Hi I am developing the packet tunnel extension on a SIP enabled device. If I build the app and notarize and install it on the device, it works fine. If I modify, build and execute the App (which contains the system extension), it fails with below error. 102.3.1.4 is production build. And 201.202.0.101 is for XCode build. SystemExtension "<<complete name>>.pkttunnel" request for replacement from 102.3.1.4 to 201.202.0.101 Packet Tunnel SystemExtension "<<complete name>>.pkttunnel" activation request did fail: Error Domain=OSSystemExtensionErrorDomain Code=8 "(null)" If SIP is disabled, it works fine. Is there a way the system extension can be developed even if SIP remains enabled?

I have a question regarding /etc/pf.conf. If I use this rule, rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080 all other traffic on bridge100 will not function properly, even the traffic that is not destined for 192.168.2.104. Additionally, the hotspot generated through bridge100 will also become unavailable. Even if I comment out this rule and run sudo pfctl -e -f /etc/pf.conf, the problem still persists. The situation will only return to normal when I restart my Mac. my macos:15.3.2 my /etc/pf.conf # scrub-anchor "com.apple/*" nat-anchor "com.apple/*" rdr-anchor "com.apple/*" rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080 dummynet-anchor "com.apple/*" anchor "com.apple/*" load anchor "com.apple" from "/etc/pf.anchors/com.apple"

Question: Best Practice for NEFilterRule and NENetworkRule Initializers with Deprecated NEHostEndpoint? Hi all, I'm looking for guidance on the right way to construct an NEFilterRule that takes a NENetworkRule parameter. Reading the latest documentation, it looks like: All initializers for NENetworkRule that accept an NEHostEndpoint are now deprecated, including initWithDestinationHost:protocol: and those using the various *Network:prefix: forms. NEHostEndpoint itself is also deprecated; Apple recommends using the nw_endpoint_t type from the Network framework instead. However, NEFilterRule still requires a NENetworkRule for its initializer (docs). With all NENetworkRule initializers that take NEHostEndpoint deprecated, it’s unclear what the recommended way is to create a NENetworkRule (and thus an NEFilterRule) that matches host/domain or network traffic. What’s the proper way to construct these objects now—should we create the endpoints using nw_endpoint_t and use new/undocumented initializers, or is there an updated approach that’s considered best practice? Helpful doc links for reference: NEFilterRule docs NENetworkRule docs NWHostEndpoint (now deprecated)

Our application currently uses NEFilterPacketProvider to filter network traffic based on Layer 4 rules (5-tuple: source IP, destination IP, source port, destination port, and protocol) on a packet-by-packet basis. We now want to extend this filtering to also consider the associated process—for example, allowing traffic from a specific source IP to a destination IP and port only if it's associated with a specific local process. That is, we’d like to make filtering decisions not just based on the 5-tuple, but also on the identity of the process either sending or receiving the traffic. We’ve looked into NEFilterSocketProvider, which does expose Layer 7 information such as process identifiers. However, it doesn’t seem to be tightly synchronized with the packet flow handled by NEFilterPacketProvider. As a result, there’s a risk that we might only get process information after the TCP handshake is complete, or before the socket is fully bound—at which point some of the 5-tuple fields (such as the local port) may still be unavailable. What we need is a way to correlate the 5-tuple with the relevant process name (either sender or receiver) at the time the first packet—e.g., a SYN packet—is about to be sent or received. Is there a recommended way to achieve this kind of early, process-aware filtering using NetworkExtension APIs?

Hello, I am in a very similar situation as described in the thread: https://developer.apple.com/forums/thread/655183 Context: I am working on an app that receives data from a hardware device through its Wifi network, and the hardware is not connected to the internet. Now, I would need to call some API while still connected to hardware so I would need to use the cellular data. As mentioned on the thread, I can achieve this via Network framework, using the requiredInterfaceType property. But Is there any other way I can achieve this? I can also do some suggestion on the hardware if that's helpful. Thank you!

