Hi all, I have a requirement to intercept and modify inbound connections on macOS. For example, if I’m running a server on TCP port 8080 on macOS, I want to intercept all traffic to and from this port. I’m open to working at the level of TCP flows or even raw Ethernet packets, depending on what’s feasible. I’m already successfully using NETransparentProxy to intercept outbound traffic, but I haven’t found a way to handle inbound connections using any of the Network Extension APIs. Is there any supported or alternative approach for intercepting inbound traffic (via NE, NKEs, PF, or something else)? Any guidance would be greatly appreciated. Thanks in advance!

Hello there, Starting from iOS 18.4, support was included for QWAC Validation and QCStatements. Using the official QWAC Validator at: https://eidas.ec.europa.eu/efda/qwac-validation-tool I was able to check that the domain "eidas.ec.europa.eu" has a valid QWAC certificate. However, when trying to obtain the same result using the new API, I do not obtain the same result. Here is my sample playground code: import Foundation import Security import PlaygroundSupport PlaygroundPage.current.needsIndefiniteExecution = true @MainActor class CertificateFetcher: NSObject, URLSessionDelegate { private let url: URL init(url: URL) { self.url = url super.init() } func start() { let session = URLSession(configuration: .ephemeral, delegate: self, delegateQueue: nil) let task = session.dataTask(with: url) { data, response, error in if let error = error { print("Error during request: \(error)") } else { print("Request completed.") } } task.resume() } nonisolated func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) { guard let trust = challenge.protectionSpace.serverTrust else { completionHandler(.cancelAuthenticationChallenge, nil) return } if let certificates = SecTrustCopyCertificateChain(trust) as? [SecCertificate] { self.checkQWAC(certificates: certificates) } let credential = URLCredential(trust: trust) completionHandler(.useCredential, credential) } nonisolated func checkQWAC(certificates: [SecCertificate]) { let policy = SecPolicyCreateSSL(true, nil) var trust: SecTrust? guard SecTrustCreateWithCertificates(certificates as CFArray, policy, &trust) == noErr, let trust else { print("Unable to create SecTrust") return } var error: CFError? guard SecTrustEvaluateWithError(trust, &error) else { print("Trust evaluation failed") return } guard let result = SecTrustCopyResult(trust) as? [String : Any] else { print("No result dictionary") return } let qwacStatus = result[kSecTrustQWACValidation as String] let qcStatements = result[kSecTrustQCStatements as String] print("QWAC Status: \(String(describing: qwacStatus))") print("QC Statements: \(String(describing: qcStatements))") } } let url = URL(string: "https://eidas.ec.europa.eu/")! let fetcher = CertificateFetcher(url: url) fetcher.start() Which prints: QWAC Status: nil QC Statements: nil Request completed. Am I making a mistake while using the Security framework? I would greatly appreciate any help or guidance you can provide.

iOS 26 NWPathMonitor dont handle any updates - always all good.

Hello everyone, I'm developing a macOS application with an integrated Content Filter System Extension. Both the main app and the extension are signed with a Developer ID Application provisioning profile. When building in Xcode, I'm encountering an entitlement mismatch error. I've inspected the provisioning profile using the command: security cms -D -i FilterContentExtension-prod-profile.provisionprofile | grep -A 10 com.apple.developer.networking.networkextension And found that the com.apple.developer.networking.networkextension section only contains values with the -systemextension suffix, for example: content-filter-provider-systemextension. However, when I enable Network Extension → Content Filter in Xcode, the .entitlements file is generated with: content-filter-provider. This leads to the error: "Provisioning profile 'FilterContentExtension-prod-profile' doesn't match the entitlements file’s value for the com.apple.developer.networking.networkextension entitlement." My specific questions are: Why does this error occur? How can I use the content-filter-provider entitlement? If I want to use the content-filter-provider entitlement inside com.apple.developer.networking.networkextension for my Content Filter System Extension, what should I do?

