Do we have clear document around multiple content filter applications running on single device.? While the documentation says 8 content filters and Only one filter available for system-wide use, there is no clear mention about below scenarios - Which content filter will get precedence? System-wide or App managed? Can there be mulitple Content filters configured for same managed application? Will all control provider running on the device get notified about network traffic ? I searched the forums to get a clear answer but seems older threads where nothing was conclusive. Thanks in advance for the help !!

Hello! I have a quirky situation that I am looking for a solution to. The iOS app I am working on needs to be able to communicate with systems that do not have valid root certs. Furthermore, these systems addresses will be sent to the user at run time. The use case is that administrators will provide a self signed certificate (.pem) for the iPhones to download which will then be used to pass the authentication challenge. I am fairly new to customizing trust and my understanding is that it is very easy to do it incorrectly and expose the app unintentionally. Here is our users expected workflow: An administrator creates a public ip server. The ip server is then configured with dns. A .pem file that includes a self signed certificate is created for the new dns domain. The pem file is distributed to iOS devices to download and enable trust for. When they run the app and attempt to establish connection with the server, it will not error with an SSL error. When I run the app without modification to the URLSessionDelegate method(s) I do get an SSL error. Curiously, attempting to hit the same address in Safari will not show the insecure warning and proceed without incident. What is the best way to parity the Safari use case for our app? Do I need to modify the urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) method to examine the NSURLAuthenticationMethodServerTrust? Maybe there is a way to have the delegate look through all the certs in keychain or something to find a match? What would you advise here? Sincerely thank you for taking the time to help me, ~Puzzled iOS Dev

Hello, I am planning to build content filter application for iOS platform and based on the documentation I have read, it's not clear if I can just inspect/monitor network traffic and not filter or block URLs in the NEFilterDataProvider. Is this a valid use case ? With this approach, will the App get rejected during the App review.?

The app is an official Apple app: https://developer.apple.com/documentation/wifiaware/building-peer-to-peer-apps. I have two phones, an iPhone 12 and an iPhone 13, both with Bluetooth turned on and connected to the same WiFi. The devices paired successfully the first time, but after I reset the Wi-Fi identifier in Settings - Privacy & Security - Paired Devices, the devices could no longer pair. Specifically, one device displays a PIN input pop-up, but the other device does not show the PIN. What could be the reason for this?

