Have you ever encountered the issue where the Wi-Fi MAC address information can no longer be retrieved after I updated to iOS 26?

We are having an issue with the Local Network permission pop-up not getting triggered for our apps that need to communicate with devices via local network interfaces/addresses. As we understand, apps using UDP should trigger this, causing macOS to prompt for access, or, if denied, fail to connect. However, we are facing issues with macOS not prompting this popup at all. Here are important and related points: Our application is packaged as a .app package and distributed independently (not on the App Store). The application controls hardware that we manufacture. In order to find the hardware on the network, we send a UDP broadcast with a message for our hardware on the local network, and the hardware responds with a message back. However, the popup (to ask for permission) never shows up. The application is not able to find the hardware device. It is interesting to note that data is still sent out to the network (without the popup) but we receive back the wrong data. The behaviour is consistent macOS Sequoia (and above) with both Apple And Intel silicon. Workarounds that have been tried: Manual Authorization: One solution suggested in various blogs was to go to "Settings → Privacy and Security-> Local network", find your application and grant access. However, the application never shows up in the list here. Firewall: No difference is seen in behaviour with firewall being ON OR OFF. Setting NSLocalNetworkUsageDescription: We have also tried setting the Info.plist adding the NSLocalNetworkUsageDescription with a meaningful string and updating the NSBonjourServices. Running Via terminal (WORKS): Running the application via terminal sees no issues. The application runs correctly and is able to send UDP and receive correct data (and find the devices on the network). But this is not an appropriate solution. How can we get this bug/issue fixed in macOS Sequoia (and above)? Are there any other solutions/workarounds that we can try on our end?

TL;DR: How does one use DNSServiceReconfirmRecord() to invalidate mDNS state of a device that's gone offline? I'm using the DNSServiceDiscovery API (dns_sd.h) for a local P2P service. The problem I'm trying to solve is how to deal with a peer that abruptly loses connectivity, i.e. by turning off WiFi or simply by moving out of range or otherwise losing connectivity. In this situation there is of course no notification that the peer device has gone offline; it simply stops sending any packets. After my own timeout mechanism determines the peer is not responding, I mark it as offline in my own data structures. The problem is how to discover when/if it comes back online later. My DNSServiceBrowse callback won't be invoked because mDNS doesn't know the device went offline in the first place. I am trying to use DNSServiceReconfirmRecord, which appears to be for exactly this use case -- "Instruct the daemon to verify the validity of a resource record that appears to be out of date (e.g. because TCP connection to a service's target failed.)" However my attempts always return a BadReference error (-65541). The function requires me to pass a DNS record, and the only one I know is the TXT record; perhaps it needs a different one? Which, and how would I get it? Thanks!

Hello Apple Support Team, We are seeing a production crash on iOS 26 devices that appears to originate from Apple system frameworks rather than application code. Crash Summary Crash signature: _xzm_xzone_malloc_freelist_outlined Crashed thread: com.apple.network.connections Frameworks involved: CFNetwork, Security, libdispatch, libsystem_malloc Affected OS: iOS 26.x App built with: Xcode 16 Devices: Multiple models (not device-specific) Reproducibility: Intermittent, higher frequency during app launch / background networking Observed Stack Trace (top frames) _xzm_xzone_malloc_freelist_outlined dispatch_data_create_alloc xpc_data_deserialize SecTrustEvaluateIfNecessary CFNetwork HTTPProtocol / HTTP3Connection com.apple.network.connections App Context The app uses URLSession for networking. Multiple third-party SDKs are integrated (Firebase Analytics, Dynatrace, Appsflyer, and similar analytics/monitoring SDKs). These SDKs perform concurrent background network requests, especially during app launch and foreground transitions. No unsafe memory operations (manual malloc/free, unsafe pointers, or custom networking stacks) are used in the app code. Key Observations The crash is predominantly observed on iOS 26 and not on earlier iOS versions. Stack traces do not include application symbols. Disabling or delaying analytics SDK initialization significantly reduces the crash rate. Reducing concurrent network requests and limiting HTTP/3 usage also mitigates the issue. This suggests a potential regression in CFNetwork / Network.framework / HTTP/3 handling combined with the new memory allocator (xzone) on iOS 26. Impact Random app termination during background networking. Occurs without a clear deterministic repro path, making it difficult to fully mitigate at the app level. Request Could you please help investigate whether this is a known iOS 26 issue related to: HTTP/3 / QUIC networking XPC deserialization Memory allocation in the new xzone allocator High-concurrency network requests We would appreciate guidance on: Recommended mitigations Whether this issue is already tracked internally Any best practices for apps integrating multiple analytics SDKs on iOS 26 Crash logs and additional diagnostics can be provided if needed. Thank you for your support. Best regards, Dhananjay

