General: Forums subtopic: App & System Services > Networking TN3151 Choosing the right networking API Networking Overview document — Despite the fact that this is in the archive, this is still really useful. TLS for App Developers forums post Choosing a Network Debugging Tool documentation WWDC 2019 Session 712 Advances in Networking, Part 1 — This explains the concept of constrained networking, which is Apple’s preferred solution to questions like How do I check whether I’m on Wi-Fi? TN3135 Low-level networking on watchOS TN3179 Understanding local network privacy Adapt to changing network conditions tech talk Understanding Also-Ran Connections forums post Extra-ordinary Networking forums post Foundation networking: Forums tags: Foundation, CFNetwork URL Loading System documentation — NSURLSession, or URLSession in Swift, is the recommended API for HTTP[S] on Apple platforms. Network framework: Forums tag: Network Network framework documentation — Network framework is the recommended API for TCP, UDP, and QUIC on Apple platforms. Building a custom peer-to-peer protocol sample code (aka TicTacToe) Implementing netcat with Network Framework sample code (aka nwcat) Configuring a Wi-Fi accessory to join a network sample code Moving from Multipeer Connectivity to Network Framework forums post Network Extension (including Wi-Fi on iOS): See Network Extension Resources Wi-Fi Fundamentals TN3111 iOS Wi-Fi API overview Wi-Fi Aware framework documentation Wi-Fi on macOS: Forums tag: Core WLAN Core WLAN framework documentation Wi-Fi Fundamentals Secure networking: Forums tags: Security Apple Platform Security support document Preventing Insecure Network Connections documentation — This is all about App Transport Security (ATS). Available trusted root certificates for Apple operating systems support article Requirements for trusted certificates in iOS 13 and macOS 10.15 support article About upcoming limits on trusted certificates support article Apple’s Certificate Transparency policy support article What’s new for enterprise in iOS 18 support article — This discusses new key usage requirements. Technote 2232 HTTPS Server Trust Evaluation Technote 2326 Creating Certificates for TLS Testing QA1948 HTTPS and Test Servers Miscellaneous: More network-related forums tags: 5G, QUIC, Bonjour On FTP forums post Using the Multicast Networking Additional Capability forums post Investigating Network Latency Problems forums post WirelessInsights framework documentation iOS Network Signal Strength Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm seeing fully reproducible issues with URLSession on iOS 18.4 RC Simulator running from Xcode 16.3 RC. URLSession seems to get into a broken state after a second app run. The following sample succeeds in fetching the JSON on first app run but when the app is closed and ran again it fails with one of these errors: Error: Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." Error: Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." I'm wondering if this something related to my OS setup or is this due to internal URLSession changes in iOS 18.4. Already submitted as FB17006003. Sample code attached below: import SwiftUI @main struct NetworkIssue18_4App: App { var body: some Scene { WindowGroup { ContentView() } } } struct ContentView: View { @State private var message: String = "" var body: some View { VStack { Text(message) Button("Try Again") { Task { await fetch() } } } .task { await fetch() } } private func fetch() async { message = "Loading..." let url = URL(string: "https://poetrydb.org/title/Ozymandias/lines.json")! let session = URLSession.shared do { let response = try await session.data(from: url) print("Response: \(response)") message = "Success, data length: \(response.0.count)" } catch { print("Error: \(error)") message = "Error: \(error.localizedDescription)" } } }

It's not yet fully clear why and when does this crash occur, but I'm creating this post so there's a centralized thread for this. Some hints collected so far: The crash is occurring for existing Xcode projects opened with new Xcode 26.0 beta (17A5241e); no one's been able to reproduce on a project created in Xcode 26. I even tried creating a project with Xcode 16.2 and open it in Xcode 26, but it's all working fine there (don't have older Xcode at the moment, to try with many versions) It crashes right at the line of code that initializes URLSessionConfiguration. If you call URLSession() without parameters (which is deprecated as of iOS 13), the session initializes without the crash. It's NOT occurring only for libraries installed through package manages. In a project where it crashes, one should be able to reproduce by adding URLSessionConfiguration.default as the first line in didFinishLaunchingWithOptions It crashes when running an app on an iOS 26 simulator. (I don't have a device running beta iOS 26 to test on it!) It's working fine when running the app on a simulator or a device running iOS 18 or older. Related issue on Firebase GitHub repo: https://github.com/firebase/firebase-ios-sdk/issues/14948 Sorry to not be able to provide more info at the moment. I wanted to report this so in case someone from Apple knows about it, we could at least get some feedback or workarounds, until fix is released -- and, to prevent us all from duplicating this report in repositories of each library, as this isn't related to libraries.