{"bug_type":"210","timestamp":"2025-07-04 14:19:35.00 +0800","os_version":"macOS 15.5 (24F74)","roots_installed":0,"incident_id":"5457889A-1002-4389-BAE6-A447733EFD78"} { "build" : "macOS 15.5 (24F74)", "product" : "MacBookPro18,4", "socId" : "6001", "socRevision" : "11", "incident" : "5457889A-1002-4389-BAE6-A447733EFD78", "crashReporterKey" : "4ABE0CA2-C60B-8B0E-557A-C0BDEB1E9144", "kernel" : "Darwin Kernel Version 24.5.0: Tue Apr 22 19:54:49 PDT 2025; root:xnu-11417.121.62/RELEASE_ARM64_T6000", "date" : "2025-07-04 14:19:35.95 +0800", "panicString" : "panic(cpu 1 caller 0xfffffe00215f28e8): Kernel data abort. at pc 0xfffffe0021310d9c, lr 0x37a67e002116f050 (saved state: 0xfffffe60706d3240)\n\t x0: 0xfffffe2eaac676f8 x1: 0x0000000000000000 x2: 0xfffffe002116f050 x3: 0x0000000000000002\n\t x4: 0x0000000000002021 x5: 0xffffffffffffffff x6: 0x0000000000000000 x7: 0x0000006ddf79e068\n\t x8: 0xf9555cb919b50093 x9: 0x0000000000000000 x10: 0x0000000000000054 x11: 0x0000000000000000\n\t x12: 0xfffffe002477dfc8 x13: 0x0000000000000001 x14: 0x0000000000000052 x15: 0x0000000000000000\n\t x16: 0x0000020061052ad4 x17: 0x0000000000000001 x18: 0x0000000000000000 x19: 0xfffffe2eaa38d000\n\t x20: 0x0000000000000000 x21: 0xfffffe2eaac676f8 x22: 0x0000000000000020 x23: 0xfffffe2eab90f000\n\t x24: 0x000000001e22b50a x25: 0x0000000000000000 x26: 0x0000000000000000 x27: 0xfffffe2eab90efb4\n\t x28: 0x0000000000003500 fp: 0xfffffe60706d35b0 lr: 0x37a67e002116f050 sp: 0xfffffe60706d3590\n\t pc: 0xfffffe0021310d9c cpsr: 0x60401208 esr: 0xfffffe6096000006 far: 0x0000000000000068\n\nDebugger message: panic\nMemory ID: 0x6\nOS release type: User\nOS version: 24F74\nKernel version: Darwin Kernel Version 24.5.0: Tue Apr 22 19:54:49 PDT 2025; root:xnu-11417.121.62/RELEASE_ARM64_T6000\nFileset Kernelcache UUID: AF6531DB60D1EB2338126CF77682B8DE\nKernel UUID: CBC2F718-53E4-3C8D-BEC7-FB6DDC3318E1\nBoot session UUID: 5457889A-1002-4389-BAE6-A447733EFD78\niBoot version: iBoot-11881.121.1\niBoot Stage 2 version: iBoot-11881.121.1\nsecure boot?: YES\nroots installed: 0\nPaniclog version: 14\nKernelCache slide: 0x0000000018540000\nKernelCache base: 0xfffffe001f544000\nKernel slide: 0x0000000018548000\nKernel text base: 0xfffffe001f54c000\nKernel text exec slide: 0x0000000019ce0000\nKernel text exec base: 0xfffffe0020ce4000\nmach_absolute_time: 0x6ddf85c206\nEpoch Time: sec usec\n Boot : 0x686680ed 0x000c5ab2\n Sleep : 0x68676ff9 0x0005fdc0\n Wake : 0x68677007 0x000d2cfa\n Calendar: 0x68677252 0x00021537\n\nZone info:\n Zone map: 0xfffffe1016000000 - 0xfffffe3616000000\n . VM : 0xfffffe1016000000 - 0xfffffe15e2000000\n . RO : 0xfffffe15e2000000 - 0xfffffe187c000000\n . GEN0 : 0xfffffe187c000000 - 0xfffffe1e48000000\n . GEN1 : 0xfffffe1e48000000 - 0xfffffe2414000000\n . GEN2 : 0xfffffe2414000000 - 0xfffffe29e0000000\n . GEN3 : 0xfffffe29e0000000 - 0xfffffe2fac000000\n . DATA : 0xfffffe2fac000000 - 0xfffffe3616000000\n