(related post: How to optimize my app for for a carrier-provided satellite network? ) I am trying to implement an app so that it works under a carrier-provided satellite network. The app uses (AS)WebAuthenticationSession for signing in. If the app is entitled to access a satellite network, will (AS)WebAuthenticationSession work as well? How about WKWebView and SFSafariViewController? Is there a way to test(simulate) a ultra-constrained network on a device or a simulator to see the expected behavior? Thanks,

On one test machine, our extension wouldn't load, because [NETransparentProxyManager loadAllFromPreferencesWithCompletionHandler] can't find a manager, saying Skipping configuration appname because it is of the wrong type. This is the first time I've seen this behaviour. (The containing app tries to find a configuration, if it can't find it it creates one, then modifies whatever it found or created, then stores it. I don't have the right logging yet for that, so I can't see the error messages. [NSLog instead of os_log_error.])

We are developing an IoT companion app that connects to the IoT device's Wi-Fi network and communicates with it through local network APIs. To support this functionality, we have: Added the necessary keys in the Info.plist. NSLocalNetworkUsageDescription , NSBonjourServices Used a Bonjour service at app launch to trigger the local network permission prompt. Problem on iOS 18.x (including 18.6 beta) Even when the user explicitly denies the local network permission, our API communication still works. This is unexpected behavior, as we assume denying permission should restrict access to local network communication. We tested this with the latest iOS 18.6 beta (as per Thread 789461021), but the issue still persists. This behavior raises concerns about inconsistent permission enforcement in iOS 18.x. Problem on iOS 17.x In iOS 17.x, if the user accidentally denies the local network permission and later enables it manually via Settings, the change does not take effect immediately. The app cannot access the local network unless the device is restarted, which results in a confusing and poor user experience. Expected Behavior If local network permission is denied, local API communication should be strictly blocked. If the permission is later enabled via Settings, the app should regain access without requiring a device restart. Request We request clarification and resolution on: Why local network APIs are accessible even when permission is denied on iOS 18.x. Whether the delayed permission update (requiring restart) in iOS 17.x is expected or a known issue. Best practices to ensure consistent and predictable permission handling across iOS versions.

I'm new to Control Filter Extensions and have a question about their network capabilities. I'm building an app that processes network data and need to send some results to a remote server. My main questions: Are Control Filter Extensions officially permitted to make outbound UDP connections? I want to confirm this is a supported capability before implementing the network export functionality. What specific entitlements are required for outbound network access? Currently using content-filter-provider - do I need additional network-related entitlements? Are there any restrictions or considerations for UDP data export in production vs development builds? I want to ensure I'm following Apple's guidelines and using the correct entitlements for this type of data export from a Control Filter Extension. Any guidance on the official network capabilities and required setup would be greatly appreciated!

As a third-party application on Apple Watch, can it be located in the same LAN httpServer? Currently, when testing to initiate an http request in the LAN, the connection timeout is returned, code: -1001 self.customSession.request("http://10.15.48.191:9000/hello").response { response in switch response.result { case .success(let data): dlog("✅ 请求成功，收到数据：") if let html = String(data: data ?? Data(), encoding: .utf8) { dlog(html) } case .failure(let error): dlog("❌ 请求失败：\(error.localizedDescription)") } } 执行后报错 Task <B71BE820-FD0E-4880-A6DD-1F8F6EAF98B0>.<1> finished with error [-1001] Error Domain=NSURLErrorDomain Code=-1001 "请求超时。" UserInfo={_kCFStreamErrorCodeKey=-2102, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <B71BE820-FD0E-4880-A6DD-1F8F6EAF98B0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <B71BE820-FD0E-4880-A6DD-1F8F6EAF98B0>.<1>", "LocalDataPDTask <B71BE820-FD0E-4880-A6DD-1F8F6EAF98B0>.<1>", "LocalDataTask <B71BE820-FD0E-4880-A6DD-1F8F6EAF98B0>.<1>" ), NSLocalizedDescription=请求超时。, _kCFStreamErrorDomainKey=4, NSErrorFailingURLStringKey=http://10.15.48.191:9000/hello, NSErrorFailingURLKey=http://10.15.48.191:9000/hello}

