connections.

On my iPhone 16 Pro and iPhone 16 Pro Max devices, running iOS 26.0, 26.0.1, and 26.1, Wi-Fi raw socket communication works flawlessly. Even after keeping the connection active for over 40 minutes, there are no disconnections during data transmission. However, on the iPhone 17 and iPhone 17 Pro, the raw socket connection drops within 20 seconds. Once it disconnects, the socket cannot reconnect unless the Wi-Fi module itself is reset. I believe this issue is caused by a bug in the iPhone 17 series’ communication module. I have looked into many cases, and it appears to be related to a bug in the N1 chipset. Are there any possible solutions or workarounds for this issue?

I haven’t come across any official documentation regarding the limit on the number of Network Extensions macOS can run. However, I did see some discussions suggesting that Apple might restrict this to 5 extensions in macOS Tahoe. Is there any official confirmation on this?

Since updating to macOS 26.4 developerbeta 2 I've been getting full loss of dns resolution. I am not running a VPN or any network extensions that I am aware of. I'm not sure how to report this in the feedback utility as I cannot find an appropriate category for it. Happy to file it if someone can give an appropriate suggestion - the closest I could see was Wi-Fi but that wanted Wi-Fi logs for the issue, which I do not believe to be needed as this is not a Wi-Fi connectivity issue. Running dig example.com +short nslookup example.com ping example.com Gives the following output 104.18.27.120 104.18.26.120 Server: 10.0.1.1 Address: 10.0.1.1#53 \ Non-authoritative answer: Name: example.com Address: 104.18.26.120 Name: example.com Address: 104.18.27.120 \ ping: cannot resolve example.com: Unknown host This shows it's not an issue with my local network and that core networking is working, but something in the mDNSResponder/dns stack of macOS is failing. This causes all apps/browsers that do not implement their own DNS lookups to fail (Chrome still works). Sometimes the issue clears after running the following commands (for a period), sometimes it does not. A restart always resolves the issue temporarily. sudo killall -9 mDNSResponder sudo killall -9 mDNSResponderHelper sudo dscacheutil -flushcache sudo ifconfig en0 down sudo ifconfig en0 up

Hi, On macOS 26.4 Beta (25E5218f) （macOS Tahoe 26 Developer Beta ）, the network filter causes network failures or slowdowns. This manifests as Chrome failing to access websites, while Safari can access the same websites without issue. The affected websites can be pinged locally. My situation is similar to this situation.The same question link is: https://github.com/objective-see/LuLu/issues/836 Have you been paying attention to this issue? Hopefully, it can be fixed in the official release. Thank you.