Metadata: 0xfffffe5e3a010000 - 0xfffffe5e43810000\n Bitmaps : 0xfffffe5e43810000 - 0xfffffe5e4f500000\n Extra : 0 - 0\n\nTPIDRx_ELy = {1: 0xfffffe28ded6aff0 0: 0x0000000000000001 0ro: 0x000000016fd330e0 }\nCORE 0 PVH locks held: None\nCORE 1 PVH locks held: None\nCORE 2 PVH locks held: None\nCORE 3 PVH locks held: None\nCORE 4 PVH locks held: None\nCORE 5 PVH locks held: None\nCORE 6 PVH locks held: None\nCORE 7 PVH locks held: None\nCORE 8 PVH locks held: None\nCORE 9 PVH locks held: None\nCORE 0: PC=0xfffffe0020f2d330, LR=0xfffffe0020f2d368, FP=0xfffffe60717cb460\nCORE 1 is the one that panicked. Check the full backtrace for details.\nCORE 2: PC=0xfffffe0020d81094, LR=0xfffffe0020d81094, FP=0xfffffe607167bed0\nCORE 3: PC=0xfffffe0020d81094, LR=0xfffffe0020d81094, FP=0xfffffe60725d3ed0\nCORE 4: PC=0xfffffe0020d81094, LR=0xfffffe0020d81094, FP=0xfffffe6072bafed0\nCORE 5: PC=0xfffffe0020d81094, LR=0xfffffe0020d81094, FP=0xfffffe6072197ed0\nCORE 6: PC=0xfffffe0020d81094, LR=0xfffffe0020d81094, FP=0xfffffe60727abed0\nCORE 7: PC=0xfffffe0020d81094, LR=0xfffffe0020d81094, FP=0xfffffe6071897ed0\nCORE 8: PC=0xfffffe0020d81094, LR=0xfffffe0020d81094, FP=0xfffffe607149bed0\nCORE 9: PC=0xfffffe0020d81094, LR=0xfffffe0020d81094, FP=0xfffffe607214bed0\nCompressor Info: 0% of compressed pages limit (OK) and 0% of segments limit (OK) with 0 swapfiles and OK swap space\nPanicked task 0xfffffe1d4729c7a0: 1925 pages, 14 threads: pid 36674: com.TE.TEDataCloak.ne\nPanicked thread: 0xfffffe28ded6aff0, backtrace: 0xfffffe60706d28f0, tid: 743602\n\t\t lr: 0xfffffe0020d432b4 fp: 0xfffffe60706d2980\n\t\t lr: 0xfffffe0020ea52f8 fp: 0xfffffe60706d29f0\n\t\t lr: 0xfffffe0020ea3554 fp: 0xfffffe60706d2ab0\n\t\t lr: 0xfffffe0020cebb98 fp: 0xfffffe60706d2ac0\n\t\t lr: 0xfffffe0020d42b98 fp: 0xfffffe60706d2e90\n\t\t lr: 0xfffffe00215e7388 fp: 0xfffffe60706d2eb0\n\t\t lr: 0xfffffe00215f28e8 fp: 0xfffffe60706d30c0\n\t\t lr: 0xfffffe0020ea5154 fp: 0xfffffe60706d3160\n\t\t lr: 0xfffffe0020ea36c8 fp: 0xfffffe60706d3220\n\t\t lr: 0xfffffe0020cebb98 fp: 0xfffffe60706d3230\n\t\t lr: 0xfffffe002116f050 fp: 0xfffffe60706d35b0\n\t\t lr: 0xfffffe002116f050 fp: 0xfffffe60706d3730\n\t\t lr: 0xfffffe002116de88 fp: 0xfffffe60706d3780\n\t\t lr: 0xfffffe0021180174 fp: 0xfffffe60706d3810\n\t\t lr: 0xfffffe002117ea94 fp: 0xfffffe60706d38d0\n\t\t lr: 0xfffffe002117d69c fp: 0xfffffe60706d3a30\n\t\t lr: 0xfffffe0021281400 fp: 0xfffffe60706d3a80\n\t\t lr: 0xfffffe00213146dc fp: 0xfffffe60706d3c10\n\t\t lr: 0xfffffe0021324ff8 fp: 0xfffffe60706d3d00\n\t\t lr: 0xfffffe0021325580 fp: 0xfffffe60706d3de0\n\t\t lr: 0xfffffe00213edc24 fp: 0xfffffe60706d3e50\n\t\t lr: 0xfffffe0020ea35dc fp: 0xfffffe60706d3f10\n\t\t lr: 0xfffffe0020cebb98 fp: 0xfffffe60706d3f20\n\t\t lr: 0xfffffe0020cebb60 fp: 0x0000000000000000\n\nlast started kext at 3810289154: com.apple.filesystems.smbfs\t6.0 (addr 0xfffffe00200f68e0, size 111737)\nloaded kexts:\ncom.paragon-