There is a problem with the Apple local network setting api, iOS18 system, you turn off the local network permissions of the APP, uninstall the APP, and then re-install, the local network permissions even if opened, there is no effect, only restart the phone is useful

Hi, Having an issue on one mac using Xcode 16.3 and simulator 18.4. macSO 15.4 We are checking for bonjour: authorizationBrowser = NWBrowser(for: .bonjour(type: "_bonjour._tcp", domain: nil), using: parameters) authorizationBrowser?.stateUpdateHandler = { [weak self] newState in switch newState { ... } } However at the command line we get the error: nw_browser_fail_on_dns_error_locked [B1] nw_browser_dns_service_browse_callback failed: PolicyDenied(-65570) Any idea why this is happening? or what this error means? Thanks Antz

Hi folks, I would like to ask for clarification regarding Local Network Policy. I found 2 cases where I think the behaviour differs from the documentation. 1. Use case In a CI environment, we have multiple services (LaunchAgents) which require Local Network Access. We are fine by manually approving the Local Network Permission once (per service), but we also require these services to be able to self-update. Self update results in downloading the a binary with an (obviously) different UUID, which seems to result in re-triggering the Local Network Consent prompt. Strange thing: If I don't click either buttons (Allow of Reject), just restart macOS, it will result in an enabled entry in Privacy & Security > Local Network. I read a reply somewhere on this forum by an Apple engineer that the approval process is a mix of Bundle ID + UUID + other components, so I would expect a new binary with the same properties (but different UUID) to be already whitelisted. Is this behaviour intended? 2. Use Case Given the first issue, I decided to do this in the "right way". I was happy to read this sentence in the documentation: If you ship a launchd agent that’s not installed using SMAppService, make macOS aware of the responsible code by setting the AssociatedBundleIdentifiers property in your launchd property list. I have a properly setup (and code signed) Application, for which I have enabled Local Network permission in Privacy & Security. I have a standalone LaunchAgent, which runs a long running binary from a user directory. The agent is managed with launchd, and in this sense it is "independent" from the main Application Bundle. I have setup AssociatedBundleIdentifiers in the Agent plist, to associate it with the Application. The TeamIdentifier of the 2 binaries are the same. Based on the documentation, this should be enough for my agent to signal macOS that the responsible code is the Application Bundle (which is already enabled from Local Network POV). Instead, once the LaunchAgent starts, the Local Network Consent popup appears for the binary. I would expect the Application to be the responsible code, thus no more Consent popup. Is this behaviour intended? I need this service to run as user, so I cannot just circumvent the Consent popup by running as a Daemon or Root. Nor I would like to manage the Agent with ServiceManagement. What do you guys think, have I misunderstood the documentation?

On iOS 26 beta 5, it is impossible to add a VPN configuration when a passcode is set on the device. Every time, all it does is redirect to the Settings app with no prompt for passcode. The only way around this is to disable passcode on the device so adding a VPN configuration doesn’t have to open the Settings app. This issue happened intermittently in the past with previous iOS 26 betas and even on iOS 18, but the problem has worsened on iOS 26 beta 5 to the point where you have to turn off passcode to add a VPN. Feedback ID: FB17974765

Hello! I'm developing NETransparentProxyProvider which started to work unexpectedly on macOS 15. Seems that iCloud Private Relay is not auto-disabled anymore in favor of another filtering software, when Firewall is enabled in macOS 15. Disabling firewall immediately restores old behavior. To reproduce this issue, you need to enable both iCloud Private Relay and Firewall. Then, Safari will always try to use iCloud Private Relay, even if Transparent Proxy has "destinationAddress:nil" rule. Every connection from Safari will be to "mask.icloud.com" over HTTP/3. Connections inside are not visible as separate flows. Since I have excludedRule for "icloud.com" (to not to alter Apple services), Safari traffic is just stopped to be processed. Is new behavior is expected or some type of regression?

