Networking


Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.

Networking Documentation

Posts under Networking subtopic

Post

Replies

Boosts

Views

Activity

Networking Resources
General:
Forums subtopic: App & System Services > Networking
TN3151 Choosing the right networking API
Networking Overview document — Despite the fact that this is in the archive, this is still really useful.
TLS for App Developers forums post
Choosing a Network Debugging Tool documentation
WWDC 2019 Session 712 Advances in Networking, Part 1 — This explains the concept of constrained networking, which is Apple’s preferred solution to questions like How do I check whether I’m on Wi-Fi?
TN3135 Low-level networking on watchOS
TN3179 Understanding local network privacy
Adapt to changing network conditions tech talk
TCP and UDP ports used by Apple software products support article
Understanding Also-Ran Connections forums post
Extra-ordinary Networking forums post

Foundation networking:
Forums tags: Foundation, CFNetwork
URL Loading System documentation — NSURLSession, or URLSession in Swift, is the recommended API for HTTP[S] on Apple platforms.
Moving to Fewer, Larger Transfers forums post
Testing Background Session Code forums post

Network framework:
Forums tag: Network
Network framework documentation — Network framework is the recommended API for TCP, UDP, and QUIC on Apple platforms.
Building a custom peer-to-peer protocol sample code (aka TicTacToe)
Implementing netcat with Network Framework sample code (aka nwcat)
Configuring a Wi-Fi accessory to join a network sample code
Moving from Multipeer Connectivity to Network Framework forums post
NWEndpoint History and Advice forums post

Wi-Fi (general):
How to modernize your captive network developer news post
Wi-Fi Fundamentals forums post
Filing a Wi-Fi Bug Report forums post
Working with a Wi-Fi Accessory forums post — This is part of the Extra-ordinary Networking series.

Wi-Fi (iOS):
TN3111 iOS Wi-Fi API overview technote
Wi-Fi Aware framework documentation
WirelessInsights framework documentation
iOS Network Signal Strength forums post
Network Extension Resources

Wi-Fi on macOS:
Forums tag: Core WLAN
Core WLAN framework documentation

Secure networking:
Forums tags: Security
Apple Platform Security support document
Preventing Insecure Network Connections documentation — This is all about App Transport Security (ATS).
WWDC 2017 Session 701 Your Apps and Evolving Network Security Standards [1] — This is generally interesting, but the section starting at 17:40 is, AFAIK, the best information from Apple about how certificate revocation works on modern systems.
WWDC 2025 Session 314 Get ahead with quantum-secure cryptography
Available trusted root certificates for Apple operating systems support article
Requirements for trusted certificates in iOS 13 and macOS 10.15 support article
About upcoming limits on trusted certificates support article
Apple’s Certificate Transparency policy support article
What’s new for enterprise in iOS 18 support article — This discusses new key usage requirements.
Prepare your network environment for stricter security requirements support article — This is primarily of interest to folks developing management software, for example, an MDM server.
Technote 2232 HTTPS Server Trust Evaluation
Technote 2326 Creating Certificates for TLS Testing
QA1948 HTTPS and Test Servers

Miscellaneous:
More network-related forums tags: 5G, QUIC, Bonjour
On FTP forums post
Using the Multicast Networking Additional Capability forums post
Investigating Network Latency Problems forums post

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] This video is no longer available from Apple, but the URL should help you locate other sources of this info.
0
0
4.8k
May ’26
Open Safari from Captive Network Assistant - Is it possible on current iOS?
We operate a captive portal WIFI network in a walled-garden setup. There is no public internet access on this network. Users connect to our SSID and can only reach a local resource. On Android, our captive portal can show a button that launches the device's default browser and navigates to our portal page. We cannot reproduce this on iOS: we can place the button inside the CNA tear sheet but tapping it does not open Safari, the redirect simply does not happen.

I found this older thread describing the same need: https://developer.apple.com/forums/thread/75498 From that thread, it seems the behavior changed several times. It reportedly worked around iOS 11.2 then broke again in later releases.

My questions:
On current iOS, is it possible to open Safari or the default browser programmatically from within the CNA? For example, via a link or button after authentication?
If yes, what is the supported way?
If it is not supported, is that intentional? Is there any official documentation describing CNA limitations and the recommended pattern?
For a walled-garden network with no public Internet, what is Apple's recommended approach to move the user from the CNA into a full browser session?
0
0
22
14h
VoIP app (CallKit) not relaying incoming call notifications to paired Apple Watch
Incoming calls reported via reportNewIncomingCall on a CXProvider are correctly presented on the iPhone via CallKit, but are never relayed to the paired Apple Watch. Native cellular calls relay to the Watch correctly on the same devices. What does a VoIP app's CXProvider need to satisfy for callservicesd to consider it eligible for phone continuity relay to paired Apple Watch?
1
0
21
5h
UDP silently blocked on macOS 26
We have an app that uses UDP messaging. It has been working for over 3 years successfully. The App is now failing on installation with macOS 26. The issue would appear to be that macOS is silently blocking the UDP traffic. If we disable the local network for the App, and then turn back on, this will fix the issue. But this needs to be done on every system restart.
0
0
13
1d
iOS 27 beta Personal Hotspot disconnects from Mac after several minutes
Device: iPhone model + iOS 27 beta build number
Mac: Mac model + macOS version
Issue: Mac connects to iPhone Personal Hotspot successfully, but after several minutes the hotspot disconnects automatically.
Expected: Mac should remain connected while hotspot is enabled and devices are nearby.
Actual: Wi-Fi disconnects and Mac loses internet.
Workarounds tried: Maximum Compatibility, restarting Wi-Fi, disabling VPN/Shadowrocket, USB tethering.
Frequency: happens repeatedly / every X minutes.
0
0
34
3d
`getaddrinfo()` in forked child crashes in _os_log_preferences_refresh on macOS 26 Tahoe for IPv4-only hosts (FB21364061)
Since macOS 26 (Tahoe), getaddrinfo() with AF_UNSPEC for a hostname whose DNS answer contains only A records (no AAAA) fails in forked child processes when the parent performed DNS resolution, or otherwise initialized os_log, before forking. This is a regression: the same code works on macOS 15.x and earlier.

The child crashes with EXC_BAD_ACCESS (KERN_INVALID_ADDRESS) inside the NAT64 synthesis path:

```
_os_log_preferences_refresh (libsystem_trace.dylib) <- faulting frame
os_log_type_enabled (libsystem_trace.dylib)
nw_path_access_agent_cache (Network)
_nw_path_update_is_viableTm / nw_path_snapshot_path / nw_path_evaluator_evaluate
nw_nat64_v4_address_requires_synthesis
_gai_nat64_second_pass (libsystem_info.dylib)
si_addrinfo -> getaddrinfo
```

Runtimes that install a SIGSEGV handler (Ruby, Python) do not die; instead the DNS helper thread spins at 100% CPU and the process hangs. We have also captured a parent-side variant where a later fork() deadlocks in the atfork prepare path itself: libSystem_atfork_prepare -> nw_path_prepare_fork -> _os_unfair_lock_lock_slow.

Minimal trigger in C:

```c
#include <netdb.h>
#include <os/log.h>
#include <sys/socket.h>
#include <unistd.h>

int main(void) {
    os_log_t log = os_log_create("com.example.repro", "repro");
    os_log(log, "init");
    struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM }, *res;
    getaddrinfo("api.stripe.com", "443", &hints, &res);      // parent: IPv4-only host
    if (fork() == 0) {
        getaddrinfo("api.stripe.com", "443", &hints, &res);  // child: crashes in _os_log_preferences_refresh
        _exit(0);
    }
    return 0;
}
```

Observed behavior and boundaries:
Reproduces on 26.1 through 26.5.1 (25F80). Not reproducible on macOS 15.x.
Only AF_UNSPEC lookups of IPv4-only hostnames are affected. AF_INET hints, IPv6-capable hostnames (for example google.com), numeric literals, and localhost are all immune. AF_INET6-only lookups neither trigger nor prevent it.
The failure is all-or-nothing per parent process: once a parent is in the affected state, every forked child fails.
On 26.5.1 it reproduces most reliably when the process was exec'd over a prior os_log-using image (for example Ruby launched via bundle exec, where the bundler Ruby execs the target Ruby in the same process), and intermittently from a bare shell. On 26.1 even bare runs reproduced readily. This is consistent with per-process logging state surviving exec and then being inherited invalid across fork.

I understand that officially only async-signal-safe calls are supported between fork and exec. But this worked through macOS 15, and it breaks the pre-forking worker model used by major Ruby and Python frameworks (Resque, Unicorn, multiprocessing) on developer machines.

Filed as FB21364061 in December 2025, no response so far. Is this a known issue, and is a fix present or planned in macOS 26.6 or the macOS 27 beta?
0
0
55
4d
how to remove hotspot-provider
I previously attempted to apply for the hotspot-provider entitlement but was rejected. I no longer require this entitlement. I need to remove the hotspot-provider permission although the Network Extensions capability is checked. However, the generated provisioning profile still includes the hotspot-provider permission, which causes error 409 when I upload the IPA file. I only need the Network Extensions entitlement. Could you please advise how to remove hotspot-provider from the provisioning profile?
0
0
41
4d
iPhone 17 Cellular High Latency / Lag Spikes caused by Aggressive Modem Power Saving Mechanism
Description of the Issue:
We are experiencing intermittent, severe latency spikes during cellular data transmission (specifically with MQTT Publish) on iPhone 17 devices. Through internal testing and cross-referencing with similar user reports online, we suspect this is caused by an aggressive power-saving or sleep mechanism in the cellular modem/iOS network stack when traffic is sporadic or low-frequency.

Steps to Reproduce / Observations:
Establish an MQTT connection over a cellular network (5G/LTE) on an iPhone 17.
Publish messages at irregular or low-frequency intervals (e.g., sporadic IoT data transmission).
Result: Severe latency spikes occur intermittently during transmission.

Diagnostic Findings & Documented Workarounds:
Workaround 1 (Constant Traffic): If we connect a secondary device (e.g., a PC) to the iPhone 17's Personal Hotspot and run a continuous background ping (with a 10ms interval), the MQTT latency spikes disappear completely. This high-frequency traffic prevents the device/modem from dropping into power-save mode.
Workaround 2 (VPN Tunnel): Utilizing a VPN profile (such as Cloudflare's 1.1.1.1 app) significantly mitigates the issue. We suspect this is due to either the VPN's background keep-alive packets maintaining the active state of the modem, or iOS applying a less aggressive power-saving policy to active VPN interfaces.

System Environment:
Device: iPhone 17 series
OS: iOS 19 (or specify your current version)
Network: Cellular (5G/LTE)

Questions Regarding Temporary Workarounds & Mitigations:
To unblock our current development and ensure a reliable user experience before an official OS-level fix is deployed, we would highly appreciate Apple's technical guidance on the following questions:
Recommended Keep-Alive Mechanism: Since higher frequency traffic effectively prevents the modem from entering power-save mode, does iOS have a recommended, power-efficient way for an application to maintain an active cellular network state (e.g., recommended TCP/MQTT keep-alive intervals or NWPathEvaluator configurations) without being suspended or penalized by the system?
Network Optimization APIs: Are there specific Network Framework APIs (Network.framework) or socket configuration flags (such as Multipath TCP, or Quality of Service (QoS) flags like Background vs Default) that can signal to the iOS kernel to apply a less aggressive power-saving policy on the active cellular interface?
Background Execution Policy: For IoT applications that need to publish MQTT data seamlessly while running in the background, what is the best practice to prevent the cellular link from dropping into deep sleep mode?

We would appreciate it if the Apple Network/CoreOS engineering team could look into this cellular power management behavior. Thank you for your support.
0
0
49
4d
A Wi-Fi Aware network adapter has appeared in macOS 27 beta.
When entering the following command in macOS 27 beta:

```
lvbojie@Mac ~ % netstat -I nan0 1
Name  Mtu   Network     Address            Ipkts Ierrs Opkts Oerrs Coll
nan0* 1500  <Link#25>   66:31:00:4c:3c:b5      0     0    41     0    0
nan0* 1500  fe80::6431: fe80:19::6431:ff:      0     -    41     -    -
liushicong@Mac ~ % netstat -I nan0 1
```

The nan0 network interface is displayed. Does this indicate that macOS will support Wi-Fi Aware in the near future?
0
0
65
4d
URL Filters not activating on iOS 27 beta
(Also submitted as FB23072541)

iOS 27 beta 1 brings a brand new error which ends up resulting in a state of .serverSetupIncomplete:

```
<NEPIRChecker: 0x7de6c79b60>: -[NEPIRChecker start:responseQueue:completionHandler:]_block_invoke - PIR status returned error <Error Domain=com.apple.CipherML Code=1100 "Unable to query status due to errors: Error details were logged and redacted." UserInfo={NSLocalizedDescription=Unable to query status due to errors: Error details were logged and redacted., NSUnderlyingError=0x7de712f4e0 {Error Domain=com.apple.CipherML Code=1800 "Error details were logged and redacted." UserInfo={NSLocalizedDescription=Error details were logged and redacted.}}}>
<NEAgentURLFilterExtension: 0x7de6d24e60>: -[NEAgentURLFilterExtension startURLFilter]_block_invoke - Failed to startFilter <Error Domain=NEMembershipCheckerErrorDomain Code=3 "(null)">
```

What’s a NEMembershipChecker? Member of what? Digging deeper I found these:

```
Failed to prefetch tokens for group 'site.kaylees.Wipr2': Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good, NSErrorFailingURLKey=https://pirissuer.kaylees.site/token-key-for-user-token, NSUnderlyingError=0x7517125a40 {Error Domain=NSPOSIXErrorDomain Code=50 "Network is down" UserInfo={NSDescription=Network is down}}, _NSURLErrorPrivacyProxyFailureKey=true, NSLocalizedDescription=The Internet connection appears to be offline.}
queryStatus(for:options:) threw an error: Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good, NSErrorFailingURLKey=https://pirissuer.kaylees.site/token-key-for-user-token, NSUnderlyingError=0x7517125b00 {Error Domain=NSPOSIXErrorDomain Code=50 "Network is down" UserInfo={NSDescription=Network is down}}, _NSURLErrorPrivacyProxyFailureKey=true, NSLocalizedDescription=The Internet connection appears to be offline.}
```

The connection and the URL mentioned are fine of course, but “Network is down” now?

This new problem only affects the App Store version of my app – not present if I install from Xcode. Users report that oddly, having an active VPN on the device works around this bug.
2
1
104
1d
IOS 27 WiFi
I started losing my WiFi connection and then my password would no longer work. I restarted iPhone and the same thing, used the forget network and same thing. I then restarted the WiFi router and the WiFi worked correctly again.
1
0
51
5d
Network Extension behaviour with PAC
Hello,

We have a Network extension transparent proxy (NETransparentProxyProvider) that receives browser TCP flows as NEAppProxyTCPFlow. For each flow we create an NWConnection to the flow's original destination and set NEParameters.preferNoProxies = true - expecting the outbound connection to bypass the user's HTTP/HTTPS proxy and PAC so it goes to the destination server directly. However, in practice we see connections still being redirected to local proxy after being evaluated against the PAC rules using the destination IP and port.

Our questions are:
Could we expect preferNoProxies to be respected when a PAC exists on the endpoint and supersede the PAC rule decision? If yes, what would be the best way to file a bug and what information do you need?
If not, is there any other way of making sure that the outbound NWConnection created by the transparent proxy is not redirected to a proxy and goes directly to the destination?
One other way of avoiding our NWConnection being redirected to the proxy is to use hostname instead of destination IP. Would there be a reliable way of getting hostname for the NEAppProxyTCPFlow so that PAC can correctly filter all NWConnection based on rules? We have explored remoteHostname but it's generally not available for connections from browsers other than Safari.
2
0
152
6d
Reachability
Hello, We recently moved to the NWPath.Status implementation for reachability, is that the same reachability that powers URLSessionConfiguration.waitsForConnectivity? Or does the NWPath implementation rely on a specific network path such as cell only or wifi only? Is using NWPath still the best way to measure if the network is reachable? Thank you!
1
0
75
6d
net.link.bridge.use_dhcp_xid flag behavior
We are investigating bridged Wi-Fi DHCP behavior on recent macOS releases and would appreciate some clarification regarding the net.link.bridge.use_dhcp_xid sysctl.

We observed that with the default setting, DHCP packets transmitted from a virtual machine through a bridged Wi-Fi interface may have their DHCP client identity modified (chaddr). In our testing, setting:

net.link.bridge.use_dhcp_xid=0

prevents this behavior and restores the DHCP packet format observed on older macOS versions.

We would like to better understand the intended purpose of this sysctl:
What functionality does net.link.bridge.use_dhcp_xid control internally?
Besides DHCP chaddr rewriting, what other bridge or DHCP processing behavior is affected by this setting?
Is this sysctl related to DHCP snooping, anti-spoofing protection, Wi-Fi bridging compatibility, or another mechanism?
Is the current default behavior (use_dhcp_xid=1) a recent change introduced in macOS 26.4.x?
Is the modified DHCP behavior considered expected and supported, or is it intended as an implementation detail?

For additional context, we previously submitted feedback regarding DHCP handling for virtual machines using Virtualization Framework. Since packet modification is restricted from user space, we are wondering whether this sysctl is related to DHCP processing implemented by the bridge subsystem to address DHCP spoofing, client identification, or Wi-Fi bridging limitations.

One concern we have is that net.link.bridge.use_dhcp_xid appears to be a system-wide setting. In our use case, DHCP handling requirements may differ between virtual machines, networks, and environments. As a result, changing a global bridge behavior for the entire host system is not always desirable. If this sysctl is intended to control DHCP processing for bridged virtual machines, would it be possible to expose similar functionality on a per-interface, per-bridge, or per-VM basis rather than as a host-wide setting? This would allow virtualization products to adapt DHCP behavior to specific network environments without affecting all bridged networking on the host.

One additional question: Apple suggested making this setting persistent via /etc/sysctl.conf. However, this file does not exist by default on our macOS 26.4.x systems. Is /etc/sysctl.conf still a supported mechanism for persistent sysctl configuration, or is there a preferred modern alternative?

Any documentation or implementation details that can be shared would be greatly appreciated.
1
0
66
6d
Per app network extension filter
Recently, the number of cybersecurity attacks has been steadily increasing. For corporate users, access is provided through special extensions that allow traffic from a specific application to be routed through a tunnel. However, connecting a device to an MDM solution is convenient for large customers, but it creates challenges for small companies and developer teams that need to secure their network connections (for example, when a specific application must be isolated so that all of its traffic is routed exclusively through the tunnel), or protect their local infrastructure by preventing external applications from establishing network connections to unexpected servers (for instance, some applications may make requests to random servers in an attempt to determine their network environment).
2
3
95
6d
Summary of '27 Changes?
There doesn't seem to be a What's New in Networking or What's New in Foundation talk this year, and nothing mentioned in the various Release Notes, so can you summarize the overall changes across platforms, or point to a document that does so?
1
2
139
6d
VPN: Internet inaccessible and include routes traffic is dropped
When enforceRoutes = YES is set on a split tunnel VPN configuration containing only excluded routes, all traffic matching the included routes is silently dropped — no packets reach the VPN tunnel. Only the excluded routes route correctly via the physical adapter. Setting enforceRoutes = NO with an identical configuration restores full connectivity immediately, confirming the issue is specific to the combination of enforceRoutes = YES and a non-empty excludedRoutes. This has been verified on iPadOS 26.

Test Environment
Device: iPad pro 4th gen
OS Version: iPadOS 26.0
VPN Type: NEPacketTunnelProvider

VPN Configuration (NEPacketTunnelNetworkSettings)

```
tunnelRemoteAddress = 103.135.123.108
DNSSettings = {
    protocol = cleartext
    server = (10.34.250.51)
}
IPv4Settings = {
    configMethod = manual
    addresses = (10.34.247.235)
    subnetMasks = (255.255.255.255)
    includedRoutes = (
        { destinationAddress = 0.0.0.0 destinationSubnetMask = 0.0.0.0 }
    )
    excludedRoutes = (
        { destinationAddress = 10.168.10.182 destinationSubnetMask = 255.255.255.255 }
    )
    overridePrimary = NO
}
MTU = 1400
enforceRoutes = YES
includeAllNetworks = NO
```

Reproduction Steps
1. Configure NEPacketTunnelProvider with the settings above
2. Set protocolConfiguration.enforceRoutes = YES
3. Set protocolConfiguration.includeAllNetworks = NO
4. Establish VPN connection and wait for Connected status
5. Attempt to access any internet resource

Observed Behavior
Excluded route (10.168.10.182) correctly routes via physical adapter — confirmed in Wireshark
Included routes (0.0.0.0/0) — zero packets visible in Wireshark on any interface, traffic completely dropped
Internet fully inaccessible — no DNS responses, no TCP connections established

Setting enforceRoutes = NO with an identical route configuration and all other settings unchanged restores full internet connectivity immediately. No other change is made.
1
1
89
6d
iPad stubbornly sticks to one AP rather than roaming
iPad mini 6 with A15 supports WiFi6, but in a company's wifi environment, whose wireless infrastructure is WiFi7 APs with WPA3 enabled, the iPad always sticks to one AP even if I walk away, no matter how weak the signal is. Even if the AP kicks it off to let it roam to a new one because of low RSSI, it still reconnects to the last AP, and is kicked again and again. For user experience, the kicking loop means a discontinuous Internet experience. Forgetting the SSID and rejoining is the only solution, and there is still a chance that it tries to connect to the weak AP after rejoining.
2
0
96
6d
Networking Resources
General: Forums subtopic: App & System Services > Networking TN3151 Choosing the right networking API Networking Overview document — Despite the fact that this is in the archive, this is still really useful. TLS for App Developers forums post Choosing a Network Debugging Tool documentation WWDC 2019 Session 712 Advances in Networking, Part 1 — This explains the concept of constrained networking, which is Apple’s preferred solution to questions like How do I check whether I’m on Wi-Fi? TN3135 Low-level networking on watchOS TN3179 Understanding local network privacy Adapt to changing network conditions tech talk TCP and UDP ports used by Apple software products support article Understanding Also-Ran Connections forums post Extra-ordinary Networking forums post Foundation networking: Forums tags: Foundation, CFNetwork URL Loading System documentation — NSURLSession, or URLSession in Swift, is the recommended API for HTTP[S] on Apple platforms. Moving to Fewer, Larger Transfers forums post Testing Background Session Code forums post Network framework: Forums tag: Network Network framework documentation — Network framework is the recommended API for TCP, UDP, and QUIC on Apple platforms. Building a custom peer-to-peer protocol sample code (aka TicTacToe) Implementing netcat with Network Framework sample code (aka nwcat) Configuring a Wi-Fi accessory to join a network sample code Moving from Multipeer Connectivity to Network Framework forums post NWEndpoint History and Advice forums post Wi-Fi (general): How to modernize your captive network developer news post Wi-Fi Fundamentals forums post Filing a Wi-Fi Bug Report forums post Working with a Wi-Fi Accessory forums post — This is part of the Extra-ordinary Networking series. 
Wi-Fi (iOS): TN3111 iOS Wi-Fi API overview technote Wi-Fi Aware framework documentation WirelessInsights framework documentation iOS Network Signal Strength forums post Network Extension Resources Wi-Fi on macOS: Forums tag: Core WLAN Core WLAN framework documentation Secure networking: Forums tags: Security Apple Platform Security support document Preventing Insecure Network Connections documentation — This is all about App Transport Security (ATS). WWDC 2017 Session 701 Your Apps and Evolving Network Security Standards [1] — This is generally interesting, but the section starting at 17:40 is, AFAIK, the best information from Apple about how certificate revocation works on modern systems. WWDC 2025 Session 314 Get ahead with quantum-secure cryptography Available trusted root certificates for Apple operating systems support article Requirements for trusted certificates in iOS 13 and macOS 10.15 support article About upcoming limits on trusted certificates support article Apple’s Certificate Transparency policy support article What’s new for enterprise in iOS 18 support article — This discusses new key usage requirements. Prepare your network environment for stricter security requirements support article — This is primarily of interest to folks developing management software, for example, an MDM server. Technote 2232 HTTPS Server Trust Evaluation Technote 2326 Creating Certificates for TLS Testing QA1948 HTTPS and Test Servers Miscellaneous: More network-related forums tags: 5G, QUIC, Bonjour On FTP forums post Using the Multicast Networking Additional Capability forums post Investigating Network Latency Problems forums post Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" [1] This video is no longer available from Apple, but the URL should help you locate other sources of this info.
Replies
0
Boosts
0
Views
4.8k
Activity
May ’26
Open Safari from Captive Network Assistant - Is it possible on current iOS?
We operate a captive portal WIFI network in a walled-garden setup. There is no public internet access on this network. Users connect to our SSID and can only reach a local resource. On Android, our captive portal can show a button that launches the devices default browser and navigates to our portal page. We cannot reproduce this on iOS: we can place the button inside the CNA tear sheet but tapping it does not open Safari, the redirect simply does not happen. I found this older thread describing the same need: https://developer.apple.com/forums/thread/75498 From that thread, it seems the behavior changed several times. It reportedly worked around iOS 11.2 then broke again in later releases. My questions: On current iOS, is it possible to open Safarı or the default browser programmatically from within the CNA? For example, via a link or button after authentication? If yes, what is the supported way? If it is not supported, is that intentional? Is there any official documentation describing CNA limitations and the recommended pattern? For a walled-garden network with no public Internet, what is Apple's recommended approach to move the user from the CNA into a full browser session?
Replies
0
Boosts
0
Views
22
Activity
14h
VoIP app (CallKit) not relaying incoming call notifications to paired Apple Watch
Incoming calls reported via reportNewIncomingCall on a CXProvider are correctly presented on the iPhone via CallKit, but are never relayed to the paired Apple Watch. Native cellular calls relay to the Watch correctly on the same devices. What does a VoIP app's CXProvider need to satisfy for callservicesd to consider it eligible for phone continuity relay to paired Apple Watch?
Replies
1
Boosts
0
Views
21
Activity
5h
UDP silently blocked on MacOS 26
We have an app that uses UDP messaging. It has been working for over 3 years successfully. The App is now failing on installation with MacOS26. The issue would appear to be that MacOS is silently blocking the UDP traffic. If we disable the local network for the App, and then turn back on, this will fix the issue. But this needs to be done on every system restart.
Replies
0
Boosts
0
Views
13
Activity
1d
iOS 27 beta Personal Hotspot disconnects from Mac after several minutes
Device: iPhone model + iOS 27 beta build number Mac: Mac model + macOS version Issue: Mac connects to iPhone Personal Hotspot successfully, but after several minutes the hotspot disconnects automatically. Expected: Mac should remain connected while hotspot is enabled and devices are nearby. Actual: Wi-Fi disconnects and Mac loses internet. Workarounds tried: Maximum Compatibility, restarting Wi-Fi, disabling VPN/Shadowrocket, USB tethering. Frequency: happens repeatedly / every X minutes.
Replies
0
Boosts
0
Views
34
Activity
3d
`getaddrinfo()` in forked child crashes in _os_log_preferences_refresh on macOS 26 Tahoe for IPv4-only hosts (FB21364061)
Since macOS 26 (Tahoe), getaddrinfo() with AF_UNSPEC for a hostname whose DNS answer contains only A records (no AAAA) fails in forked child processes when the parent performed DNS resolution, or otherwise initialized os_log, before forking. This is a regression: the same code works on macOS 15.x and earlier.

The child crashes with EXC_BAD_ACCESS (KERN_INVALID_ADDRESS) inside the NAT64 synthesis path:

    _os_log_preferences_refresh (libsystem_trace.dylib)   <- faulting frame
    os_log_type_enabled (libsystem_trace.dylib)
    nw_path_access_agent_cache (Network)
    _nw_path_update_is_viableTm / nw_path_snapshot_path / nw_path_evaluator_evaluate
    nw_nat64_v4_address_requires_synthesis
    _gai_nat64_second_pass (libsystem_info.dylib)
    si_addrinfo -> getaddrinfo

Runtimes that install a SIGSEGV handler (Ruby, Python) do not die; instead the DNS helper thread spins at 100% CPU and the process hangs. We have also captured a parent-side variant where a later fork() deadlocks in the atfork prepare path itself: libSystem_atfork_prepare -> nw_path_prepare_fork -> _os_unfair_lock_lock_slow.

Minimal trigger in C:

    os_log_t log = os_log_create("com.example.repro", "repro");
    os_log(log, "init");
    struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM }, *res;
    getaddrinfo("api.stripe.com", "443", &hints, &res); // parent: IPv4-only host
    if (fork() == 0) {
        getaddrinfo("api.stripe.com", "443", &hints, &res); // child: crashes in _os_log_preferences_refresh
        _exit(0);
    }

Observed behavior and boundaries:

Reproduces on 26.1 through 26.5.1 (25F80). Not reproducible on macOS 15.x.
Only AF_UNSPEC lookups of IPv4-only hostnames are affected. AF_INET hints, IPv6-capable hostnames (for example google.com), numeric literals, and localhost are all immune. AF_INET6-only lookups neither trigger nor prevent it.
The failure is all-or-nothing per parent process: once a parent is in the affected state, every forked child fails.
On 26.5.1 it reproduces most reliably when the process was exec'd over a prior os_log-using image (for example Ruby launched via bundle exec, where the bundler Ruby execs the target Ruby in the same process), and intermittently from a bare shell. On 26.1 even bare runs reproduced readily. This is consistent with per-process logging state surviving exec and then being inherited invalid across fork.

I understand that officially only async-signal-safe calls are supported between fork and exec. But this worked through macOS 15, and it breaks the pre-forking worker model used by major Ruby and Python frameworks (Resque, Unicorn, multiprocessing) on developer machines.

Filed as FB21364061 in December 2025, no response so far. Is this a known issue, and is a fix present or planned in macOS 26.6 or the macOS 27 beta?
Replies
0
Boosts
0
Views
55
Activity
4d
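A fork-safety probe for the behaviour reported in the getaddrinfo() post above, added here as an example and not code from the post or from Apple: it runs a lookup in a forked child under an alarm() watchdog and classifies the child as ok, crashed or hung, so an AF_UNSPEC lookup can be compared with the AF_INET hints the post reports as immune. The names run_in_child, do_lookup, fake_crash and fake_hang are this example's own, and the two fake_* functions are constructed fixtures.

```c
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { CHILD_OK, CHILD_ERROR, CHILD_CRASHED, CHILD_HUNG, FORK_FAILED };
struct lookup { const char *host; int family; };   /* names are this example's own */

/* Child task: resolve host:443 with the requested ai_family; 0 on success. */
int do_lookup(const void *arg) {
    const struct lookup *l = arg;
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = l->family;
    hints.ai_socktype = SOCK_STREAM;
    int rc = getaddrinfo(l->host, "443", &hints, &res);
    if (rc == 0) freeaddrinfo(res);
    return rc;
}

/* Constructed fixtures that imitate the two failure shapes described in the post. */
int fake_crash(const void *arg) { (void)arg; abort(); }
int fake_hang(const void *arg)  { (void)arg; for (;;) pause(); }

/* Fork, run the task in the child under an alarm() watchdog, classify how it ended. */
enum outcome run_in_child(int (*task)(const void *), const void *arg, unsigned secs) {
    fflush(NULL);                      /* keep buffered stdio from being duplicated */
    pid_t pid = fork();
    if (pid < 0) return FORK_FAILED;
    if (pid == 0) {
        signal(SIGALRM, SIG_DFL);
        alarm(secs);                   /* default action kills a child that never returns */
        _exit(task(arg) == 0 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return FORK_FAILED;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGALRM ? CHILD_HUNG : CHILD_CRASHED;
    return WEXITSTATUS(status) == 0 ? CHILD_OK : CHILD_ERROR;
}

int main(int argc, char **argv) {
    static const char *names[] = { "ok", "lookup error", "crashed", "hung", "fork failed" };
    struct lookup unspec = { argc > 1 ? argv[1] : "localhost", AF_UNSPEC };
    struct lookup inet   = { unspec.host, AF_INET };
    do_lookup(&unspec);                /* parent resolves before forking, as in the post */
    printf("child AF_UNSPEC: %s\n", names[run_in_child(do_lookup, &unspec, 10)]);
    printf("child AF_INET:   %s\n", names[run_in_child(do_lookup, &inet, 10)]);
    return 0;
}
```

Pass the hostname to test as the first argument. The probe does not cover the parent-side variant in which fork() itself deadlocks.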
how to remove hotspot-provider
I previously attempted to apply for the hotspot-provider entitlement but was rejected. I no longer require this entitlement. I need to remove the hotspot-provider permission although the Network Extensions capability is checked. However, the generated provisioning profile still includes the hotspot-provider permission, which causes error 409 when I upload the IPA file. I only need the Network Extensions entitlement. Could you please advise how to remove hotspot-provider from the provisioning profile?
Replies
0
Boosts
0
Views
41
Activity
4d
iPhone 17 Cellular High Latency / Lag Spikes caused by Aggressive Modem Power Saving Mechanism
Description of the Issue: We are experiencing intermittent, severe latency spikes during cellular data transmission (specifically with MQTT Publish) on iPhone 17 devices. Through internal testing and cross-referencing with similar user reports online, we suspect this is caused by an aggressive power-saving or sleep mechanism in the cellular modem/iOS network stack when traffic is sporadic or low-frequency.

Steps to Reproduce / Observations:
Establish an MQTT connection over a cellular network (5G/LTE) on an iPhone 17.
Publish messages at irregular or low-frequency intervals (e.g., sporadic IoT data transmission).
Result: Severe latency spikes occur intermittently during transmission.

Diagnostic Findings & Documented Workarounds:
Workaround 1 (Constant Traffic): If we connect a secondary device (e.g., a PC) to the iPhone 17's Personal Hotspot and run a continuous background ping (with a 10ms interval), the MQTT latency spikes disappear completely. This high-frequency traffic prevents the device/modem from dropping into power-save mode.
Workaround 2 (VPN Tunnel): Utilizing a VPN profile (such as Cloudflare's 1.1.1.1 app) significantly mitigates the issue. We suspect this is due to either the VPN's background keep-alive packets maintaining the active state of the modem, or iOS applying a less aggressive power-saving policy to active VPN interfaces.

System Environment:
Device: iPhone 17 series
OS: iOS 19 (or specify your current version)
Network: Cellular (5G/LTE)

Questions Regarding Temporary Workarounds & Mitigations: To unblock our current development and ensure a reliable user experience before an official OS-level fix is deployed, we would highly appreciate Apple's technical guidance on the following questions:
Recommended Keep-Alive Mechanism: Since higher frequency traffic effectively prevents the modem from entering power-save mode, does iOS have a recommended, power-efficient way for an application to maintain an active cellular network state (e.g., recommended TCP/MQTT keep-alive intervals or NWPathEvaluator configurations) without being suspended or penalized by the system?
Network Optimization APIs: Are there specific Network Framework APIs (Network.framework) or socket configuration flags (such as Multipath TCP, or Quality of Service (QoS) flags like Background vs Default) that can signal to the iOS kernel to apply a less aggressive power-saving policy on the active cellular interface?
Background Execution Policy: For IoT applications that need to publish MQTT data seamlessly while running in the background, what is the best practice to prevent the cellular link from dropping into deep sleep mode?

We would appreciate it if the Apple Network/CoreOS engineering team could look into this cellular power management behavior. Thank you for your support.
Replies
0
Boosts
0
Views
49
Activity
4d
A Wi-Fi Aware network adapter has appeared in macOS 27 beta.
When entering the following command in macOS 27 beta:

    lvbojie@Mac ~ % netstat -I nan0 1
    Name   Mtu   Network      Address             Ipkts Ierrs  Opkts Oerrs  Coll
    nan0*  1500  <Link#25>    66:31:00:4c:3c:b5       0     0     41     0     0
    nan0*  1500  fe80::6431:  fe80:19::6431:ff:       0     -     41     -     -
    liushicong@Mac ~ % netstat -I nan0 1

The nan0 network interface is displayed. Does this indicate that macOS will support Wi-Fi Aware in the near future?
Replies
0
Boosts
0
Views
65
Activity
4d
URL Filters not activating on iOS 27 beta
(Also submitted as FB23072541)

iOS 27 beta 1 brings a brand new error which ends up resulting in a state of .serverSetupIncomplete:

    <NEPIRChecker: 0x7de6c79b60>: -[NEPIRChecker start:responseQueue:completionHandler:]_block_invoke - PIR status returned error <Error Domain=com.apple.CipherML Code=1100 "Unable to query status due to errors: Error details were logged and redacted." UserInfo={NSLocalizedDescription=Unable to query status due to errors: Error details were logged and redacted., NSUnderlyingError=0x7de712f4e0 {Error Domain=com.apple.CipherML Code=1800 "Error details were logged and redacted." UserInfo={NSLocalizedDescription=Error details were logged and redacted.}}}>
    <NEAgentURLFilterExtension: 0x7de6d24e60>: -[NEAgentURLFilterExtension startURLFilter]_block_invoke - Failed to startFilter <Error Domain=NEMembershipCheckerErrorDomain Code=3 "(null)">

What’s a NEMembershipChecker? Member of what? Digging deeper I found these:

    Failed to prefetch tokens for group 'site.kaylees.Wipr2': Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good, NSErrorFailingURLKey=https://pirissuer.kaylees.site/token-key-for-user-token, NSUnderlyingError=0x7517125a40 {Error Domain=NSPOSIXErrorDomain Code=50 "Network is down" UserInfo={NSDescription=Network is down}}, _NSURLErrorPrivacyProxyFailureKey=true, NSLocalizedDescription=The Internet connection appears to be offline.}
    queryStatus(for:options:) threw an error: Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good, NSErrorFailingURLKey=https://pirissuer.kaylees.site/token-key-for-user-token, NSUnderlyingError=0x7517125b00 {Error Domain=NSPOSIXErrorDomain Code=50 "Network is down" UserInfo={NSDescription=Network is down}}, _NSURLErrorPrivacyProxyFailureKey=true, NSLocalizedDescription=The Internet connection appears to be offline.}

The connection and the URL mentioned are fine of course, but "Network is down" now?

This new problem only affects the App Store version of my app – not present if I install from Xcode. Users report that oddly, having an active VPN on the device works around this bug.
Replies
2
Boosts
1
Views
104
Activity
1d
IOS 27 WiFi
I started losing my WiFi connection and then my password would no longer work. I restarted iPhone and the same thing, used the forget network and same thing. I then restarted the WiFi router and the WiFi worked correctly again.
Replies
1
Boosts
0
Views
51
Activity
5d
Documentation of Wide-Area Bonjour Support
Is there any current documentation of Wide-Area Bonjour support in macOS? While the system-level defaults still seem to be the same, in the past there were bugs in the various HMAC and other authentication mechanisms for dynamic updates. Is there a source for current documentation?
Replies
2
Boosts
0
Views
84
Activity
6d
Network Extension behaviour with PAC
Hello,

We have a Network extension transparent proxy (NETransparentProxyProvider) that receives browser TCP flows as NEAppProxyTCPFlow. For each flow we create an NWConnection to the flow's original destination and set NEParameters.preferNoProxies = true - expecting the outbound connection to bypass the user's HTTP/HTTPS proxy and PAC so it goes to the destination server directly. However, in practice we see connections still being redirected to local proxy after being evaluated against the PAC rules using the destination IP and port.

Our questions are:
Could we expect preferNoProxies to be respected when a PAC exists on the endpoint and supersede the PAC rule decision? If yes, what would be the best way to file a bug and what information do you need?
If not, is there any other way of making sure that the outbound NWConnection created by the transparent proxy is not redirected to a proxy and goes directly to the destination?
One other way of avoiding our NWConnection being redirected to the proxy is to use hostname instead of destination IP. Would there be a reliable way of getting hostname for the NEAppProxyTCPFlow so that PAC can correctly filter all NWConnection based on rules? We have explored remoteHostname but it's generally not available for connections from browsers other than Safari.
Replies
2
Boosts
0
Views
152
Activity
6d
Reachability
Hello, We recently moved to the NWPath.Status implementation for reachability, is that the same reachability that powers URLSessionConfiguration.waitsForConnectivity? Or does the NWPath implementation rely on a specific network path such as cell only or wifi only? Is using NWPath still the best way to measure if the network is reachable? Thank you!
Replies
1
Boosts
0
Views
75
Activity
6d
Managing Concurrent Network Requests
Hello, Our app makes a lot of requests and we are starting to wrangle them into a priority queue style structure for ordered execution. As we get further into that work, is there guidance on how many requests URLSession will queue and does that change based on connectivity or network quality? Thank you!
Replies
2
Boosts
0
Views
83
Activity
6d
Happy Eyeballs version 3
Moin! Can you comment if anything of the happy eyeballs version 3 IETF draft ( https://datatracker.ietf.org/doc/draft-ietf-happy-happyeyeballs-v3/ ) is in the 27 version of OSes? So long -Ralf
Replies
1
Boosts
0
Views
66
Activity
6d
net.link.bridge.use_dhcp_xid flag behavior
We are investigating bridged Wi-Fi DHCP behavior on recent macOS releases and would appreciate some clarification regarding the net.link.bridge.use_dhcp_xid sysctl.

We observed that with the default setting, DHCP packets transmitted from a virtual machine through a bridged Wi-Fi interface may have their DHCP client identity modified (chaddr). In our testing, setting:

    net.link.bridge.use_dhcp_xid=0

prevents this behavior and restores the DHCP packet format observed on older macOS versions.

We would like to better understand the intended purpose of this sysctl:
What functionality does net.link.bridge.use_dhcp_xid control internally?
Besides DHCP chaddr rewriting, what other bridge or DHCP processing behavior is affected by this setting?
Is this sysctl related to DHCP snooping, anti-spoofing protection, Wi-Fi bridging compatibility, or another mechanism?
Is the current default behavior (use_dhcp_xid=1) a recent change introduced in macOS 26.4.x?
Is the modified DHCP behavior considered expected and supported, or is it intended as an implementation detail?

For additional context, we previously submitted feedback regarding DHCP handling for virtual machines using Virtualization Framework. Since packet modification is restricted from user space, we are wondering whether this sysctl is related to DHCP processing implemented by the bridge subsystem to address DHCP spoofing, client identification, or Wi-Fi bridging limitations.

One concern we have is that net.link.bridge.use_dhcp_xid appears to be a system-wide setting. In our use case, DHCP handling requirements may differ between virtual machines, networks, and environments. As a result, changing a global bridge behavior for the entire host system is not always desirable. If this sysctl is intended to control DHCP processing for bridged virtual machines, would it be possible to expose similar functionality on a per-interface, per-bridge, or per-VM basis rather than as a host-wide setting? This would allow virtualization products to adapt DHCP behavior to specific network environments without affecting all bridged networking on the host.

One additional question: Apple suggested making this setting persistent via /etc/sysctl.conf. However, this file does not exist by default on our macOS 26.4.x systems. Is /etc/sysctl.conf still a supported mechanism for persistent sysctl configuration, or is there a preferred modern alternative?

Any documentation or implementation details that can be shared would be greatly appreciated.
Replies
1
Boosts
0
Views
66
Activity
6d
Per app network extension filter
Recently, the number of cybersecurity attacks has been steadily increasing. For corporate users, access is provided through special extensions that allow traffic from a specific application to be routed through a tunnel. However, connecting a device to an MDM solution is convenient for large customers, but it creates challenges for small companies and developer teams that need to secure their network connections (for example, when a specific application must be isolated so that all of its traffic is routed exclusively through the tunnel), or protect their local infrastructure by preventing external applications from establishing network connections to unexpected servers (for instance, some applications may make requests to random servers in an attempt to determine their network environment).
Replies
2
Boosts
3
Views
95
Activity
6d
Summary of '27 Changes?
There doesn't seem to be a What's New in Networking or What's New in Foundation talk this year, and nothing mentioned in the various Release Notes, so can you summarize the overall changes across platforms, or point to a document that does so?
Replies
1
Boosts
2
Views
139
Activity
6d
VPN: Internet inaccessible and include routes traffic is dropped
When enforceRoutes = YES is set on a split tunnel VPN configuration containing only excluded routes, all traffic matching the included routes is silently dropped — no packets reach the VPN tunnel. Only the excluded routes route correctly via the physical adapter. Setting enforceRoutes = NO with an identical configuration restores full connectivity immediately, confirming the issue is specific to the combination of enforceRoutes = YES and a non-empty excludedRoutes. This has been verified on iPadOS 26.

Test Environment
Device: iPad pro 4th gen
OS Version: iPadOS 26.0
VPN Type: NEPacketTunnelProvider

VPN Configuration (NEPacketTunnelNetworkSettings)

    tunnelRemoteAddress = 103.135.123.108
    DNSSettings = {
        protocol = cleartext
        server = (10.34.250.51)
    }
    IPv4Settings = {
        configMethod = manual
        addresses = (10.34.247.235)
        subnetMasks = (255.255.255.255)
        includedRoutes = (
            {
                destinationAddress = 0.0.0.0
                destinationSubnetMask = 0.0.0.0
            }
        )
        excludedRoutes = (
            {
                destinationAddress = 10.168.10.182
                destinationSubnetMask = 255.255.255.255
            }
        )
        overridePrimary = NO
    }
    MTU = 1400
    enforceRoutes = YES
    includeAllNetworks = NO

Reproduction Steps
Configure NEPacketTunnelProvider with the settings above
Set protocolConfiguration.enforceRoutes = YES
Set protocolConfiguration.includeAllNetworks = NO
Establish VPN connection and wait for Connected status
Attempt to access any internet resource

Observed Behavior
Excluded route (10.168.10.182) correctly routes via physical adapter — confirmed in Wireshark
Included routes (0.0.0.0/0) — zero packets visible in Wireshark on any interface, traffic completely dropped
Internet fully inaccessible — no DNS responses, no TCP connections established

Setting enforceRoutes = NO with an identical route configuration and all other settings unchanged restores full internet connectivity immediately. No other change is made.
Replies
1
Boosts
1
Views
89
Activity
6d
iPad stubbornly sticks to one AP rather than roaming
iPad mini 6 with A15 supports WiFi6, but in a company's wifi environment, whose wireless infrastructure is WiFi7 APs with WPA3 enabled, the iPad always sticks to one AP even if I walk away, no matter how weak the signal is. Even if the AP kicks it off to let it roam to a new one because of low RSSI, it still reconnects to the last AP, and is kicked again and again. For user experience, the kicking loop means a discontinuous Internet experience. Forgetting the SSID and rejoining is the only solution, and there is still a chance that it tries to connect to the weak AP after rejoining.
Replies
2
Boosts
0
Views
96
Activity
6d