On "Accessory Interface Specification CarPlay Addendum R10", it says that it is recommended that the accessory uses a MIMO (2x2) hardware configuration, does this imply that WiFi 5 and SISO (1X1) will be phased out in the near future? When will WiFi 6 MIMO (2x2) become mandatory? On "Accessory Interface Specification CarPlay Addendum R10", it says that Spatial Audio is mandatory. However, for aftermarket in-vehicle infotainment (IVI) system due to the number of speakers are less than 6, is it allowed not to support spatial audio for this type of aftermarket IVI system?

Hello, I am seeking guidance regarding the com.apple.managed.vpn.shared keychain access group entitlement for our iOS app, which is required to support managed VPN configurations distributed via MDM profiles. Background: Our app uses the Network Extension framework and requires access to VPN credentials stored in configuration profiles, which—according to Apple documentation and forum posts—necessitates the com.apple.managed.vpn.shared entitlement We have already enabled the standard Network Extension entitlements via the Apple Developer portal What I Have Tried: I referenced the advice from a past Apple DTS engineer in this forum post: https://developer.apple.com/forums/thread/67613 I have submitted multiple requests to Apple Developer Technical Support (DTS) over the past two months, clearly explaining our use case and referencing the official documentation as well as the above forum thread Unfortunately, I have either received no response or responses that do not address my request for the special entitlement Questions: Has anyone successfully received the com.apple.managed.vpn.shared entitlement recently? If so, what was the process and how long did it take? Is there a specific format or information I should include in my DTS request to expedite the process or avoid misunderstandings? Are there any alternative contacts or escalation paths within Apple Developer Support for cases where standard DTS requests are ignored or misunderstood? Thank you in advance for your help

On "Accessory Interface Specification CarPlay Addendum R10", it says that it is recommended that the accessory uses a MIMO (2x2) hardware configuration, does this imply that WiFi 5 and SISO (1X1) will be phased out in the near future? When will WiFi 6 MIMO (2x2) become mandatory? On "Accessory Interface Specification CarPlay Addendum R10", it says that Spatial Audio is mandatory. However, for aftermarket in-vehicle infotainment (IVI) system due to the number of speakers are less than 6, is it allowed not to support spatial audio for this type of aftermarket IVI system?

Hi, We're receiving data via centralManager.centralManager.scanForPeripherals, with no options or filtering (for now), and in the func centralManager(_ central: CBCentralManager, didDiscover peripheral: CBPeripheral, advertisementData: [String : Any], rssi RSSI: NSNumber) callback, we get advertisementData for each bluetooth device found. But, I know one of my BLE devices is sending an Eddystone TLM payload, which generally is received into the kCBAdvDataServiceData part of the advertisementData dictionary, but, it doesn't show up. What is happening however (when comparing to other devices that do show that payload), is I've noticed the "isConnectable" part is false, and others have it true. Technically we're not "connecting" as such as we're simply reading passive advertisement data, but does that have any bearing on how CoreBluetooth decides to build up it's AdvertisementData response? Example (with serviceData; and I know this has Eddystone TLM) ["kCBAdvDataLocalName": FSC-BP105N, "kCBAdvDataRxPrimaryPHY": 1, "kCBAdvDataServiceUUIDs": <__NSArrayM 0x300b71f80>( FEAA, FEF5 ) , "kCBAdvDataTimestamp": 773270526.26279, "kCBAdvDataServiceData": { FFF0 = {length = 11, bytes = 0x36021892dc0d3015aeb164}; FEAA = {length = 14, bytes = 0x20000be680000339ffa229bbce8a}; }, "kCBAdvDataRxSecondaryPHY": 0, "kCBAdvDataIsConnectable": 1] Vs This also has Eddystone TLM configured ["kCBAdvDataLocalName": 100FA9FD-7000-1000, "kCBAdvDataIsConnectable": 0, "kCBAdvDataRxPrimaryPHY": 1, "kCBAdvDataRxSecondaryPHY": 0, "kCBAdvDataTimestamp": 773270918.97273] Any insight would be great to understand if the presence of other flags drive the exposure of ServiceData or not...