Hi, my app makes tcp connection successfully on macOS 15. But, after restarting Mac, the app fails to make tcp connection. The app is allowed in Settings > Privacy & Security > Local Network. If I deny it and then allow it again, the app can make tcp connection successfully. Is it a macOS Sequoia bug?

Users are reporting that 3rd-party software that leverages Apple's Network Extensions (such as LuLu and Windows Defender) are causing networking issues after upgrading to macOS 15. However as such products were working seamlessly on macOS 14.* and nothing in the code of these products changed between then and now, this would point to bug in macOS. Users have mentioned the following work arounds: Disabling the internal (macOS) firewall Upgrading to macOS 15.1 beta More info about the issues and these "workarounds" here and here.. Looking for any guidance / insight / technical details from Apple, as users are (understandably) blaming these tools and their developers 😭 Of course if there are updated APIs or some other changes in macOS 15 that developers should consider / conform to, to ensure compatibility that'd be great to know too!

We have an application which is written in Swift, which activates network extension (Transparent Proxy). We want to use MDM deployment for this network system extension. Our Transparent Proxy module is a system extension, which is exposing an app proxy provider interface (We are using NETransparentProxyProvider class and in extension’s Info.plist we use com.apple.networkextension.app-proxy key.) We don’t have any remote server setup to forward the traffic, instead we open a connection with a certain localhost:port to redirect the traffic which is received in our transparent proxy. We have another module that listens to the particular localhost:port to process the traffic further. As per https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy documentation, we noticed that we can use the VPN payload with app-proxy as Provider Type for Transparent Proxy. We were able to install the profile created via Jamf Pro and also while in stalling our product the Transparent Proxy gets mapped with the one which is installed via profile. However after that the network is broken and hence unable to browse anything. We are suspecting the remote server filed is causing this. So we tried creating the custom profile without remote server address for VPN payload, but we are unable to install the profile. It throws below error: 2025-02-11 16:43:55.193348+0530 0x2f880 Error 0x0 6815 0 mdmclient: (NetworkExtension) [com.apple.networkextension:] Failed to save configuration DGWebProxy because it is invalid: Error Domain=NEConfigurationErrorDomain Code=2 "configuration is invalid: Missing server address" UserInfo={NSLocalizedDescription=configuration is invalid: Missing server address}
2025-02-11 16:43:55.193376+0530 0x2f880 Error 0x0 6815 0 mdmclient: (NetworkExtension) [com.apple.networkextension:] NEProfileIngestion Error occurred when saving configuration 'DGWebProxy': configuration is invalid: configuration is invalid: Missing server address 
2025-02-11 16:43:55.196159+0530 0x2f880 Error 0x0 6815 7 mdmclient: [com.apple.ManagedClient:CPDomainPlugIn] [ERROR] [0:MDMDaemon:CPDomainPlugIn:<0x2f880>] <<<<< PlugIn: InstallPayload [NEProfileIngestionPlugin] Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} <<<<<
2025-02-11 16:43:55.196826+0530 0x2f880 Error 0x0 6815 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [ERROR] [0:MDMDaemon:<0x2f880>] [CE] PlugIn_InstallPayload ==> Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} Can we create MDM profile for Transparent Proxy without remote server address?