I’m building a macOS app with a DNS Proxy system extension for Developer ID + notarization, deployed via MDM, and Xcode fails the Developer ID Release build with a provisioning profile mismatch for com.apple.developer.networking.networkextension. Environment macOS: Sequoia (15.7.2) Xcode: 26.2 Distribution: Developer ID + notarization, deployed via MDM Host bundle ID: com.mydns.agent.MyDNSMacProxy DNS Proxy system extension bundle ID: com.mydns.agent.MyDNSMacProxy.dnsProxy Host entitlements (Release): File: MyDNSMacProxy/MyDNSMacProxyRelease.entitlements: "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>B234657989.com.mydns.agent.MyDNSMacProxy</string> <key>com.apple.developer.networking.networkextension</key> <array> <string>dns-proxy</string> </array> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.team-identifier</key> <string>B234657989</string> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>group.com.mydns.MyDNSmac</string> </array> <key>keychain-access-groups</key> <array> <string>B234657989.*</string> </array> </dict> </plist> xcodebuild -showBuildSettings -scheme MyDNSMacProxy -configuration Release : PROVISIONING_PROFILE_SPECIFIER = main MyDNSMacProxy5 CODE_SIGN_IDENTITY = Developer ID Application Host Developer ID profile main_MyDNSMacProxy5.provisionprofile (via security cms -D): "Entitlements" => { "com.apple.application-identifier" => "B234657989.com.mydns.agent.MyDNSMacProxy" "com.apple.developer.team-identifier" => "B234657989" "com.apple.security.application-groups" => [ "group.com.mydns.MyDNSmac", ..., "B234657989.*" ] "keychain-access-groups" => [ "B234657989.*" ] "com.apple.developer.system-extension.install" => 1 "com.apple.developer.networking.networkextension" => [ "packet-tunnel-provider-systemextension", "app-proxy-provider-systemextension", "content-filter-provider-systemextension", "dns-proxy-systemextension", "dns-settings", "relay", "url-filter-provider", "hotspot-provider" ] } So: App ID, team ID, keychain and system‑extension.install match. The profile’s com.apple.developer.networking.networkextension is a superset of what I request in the host entitlements (dns-proxy only). System extension (for context) DNS Proxy system extension target: NSExtensionPointIdentifier = com.apple.dns-proxy NetworkExtension → NEProviderClasses → com.apple.networkextension.dns-proxy → my provider class Entitlements: com.apple.developer.networking.networkextension = ["dns-proxy-systemextension"] This target uses a separate Developer ID profile and builds successfully. Xcode error Release build of the host fails with: …MyDNSMacProxy.xcodeproj: error: Provisioning profile "main MyDNSMacProxy5" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. (in target 'MyDNSMacProxy' from project 'MyDNSMacProxy') Xcode UI also says: Entitlements: 6 Included, 1 Missing Includes com.apple.developer.team-identifier, com.apple.application-identifier, keychain-access-groups, com.apple.developer.system-extension.install, and com.apple.security.application-groups. Doesn’t match entitlements file value for com.apple.developer.networking.networkextension. Because of this, the app bundle isn’t produced and I can’t inspect the final signed entitlements. Questions: For com.apple.developer.networking.networkextension, should Xcode accept a subset of values in the entitlements (here just dns-proxy) as long as that value is allowed by the Developer ID profile, or does it currently require a stricter match? Is the following configuration valid for Developer ID + MDM with a DNS Proxy system extension: Host entitlements: ["dns-proxy"] System extension entitlements: ["dns-proxy-systemextension"] Host profile’s NE array includes the DNS Proxy system extension types. If this is a known limitation or bug in how Xcode validates NE entitlements for Developer ID, is there a recommended workaround? Thanks for any guidance.

I'm using a Mac Studio in a homelab context and use Homebrew to manage the installed services. The services include things that access the local network, for example Prometheus which monitors some other servers, a reverse proxy which fronts other web services on the network, and a DNS server which can use another as upstream. Local Network Access permissions make it impossible to reliably perform unattended updates of services because an updated binary requires a GUI login to grant local network permissions (again). I use brew services to manage the services as launchd agents, i.e. they run in a non-root GUI context. I know that I can also use sudo brew services which instead installs the services as launchd daemons, but running services as root has negative security implication and generally doesn't look like a good idea to me. If only there was a way to disable local network access checks altogether…

We have an application which is written in Swift, which activates Transparent Proxy network extension. Our Transparent Proxy module is a system extension, which is exposing an app proxy provider interface (We are using NETransparentProxyProvider class and in extension’s Info.plist we use com.apple.networkextension.app-proxy key.) We are using JAMF MDM profile for installing our transparent proxy in customer environment. We are using VPN payload(https://developer.apple.com/documentation/devicemanagement/vpn) for this network system extension. This payload does not have any field for order. As per https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy-data.dictionary documentation there is another payload for TransparentProxy and we could create a Transparent Proxy profile using iMazingProfile Editor. Noticed that, if we add the Order attribute to the VPN/TransparentProxy payload, while installing the extension, the save to preferences fails with "Error in saving TP configuration in updateOnDemandRule permission denied" error. Can we use this Order field to ordering the installed Transparent Proxy extension in a machine? Customer devices will likely have other Transparent Proxy network extensions as well. We want to allow the Customer to control the order in which each Transparent Proxy network extension receives the network traffic. How can we set the order of the Transparent proxy extension that can be deployed using MDM profile with VPN/TransparentProxy payload? Attached the TransparentProxy payload profile for the reference. DGWebProxy_TransparentProxy_iMazing