Hi there, How can I best understand the changes on the eSIM Installation wizard, i.e. on iOS 18 and later after an eSIM installation you used to get steps such as labeling the eSIM, deciding what to use for iMessage & FaceTime, what to use for mobile data, main voice line, etc. Whereas on iOS 26 you are not prompted for these steps.

Description Our NETransparentProxyProvider system extension maintains a persistent TLS/DTLS control channel to a security gateway. To maintain this stateful connection the extension sends application-level "Keep Alive" packets every few seconds (example : 20 seconds). The Issue: When the macOS device enters a sleep state, the Network Extension process is suspended, causing our application-level heartbeat to cease. Consequently, our backend gateway—detecting no activity—terminates the session via Dead Peer Detection (DPD). The problem is exacerbated by macOS Dark Wake cycles. We observe the extension's wake() callback being triggered periodically (approx. every 15 minutes) while the device remains in a sleep state (lid closed). During these brief windows: The extension attempts to use the existing socket, finds it terminated by the backend, and initiates a full re-handshake. Shortly after the connection is re-established, the OS triggers the sleep() callback and suspends the process again. This creates a "connection churn" cycle that generates excessive telemetry noise and misleading "Session Disconnected" alerts for our enterprise customers. Steps to Reproduce Activate Proxy: Start the NETransparentProxyProvider and establish a TLS session to a gateway. Apply Settings: Configure NETransparentProxyNetworkSettings to intercept outbound TCP/UDP traffic. Initialize Heartbeat: Start a 20-second timer (DispatchSourceTimer) to log and send keep-alive packets. Induce Sleep: Put the Mac to sleep (Apple Menu > Sleep). Observe Logs: Monitor the system via sysdiagnose or the macOS Console. Observation: Logs stop entirely during sleep, indicating process suspension. Observation: wake() and sleep() callbacks are triggered repeatedly during Dark Wake intervals, causing a cycle of re-connections. Expected Behavior We seek to minimize connection turnover during maintenance wakes and maintain session stability while the device is technically in a sleep state. Questions for Apple Is it possible to suppress the sleep and wake callback methods of NETransparentProxyProvider when the device is performing a maintenance/Dark Wake, only triggering them for a full user-initiated wake? Is it possible to prevent the NETransparentProxyProvider process from being suspended during sleep, or at least grant it a high-priority background execution slot to maintain the heartbeat? If suspension is mandatory, is there a recommended way to utilize TCP_KEEPALIVE socket options that the kernel can handle on behalf of the suspended extension? How can the extension programmatically identify if a wake() call is a "Dark Wake" versus a "Full User Wake" to avoid unnecessary re-connection logic?

Greetings, According to Apple's Wi-Fi Aware documentation (https://developer.apple.com/documentation/wifiaware) the Wi-Fi Aware APIs can be used only with peer devices that have been paired. Pairing can be performed using AccessorySetupKit or DeviceDiscoveryUI. Unfortunately, the sample code for Wi-Fi Aware doesn't include either of these APIs. (https://developer.apple.com/documentation/wifiaware/building-peer-to-peer-apps) Looking at the sample code for AccessorySetupKit (https://developer.apple.com/documentation/accessorysetupkit/setting-up-and-authorizing-a-bluetooth-accessory) there is only an example using Bluetooth. And the AccessorySetupKit APIs don't yet document how Wi-Fi Aware is used or how one sets up the Info.plist with the appropriate keys. Can Apple update its example code to fill in these gaps or point me to documentation that can fill in these gaps? It is hard to develop an understanding of the capabilities of these APIs when they are so poorly documented. Thanks for any help, Smith