PLATFORM AND VERSION iOS Development environment: Xcode 16.0, macOS 15.0.1 Run-time configuration: iOS 17.5.1 DESCRIPTION OF PROBLEM We are working on an iOS application that utilizes the NEFilterDataProvider class from the Network Extension framework to control network flows. However, we are encountering an issue where network flows are not being detected as expected. Here are the details of our setup: We are using the NEFilterDataProvider class to filter network traffic in our app. The filtering setup works well for certain flows/apps, but we cannot detect Facebook network flows as intended. The app is correctly configured with the necessary entitlements, and we have set up the required App Groups and Network Extension capabilities. We would like to request guidance on how to troubleshoot or resolve this issue. Could you provide insights on: Whether there are any known limitations or conditions under which network flows may not be detected by NEFilterDataProvider. Recommendations for additional debugging techniques to better understand why some flows might not be captured. Recommendations for additional code to be added to detect some flows that might not be captured. Any specific scenarios or configurations that might be causing this issue in iOS. STEPS TO CHECK Replace below code in FilterDataProvider. Try running the app and set debugger in FilterDataProvider. Launch Facebook app. You will observe that no NEFilterFlow is detected in handleNewFlow for actions such as posts, reels, etc. import NetworkExtension class FilterDataProvider: NEFilterDataProvider { let blockedDomains = [ "facebook.com" ] override func startFilter(completionHandler: @escaping (Error?) -> Void) { // Perform any necessary setup here. DNSLogger.shared.log(message: "Filter started") completionHandler(nil) } override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) { // Perform any necessary cleanup here. DNSLogger.shared.log(message: "Filter stopped with reason: \(reason)") completionHandler() } override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict { var url: URL? if let urlFlow = flow as? NEFilterBrowserFlow { url = urlFlow.url } else { let urlFlow = flow as? NEFilterSocketFlow url = urlFlow?.url } guard let hostName = url?.host else { return .allow() } DNSLogger.shared.log(message: "Domain reveived: \(hostName)") return .allow() } // Handle inbound data (data received from the network) override func handleInboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int, readBytes: Data) -> NEFilterDataVerdict { DNSLogger.shared.log(message: "Inbound data: \(readBytes)") return .needRules() } // Handle outbound data (data sent to the network) override func handleOutboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int, readBytes: Data) -> NEFilterDataVerdict { // Inspect or modify outbound data if needed // For example, you could log the data or modify it before sending DNSLogger.shared.log(message: "Outbound data: \(readBytes)") return .needRules() } override func handleRemediation(for flow: NEFilterFlow) -> NEFilterRemediationVerdict { return .needRules() } override func handleRulesChanged() { // Handle any changes to the rules } }

Hi! I've noticed that the IP_RECVIF socket option, i.e.: int y = 1; setsockopt(fd, IPPROTO_IP, IP_RECVIF, &y, sizeof(y)); does not seem to work if the socket is proxied by a NETransparentProxyProvider type network extension: there's no ancillary data in messages received with recvmsg. As soon as I disable the network extension, recvmsg starts returning ancillary data containing the interface name. This seems to break some applications which rely on IP_RECVIF in the presence of a transparent proxy, making it, in fact, not transparent. One such example is Apple's own libresolv, which relies on IP_RECVIF and breaks if there's no ancillary data in the recvmsg result. I don't think that this is the intended behaviour, since IPV6_PKTINFO seems to work fine. I've filed a bug report (FB17586550) about this, however, I would greatly appreciate if someone could point me in the direction of a workaround.

In our setup, our Transparent Proxy (call it TP1) funnels traffic to a helper process running on the same machine (call it Helper), which then actually sends out the traffic to the wider Internet. Now say there's another Transparent Proxy, TP2, on the same machine. Assuming TP1 gets hold of the traffic first, the sequence would look like so: Safari --> TP1 --> Helper --> TP2 We want to make it appear to TP2 that the incoming traffic is from Safari, rather than from the Helper process. We are aware of the Network framework's setMetadata API, but this does not look appropriate for us to use here. The Helper process is pre-existing Golang code, which at best can interface with "pure" (ie BSD) sockets-based C code. In order to use the setMetadata API, looks like we will need to rewrite the entire networking logic to use nw_connection_t (or similar) API, which is too much work, so is infeasible for us to use. Is there a way to make the setMetadata API work at a socket level? e.g., associate the metadata with a socket so that whatever data is sent out on the socket by the Helper will seem to TP2 to be coming from the desired source process. Assuming there isn't such a way, please consider this an Enhancement Request to make it so! Also, this reveals another complication: If and when this Enhancement is implemented, our own TP1 (which interepted the traffic in the first place) would end up thinking that the traffic is from Safari, so ends up re-intercepting it, causing a loop. Safari --> TP1 --> Helper (invokes setMetadata) --> TP1 --> Helper ... Which leads to the next Enhancement Request: Please extend the API to allow setting of the "last-hop" source process in addition to the original source application. If the last-hop source process info is set, our TP1 can query this property, see that it's coming from our own Helper process, and skip interception. In summary, here are the Enhancement Requests: Allow setMetadata API to work at a socket level Allow setting of "last-hop" source process in the metadata, in addition to the original source application More succinctly, please allow setting of metadata to cater to cases where the actual egress happens via a (different) helper process that uses pure C sockets based API. I have also filed this as a Feedback with Apple, at FB16048393.