I am developing a VoIP application that uses NetworkExtension (Local PUSH function) And VoIP(APNs) PUSH. Since iPhone X, iPhones have supported eSIM, allowing for the simultaneous use of a physical SIM and an eSIM. Consequently, users of our VoIP app have requested the ability to lock the network used by the VoIP app to either the eSIM or the physical SIM. Our VoIP app utilizes the network through the socket API. Is there an API in the iOS SDK to lock the network used via sockets to either the eSIM or the physical SIM? In other words, we would like to be able to retrieve the IP address assigned to the eSIM or the physical SIM in advance, and know which IP address is assigned to which SIM. Are there any such APIs available (that are not "Deprecated")

Apple's Wi-Fi Aware demo shows that pairing is required before establishing a connection. Is this pairing mandatory? Can Android devices pair with Apple devices? My Android device strictly supports Wi-Fi Aware 4.0 and I want to achieve interoperability with Apple devices.

Hi, I'm developing a security-focused iOS application and would like to detect potentially suspicious rogue access points. Specifically, I need to access the BSSID of the currently connected Wi-Fi network to analyze and identify inconsistencies (e.g. multiple APs using the same SSID). I understand that access to certain network information is restricted on iOS. Is it possible to use the Network Extension framework (or any approved API) to retrieve the BSSID? If so, are there any specific entitlements or usage descriptions required to ensure App Store approval? My goal is to implement this functionality in full compliance with App Store Review Guidelines and user privacy policies.

This issue has cropped up many times here on DevForums. Someone recently opened a DTS tech support incident about it, and I used that as an opportunity to post a definitive response here. If you have questions or comments about this, start a new thread and tag it with Network so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" iOS Network Signal Strength The iOS SDK has no general-purpose API that returns Wi-Fi or cellular signal strength in real time. Given that this has been the case for more than 10 years, it’s safe to assume that it’s not an accidental omission but a deliberate design choice. For information about the Wi-Fi APIs that are available on iOS, see TN3111 iOS Wi-Fi API overview. Network performance Most folks who ask about this are trying to use the signal strength to estimate network performance. This is a technique that I specifically recommend against. That’s because it produces both false positives and false negatives: The network signal might be weak and yet your app has excellent connectivity. For example, an iOS device on stage at WWDC might have terrible WWAN and Wi-Fi signal but that doesn’t matter because it’s connected to the Ethernet. The network signal might be strong and yet your app has very poor connectivity. For example, if you’re on a train, Wi-Fi signal might be strong in each carriage but the overall connection to the Internet is poor because it’s provided by a single over-stretched WWAN. The only good way to determine whether connectivity is good is to run a network request and see how it performs. If you’re issuing a lot of requests, use the performance of those requests to build a running estimate of how well the network is doing. Indeed, Apple practices what we preach here: This is exactly how HTTP Live Streaming works. Remember that network performance can change from moment to moment. The user’s train might enter or leave a tunnel, the user might step into a lift, and so on. If you build code to estimate the network performance, make sure it reacts to such changes. Keeping all of the above in mind, iOS 26 beta has two new APIs related to this issue: Network framework now offers a linkQuality property. See this post for my take on how to use this effectively. The WirelessInsights framework can notify you of anticipated WWAN condition changes. But what about this code I found on the ’net? Over the years various folks have used various unsupported techniques to get around this limitation. If you find code on the ’net that, say, uses KVC to read undocumented properties, or grovels through system logs, or walks the view hierarchy of the status bar, don’t use it. Such techniques are unsupported and, assuming they haven’t broken yet, are likely to break in the future. But what about Hotspot Helper? Hotspot Helper does have an API to read Wi-Fi signal strength, namely, the signalStrength property. However, this is not a general-purpose API. Like the rest of Hotspot Helper, this is tied to the specific use case for which it was designed. This value only updates in real time for networks that your hotspot helper is managing, as indicated by the isChosenHelper property. But what about MetricKit? MetricKit is so cool. Amongst other things, it supports the MXCellularConditionMetric payload, which holds a summary of the cellular conditions while your app was running. However, this is not a real-time signal strength value. But what if I’m working for a carrier? This post is about APIs in the iOS SDK. If you’re working for a carrier, discuss your requirements with your carrier’s contact at Apple. Revision History 2025-07-02 Updated to cover new features in the iOS 16 beta. Made other minor editorial changes. 2022-12-01 First posted.