We have an application which is written in Swift, which activates Transparent Proxy network extension. Our Transparent Proxy module is a system extension, which is exposing an app proxy provider interface (We are using NETransparentProxyProvider class and in extension’s Info.plist we use com.apple.networkextension.app-proxy key.) We are using JamF MDM profile with VPN payload for deployment. With this MDM profile, we are observing an issue, ie TransparentProxy extension is not enabled when user performs logout and login and only in Sonoma. By analyzing it further we are noticing that in Sonoma some times, the system invokes NETransparentProxyProvider's stopProxy delegate once or twice with NEProviderStopReason as 12 ie userLogout. Due to this after login the system extension is not activated.

As part of iOS 26, we get X25519MLKEM768 key exchange group support, but SecP256r1MLKEM768 and SecP384r1MLKEM1024 are not supported. Is there any way to enable these key exchange groups on iOS 26? We need them for WKWebView and NSURLSession. STEPS TO REPRODUCE On iOS 26, connect to the PQC server using Safari. The key exchange group is limited to X25519MLKEM768.

We are developing a macOS VPN application using NEPacketTunnelProvider with a custom encryption protocol. We are using standard On-Demand VPN rules with Wi-Fi SSID matching but we want to add some additional feature to the native behaviour.  We want to control the 'conenect/disconnect' button status and allow the user to interact with the tunnel even when the on demand rule conditions are satisfied, is there a native way to do it? In case we need to implement our custom on-demand behaviour we need to access to this information: connected interface type ssid name and being informed when it changes so to trigger our logic, how to do it from the app side? we try to use CWWiFiClient along with ssidDidChangeForWiFiInterface monitoring, it returns just the interface name en0 and not the wifi ssid name. Is location access mandatory to access wifi SSID on macOS even if we have a NEPacketTunnelProvider? Please note that we bundle our Network Extension as an App Extension (not SystemExtension).

Hello, I have a .app NSApplication which is ran as a LaunchDaemon, in it's lifecycle I never call any AppKit functions (I start it with CFRunLoopRun). (mentioned on this post as well). I intercept a couple of signals using signal(s) in order to trigger CFRunLoopStop(CFRunLoopGetCurrent()) to do some cleanup. This LaunchDaemon has the purpose of providing VPN connectivity, as such I call connect functions that trigger the "Add VPN configuration" dialog (I can't provide extra details about this, as I integrate another SDK so I'm not sure what happens under the hood) and I noticed that whenever it is displayed, after allowing it, during the lifecycle of the application when it's time to send the signal, the signal isn't received. I tried re-adding the NSApp callbacks in order to investigate, but it looks like those aren't called as well. I'm interested in knowing more about this scenario and what happens... I couldn't really find information about this dialog... Thanks!

I've implemented func urlSession(_ session: URLSession, task: URLSessionTask, willPerformHTTPRedirection response: HTTPURLResponse, newRequest request: URLRequest, completionHandler: @escaping (URLRequest?) -> Void) and func urlSession(_ session: URLSession, downloadTask: URLSessionDownloadTask, didWriteData bytesWritten: Int64, totalBytesWritten: Int64, totalBytesExpectedToWrite: Int64) I've put a breakpoint in each but the BP in willPerformHTTPRedirection never fires. When the didWriteData fires and I inspect downloadTask.originalRequest I see my original request URL When I inspect downloadTask.currentRequest the returned request contains a different URL. I'm the farthest thing from an HTTP wizard, but I had thought when originalRequest differs from currentRequest there had been some sort of server-side 'redirection'. Is there a way for my code to receive a callback when something like this happens? NOTE: my download code works fine, I'm just hoping to detect the case when currentRequest changes. any/all guidance greatly appreciated on the off chance it helps, are are my original and current request values: (lldb) po downloadTask.originalRequest ▿ Optional<URLRequest> ▿ some : https://audio.listennotes.com/e/p/c524803c1a90412f922948274ecc3625/ (lldb) po downloadTask.currentRequest ▿ Optional<URLRequest> ▿ some : https://26973.mc.tritondigital.com:443/OMNY_HAPPIERWITHGRETCHENRUBIN_PODCAST_P/media-session/76cfceb2-1801-4570-b830-ded57611a9cf/d/clips/796469f9-ea34-46a2-8776-ad0f015d6beb/e1b22d0b-6974-4bb8-81ba-b2480119983c/2f35a8ca-b982-44e9-8122-b3dc000ae0e1/audio/direct/t1769587393/Ep_571_Want_to_Join_Us_for_a_No-Spend_February_Plus_a_Better_Word_for_Squats.mp3?t=1769587393&in_playlist=751ada7f-ded3-44b9-bfb8-b2480119985b&utm_source=Podcast