When a VPN is active, RCS messaging does not work on iOS 18. I work on an iOS VPN app, and we were very appreciative of the excludeCellularServices network flag that was released during the iOS 16 cycle. It's a great solution to ensure the VPN doesn't interfere with cellular network features from the cellular provider. Separately - As a user, I'm excited that iOS 18 includes RCS messaging. Unfortunately, RCS messaging is not working when our VPN is active (when checking on the iOS 18 release candidate). My guess is that RCS is not excluded from the VPN tunnel, even when excludeCellularServices is true. It seems like RCS should be added in this situation, as it is a cell provider service. Can RCS be added as a service that is excluded from the VPN tunnel when excludeCellularServices is true? (I've also sent this via feedback assistant, as 15094270.)

I have added a Network Extension to my iOS project to use the WireGuard library. Everything was working fine up to Xcode 16, but after updating, I’m facing a build issue. The build fails with the following error: No such file or directory: '@rpath/WireGuardNetworkExtensioniOS.debug.dylib' I haven’t explicitly added any .dylib to my project. The Network Extension target builds and runs fine on Xcode 16.

I have a pretty straightforward code to connect to a given ip address and port using NWConnection. On the first attempt to connect to the Local Network I see the "Local Network Privacy" dialog and sometimes if I press "Don't Allow" on that dialog everything starts to fail. No matter I do I keep receiving the following error: POSIXErrorCode(rawValue: 50): Network is down Obviously going to settings and allowing local network access to the app doesn't fix the issue. Neither deleting the app and installing it again. The only workaround I found is to restart my device which is unacceptable for a user. My code is really simple, I tried a lot of different approaches to connect but neither approach worked. I am on iOS 18. Is it a known bug? could be possible a bug on my code? Any idea would be really appreciated, thanks!

We are developing an iOS application that is interacting with HTTP APIs that requires us to put a unique UUID (a nonce) as an header on every request (obviously there's more than that, but that's irrilevant to the question here). If the same nonce is sent on two subsequent requests the server returns a 412 error. We should avoid generating this kind of errors as, if repeated, they may be flagged as a malicious activity by the HTTP APIs. We are using URLSession.shared.dataTaskPublisher(for: request) to call the HTTP APIs with request being generated with the unique nonce as an header. On our field tests we are seeing a few cases of the same HTTP request (same nonce) being repeated a few seconds on after the other. Our code has some retry logic only on 401 errors, but that involves a token refresh, and this is not what we are seeing from logs. We were able to replicate this behaviour on our own device using Network Link Conditioner with very bad performance, with XCode's Network inspector attached we can be certain that two HTTP requests with identical headers are actually made automatically, the first request has an "End Reason" of "Retry", the second is "Success" with Status 412. Our questions are: can we disable this behaviour? can we provide a new request for the retry (so that we can update headers)? Thanks, Francesco