I have an iPad app that uses Network framework to allow iPads to wirelessly communicate via their built-in ad hoc network capability. However, our app is used in an enterprise environment and there's concern about them communicating wirelessly, so I've been tasked with looking into wired communication. Question: I've read that iOS can connect to a wifi network using an Ethernet adapter, but would this work for ad hoc networking? For ex, if I connect 2 iPads via Ethernet cables to each other (not to the wifi router), and have the NWListener start broadcasting itself, can the NWBrowser find it and establish an ad-hoc connection via the Ethernet cables (and not the wireless cards inside the iPads). The iPads don't have any wifi connections established so they wouldn't be able to communicate any other way. My guess is no...though if they did connect, how would I know it has happening via the cables and not via the wireless ad hoc capability, because I'm guessing there's no way to turn off just the wireless part of the ad hoc feature? If you disable the wifi on an iPad, you're also disabling ad hoc, right? I'm pretty sure there's no way to programmatically send data back and forth between iPads using a USB-C cable connection, so I'm trying to determine if Ethernet cables would work.

Hi, I am trying to create an App which connects to a Device via Wifi and then has to do some HTTP Requests. Connecting to the Wifi is working properly but when I try to make an HTTP API Call I get the response that the Domain is unavailable (No Internet Connection). I created the App in Flutter on Android everything works perfectly. The packages are all iOS Compatible. But in Safari the URL works so it is probably a permission Issue. I have the Following permissions granted: NSAppTransportSecurity NSBonjourServices NSLocalNetworkUsageDescription I even have Multicast Networking When I test the App I get asked to grant the access to local Network which I am granting. I don´t know what I should do next can somebody help? Feel free to ask for more Information

Hi! I recently had an idea to build an iOS app that allows users to create a system-level block of specified web domains by curating a "blacklist" on their device. If the user, for instance, inputs "*example.com" to their list, their iPhone would be blocked from relaying that network traffic to their ISP/DNS, and hence return an error message ("iPhone can't open the page because the address is invalid") instead of successfully fetching the response from example.com's servers. The overarching goal of this app would be to allow users to time-block their use of specified websites/apps and grant them greater agency over their technology consumption, and I thought that an app that blocks traffic at the network level, combined with the ability to control when to/not to allow access, would be a powerful alternative to the existing implementations out there that work more on the browser-level (eg. via Safari extension, which is isolated to the scope of user's Safari browser) or via Screen Time (which can be easy to bypass by inputting one's passcode). Another thing to mention is that since the app would serve as a local DNS proxy (instead of relying on a third party DNS resolver), none of their internet activity will be collected/transmitted off-device and be used for commercial purposes. I feel particularly driven to create a privacy-centered app in this way, since no user data needs to be harvested to implement this kind of filtering. I'd also love to get suggestions for a transparent privacy policy that respects users control over their device. With all this said, I found that the Network Extension APIs may be the only way that an app like this could be built on iOS and, I wanted to ask if the above-mentioned use case of Network Extension would be eligible to be granted access to its entitlement before I go ahead and purchase the $99/year Apple Developer Program membership. Happy to provide further information, and I'd also particularly be open to any mentions of existing solutions out there (since I might have missed some in my search). Maybe something like this already exists, in which case it'd be great to know in any case! :). Thank you so much in advance!