Case-ID: 17935956 In the NetworkExtension framework, for the NETransparentProxyProvider and NEDNSProxyProvider classes: when calling the open func writeDatagrams(_ datagrams: [Data], sentBy remoteEndpoints: [NWEndpoint]) async throwsin the NEDNSProxyProvider class, and the open func write(_ data: Data, withCompletionHandler completionHandler: @escaping @Sendable ((any Error)?) -> Void)in the NETransparentProxyProvider class, errors such as "The operation could not be completed because the flow is not connected" and "Error Domain=NEAppProxyFlowErrorDomain Code=1 "The operation could not be completed because the flow is not connected"" occur. Once this issue arises, if it occurs in the NEDNSProxyProvider, the entire system's DNS will fail to function properly; if it occurs in the NETransparentProxyProvider, the entire network will become unavailable.

I’m trying to determine the actual Wi-Fi band (e.g. 2.4GHz, 5GHz, or 6GHz) of the network that is currently connected on macOS. I’m not looking for a heuristic based on the Wi-Fi name (SSID), such as checking whether it contains “5G” or “6G”. Instead, I want a reliable and accurate method that reflects the real connection parameters reported by the system. Specifically, I’m interested in: Whether macOS exposes the current Wi-Fi band or channel information through public APIs (e.g. CoreWLAN) Or if there is any supported system-level way to retrieve this information programmatically If this information is not directly accessible, I’d also like to understand: Why macOS does not expose it And whether there is a recommended alternative approach Any insights or examples would be greatly appreciated.

Hi, i programmed an app the uses MultipeerConnectivity to connect iOS-Devices to exchange Video-Files from the camera (https://pellepepper.my.canva.site/jumpcontrol). In general the solution works fine but I have some challenges: The connection is pretty stable when there are only few other devices around. It seems to become more fragile when there are more other iOS-Devices in the area Testing of the App worked with several meters of distance (up to 10). In real environments of athletics venues the solution is only stable in a region of about 2 meters It seems that newer iOS-Releases make the connection more unstable. Last weekend we used it with iOS 18-Devices on older hardware, what worked fine. Integrating an iOS 26 device made trouble. Working on iPhone 13 with iOS 26 is hardly not usable. What can I do to improve stability of the connection and therefore the App. What are the metrics to look for? Is there something I can do on the code base to make to connection more stable? Many thx Rainer

