In my Packet Tunnel Provider, I'm setting the NEDNSSettings to localhost as I have a local DNS server listening on port 53 (this is a dns forwarder which conditionally forwards to different upstreams based on rules).
On iOS it works just fine: I'm able to listen on localhost:53 in the Network Extension, then set the NEDNSSettings servers to "127.0.0.1".
However, on macOS, because the port is under 1024, I get a "Permission denied" (OS error code 13) error. I'm assuming this is due to the Network Extension not running as root. Can this be changed?
This could be rectified if you could customize the port in NEDNSSettings, as the listener could be on port 5353, but it doesn't look like it is possible?
Just wondering if there is some other way to accomplish what I'm trying to do in the macOS Network Extension?
Networking
Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.
After installing iOS 18.1 RC, VPN using the IKEv2 and WireGuard protocols stopped working. The VPN successfully connects, but there is no internet. On older versions everything works fine. With the OpenVPN protocol everything works fine. I haven't found any errors in Console.log.
Topic:
App & System Services
SubTopic:
Networking
Starting from macOS 15 (macOS Sequoia), a new pop-up is triggered: "Local Network Privacy." We have some questions regarding this new pop-up on macOS:
Question 1: If a launchd daemon invokes a command-line tool, will this tool trigger the local network prompt if it attempts to access the network?
We use a launchd daemon which runs in the root context and is started from /Library/LaunchDaemons/.
Question 2: How will this prompt work across various macOS executables?
I have read other developer forum articles and the Local Network Privacy FAQ (https://developer.apple.com/forums/thread/663858). The responses are a little unclear, and any insight into these questions would be very helpful with these new requirements.
I used the SSH approach described in the post https://developer.apple.com/forums/thread/703234 to add TLS trust for the local accessory device with a self-signed certificate.
In the Info.plist, I disabled App Transport Security for local networking by setting the NSAllowsLocalNetworking property, as mentioned in the post.
However, I am still encountering the following SSL error:
ATS failed system trust
Connection 3: system TLS Trust evaluation failed(-9802)
Connection 3: TLS Trust encountered error 3:-9802
Connection 3: encountered error(3:-9802)
Task <9432C2C5-C7A1-44E4-95CC-2AFA49D6C501>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
Task <9432C2C5-C7A1-44E4-95CC-2AFA49D6C501>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3
In the code everything is working fine. The certificates are compared and CFEqual(expected, actual) returns true. Also, in the URLSession delegate method, the handler is invoked with
return completionHandler(.useCredential, credential)
When I disable ATS in Info.plist by setting NSAllowsArbitraryLoads, it works fine.
I have the following questions:
Should I disable ATS by setting NSAllowsArbitraryLoads along with setting ?
Instead of accepting the server certificate for the first time and saving it in the app, why can’t we embed the self-signed certificate in the app directly and use it for comparison?
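For reference, here is how the comparison the post describes (server leaf certificate checked byte-for-byte against one embedded in the app) can be done in a URLSession delegate. This is an added example, not code from the original post; the resource name "accessory.der" is an assumption, and SecTrustCopyCertificateChain needs iOS 15 / macOS 12 or later.

```swift
import Foundation
import Security

/// Pins the server's leaf certificate to a DER file shipped in the app bundle.
/// Added example; the bundled resource name is assumed, not taken from the post.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let expectedDER: Data

    /// Fails (returns nil) if the bundled certificate is missing or not valid DER,
    /// so a broken build cannot silently fall back to "trust anything".
    init?(bundledCertificateNamed name: String = "accessory", in bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: name, withExtension: "der"),
              let der = try? Data(contentsOf: url),
              SecCertificateCreateWithData(nil, der as CFData) != nil else {
            return nil
        }
        expectedDER = der
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle server-trust challenges; everything else gets default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Index 0 of the chain is the leaf the server actually presented.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Compare the DER encodings, not object identity.
        let leafDER = SecCertificateCopyData(leaf) as Data
        if leafDER == expectedDER {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Mismatch: refuse rather than letting URLSession fall back to system trust.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: let delegate = PinnedSessionDelegate()!
//        let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

Pinning to the exact leaf means the app must ship a new build (or a rotation mechanism) whenever the accessory's certificate changes; that is the trade-off against accepting whatever the device presents on first contact.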
We have an app which is using CTSubscriber.simInserted (using the carrier entitlement com.apple.CommCenter.fine-grained).
In iOS 18, simInserted returns false for every sim (where it should instead be returning true).
Presumably this is just a temporary bug in the 18 beta?
I can build the SimpleFirewall application (https://developer.apple.com/documentation/networkextension/filtering_network_traffic) using Xcode.
After I run the application, it seems it can't block any traffic.
I find there are some logs from the network extension process:
networkd_settings_read_from_file Sandbox is preventing this process from reading networkd settings file at "/Library/Preferences/com.apple.networkd.plist", please add an exception.
Is there any step I am missing?
I am working on developing a Mac app that will be distributed outside of the App Store.
I have added the network extension, which is packaged in a System Extension with the packet tunnel capability.
I have created a build following these steps here: https://developer.apple.com/forums/thread/737894
based on your suggestions in my accepted post: https://developer.apple.com/forums/thread/761251
It works fine in this case when the machine has SIP disabled and systemextensionsctl developer on.
As soon as I have made changes on the machine to systemextensionsctl developer off and SIP enabled, System Extension stopped loading.
I have copied the app to the "/Applications" directory before opening it.
When I check the loading status of the system extension with the "systemextensionsctl list" command, it shows as "[validating by category]"
Am I missing something? Thanks in advance.
The first time my app was opened on macOS 15, after I enabled LNP, it could access the local network (a socket service was opened locally). But when I restarted the computer and opened the app again, it could not access the local network. Why?
Solution: 1. disable and re-enable LNP, or 2. reinstall the app.
Hi,
Brief background on what I'm trying to achieve:
I have an IoT device that produces an HLS stream of saved videos when they are accessed through the device's broadcast hotspot. To access the hotspot, I use an NEHotspotConfiguration. When I use AVPlayer to watch the HLS stream, everything is fine! When I use a media pod (VLC) to try to consume the HLS stream, traffic goes over the cellular network even though the device's host address is 192.168.1.254. I am under the impression this is ALWAYS a local network device.
I haven't spent much time digging into the code for VLC to figure out why, but when I disable cell network in my app's settings, the VLC request resolves perfectly. I have been served radio silence on their forums and issues, so I thought if there's another solution this would be the place to ask!
Is there something going on with the way iOS handles web requests to local network devices? My IoT device's hotspot never has internet access, and after reading Quinn's Extra-ordinary Networking advice (https://developer.apple.com/forums/thread/734348), I'm still lost for how I can force my request to go to the WiFi network rather than cellular...
Does anyone have any recommendations?
Thanks in advance!
Topic:
App & System Services
SubTopic:
Networking
Tags:
Network
Network Extension
HTTP Live Streaming
The OpenSSL library interface to the Allegro Common Lisp system stopped working with macOS 15.x (15.0.1 and 15.1).
We have tried many versions of OpenSSL. 1.1.1t (which we built ourselves), 3.0.x, 3.3.x, 3.4.0. All work fine on macOS 14 and earlier. All fail on macOS 15.
What is bizarre about the failure: we can load the SSL libraries fine, but when we try to make an outgoing connection it fails (with varying errors). Also, trying to use lldb to debug just hangs, once we step into the SSL libraries.
More specifically, using Homebrew OpenSSL 3.0.15 gives an exception that we see in lldb, but we cannot step into SSL_ctrl(), which is in libssl.3.dylib, provided by Homebrew.
We have also tried a version of OpenSSL 1.1.1t that we built ourselves (and codesigned and is included in the notarized app), and it fails with a SEGV, rather than the error below, which is using 3.0.15:
What started this were errors using the OpenSSL libraries. Here's the use case:
cl-user(2): (net.aserve.client:do-http-request "https://franz.com")
(net.aserve.client:do-http-request "https://franz.com")
Error: Received signal number 0
[condition type: synchronous-operating-system-signal]
Restart actions (select using :continue):
0: Return to Top Level (an "abort" restart).
1: Abort entirely from this (lisp) process.
[1] cl-user(3): :zo :all t :count 5
:zo :all t :count 5
Evaluation stack:
... 5 more newer frames ...
(excl::SSL_ctrl 6133462816 55 ...)
(excl::ssl-device-open-common #<excl::ssl-client-stream closed fd # @ #x3079fed32> nil ...)
->((method device-open (excl::ssl-client-stream t t)) #<excl::ssl-client-stream closed fd # @ #x3079fed32> t ...)
((:internal (:effective-method 3 nil nil nil t) 0) #<excl::ssl-client-stream closed fd # @ #x3079fed32> t ...)
((:runsys sys::lisp_apply))
[... excl::function_lisp_apply ]
(excl::caching-miss #<standard-generic-function device-open> (# t #) ...)
[... device-open ]
... more older frames ...
[1] cl-user(4):
If you want to see the problem for yourself, I created a new, signed and notarized version of our application https://franz.com/ftp/pri/layer/acl11.0express-macos-arm64.dmg.
To use it, install Homebrew and do brew install openssl@3.0, then execute the following to get the error:
cd /Applications/AllegroCL64express.app/Contents/Resources
env ACL_OPENSSL_VERSION=30 DYLD_LIBRARY_PATH="$(brew --prefix openssl@3.0)/lib:$DYLD_LIBRARY_PATH" ./alisp
(progn (require :ssl)(require :aserve))
(net.aserve.client:do-http-request "https://franz.com")
You should get the error shown above.
Here's what we see when we set a breakpoint at SSL_ctrl:
lldb alisp
_regexp-env ACL_OPENSSL_VERSION=30
_regexp-env DYLD_LIBRARY_PATH=/opt/homebrew/opt/openssl@3.0/lib:
br s -n SSL_ctrl
run
(progn (require :ssl)(require :aserve))
(net.aserve.client:do-http-request "https://franz.com")
Then, we see this:
cl-user(2): (net.aserve.client:do-http-request "https://franz.com")
(net.aserve.client:do-http-request "https://franz.com")
Process 5886 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.2
frame #0: 0x0000000102081090 libssl.3.dylib`SSL_ctrl
libssl.3.dylib`SSL_ctrl:
-> 0x102081090 <+0>: stp x20, x19, [sp, #-0x20]!
0x102081094 <+4>: stp x29, x30, [sp, #0x10]
0x102081098 <+8>: add x29, sp, #0x10
0x10208109c <+12>: mov x20, x2
(lldb) si
<<<hang here>>>
Again, it only started with macOS 15. We have not seen this on any previous version.
More detail:
$ codesign -vvvv /Applications/AllegroCL64express.app
/Applications/AllegroCL64express.app: valid on disk
/Applications/AllegroCL64express.app: satisfies its Designated Requirement
$
$ codesign -d --entitlements - /Applications/AllegroCL64express.app
Executable=/Applications/AllegroCL64express.app/Contents/MacOS/AllegroCL64express
[Dict]
[Key] com.apple.security.cs.allow-dyld-environment-variables
[Value]
[Bool] true
[Key] com.apple.security.cs.allow-jit
[Value]
[Bool] true
[Key] com.apple.security.cs.disable-library-validation
[Value]
[Bool] true
[Key] com.apple.security.get-task-allow
[Value]
[Bool] true
$
The other thing we noticed in debugging this is even though we set DYLD_LIBRARY_PATH, another libssl seemed to be found by lldb. For example, in this case 3 versions of SSL_new were found by lldb:
$ lldb alisp
(lldb) target create "alisp"
Current executable set to '/Applications/AllegroCL64express.app/Contents/Resources/alisp' (arm64).
(lldb) _regexp-env ACL_OPENSSL_VERSION=30
(lldb) _regexp-env DYLD_LIBRARY_PATH=/opt/homebrew/opt/openssl@3.0/lib:
(lldb) br s -n SSL_new
br s -n SSL_new
Breakpoint 1: 2 locations.
(lldb) run
Process 6339 launched: '/Applications/AllegroCL64express.app/Contents/Resources/alisp' (arm64)
Copyright (C) 1985-2023, Franz Inc., Lafayette, CA, USA. All Rights Reserved.
...
CL-USER(1): (progn (require :ssl)(require :aserve))
; Fast loading
; /Applications/AllegroCL64express.app/Contents/Resources/code/SSL.002
...
T
CL-USER(2): (net.aserve.client:do-http-request "https://franz.com")
Process 6339 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.3
frame #0: 0x00000001020803ec libssl.3.dylib`SSL_new
libssl.3.dylib`SSL_new:
-> 0x1020803ec <+0>: stp x20, x19, [sp, #-0x20]!
0x1020803f0 <+4>: stp x29, x30, [sp, #0x10]
0x1020803f4 <+8>: add x29, sp, #0x10
0x1020803f8 <+12>: cbz x0, 0x102080700 ; <+788>
(lldb) br list
Current breakpoints:
1: name = 'SSL_new', locations = 3, resolved = 3, hit count = 1
1.1: where = libboringssl.dylib`SSL_new, address = 0x0000000193f1b160, resolved, hit count = 0
1.2: where = libssl.48.dylib`SSL_new, address = 0x000000026907f64c, resolved, hit count = 0
1.3: where = libssl.3.dylib`SSL_new, address = 0x00000001020803ec, resolved, hit count = 1
(lldb)
We are out of ideas on how to debug this.
Hi
I'm building a React Native app and need to implement the functionality to connect/disconnect to a VPN using WireGuard configuration files (.conf).
I'm using Swift for the native integration on iOS. Does anyone know of any libraries or resources that could help with this?
Dear Apple Support Team,
I hope this message finds you well.
I am writing to seek clarification on a specific aspect of Wi-Fi connectivity related to the iPhone 16 series running iOS 18.0. We have encountered an issue where the iPhone 16 series devices fail to connect to Wi-Fi networks, and this failure subsequently affects other devices running iOS 18.0.
To better understand the root cause of this issue, I would like to inquire about the differences in the "authentication and encryption" processes between the iPhone 16 series running iOS 18.0 and other devices running iOS 18.0. Specifically, are there any changes or updates in the Wi-Fi authentication and encryption mechanisms that are unique to the iPhone 16 series?
Understanding these differences will greatly assist us in diagnosing and resolving the connectivity issues we are experiencing.
Thank you for your assistance. I look forward to your prompt response.
Best regards,
WJohn
iOS devices are failing to launch WebSheet (i.e. captive portal mini browser) when auto-join is used to connect to Hotspot 2.0 SSID with a captive portal. Logs captured from the device & RADIUS show that the device associates to the SSID, but does not launch the WebSheet due to the error, "Unable to launch WebSheet because this network has become captive". Afterwards the device may send an EAPOL Logoff request to the Access Point & disconnect from the network.
If manually selecting the SSID from Settings > Wi-Fi, then the same device will log "It's a manual join so no further checks required", remain associated to the SSID, and launch the captive portal browser, which is able to load the captive portal.
info 17:28:35.298531-0500 configd device setup is completed
info 17:28:35.298566-0500 configd Unable to launch WebSheet because this network has become captive, blacklisting network [HS2_Captive_Test]
info 17:28:35.298604-0500 configd Removing FF981347-FDFA-45FD-82D9-88BA0426C0A3
default 17:28:35.298641-0500 configd __BUILTIN__: PresentUI result Temporary Failure (6)
default 17:28:35.298677-0500 configd CNPluginHandler en0: Failure (__BUILTIN__)
default 17:28:35.298716-0500 configd Temporarily disabling (blacklisting) HS2_Captive_Test
WebSheet should only be launched when the device is captive. Why would WebSheet fail to launch when the device is captive?
We have a device which is an appliance and we are developing a control interface app for macOS and iOS/iPadOS.
How can we set up our iOS application to grab information from a local network device while it is in the background in order to show notifications?
Communication between the Apple device and our device is via local networking and the device is designed to be used on networks without internet connections. On networks with internet connections we could forward events from the device, via a server and APNS push notifications, but that isn't valid here.
Events occur on our device and are forwarded to clients, who are subscribed to Server-Sent Events. On macOS this works well and the application can receive updates and show Notification Center notifications fine.
On iOS we are using a BGAppRefreshTaskRequest with time interval set to 1 minute, but it appears that we get scheduled only every few hours. This isn't very useful as notifications just arrive in batches rather than in a timely manner. All normal networking is closed when the app goes into the background, so we cannot keep the SSE request open.
Another idea which we haven't tried yet: Creating a new endpoint on the device which keeps the connection open until a notification arrives, then using background URLSession to poll on that endpoint. Would that work? It seems like a mis-use of the API perhaps?
Topic:
App & System Services
SubTopic:
Networking
Tags:
Notification Center
User Notifications
Background Tasks
import CocoaAsyncSocket

final class SSDPSearcher: NSObject, GCDAsyncUdpSocketDelegate {
    private var udpSocket: GCDAsyncUdpSocket?

    func setupUDPSocket() {
        stopSearch()
        udpSocket = GCDAsyncUdpSocket(delegate: self, delegateQueue: DispatchQueue.main)
        do {
            try udpSocket?.bind(toPort: 4012)
            try udpSocket?.beginReceiving()
            try udpSocket?.joinMulticastGroup("239.255.255.250")
        } catch {
            // bind/join failures (e.g. a missing multicast entitlement) surface here
            print("UDP socket setup failed on \(Thread.current): \(error)")
            stopSearch()
        }
    }

    private func search() {
        guard let udpSocket = udpSocket else {
            print("udpSocket not set")
            stopSearch()
            return
        }
        // SSDP M-SEARCH over HTTPU; MAN must be the quoted string "ssdp:discover"
        let message = "M-SEARCH * HTTP/1.1\r\n" +
            "HOST: 239.255.255.250:1900\r\n" +
            "MAN: \"ssdp:discover\"\r\n" +
            "MX: 3\r\n" +
            "ST: ssdp:all\r\n" +
            "\r\n"
        let data = Data(message.utf8)
        udpSocket.send(data, toHost: "239.255.255.250", port: 1900, withTimeout: -1, tag: 0)
    }

    private func stopSearch() {
        udpSocket?.close()
        udpSocket = nil
    }

    // GCDAsyncUdpSocketDelegate: send errors such as "No route to host" are reported here
    func udpSocket(_ sock: GCDAsyncUdpSocket, didNotSendDataWithTag tag: Int, dueToError error: Error?) {
        print("send failed: \(error.map { "\($0)" } ?? "unknown error")")
    }

    func udpSocket(_ sock: GCDAsyncUdpSocket, didReceive data: Data, fromAddress address: Data, withFilterContext filterContext: Any?) {
        print(String(decoding: data, as: UTF8.self))
    }
}
This is my SSDP send code. My project was initialized in Objective-C; recently I updated Xcode to 16, and I get Error Domain=NSPOSIXErrorDomain Code=65 "No route to host" when I send UDP data on iOS 18, but iOS 17 is OK.
I even found that if I create a new project in Swift, this bug disappears.
Topic:
App & System Services
SubTopic:
Networking
Tags:
App Tracking Transparency
Xcode Server
Xcode
Network
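The post above sends the M-SEARCH request but never shows what comes back. The following added example (not code from the original post) builds the request with MX clamped to the 1...5 range the UPnP Device Architecture allows, and parses the unicast HTTP/1.1 reply a device answers with. The sample reply at the bottom is constructed for illustration, not captured from a real device.

```swift
import Foundation

/// SSDP (HTTP over UDP) request builder and response parser. Added example.
enum SSDP {
    static let multicastHost = "239.255.255.250"
    static let port: UInt16 = 1900

    /// Builds an M-SEARCH request. Header names are case-insensitive, but the
    /// MAN value must be exactly the quoted string "ssdp:discover".
    static func mSearch(target st: String = "ssdp:all", mx: Int = 3) -> Data {
        let delay = min(max(mx, 1), 5)          // devices reply after 0...MX seconds
        let lines = [
            "M-SEARCH * HTTP/1.1",
            "HOST: \(multicastHost):\(port)",
            "MAN: \"ssdp:discover\"",
            "MX: \(delay)",
            "ST: \(st)",
            "", ""                               // blank line terminates the headers
        ]
        return Data(lines.joined(separator: "\r\n").utf8)
    }

    struct Response {
        let location: URL        // device description document (device-controlled; treat as untrusted)
        let searchTarget: String // ST echoed by the device
        let usn: String          // unique service name, usually "uuid:...::<type>"
        let server: String?
    }

    /// Parses one unicast reply. Returns nil unless the status is 200 and the
    /// mandatory LOCATION, ST and USN headers are all present.
    static func parseResponse(_ data: Data) -> Response? {
        guard let text = String(data: data, encoding: .utf8) else { return nil }
        var lines = text.components(separatedBy: "\r\n")
        guard let status = lines.first, status.hasPrefix("HTTP/1.1 200") else { return nil }
        lines.removeFirst()

        var headers: [String: String] = [:]
        for line in lines {
            if line.isEmpty { break }            // end of header block
            guard let colon = line.firstIndex(of: ":") else { continue }
            let name = line[..<colon].trimmingCharacters(in: .whitespaces).lowercased()
            let value = line[line.index(after: colon)...].trimmingCharacters(in: .whitespaces)
            headers[name] = value
        }
        guard let loc = headers["location"], let url = URL(string: loc),
              let st = headers["st"], let usn = headers["usn"] else { return nil }
        return Response(location: url, searchTarget: st, usn: usn, server: headers["server"])
    }
}

// Constructed sample reply (not from a real device):
let sample = "HTTP/1.1 200 OK\r\n" +
    "CACHE-CONTROL: max-age=1800\r\n" +
    "LOCATION: http://192.168.1.20:49152/description.xml\r\n" +
    "ST: ssdp:all\r\n" +
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n" +
    "SERVER: Example/1.0 UPnP/1.1\r\n\r\n"
if let reply = SSDP.parseResponse(Data(sample.utf8)) {
    print(reply.location, reply.usn)
}
```

LOCATION is chosen by whatever answered on the multicast group, so an app should only follow it to addresses on the local subnet and should parse the description XML defensively; nothing in the reply authenticates the device.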
I am in the middle of investigating an issue arising in the call to setsockopt syscall where it returns an undocumented and unexpected errno. As part of that, I'm looking for a way to list any socket content filters or any such extensions are in play on the system where this happens.
To do that, I ran:
systemextensionsctl list
That returns the following output:
0 extension(s)
which seems to indicate there are no filters or extensions in play.
However, when I do:
netstat -s
among other things, it shows:
net_api:
2 interface filters currently attached
2 interface filters currently attached by OS
2 interface filters attached since boot
2 interface filters attached since boot by OS
...
4 socket filters currently attached
4 socket filters currently attached by OS
4 socket filters attached since boot
4 socket filters attached since boot by OS
What would be the right command/tool/options that I could use to list all the socket filters/extensions (and their details) that are in use and applicable when a call to setsockopt is made from an application on that system?
Edit: This is on a macosx-aarch64 with various different OS versions - 13.6.7, 14.3.1 and even 14.4.1.
Hello there!
We have an app that connects to an external device via Wi-Fi to send and query content from it. This external device generates a hidden AP that the phone connects against. However, sometimes the app fails to connect to the external device with the system alert "Unable to join the network...".
We have been debugging for a couple but couldn't find any clear reason why this is happening. What could be the reason behind this alert appearing?
For the connection, we are using the NEHotspotConfigurationManager to connect to the AP of this external device.
The configuration for the connection is the following:
import NetworkExtension

let configuration = NEHotspotConfiguration(
    ssid: ssid,
    passphrase: password,
    isWEP: false
)
configuration.hidden = true   // required when the AP does not broadcast its SSID
NEHotspotConfigurationManager.shared.apply(configuration) { error in
    // error is nil on success; NEHotspotConfigurationError cases describe failures
    print(error.map { "join failed: \($0)" } ?? "join succeeded")
}
There are some logs that we extracted that show two connections.
One happened at 20:37, which was a successful connection.
wifi_logs_success 2.log
Another connection was made at 20:38, which failed.
wifi_logs_failure.log
Inspecting the logs, one difference that I see between them is the __WiFiDeviceManagerDispatchUserForcedAssociationCallback: result %lld, which in the successful case is 0 and in the failed case is 1.
Can anyone help with this? We're very lost on why this configuration could be an issue at all.
Hi Team,
Looking for an answer, if it's just us or a widespread issue.
Since Sept, our clients' Apple devices can't load a Captive Portal. The client wants the CNA to pop up and I can't get it to happen!
Android and Windows devices all work correctly with their respective popups, but CNA will not work.
No changes were done on our side, and after multiple troubleshooting sessions and getting vendors to take multiple PCAPs, we found that Apple devices are not initiating an HTTP GET request, as per Meraki: https://documentation.meraki.com/MR/MR_Splash_Page/Splash_Page_Traffic_Flow_and_Troubleshooting
The workaround is to force an HTTP GET request by manually going into the browser and loading an HTTP site (we tried 1.1.1.1 and other public HTTP sites, and it works), which then redirects to our Captive Portal page.
I am trying to create an app that lets the user send Wake On LAN calls to computers in the local network. I created a small package that uses BSD sockets (https://github.com/pultar/WakeOnLAN/blob/main/Sources/CWakeOnLAN/wol.c) to send the magic packet. For now, I select "en0" manually as the interface.
The app works in the simulator but fails on a real device. I also noticed that I can test the package when I only use the terminal and Swift Package Manager, but not from a CLI within Xcode. In either case, I observe:
"No route to host"
Following previous post in the forum (see below), I figured I require the multicast entitlement, which I was granted and could add in the Xcode project settings and on Apple Developer together with my App Bundle ID.
However, even after activating the entitlement for my app, I observe the same error.
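For anyone reproducing the post above, this added example (not the author's package) builds the Wake-on-LAN magic packet in Swift and decodes it back, so a packet capture can be checked for the right target. The MAC strings used are constructed; how the bytes are put on the wire is left to the BSD socket code the post already links.

```swift
import Foundation

/// Wake-on-LAN magic packet: 6 bytes of 0xFF followed by the target MAC
/// repeated 16 times, 102 bytes total. Added example, not from the post.
enum WakeOnLAN {
    enum Error: Swift.Error { case malformedMAC(String) }

    /// Accepts "aa:bb:cc:dd:ee:ff" or "aa-bb-cc-dd-ee-ff"; rejects anything else
    /// so a typo never produces a packet that wakes the wrong host.
    static func parseMAC(_ text: String) throws -> [UInt8] {
        let parts = text.split(whereSeparator: { $0 == ":" || $0 == "-" })
        guard parts.count == 6 else { throw Error.malformedMAC(text) }
        return try parts.map { part in
            guard part.count == 2, let byte = UInt8(part, radix: 16) else {
                throw Error.malformedMAC(text)
            }
            return byte
        }
    }

    static func magicPacket(for mac: String) throws -> Data {
        let target = try parseMAC(mac)
        var packet = Data(repeating: 0xFF, count: 6)   // synchronization stream
        for _ in 0..<16 { packet.append(contentsOf: target) }
        return packet
    }

    /// Inverse check for tests or captures: returns the MAC a well-formed
    /// magic packet would wake, or nil if the payload is not one.
    static func targetMAC(in packet: Data) -> String? {
        guard packet.count == 102,
              packet.prefix(6).allSatisfy({ $0 == 0xFF }) else { return nil }
        let body = Array(packet.dropFirst(6))
        let mac = Array(body[0..<6])
        for offset in stride(from: 6, to: 96, by: 6) where Array(body[offset..<offset + 6]) != mac {
            return nil                                  // repetitions disagree
        }
        return mac.map { String(format: "%02x", $0) }.joined(separator: ":")
    }
}

// Constructed MAC for illustration (not a real host):
let packet = try WakeOnLAN.magicPacket(for: "02:00:5e:10:00:01")
print(packet.count, WakeOnLAN.targetMAC(in: packet) ?? "invalid")   // 102 02:00:5e:10:00:01
```

The packet carries no authentication: anything that can place a frame on the target's segment can wake it, which is why WoL is usually confined to a trusted LAN rather than exposed through a router.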
Hi team,
I'm working on an MQTT client for Apple platforms (macOS, iOS, and possibly tvOS and watchOS). I would like the client to listen to messages even when the application is in the background. I would appreciate any suggestions on the best approach to achieve this.
Based on iOS Background Execution Limits, it seems that my best bet is to use a long-running background process with BGProcessingTaskRequest while setting up the connection. Does that sound like the right approach? Are there any limits for the background tasks?
I currently have a working BSD socket. I'm not sure if it is necessary to switch to the Network Framework to have the background task working, but I'm open to switching if it's necessary.
If the approach works, does that mean I could build an HTTP client to process large upload/download tasks without using NSURLSession? As I'm working on a cross-platform project, it would be beneficial if I don't need a separate HTTP client implementation for Apple.
Any insights on this topic would be greatly appreciated.
Additionally, it's off topic, but the link to "WWDC 2020 Session 10063 Background Execution Demystified" (https://developer.apple.com/videos/play/wwdc2020/10063/) is broken. Is there a way to access the content there?
Thanks in advance for your help and insights!