Hello, Title states it basically. I have a java program (launched via shell script) running as a service using launchd which is running as a user (not root) and it does not request Local Network permissions ever. I feel like i'm missing something here. I combed through all of the Local Network FAQs and don't really see this use case addressed. I do see that there is an open ticket for an API to trigger the request, but no update on that and the ticket is not visible publicly. Is there is a way to accomplish this for java or other programs running via launchd with a user other than root? something like an entitlement or an API to seed the permission of Local Network when installing the service via launchctl etc?

We are migrating our iOS app to macOS. On iOS, it works fine. But when I try and run on macOS and connect to the VPN, I am getting an error like failed to fetch /Users/stuart/Library/Developer/Xcode/DerivedData/app-byzvshkqegwzqxgervfswmsughkm/Build/Products/Debug/<app_name>.app/Contents/PlugIns/<network_extension_name>.appex/Contents/_CodeSignature/CodeRequirements-1 error=-10. If I have Settings -> VPN open, it rapidly is connecting and disconnecting. Is there anything I need to do specific to macOS to make this work? Or is this related to a broken code signature? Thanks in advance!

I did watch WWDC 2019 Session 716 and understand that an active audio session is key to unlocking low‑level networking on watchOS. I’m configuring my audio session and engine as follows: private func configureAudioSession(completion: @escaping (Bool) -> Void) { let audioSession = AVAudioSession.sharedInstance() do { try audioSession.setCategory(.playAndRecord, mode: .voiceChat, options: []) try audioSession.setActive(true, options: .notifyOthersOnDeactivation) // Retrieve sample rate and configure the audio format. let sampleRate = audioSession.sampleRate print("Active hardware sample rate: \(sampleRate)") audioFormat = AVAudioFormat(standardFormatWithSampleRate: sampleRate, channels: 1) // Configure the audio engine. audioInputNode = audioEngine.inputNode audioEngine.attach(audioPlayerNode) audioEngine.connect(audioPlayerNode, to: audioEngine.mainMixerNode, format: audioFormat) try audioEngine.start() completion(true) } catch { print("Error configuring audio session: \(error.localizedDescription)") completion(false) } } private func setupUDPConnection() { let parameters = NWParameters.udp parameters.includePeerToPeer = true connection = NWConnection(host: "***.***.xxxxx.***", port: 0000, using: parameters) setupNWConnectionHandlers() } private func setupTCPConnection() { let parameters = NWParameters.tcp connection = NWConnection(host: "***.***.xxxxx.***", port: 0000, using: parameters) setupNWConnectionHandlers() } private func setupWebSocketConnection() { guard let url = URL(string: "ws://***.***.xxxxx.***:0000") else { print("Invalid WebSocket URL") return } let session = URLSession(configuration: .default) webSocketTask = session.webSocketTask(with: url) webSocketTask?.resume() print("WebSocket connection initiated") sendAudioToServer() receiveDataFromServer() sendWebSocketPing(after: 0.6) } private func setupNWConnectionHandlers() { connection?.stateUpdateHandler = { [weak self] state in DispatchQueue.main.async { switch state { case .ready: print("Connected (NWConnection)") self?.isConnected = true self?.failToConnect = false self?.receiveDataFromServer() self?.sendAudioToServer() case .waiting(let error), .failed(let error): print("Connection error: \(error.localizedDescription)") DispatchQueue.main.asyncAfter(deadline: .now() + 2) { self?.setupNetwork() } case .cancelled: print("NWConnection cancelled") self?.isConnected = false default: break } } } connection?.start(queue: .main) } I am reaching out to seek further assistance regarding the challenges I've been experiencing with establishing a UDP, TCP & web socket connection on watchOS using NWConnection for duplex audio streaming. Despite implementing the recommendations provided earlier, I am still encountering difficulties. Or duplex audio streaming not possible on apple watch?

I'm working on a game that uses NWBrowser and NWListener to create a connection between an iOS and tvOS app. I've got the initial networking up and running and it works perfectly when running in the simulator(s). However, when I run on-device(s), I've found that browseResultsChangedHandler gets called multiple times for what is ostensibly the same service. My browser handler (which runs on iOS) looks like this: browser.browseResultsChangedHandler = { [weak self] results, changes in if let result = browser.browseResults.first { self?.onPeerConnected?(PeerConnection(endpoint: result.endpoint)) } } The first time it gets called, the interface in the NWBrowser.Result is en0, but the 2nd time it gets called, it is en0 AND awdl0. Because my current handling is so naive, this re-invocation ends up with two connections being made to the remote server (the Apple TV). Now, I know that this handler, by its very name, is designed to be called multiple times as things change, so I'm curious as to what strategies I might employ here. Is there any value in tearing down any previous connections and re-connecting using the latest one? Should I just kill the browser as soon as I handle the first one? Just ignore subsequent ones? I'm sure that, to a degree, the answer is probably "it depends"... but I'm curious to see if there might be at least some high-level strategies like "whatever you do, don't do xxxx" or "most apps do yyyy" :-) Thanks.