Is There a Reliable Way to Check Local Network Permission Status in 2025? I've read many similar requests, but I'm posting this in 2025 to ask: Is there any official or reliable method to check the current Local Network permission status on iOS 18.x? We need this to guide or navigate users to the appropriate Settings page when permission is denied. Background Our app is an IoT companion app, and Local Network access is core to our product's functionality. Without this permission, our app cannot communicate with the IoT hardware. Sadly, Apple doesn't provide any official API to check the current status of this permission. This limitation has caused confusion for many users, and we frequently receive bug reports simply because users have accidentally denied the permission and the app can no longer function as expected. Our App High Level Flow: 1. Trigger Permission We attempt to trigger the Local Network permission using Bonjour discovery and browsing methods. (see the implementation) Since there's no direct API to request this permission, we understand that iOS will automatically prompt the user when the app makes its first actual attempt to communicate with a local network device. However, in our case, this creates a problem: The permission prompt appears only at the time of the first real connection attempt (e.g., when sending an HTTP request to the IoT device). This results in a poor user experience, as the request begins before the permission is granted. The first request fails silently in the background while the permission popup appears unexpectedly. We cannot wait for the user's response to proceed, which leads to unreliable behavior and confusing flows. To avoid this issue, we trigger the Local Network permission proactively using Bonjour-based discovery methods. This ensures that the system permission prompt appears before any critical communication with the IoT device occurs. We’ve tried alternative approaches like sending dummy requests, but they were not reliable or consistent across devices or iOS versions. (see the support ticket) 2. Wi-Fi Connection: Once permission is granted, we allow the user to connect to the IoT device’s local Wi-Fi. 3. IoT Device Configuration: After connecting, we send an HTTP request to a known static IP (e.g., 192.168.4.1) on the IoT network to configure the hardware. I assume this pattern is common among all Wi-Fi-based IoT devices and apps. Problem: Even though we present clear app-level instructions when the system prompt appears, some users accidentally deny the Local Network permission. In those cases, there’s no API to check if the permission was denied, so: We can’t display a helpful message. We can’t guide the user to Settings → Privacy &amp; Security → Local Network to re-enable it. The app fails silently or behaves unpredictably. Developer Needs: As app developers, we want to handle negative cases gracefully by: Detecting if the Local Network permission was denied Showing a relevant message or a prompt to go to Settings Preventing silent failures and improving UX So the question is: What is the current, official, or recommended way to determine whether Local Network permission is granted or denied in iOS 18.x (as of 2025)? This permission is critical for a huge category of apps especially IoT and local communication-based products. We hope Apple will offer a better developer experience around this soon. Thanks in advance to anyone who can share updated guidance.

Hi everyone, I’m working on an iOS project where an iPhone needs to connect to external scanners (dedicated hardware devices) over Wi-Fi. The goal is to: Discover available Wi-Fi networks from the scanner devices (broadcasting their own networks). Allow the user to seamlessly connect to the chosen scanner network. Network Discovery: Is there a way to programmatically list available Wi-Fi networks (SSIDs) on iOS without private APIs? If not, are there workarounds (e.g., Bonjour/mDNS)? Seamless Connection: As I see, we can use NEHotspotConfigurationManager to connect to and disconnect from specified networks and there will always be a system alert asking about do we really want to join this network Hardware/Firmware/Software Alternatives: If iOS restrictions prevent this, what alternatives exist? For example: Hardware: Scanners supporting Bluetooth LE for initial pairing, then Wi-Fi provisioning. Firmware: Scanners acting as clients on the same network as the iPhone (e.g., via user’s home/office Wi-Fi). Software: A companion app for the scanner that shares network credentials via QR code/NFC, or a local web server on the scanner for setup. Context: Target: iOS 16+ No jailbreaking; App Store compliance is a must. Scanners can be configured to act as APs or clients.