Tags NetworkExtension, NEFilterManager, Content-Filter, TestFlight, iOS, Swift, Entitlements, App-Groups Problem Summary I'm experiencing a critical issue with a Network Extension Content Filter that works perfectly in debug mode but fails in TestFlight with: ``` -[NEFilterManager saveToPreferencesWithCompletionHandler:]_block_invoke_3: failed to save the new configuration: Error Domain=NEFilterErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied} ``` This is blocking completion of a client project and requires urgent assistance. Environment • Platform: iOS • Minimum Deployment: iOS 16.0 • Development: Xcode with Flutter integration • Testing Method: TestFlight (production build) • Works in: Debug mode (direct device deployment) • Fails in: TestFlight builds What Works vs. What Fails WORKS IN DEBUG MODE (✓): • Network extension installs successfully • System permission dialog appears correctly • Filter starts and blocks content as expected • All domain management functions work FAILS IN TESTFLIGHT (✗): • System permission dialog never appears • NEFilterManager.saveToPreferences fails immediately • Error Code 5: "permission denied" • Cannot set up the filter at all Implementation Details ARCHITECTURE: The implementation consists of: Main App (Flutter) - handles UI and configuration Network Extension Plugin (Swift) - bridges Flutter to NetworkExtension framework FilterDataProvider (Swift) - implements content filtering logic App Group - shared storage for configuration (group.app.v1.dev0) PERMISSION REQUEST CODE: ```swift func requestPermissions(completion: @escaping (Result<Bool, Error>) -> Void) { NEFilterManager.shared().loadFromPreferences { error in if let error = error { DispatchQueue.main.async { completion(.failure(error)) } return } let config = NEFilterProviderConfiguration() config.organization = "Testing config.filterBrowsers = true config.filterSockets = true let manager = NEFilterManager.shared() manager.providerConfiguration = config manager.localizedDescription = " Screen Shield" manager.isEnabled = true manager.saveToPreferences { saveError in DispatchQueue.main.async { completion(saveError == nil ? .success(true) : .failure(saveError!)) } } } } ``` EXTENSION INFO.PLIST: ```xml ENTITLEMENTS: ```xml What I've Already Tried VERIFIED ENTITLEMENTS (✓) • Both main app and extension have matching entitlements • App Group identifier is identical in both targets • content-filter-provider capability is set CHECKED PROVISIONING PROFILES (✓) • Created distribution provisioning profiles with Network Extension capability • App Group is included in all profiles • All capabilities are enabled in App Store Connect VERIFIED APP GROUP CONFIGURATION (✓) • App Group exists in Apple Developer portal • Added to both App ID and Extension App ID • Regenerated provisioning profiles after adding CODE SIGNING (✓) • Both targets build and sign successfully • No code signing errors during archive • Extension is embedded in main app bundle TESTFLIGHT REQUIREMENTS (✓) • Using distribution certificate for archive • Archive validation passes without warnings • Upload to TestFlight successful BUILD CONFIGURATION (✓) • Minimum deployment target is iOS 16.0 for both targets • Extension deployment target matches main app • All required frameworks are properly linked Specific Questions Permission Dialog: In debug mode, the system permission dialog appears. In TestFlight, it never shows. Is there a TestFlight-specific permission issue with Network Extensions? Entitlements Propagation: Are there known issues with entitlements not being properly included in TestFlight builds despite being present in the archive? Distribution vs Development: Are there any differences in how Network Extensions are authorized between development builds and distribution builds? Additional Context • The extension works flawlessly when deployed directly from Xcode • No console errors or warnings in TestFlight build • UserDefaults(suiteName:) successfully accesses the App Group in both modes • Filter logic itself is tested and working (confirmed in debug mode) • This is urgent as it's blocking client project completion I tested this with both adult acc and also with child app What I Need Specific steps to diagnose why NEFilterManager.saveToPreferences returns Code 5 in TestFlight Confirmation of whether Network Extension entitlements require special handling for TestFlight Any known issues or workarounds for this specific error in production builds Debugging techniques that work in TestFlight environment (since console logs are limited) System Information • Xcode Version: Latest stable • iOS Target: 16.0+ • Swift Version: 5.0 • Framework: Flutter with native iOS plugin • Build Type: Distribution (Ad Hoc via TestFlight) Thank you for any assistance. This is blocking critical client work and I need to resolve it urgently.

I have noticed race conditions on macOS when tearing down and re-configuring an NEPacketTunnelProvider. My goal is to handle switching out one VPN profile for another identical/near identical one (I'll add some context for this below). The flow that I have tested was to wait for the NEVPNStatusDidChange notification to report a NEVPNStatus.disconnected state, and then start the process of re-configuring the VPN with a new profile. In practice however, I have noticed that I must wait a couple of seconds between NEVPNStatus.disconnected state being reported and setting up a new tunnel. Otherwise, the system routing table gets messed up but the VPN reports being in NEVPNStatus.connected state, resulting in a tunnel that appears healthy but can't be accessed. With this, I wanted to ask if you have any suggestions on any OS items I can observer, in order to deterministically know that the system has fully cleaned up my packet tunnel, and that I am safe to configure another? This would be much more optimal than a hard-coded delay. Additional context: Jamf is a common solution for deploying MDM configuration profiles. However, in my tests, it doesn't support Apple's recommended approach of using the PayloadIdentifier to mark profiles for replacement, as PayloadIdentifiers are automatically updated to match the PayloadUUID of that same profile on upload. Although given what I've observed, I'm not sure the Apple recommended approach would work here in any case. Additionally, it would be nice to transition from non-MDM to MDM cleanly, however, this also requires an indeterminate wait time between the non-MDM configuration being disconnected and subsequently removed, and the MDM one being configured. With these scenarios, we need to be able to add a second configuration, with possibly identical VPN settings, then remove the old one, allowing the system to transition to the new configuration. For the MDM case, the pattern I've noticed on the system is that when the current profile is suddenly deleted, the connection will go into disconnected state, then NEVPNConfigurationChange will fire. The new profile can be configured from NEVPNConfigurationChange, however some time is needed to avoid races. For non-MDM, I had experimented with an approach of polling for MDM configurations appearing. When they do, I'd remove my previous notification observers, and set up a new NEVPNStatusDidChange notification observer, to remove the non-MDM VPN configuration after. it enters a disconnected state. Following the removal, I would call a function to reconfigure the VPN with new configuration. When this logic is in place, the call to stopVPNTunnel() is made. Again, a hardcoded delay is required between stopping and removing the old configuration and setting up a new one. Thanks!