We need your assistance as we are currently facing an issue without a workaround for users on macOS 15.4 and 15.5. FeedbackID: FB17547675 The problem has been observed on macOS versions 15.4 and 15.5. Apple has acknowledged this issue and confirmed that it is fixed in the macOS 15.6 beta. Although we tried to reproduce the issue in our environment, it did not occur, even on macOS 15.5. Therefore, we cannot verify if the fix in macOS 15.6 beta resolves the problem. We are actively working to identify an appropriate workaround for users on macOS 15.5. Some users have reported a failure to obtain an IP address over Wi-Fi, possibly due to a DHCP failure. As a temporary solution, we added logic to restart Wi-Fi programmatically when either an APIPA address (169.254.x.x) or no IPv4 address is detected on the active interface. However, restarting Wi-Fi does not always resolve the issue, and the device may still fail to obtain an IP address over Wi-Fi or Ethernet. Could you advise if there is a reliable method to detect DHCP failure and recover the device from this state? Also, any idea, how we can reproduce this scenario in our machine? Below is the failure. default 2025-06-27 10:07:57.055003 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:07:57.055269 -0700 configd DHCP en0: status = 'no server' default 2025-06-27 10:08:23.336215 -0700 airportd WiFiUsageBssSession:: ChannelAfterRoam=0; ChannelAtJoin=36; FaultReasonApsdTimedOut=0; FaultReasonArpFailureCount=0; FaultReasonBrokenBackhaulLinkFailed=0; FaultReasonDhcpFailure=0; default 2025-06-27 10:08:23.367852 -0700 configd DHCP en0: status = 'media inactive' default 2025-06-27 10:08:23.367909 -0700 configd DHCP en0: INACTIVE default 2025-06-27 10:08:23.988565 -0700 configd DHCP en0: status = 'media inactive' default 2025-06-27 10:08:23.988703 -0700 configd DHCP en0: INACTIVE info 2025-06-27 10:08:23.988852 -0700 configd DHCPv6 en0: Inactive default 2025-06-27 10:08:35.656415 -0700 configd DHCP en0: status = 'network changed' default 2025-06-27 10:08:35.656817 -0700 configd DHCP en0: INIT default 2025-06-27 10:08:35.656821 -0700 configd DHCP en0: supplying device type 'Mac' info 2025-06-27 10:08:35.656934 -0700 configd DHCP en0: busy default 2025-06-27 10:08:35.657351 -0700 configd DHCP en0: INIT waiting at 0 for 1.358613 info 2025-06-27 10:08:35.657404 -0700 configd DHCPv6 en0: Inactive default 2025-06-27 10:08:37.019229 -0700 configd DHCP en0: INIT waiting at 1.36206 for 2.113913 default 2025-06-27 10:08:39.136955 -0700 configd DHCP en0: INIT waiting at 3.47937 for 4.462224 default 2025-06-27 10:08:43.602229 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:08:43.603143 -0700 configd DHCP en0: INIT waiting at 7.94533 for 8.128784 default 2025-06-27 10:08:51.735532 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:08:51.735846 -0700 configd DHCP en0: INIT waiting at 16.0786 for 8.749985 default 2025-06-27 10:09:00.488315 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:09:00.488550 -0700 configd DHCP en0: INIT waiting at 24.8313 for 8.496864 default 2025-06-27 10:09:08.988284 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:09:08.988310 -0700 configd DHCP en0: reported address acquisition failure symptom default 2025-06-27 10:09:08.988579 -0700 configd DHCP en0: INIT waiting at 33.3312 for 8.300735 default 2025-06-27 10:09:17.294478 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:17.294485 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:17.295454 -0700 configd DHCP en0: INIT waiting at 41.6373 for 8.798768 default 2025-06-27 10:09:26.096673 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:26.096688 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:26.097553 -0700 configd DHCP en0: INIT waiting at 50.4394 for 8.807943 default 2025-06-27 10:09:34.909050 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:34.909054 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:34.909375 -0700 configd DHCP en0: INIT waiting at 59.2517 for 8.877971 default 2025-06-27 10:09:43.792458 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:43.792464 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:43.793641 -0700 configd DHCP en0: status = 'no server' info 2025-06-27 10:09:43.794145 -0700 configd DHCP en0: not busy DNS failure resolver #1 flags : reach : 0x00000000 (Not Reachable) resolver #2 domain : local options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300000 resolver #3 domain : 254.169.in-addr.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300200 resolver #4 domain : 8.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300400 resolver #5 domain : 9.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300600 resolver #6 domain : a.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300800 resolver #7 domain : b.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 301000 Route table Destination Gateway Flags Netif Expire 127 127.0.0.1 UCS lo0 127.0.0.1 127.0.0.1 UH lo0 169.254 link#14 UCS en0 ! 169.254.160.160/32 link#14 UCS en0 ! 224.0.0/4 link#14 UmCS en0 ! 224.0.0.251 1:0:5e:0:0:fb UHmLWI en0 239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0 255.255.255.255/32 link#14 UCS en0 !