I have an iPad app that uses Network framework to allow iPads to wirelessly communicate via their built-in ad hoc network capability. However, our app is used in an enterprise environment and there's concern about them communicating wirelessly, so I've been tasked with looking into wired communication. Question: I've read that iOS can connect to a wifi network using an Ethernet adapter, but would this work for ad hoc networking? For ex, if I connect 2 iPads via Ethernet cables to each other (not to the wifi router), and have the NWListener start broadcasting itself, can the NWBrowser find it and establish an ad-hoc connection via the Ethernet cables (and not the wireless cards inside the iPads). The iPads don't have any wifi connections established so they wouldn't be able to communicate any other way. My guess is no...though if they did connect, how would I know it has happening via the cables and not via the wireless ad hoc capability, because I'm guessing there's no way to turn off just the wireless part of the ad hoc feature? If you disable the wifi on an iPad, you're also disabling ad hoc, right? I'm pretty sure there's no way to programmatically send data back and forth between iPads using a USB-C cable connection, so I'm trying to determine if Ethernet cables would work.

Hi Team, With Mac OS26, the "Login Items and Extension" is presented under two tabs " apps " and "Extensions" , when trying to enable the item from apps tab the toggle button is not toggling( looks like this is just a status only button (read only not edit). Any one else seeing this issue for their Network system extension app.

We are developing an IoT companion app that connects to the IoT device's Wi-Fi network and communicates with it through local network APIs. To support this functionality, we have: Added the necessary keys in the Info.plist. NSLocalNetworkUsageDescription , NSBonjourServices Used a Bonjour service at app launch to trigger the local network permission prompt. Problem on iOS 18.x (including 18.6 beta) Even when the user explicitly denies the local network permission, our API communication still works. This is unexpected behavior, as we assume denying permission should restrict access to local network communication. We tested this with the latest iOS 18.6 beta (as per Thread 789461021), but the issue still persists. This behavior raises concerns about inconsistent permission enforcement in iOS 18.x. Problem on iOS 17.x In iOS 17.x, if the user accidentally denies the local network permission and later enables it manually via Settings, the change does not take effect immediately. The app cannot access the local network unless the device is restarted, which results in a confusing and poor user experience. Expected Behavior If local network permission is denied, local API communication should be strictly blocked. If the permission is later enabled via Settings, the app should regain access without requiring a device restart. Request We request clarification and resolution on: Why local network APIs are accessible even when permission is denied on iOS 18.x. Whether the delayed permission update (requiring restart) in iOS 17.x is expected or a known issue. Best practices to ensure consistent and predictable permission handling across iOS versions.

If the includeAllNetworks flag to true, we cannot update our app via Xcode, TestFlight or the AppStore. In the AppStore and TestFlight cases, it seems that the packet tunnel process is stopped before the new app is downloaded - once the packet tunnel process is stopped, it can’t be started again via Settings/VPN profiles, nor can it be started via the app.