We’re developing an enterprise VPN client for macOS using NetworkExtension (PacketTunnelProvider) with Always-On / On-Demand VPN, deployed via MDM. On macOS 14.x and 15.x we observe the following log message from nesessionmanager: nesessionmanager: NESMVPNSession[...] Resetting VPN On Demand This most commonly occurs after sleep → wake. After this happens, the VPN no longer reconnects automatically, even though isOnDemandEnabled remains true and On-Demand rules are still present. Then a manual user action is required to reconnect. Questions: Is the “Resetting VPN On Demand” log message expected during sleep/wake transitions? Under what conditions does macOS reset On-Demand VPN state? Is there a supported way to detect or recover from this state programmatically? Any guidance on expected behavior or best practices would be appreciated.

I’m developing an iOS idle game (guild management). To detect manual device time changes that would break progression, I need a trusted “current real-world time” reference. I’m considering querying Apple’s NTP host time.apple.com, but I couldn’t find any official guidance about whether third-party apps may use time.apple.com directly (acceptable use, rate limits, whether it’s discouraged, etc.). Apple Developer Support couldn’t provide info and suggested asking on the forums. Questions: 1. Is it permitted for a third-party iOS app to query time.apple.com via NTP/SNTP (Yes/No or conditional)? 2. If permitted, are there any published or recommended constraints (rate limits, caching, prohibited patterns, commercial app considerations)? 3. If not permitted / not recommended, what is the recommended alternative approach (run our own time service, use public NTP pool, or any Apple-recommended mechanism)? 4. If there is any official document / policy covering this, could you point me to it? For context: I do not need sub-second accuracy and I do not intend high-frequency polling. If implemented at all, it would be very low frequency (e.g., first launch + once per 24h) with caching and graceful fallback on failure. My main goal is policy clarity rather than implementation details.