Hi, I built a system that can detect and block Short Form Videos like Instagram Reels and Youtube Shorts. It works by connecting the iphone to a VPN and then do statistics on network packets (no decryption). I was wondering the feasibility of porting this to run on device. Functionality wise I would need: packet interception, packet drop, DNS query interception. I saw that Content filter providers could be something to look into, but then I read an article of how you would have to have a managed device which is not ideal for the end user. New to apple development, the lack of snippets and code examples is confusing.

Hi, I've created a packet tunnel but my packetFlow object isn't get called with any packets. Do I need to do something else to configure the packetFlow? Maybe I have to link it to a NWUDPSession? Thanks, Dave class PacketTunnelProvider: NEPacketTunnelProvider { override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) { let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: tunnelRemoteAddress) settings.ipv4Settings = NEIPv4Settings(addresses: [tunnelRemoteAddress], subnetMasks: ["255.255.255.255"]) settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()] setTunnelNetworkSettings(settings) { error in completionHandler(error) self.readPacketObjects() } } private func readPacketObjects() { self.packetFlow.readPacketObjects() { packets in // It never gets here. self.logMessage("Got '\(packets.count)' packet(s)") self.packetFlow.writePacketObjects(packets) self.readPacketObjects() } } }

Hello, I'm developing a Transparent Proxy and I noticed that the Network Extension Framework logs in the Unified Logging System when my profile receives a flow, its source application, its destination endpoint, and my profile's decision regarding that flow. I worry that this may compromise the user's privacy. So is there a way that I can turn off these logs at least in Distribution Configurations?

We have an old iOS app and an old camera that connects using Wi-Fi either using an access point or Ad Hoc network, e.g., iPhone/iPad connects to the camera's Wi-Fi directly... How it works (old legacy app/system, which cannot be redesigned): Camera is configured to Ad Hoc Wi-Fi network (insecure TCP). iPhone connects to this insecure Wi-Fi. Camera uses Bonjour service to broadcast its IP address. App reads in IP address and begin to send messages to the camera using NSMutableURLRequest, etc. All this works fine for iOS 17. But in iOS 18 step 4 stopped working. App simply doesn't get any responses! We believe we have configured ATS properly (App Store version): In panic we have also tried this in Test Flight version: The latter actually seemed to make a difference when running the app on macOS Apple Silicon. But on iOS it didn't seem to make any difference. Occasionally, I was lucky to get connection on on iPhone 16 Pro with iOS 18. But for the 'many' iPads I have tried I couldn't. I also tried to install CFNetwork profile and look at the logs but I believe I just got timeout on the requests. Questions: Why it iOS 18 different? Bonjour works fine, but NSSURLRequests doesn't Do we configure ATS correctly for this scenario? What should I look for in the Console log when CFNetwork profile is installed? Should I file a TSI? Thanks! :)

[Q] Has there been a change in macOS 15.3.2 and later that can explain why some UDP traffic is not seen by some Network Extensions when it is in previous macOS minor and major versions?

1、Does Captive Portal documentation for IOS exist for developers? If so, please provide a link.

I am adopting Swift Concurrency in my network extension app to use Swift 6 protections. In the UI app I ended up with most of the app marked as MainActor, so that pieces of my app can keep seamless access to each other and at the same time have thread safe access. When it comes to my network extension, does it make sense to also mark most of the code as MainActor for the purposes of thread safety and seamless access of most classes to each other? I have doubts, because MainActor sounds like it should be a UI think, but network extension has no UI Of course any long or blocking operations would not be MainActor