We need your assistance as we are currently facing an issue without a workaround for users on macOS 15.4 and 15.5. FeedbackID: FB17547675 The problem has been observed on macOS versions 15.4 and 15.5. Apple has acknowledged this issue and confirmed that it is fixed in the macOS 15.6 beta. Although we tried to reproduce the issue in our environment, it did not occur, even on macOS 15.5. Therefore, we cannot verify if the fix in macOS 15.6 beta resolves the problem. We are actively working to identify an appropriate workaround for users on macOS 15.5. Some users have reported a failure to obtain an IP address over Wi-Fi, possibly due to a DHCP failure. As a temporary solution, we added logic to restart Wi-Fi programmatically when either an APIPA address (169.254.x.x) or no IPv4 address is detected on the active interface. However, restarting Wi-Fi does not always resolve the issue, and the device may still fail to obtain an IP address over Wi-Fi or Ethernet. Could you advise if there is a reliable method to detect DHCP failure and recover the device from this state? Also, any idea, how we can reproduce this scenario in our machine? Below is the failure. default 2025-06-27 10:07:57.055003 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:07:57.055269 -0700 configd DHCP en0: status = 'no server' default 2025-06-27 10:08:23.336215 -0700 airportd WiFiUsageBssSession:: ChannelAfterRoam=0; ChannelAtJoin=36; FaultReasonApsdTimedOut=0; FaultReasonArpFailureCount=0; FaultReasonBrokenBackhaulLinkFailed=0; FaultReasonDhcpFailure=0; default 2025-06-27 10:08:23.367852 -0700 configd DHCP en0: status = 'media inactive' default 2025-06-27 10:08:23.367909 -0700 configd DHCP en0: INACTIVE default 2025-06-27 10:08:23.988565 -0700 configd DHCP en0: status = 'media inactive' default 2025-06-27 10:08:23.988703 -0700 configd DHCP en0: INACTIVE info 2025-06-27 10:08:23.988852 -0700 configd DHCPv6 en0: Inactive default 2025-06-27 10:08:35.656415 -0700 configd DHCP en0: status = 'network changed' default 2025-06-27 10:08:35.656817 -0700 configd DHCP en0: INIT default 2025-06-27 10:08:35.656821 -0700 configd DHCP en0: supplying device type 'Mac' info 2025-06-27 10:08:35.656934 -0700 configd DHCP en0: busy default 2025-06-27 10:08:35.657351 -0700 configd DHCP en0: INIT waiting at 0 for 1.358613 info 2025-06-27 10:08:35.657404 -0700 configd DHCPv6 en0: Inactive default 2025-06-27 10:08:37.019229 -0700 configd DHCP en0: INIT waiting at 1.36206 for 2.113913 default 2025-06-27 10:08:39.136955 -0700 configd DHCP en0: INIT waiting at 3.47937 for 4.462224 default 2025-06-27 10:08:43.602229 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:08:43.603143 -0700 configd DHCP en0: INIT waiting at 7.94533 for 8.128784 default 2025-06-27 10:08:51.735532 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:08:51.735846 -0700 configd DHCP en0: INIT waiting at 16.0786 for 8.749985 default 2025-06-27 10:09:00.488315 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:09:00.488550 -0700 configd DHCP en0: INIT waiting at 24.8313 for 8.496864 default 2025-06-27 10:09:08.988284 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:09:08.988310 -0700 configd DHCP en0: reported address acquisition failure symptom default 2025-06-27 10:09:08.988579 -0700 configd DHCP en0: INIT waiting at 33.3312 for 8.300735 default 2025-06-27 10:09:17.294478 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:17.294485 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:17.295454 -0700 configd DHCP en0: INIT waiting at 41.6373 for 8.798768 default 2025-06-27 10:09:26.096673 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:26.096688 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:26.097553 -0700 configd DHCP en0: INIT waiting at 50.4394 for 8.807943 default 2025-06-27 10:09:34.909050 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:34.909054 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:34.909375 -0700 configd DHCP en0: INIT waiting at 59.2517 for 8.877971 default 2025-06-27 10:09:43.792458 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:43.792464 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:43.793641 -0700 configd DHCP en0: status = 'no server' info 2025-06-27 10:09:43.794145 -0700 configd DHCP en0: not busy DNS failure resolver #1 flags : reach : 0x00000000 (Not Reachable) resolver #2 domain : local options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300000 resolver #3 domain : 254.169.in-addr.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300200 resolver #4 domain : 8.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300400 resolver #5 domain : 9.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300600 resolver #6 domain : a.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300800 resolver #7 domain : b.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 301000 Route table Destination Gateway Flags Netif Expire 127 127.0.0.1 UCS lo0 127.0.0.1 127.0.0.1 UH lo0 169.254 link#14 UCS en0 ! 169.254.160.160/32 link#14 UCS en0 ! 224.0.0/4 link#14 UmCS en0 ! 224.0.0.251 1:0:5e:0:0:fb UHmLWI en0 239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0 255.255.255.255/32 link#14 UCS en0 !