PLATFORM AND VERSION macOS Development environment: Xcode 15.0, macOS 15.0.1 Run-time configuration: macOS 15.0.1 DESCRIPTION OF PROBLEM We are currently developing a macOS app using the NEFilterDataProvider in the Network Extension framework, and we've encountered an issue regarding hostname resolution that we would like your guidance on. In our implementation, we need to drop network flows based on the hostname. The app successfully receives the remoteHostname or remoteEndpoint.hostname for browsers such as Safari and Mozilla Firefox. However, for other browsers like Chrome, Opera Mini, Arc, Brave, and Edge, we only receive the IP address instead of the hostname. We are particularly looking for a way to retrieve the hostname for all browsers to apply our filtering logic consistently. Could you please advise whether there is any additional configuration or API we can use to ensure that we receive hostnames for these browsers as well? Alternatively, is this a limitation of the browsers themselves, and should we expect to only receive IP addresses for certain cases? STEPS TO REPRODUCE For Chrome, Brave, Edge, and Arc browsers you won't receive the hostname in NEFilterFlow. Using the same sample project provided in WWDC 2019 https://developer.apple.com/documentation/networkextension/filtering_network_traffic import NetworkExtension import os.log import Network /** The FilterDataProvider class handles connections that match the installed rules by prompting the user to allow or deny the connections. */ class FilterDataProvider: NEFilterDataProvider { // MARK: NEFilterDataProvider override func startFilter(completionHandler: @escaping (Error?) -> Void) { completionHandler(nil) } override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) { completionHandler() } override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict { guard let socketFlow = flow as? NEFilterSocketFlow, let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint, let localEndpoint = socketFlow.localEndpoint as? NWHostEndpoint else { return .allow() } var hostName: String? = nil // Attempt to use the URL host for native apps (e.g., Safari) if let url = socketFlow.url { hostName = url.host os_log("URL-based Host: %@", hostName ?? "No host found") } // Fallback: Use remote hostname for third-party browsers like Chrome if hostName == nil { if #available(macOS 11.0, *), let remoteHostname = socketFlow.remoteHostname { hostName = remoteHostname os_log("Remote Hostname: %@", hostName ?? "No hostname found") } else { hostName = remoteEndpoint.hostname os_log("IP-based Hostname: %@", hostName ?? "No hostname found") } } let flowInfo = [ FlowInfoKey.localPort.rawValue: localEndpoint.port, FlowInfoKey.remoteAddress.rawValue: remoteEndpoint.hostname, FlowInfoKey.hostName.rawValue: hostName ?? "No host found" ] // Ask the app to prompt the user let prompted = IPCConnection.shared.promptUser(aboutFlow: flowInfo, rawFlow: flow) { allow in let userVerdict: NEFilterNewFlowVerdict = allow ? .allow() : .drop() self.resumeFlow(flow, with: userVerdict) } guard prompted else { return .allow() } return .pause() } // Helper function to check if a string is an IP address func isIPAddress(_ hostName: String) -> Bool { var sin = sockaddr_in() var sin6 = sockaddr_in6() if hostName.withCString({ inet_pton(AF_INET, $0, &sin.sin_addr) }) == 1 { return true } else if hostName.withCString({ inet_pton(AF_INET6, $0, &sin6.sin6_addr) }) == 1 { return true } return false } }

We’ve noticed that in iOS 18, the "Deactivate Configuration" button within the Per-App VPN settings immediately disables the VPN for selected apps without any confirmation prompt. This can be problematic for users, as there is no warning or verification before the action is taken, which may lead to unintended disruptions in VPN connectivity. We haven’t found any relevant documentation on Apple’s developer website addressing this behavior. Any insights or suggestions would be greatly appreciated and if we can have documentation to disable this button using MDM profile it will be great

macOS 15 has added a new "Local Network" permission under Security & Privacy. I had a bug in my app that led to a crash when the user denied this permission. Now I've fixed it and would like to verify that it all works fine. The problem is: I need to remove my app from the settings so that macOS will show the prompt again (e.g. to verify that my custom message appears correctly). Usually, sudo tccutil reset All would do the trick. But not for this permission! The apps do not get cleared with this command. So, there's two issues: tccutil should remove it but doesn't. How can I remove this settings? Update I had a look at the "TCC.db" (see https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive), and it seems to me that the Local Network permission isn't even managed by the TCC system, as it doesn't appear in it. This is odd.