Hey, We also opened a feedback assistant request, and also opened a ticket with Apple Developer Technical Support a while ago that notice the unmount problem also but it was before we pin point the problem to the Network Extension. After a further investigation, we've found out that the root cause of this problem is cause by having a network filter from the NetworkExtension provider on (Specifically we have tested with the NEFilterDataProvider) while having a Xsan volume. The NEFilterDataProvider causing problems for the Xsan, and is stalling the shutdown until we get a panic from watchdog timeout, and only then the mac is fully shutdown. The problem from what we investigated and also talked with you, is that the Xsan process can't unmount the volume and stuck. We have also noticed that if we install a network extension and allow the popup of the network filters, i.e enabled the NEFilterDataProvider the computer is stuck, and the finder is in a non responsive state until a reboot (Also probably due to the fact the Xsan is now in a problematic state). This tests was done on latest versions of MacOs 13 & 14. We have taken a sysdiagnose from the computer while we have tested. Do you familiar with the problem (We got no answer on the feedback assistant)? Thank you, Idan

We are implementing a connection between iPad and iPhone devices using LocalPushConnectivity, and have introduced SimplePushProvider into the project. We will have it switch between roles of Server and Client within a single project. ※ iPad will be Server and the iPhone will be Client. Communication between Server and Client is via TLS, with Server reading p12 file and Client setting public key. Currently, a TLS error code of "-9836" (invalid protocol version) is occurring when communicating from Client's SimplePushProvider to Server. I believe that Client is sending TLS1.3, and Server is set to accept TLS1.2 to 1.3. Therefore, I believe that the actual error is not due to TLS protocol version, but is an error that is related to security policy or TLS communication setting. Example: P12 file does not meet some requirement NWProtocolTLS.Options setting is insufficient etc... I'm not sure what the problem is, so please help. For reference, I will attach you implementation of TLS communication settings. P12 file is self-signed and was created by exporting it from Keychain Access. Test environment: iPad (OS: 16.6) iPhone (OS: 18.3.2) ConnectionOptions: TLS communication settings public enum ConnectionOptions { public enum TCP { public static var options: NWProtocolTCP.Options { let options = NWProtocolTCP.Options() options.noDelay = true options.enableFastOpen return options } } public enum TLS { public enum Error: Swift.Error { case invalidP12 case unableToExtractIdentity case unknown } public class Server { public let p12: URL public let passphrase: String public init(p12 url: URL, passphrase: String) { self.p12 = url self.passphrase = passphrase } public var options: NWProtocolTLS.Options? { guard let data = try? Data(contentsOf: p12) else { return nil } let pkcs12Options = [kSecImportExportPassphrase: passphrase] var importItems: CFArray? let status = SecPKCS12Import(data as CFData, pkcs12Options as CFDictionary, &amp;importItems) guard status == errSecSuccess, let items = importItems as? [[String: Any]], let importItemIdentity = items.first?[kSecImportItemIdentity as String], let identity = sec_identity_create(importItemIdentity as! SecIdentity) else { return nil } let options = NWProtocolTLS.Options() sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, .TLSv12) sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, .TLSv13) sec_protocol_options_set_local_identity(options.securityProtocolOptions, identity) sec_protocol_options_append_tls_ciphersuite(options.securityProtocolOptions, tls_ciphersuite_t.RSA_WITH_AES_128_GCM_SHA256) return options } } public class Client { public let publicKeyHash: String private let dispatchQueue = DispatchQueue(label: "ConnectionParameters.TLS.Client.dispatchQueue") public init(publicKeyHash: String) { self.publicKeyHash = publicKeyHash } // Attempt to verify the pinned certificate. public var options: NWProtocolTLS.Options { let options = NWProtocolTLS.Options() sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, .TLSv12) sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, .TLSv13) sec_protocol_options_set_verify_block( options.securityProtocolOptions, verifyClosure, dispatchQueue ) return options } private func verifyClosure( secProtocolMetadata: sec_protocol_metadata_t, secTrust: sec_trust_t, secProtocolVerifyComplete: @escaping sec_protocol_verify_complete_t ) { let trust = sec_trust_copy_ref(secTrust).takeRetainedValue() guard let serverPublicKeyData = publicKey(from: trust) else { secProtocolVerifyComplete(false) return } let keyHash = cryptoKitSHA256(data: serverPublicKeyData) guard keyHash == publicKeyHash else { // Presented certificate doesn't match. secProtocolVerifyComplete(false) return } // Presented certificate matches the pinned cert. secProtocolVerifyComplete(true) } private func cryptoKitSHA256(data: Data) -&gt; String { let rsa2048Asn1Header: [UInt8] = [ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00 ] let data = Data(rsa2048Asn1Header) + data let hash = SHA256.hash(data: data) return Data(hash).base64EncodedString() } private func publicKey(from trust: SecTrust) -&gt; Data? { guard let certificateChain = SecTrustCopyCertificateChain(trust) as? [SecCertificate], let serverCertificate = certificateChain.first else { return nil } let publicKey = SecCertificateCopyKey(serverCertificate) return SecKeyCopyExternalRepresentation(publicKey!, nil)! as Data } } } }