Hi, In my attempt to reconnect NEPacketTunnelProvider, when there is a network change, I am making use of self.reasserting and setTunnelNetworkSettings, and I am calling it with similar parameters as during the startTunnelWithOptions callback and making sure to make a new call for setting the includedRoutes: NEPacketTunnelNetworkSettings.IPv4Settings.includedRoutes = @[NEIPv4Route.defaultRoute]; This works sometimes, when I switch to a new network, but most of the time the traffic flow stops and it only works when I switch back to the first network. The only difference I could see in the routing table when it works is when there is a presence of Apple Specific network routes as follows: 17.57.145.133 link#22 UHWIig utun4 17.57.145.135 link#22 UHWIig utun4 17.57.145.137 link#22 UHWIig utun4 or 13.107.246.47 link#22 UHW3Ig utun4 17.57.145.148 link#22 UHWIig utun4 17.57.145.149 link#22 UHWIig utun4 37.252.171.52 link#22 UHWIig utun4 37.252.173.215 link#22 UHWIig utun4 Note: utun4 has index of 22 or some other combination of routes for Apple, I am not sure what these routes are for but they are present when NEPacketTunnelProvider starts. When switching to a new network and calling setTunnelNetworkSettings of NEPacketTunnelProvider, in any case when these routes are not present the traffic flow stops and it works otherwise. Switching back the first network, brings back these routes and the traffic flow continues, although it also goes through the same setTunnelNetworkSettings call and logic. I am not sure if these route table entries could be the culprit, because I did try to add them manually and that didn't help but my guess is that some system calls are failing for some unknown reason which might be the reason for the missing routes and some other configuration needed for proper traffic flow, which I am not seeing. Any help or information would be greatly appreciated. Thanks.

We found that when we only set one App Category and one Traffic Category in Xcode entitlements, the built application will contain all App Categories and Traffic Categories in the embedded.mobileprovision file, is it expected? Entitlements file: &lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;com.apple.developer.networking.slicing.appcategory&lt;/key&gt; &lt;array&gt; &lt;string&gt;streaming-9001&lt;/string&gt; &lt;/array&gt; &lt;key&gt;com.apple.developer.networking.slicing.trafficcategory&lt;/key&gt; &lt;array&gt; &lt;string&gt;avstreaming-7&lt;/string&gt; &lt;/array&gt; &lt;/dict&gt; &lt;/plist&gt; embedded.mobileprovision: &lt;key&gt;Entitlements&lt;/key&gt; &lt;dict&gt; &lt;key&gt;com.apple.developer.networking.slicing.appcategory&lt;/key&gt; &lt;array&gt; &lt;string&gt;communication-9000&lt;/string&gt; &lt;string&gt;games-6014&lt;/string&gt; &lt;string&gt;streaming-9001&lt;/string&gt; &lt;/array&gt; &lt;key&gt;com.apple.developer.networking.slicing.trafficcategory&lt;/key&gt; &lt;array&gt; &lt;string&gt;defaultslice-1&lt;/string&gt; &lt;string&gt;video-2&lt;/string&gt; &lt;string&gt;background-3&lt;/string&gt; &lt;string&gt;voice-4&lt;/string&gt; &lt;string&gt;callsignaling-5&lt;/string&gt; &lt;string&gt;responsivedata-6&lt;/string&gt; &lt;string&gt;avstreaming-7&lt;/string&gt; &lt;string&gt;responsiveav-8&lt;/string&gt; &lt;/array&gt;

I'm simply trying to use a proxy to route a http request in Swift to measure the average round trip time of a list of proxies. I've went through multiple Stack Overflow threads on this topic but they are all super old / outdated. format:host:port:username:password I also added the info.plist entry: NSAllowsArbitraryLoads -&gt; NSExceptionDomains When I call the function below I am prompted with a menu that says "Proxy authentication required. Enter the password for HTTP proxy ... in settings" I closed this menu inside my app and tried the function below again and it worked without giving me the menu a second time. However even though the function works without throwing any errors, it does NOT use the proxies to route the request. Why does the request work (throws no errors) but does not use the proxies? I'm assuming it's because the password isn't entered in the settings as the alert said. My users will want to test proxy speeds for many different Hosts/Ports, it doesn't make sense to enter the password in settings every time. How can I fix this issue? func averageProxyGroupSpeed(proxies: [String], completion: @escaping (Int, String) -&gt; Void) { let numProxies = proxies.count if numProxies == 0 { completion(0, "No proxies") return } var totalTime: Int64 = 0 var successCount = 0 let group = DispatchGroup() let queue = DispatchQueue(label: "proxyQueue", attributes: .concurrent) let lock = NSLock() let shuffledProxies = proxies.shuffled() let selectedProxies = Array(shuffledProxies.prefix(25)) for proxy in selectedProxies { group.enter() queue.async { let proxyDetails = proxy.split(separator: ":").map(String.init) guard proxyDetails.count == 4, let port = Int(proxyDetails[1]), let url = URL(string: "http://httpbin.org/get") else { completion(0, "Invalid proxy format") group.leave() return } var request = URLRequest(url: url) request.timeoutInterval = 15 let configuration = URLSessionConfiguration.default configuration.connectionProxyDictionary = [ AnyHashable("HTTPEnable"): true, AnyHashable("HTTPProxy"): proxyDetails[0], AnyHashable("HTTPPort"): port, AnyHashable("HTTPSEnable"): false, AnyHashable("HTTPUser"): proxyDetails[2], AnyHashable("HTTPPassword"): proxyDetails[3] ] let session = URLSession(configuration: configuration) let start = Date() let task = session.dataTask(with: request) { _, _, error in defer { group.leave() } if let error = error { print("Error: \(error.localizedDescription)") } else { let duration = Date().timeIntervalSince(start) * 1000 lock.lock() totalTime += Int64(duration) successCount += 1 lock.unlock() } } task.resume() } } group.notify(queue: DispatchQueue.main) { if successCount == 0 { completion(0, "Proxies Failed") } else { let averageTime = Int(Double(totalTime) / Double(successCount)) completion(averageTime, "") } } }