Hi, I’m implementing a macOS DNS Proxy as a system extension and running into a persistent activation error: OSSystemExtensionErrorDomain error 9 (validationFailed) with the message: extension category returned error This happens both on an MDM‑managed Mac and on a completely clean Mac (no MDM, fresh install). Setup macOS: 15.x (clean machine, no MDM) Xcode: 16.x Team ID: AAAAAAA111 (test) Host app bundle ID: com.example.agent.NetShieldProxy DNS Proxy system extension bundle ID: com.example.agent.NetShieldProxy.dnsProxy The DNS Proxy is implemented as a NetworkExtension system extension, not an app extension. Host app entitlements From codesign -d --entitlements :- /Applications/NetShieldProxy.app: xml com.apple.application-identifier AAAAAAA111.com.example.agent.NetShieldProxy <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.team-identifier</key> <string>AAAAAAA111</string> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>group.com.example.NetShieldmac</string> </array> <key>com.apple.security.files.user-selected.read-only</key> <true/> xml com.apple.application-identifier AAAAAAA111.com.example.agent.NetShieldProxy.dnsProxy <key>com.apple.developer.networking.networkextension</key> <array> <string>dns-proxy-systemextension</string> </array> <key>com.apple.developer.team-identifier</key> <string>AAAAAAA111</string> <key>com.apple.security.application-groups</key> <array> <string>group.com.example.NetShieldmac</string> <string>group.example.NetShieldmac</string> <string>group.example.agent.enterprise.macos</string> <string>group.example.com.NetShieldmac</string> </array> DNS Proxy system extension Info.plist On the clean Mac, from: bash plutil -p "/Applications/NetShieldProxy.app/Contents/Library/SystemExtensions/com.example.agent.NetShieldProxy.dnsProxy.systemextension/Contents/Info.plist" I get: json { "CFBundleExecutable" => "com.example.agent.NetShieldProxy.dnsProxy", "CFBundleIdentifier" => "com.example.agent.NetShieldProxy.dnsProxy", "CFBundleName" => "com.example.agent.NetShieldProxy.dnsProxy", "CFBundlePackageType" => "SYSX", "CFBundleShortVersionString" => "1.0.1.8", "CFBundleSupportedPlatforms" => [ "MacOSX" ], "CFBundleVersion" => "0.1.1", "LSMinimumSystemVersion" => "13.5", "NSExtension" => { "NSExtensionPointIdentifier" => "com.apple.dns-proxy", "NSExtensionPrincipalClass" => "com_example_agent_NetShieldProxy_dnsProxy.DNSProxyProvider" }, "NSSystemExtensionUsageDescription" => "SYSTEM_EXTENSION_USAGE_DESCRIPTION" } The DNSProxyProvider class inherits from NEDNSProxyProvider and is built in the system extension target. Activation code In the host app, I use: swift import SystemExtensions final class SystemExtensionActivator: NSObject, OSSystemExtensionRequestDelegate { private let extensionIdentifier = "com.example.agent.NetShieldProxy.dnsProxy" func activate(completion: @escaping (Bool) -> Void) { let request = OSSystemExtensionRequest.activationRequest( forExtensionWithIdentifier: extensionIdentifier, queue: .main ) request.delegate = self OSSystemExtensionManager.shared.submitRequest(request) } func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) { let nsError = error as NSError print("Activation failed:", nsError) } func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) { print("Result:", result.rawValue) } } Runtime behavior on a clean Mac (no MDM) config.plist is created under /Library/Application Support/NetShield (via a root shell script). A daemon runs, contacts our backend, and writes /Library/Application Support/NetShield/state.plist with a valid dnsToken and other fields. The app NetShieldProxy.app is installed via a notarized, stapled Developer ID .pkg. The extension bundle is present at: /Applications/NetShieldProxy.app/Contents/Library/SystemExtensions/com.example.agent.NetShieldProxy.dnsProxy.systemextension. When I press Activate DNS Proxy in the UI, I see in the unified log: text NetShieldProxy: [com.example.agent:SystemExtensionActivator] Requesting activation for system extension: com.example.agent.NetShieldProxy.dnsProxy NetShieldProxy: [com.example.agent:SystemExtensionActivator] SystemExtensionActivator - activation failed: extension category returned error (domain=OSSystemExtensionErrorDomain code=9) NetShieldProxy: [com.example.agent:SystemExtensionActivator] SystemExtensionActivator - OSSystemExtensionError code enum: 9 NetShieldProxy: [com.example.agent:SystemExtensionActivator] SystemExtensionActivator - validationFailed And: bash systemextensionsctl list -> 0 extension(s) There is no prompt in Privacy & Security on this clean Mac. Question Given: The extension is packaged as a system extension (CFBundlePackageType = SYSX) with NSExtensionPointIdentifier = "com.apple.dns-proxy". Host and extension share the same Team ID and Developer ID Application cert. Entitlements on the target machine match the provisioning profile and Apple’s docs for DNS Proxy system extensions (dns-proxy-systemextension). This is happening on a clean Mac with no MDM profiles at all. What are the likely reasons for OSSystemExtensionErrorDomain error 9 (validationFailed) with "extension category returned error" in this DNS Proxy system extension scenario? Is there any additional configuration required for DNS Proxy system extensions (beyond entitlements and Info.plist) that could trigger this category-level validation failure? Any guidance or examples of a working DNS Proxy system extension configuration (host entitlements + extension Info.plist + entitlements) would be greatly appreciated. Thanks!