Hello, I am seeking guidance regarding the com.apple.managed.vpn.shared keychain access group entitlement for our iOS app, which is required to support managed VPN configurations distributed via MDM profiles. Background: Our app uses the Network Extension framework and requires access to VPN credentials stored in configuration profiles, which—according to Apple documentation and forum posts—necessitates the com.apple.managed.vpn.shared entitlement We have already enabled the standard Network Extension entitlements via the Apple Developer portal What I Have Tried: I referenced the advice from a past Apple DTS engineer in this forum post: https://developer.apple.com/forums/thread/67613 I have submitted multiple requests to Apple Developer Technical Support (DTS) over the past two months, clearly explaining our use case and referencing the official documentation as well as the above forum thread Unfortunately, I have either received no response or responses that do not address my request for the special entitlement Questions: Has anyone successfully received the com.apple.managed.vpn.shared entitlement recently? If so, what was the process and how long did it take? Is there a specific format or information I should include in my DTS request to expedite the process or avoid misunderstandings? Are there any alternative contacts or escalation paths within Apple Developer Support for cases where standard DTS requests are ignored or misunderstood? Thank you in advance for your help

Samsung's Quick Share uses Wi-Fi Aware to achieve one-to-many concurrent sharing. Can Apple's Wi-Fi Aware achieve one-to-many concurrent sharing? Apple's AirDrop does support one-to-many concurrent sharing.

Hello, I have a question about developing an iOS app for general public. Can such an app use DNS Proxy Provider? The TN3134: Network Extension provider deployment article states that DNS Proxy Provider has the following restriction: "per-app on managed devices". Does this imply that a DNS Proxy Provider that can be used in a regular iOS App Store app? On the other hand, NEDNSProxyProvider only works with NEAppProxyFlow, is it possible to make it NOT per-app?

[Q] How many instances of the same NEFilterDataProvider subclass can there be in a single running Network Extension at any given time? I would expect that there can be only 1 instance but I'm looking at a memgraph where 2 instances are listed. As it's the Network Extension framework that is responsible for creating, starting and stopping these instances, this is rather strange.

Hi everyone, I’m working on an iOS project where an iPhone needs to connect to external scanners (dedicated hardware devices) over Wi-Fi. The goal is to: Discover available Wi-Fi networks from the scanner devices (broadcasting their own networks). Allow the user to seamlessly connect to the chosen scanner network. Network Discovery: Is there a way to programmatically list available Wi-Fi networks (SSIDs) on iOS without private APIs? If not, are there workarounds (e.g., Bonjour/mDNS)? Seamless Connection: As I see, we can use NEHotspotConfigurationManager to connect to and disconnect from specified networks and there will always be a system alert asking about do we really want to join this network Hardware/Firmware/Software Alternatives: If iOS restrictions prevent this, what alternatives exist? For example: Hardware: Scanners supporting Bluetooth LE for initial pairing, then Wi-Fi provisioning. Firmware: Scanners acting as clients on the same network as the iPhone (e.g., via user’s home/office Wi-Fi). Software: A companion app for the scanner that shares network credentials via QR code/NFC, or a local web server on the scanner for setup. Context: Target: iOS 16+ No jailbreaking; App Store compliance is a must. Scanners can be configured to act as APs or clients.