I'm using the NEHotspotConfigurationManager class, with joinOnce = false, to connect to a Wi-Fi network that lacks internet access (IoT device). After restarting my iPhone, the first connection to this network disconnects automatically in less than a minute. All subsequent connections remain stable without disconnecting. What could be causing this?

I'm able to discover a service with Bonjour, which gets me an nw_browse_result_t from which I can get an nw_endpoint_t and then an nw_connection_t. That's all fine. But this particular service runs on 3 ports. The port numbers of the other 2 ports are in the txt record (but they are well-known and stable anyway). How can I create 2 more nw_connection_t to the same host/IP but on a different port? I already have this working with NSNetService, but am trying to update to Network.framework. I've found nw_endpoint_get_address() but the docs say it returns null "if the endpoint is not of type nw_endpoint_type_address" and indeed nw_browse_result_t gives me an nw_endpoint_type_bonjour_service.

way to display it is by holding the Option key and clicking the Wi-Fi icon. In macOS 14.0, wdutil was still usable, but in 14.6.1, the returned information is now . I am unsure if there is an official way to obtain the corresponding BSSID. I need to process the BSSID in my code, so either a command-line tool or an API would work.

Reproduce: Download live-caller-id-lookup-example Add let url = URL(string: "http://another-macbook.local:80")! let task = URLSession.shared.dataTask(with: url) {(data, response, error) in guard let data = data else { return } print(String(data: data, encoding: .utf8)!) } task.resume() anywhere in the code run PIRService target in xcode Result: no dialogue, host is unreachable Works fine when launching same binary from terminal

In https://developer.apple.com/forums/thread/128705?answerId=405119022#405119022, it is said that But if it’s holding up connections that match the on demand rules, that’s the correct behaviour. So if there was an on demand rule to connect for all domains (Connect rule without any matching criteria), all traffic would be held up while in the connecting state. The problem is that a customer can have SSO configured so that auth happens outside of the vpn app. So sequence would be Connect for all domains on demand rule triggers vpn connection VPN, in order to connect, tries auth through a broker app. VPN is in connecting state and blocks broker app traffic and so auth cannot complete and it cannot connect. I tried adding an on demand rule for EvaluateConnection and never connect for the auth domains. However, that caused the vpn to never be triggered to connect. Is it possible to support the scenario of an on demand rule to connect for all domains while having a vpn connection dependent on auth done in a separate app? Do you have any recommendations?

We are developers of an app, we found that there's no LN prompt for users to install the app for the 1st time on ios18. We used the following method to prompt the "allow/not allow" alert: // Attempts to trigger the local network privacy alert. /// /// This builds a list of link-local IPv6 addresses and then creates a connected /// UDP socket to each in turn. Connecting a UDP socket triggers the local /// network alert without actually sending any traffic. /// /// This is a ‘best effort’ approach, and it handles errors by ignoring them. /// There’s no guarantee that it’ll actually trigger the alert (FB8711182). func triggerLocalNetworkPrivacyAlert() { let addresses = selectedLinkLocalIPv6Addresses() for address in addresses { let sock6 = socket(AF_INET6, SOCK_DGRAM, 0) guard sock6 >= 0 else { return } defer { close(sock6) } withUnsafePointer(to: address) { sa6 in sa6.withMemoryRebound(to: sockaddr.self, capacity: 1) { sa in _ = connect(sock6, sa, socklen_t(sa.pointee.sa_len)) >= 0 } } } }