I'm working on enabling a content filter in my iOS app using NEFilterManager and NEFilterProviderConfiguration. The setup works perfectly in debug builds when running via Xcode, but fails on TestFlight builds with the following error: **Failed to save filter settings: permission denied ** **Here is my current implementation: ** (void)startContentFilter { NSUserDefaults *userDefaults = [NSUserDefaults standardUserDefaults]; [userDefaults synchronize]; [[NEFilterManager sharedManager] loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) { dispatch_async(dispatch_get_main_queue(), ^{ if (error) { NSLog(@"Failed to load filter: %@", error.localizedDescription); [self showAlertWithTitle:@"Error" message:[NSString stringWithFormat:@"Failed to load content filter: %@", error.localizedDescription]]; return; } NEFilterProviderConfiguration *filterConfig = [[NEFilterProviderConfiguration alloc] init]; filterConfig.filterSockets = YES; filterConfig.filterBrowsers = YES; NEFilterManager *manager = [NEFilterManager sharedManager]; manager.providerConfiguration = filterConfig; manager.enabled = YES; [manager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) { dispatch_async(dispatch_get_main_queue(), ^{ if (error) { NSLog(@"Failed to save filter settings: %@", error.localizedDescription); [self showAlertWithTitle:@"Error" message:[NSString stringWithFormat:@"Failed to save filter settings: %@", error.localizedDescription]]; } else { NSLog(@"Content filter enabled successfully!"); [self showAlertWithTitle:@"Success" message:@"Content filter enabled successfully!"]; } }); }]; }); }]; } **What I've tried: ** Ensured the com.apple.developer.networking.networkextension entitlement is set in both the app and system extension. The Network extension target includes content-filter-provider. Tested only on physical devices. App works in development build, but not from TestFlight. **My questions: ** Why does saveToPreferencesWithCompletionHandler fail with “permission denied” on TestFlight? Are there special entitlements required for using NEFilterManager in production/TestFlight builds? Is MDM (Mobile Device Management) required to deploy apps using content filters? Has anyone successfully implemented NEFilterProviderConfiguration in production, and if so, how?

Hi everyone, I'm developing a visionOS app that allows users to download large video files (similar to a movie download experience, with each file being around 10 GB). I've successfully implemented the core video download functionality using URLSession, and everything works as expected while the app is active. Now, I’m looking to support background downloading. Specifically, I want users to be able to start a download and then leave the app (e.g., switch apps or return to the home screen) while the download continues in the background. Additionally, I’d like to confirm a specific scenario: If the user starts a download, then removes the headset (keeping the device turned on and connected to power), will the download continue in the background? Or does visionOS suspend the app or downloads in this case? I’m considering using a background URLSessionConfiguration (as done in iOS/macOS) to enable this behavior, but I’m not sure if it behaves the same way on visionOS or if there are special limitations or best practices when handling large downloads on this platform. Any insights or official guidance would be greatly appreciated! Thanks!

plateform: iPadOS 16.3.1 xcode:15.2 code: self.queue = Queue() self.monitor = NWPathMonitor() self.monitor.pathUpdateHandler = { [weak self] path in queue.async { } }

I have a requirement to create a VPN app which only works on Cellular. But I'm facing an issue like when wifi is ON, OS is using wifi interface to route the traffic instead of cellular. I tried some ways like let cellularParams = NWParameters.udp cellularParams.requiredInterfaceType = .cellular But this is not working properly as expected. How can I manually bind to cellular interface in iOS?

I am developing an iOS application using NWPathMonitor for network connectivity monitoring. We discovered a reproducible issue where disabling and re-enabling WiFi triggers an unexpected network status sequence. ENVIRONMENT: iOS Version: 17.x Device: iPhone (various models tested) Network Framework: NWPathMonitor from iOS Network framework STEPS TO REPRODUCE: Device connected to WiFi normally Disable WiFi via Settings or Control Center Re-enable WiFi via Settings or Control Center EXPECTED BEHAVIOR: WiFi reconnects and NWPathMonitor reports stable satisfied status ACTUAL BEHAVIOR: T+0s: WiFi re-enables, NWPathMonitor reports path.status = .satisfied T+8s: NWPathMonitor unexpectedly reports path.status = .unsatisfied with unsatisfiedReason = .notAvailable T+9-10s: NWPathMonitor reports path.status = .satisfied again Connection becomes stable afterward NETWORK PATH TIMELINE: T+0s: satisfied (IPv4: true, DNS: false) T+140ms: satisfied (IPv4: true, DNS: true) T+8.0s: unsatisfied (reason: notAvailable, no interfaces available) T+10.0s: satisfied (IPv4: true, DNS: true) KEY OBSERVATIONS: Timing consistency: unsatisfied event always occurs ~8 seconds after reconnection resolution: "Reset Network Settings" eliminates this behavior TECHNICAL QUESTIONS: What causes the 8-second delayed unsatisfied status after WiFi re-enablement? Is this expected behavior that applications should handle? Why does reset network setting in iPhone fix this issue?

I have 3 phones iPhone 14 iOS 18.3 iPhone Xr iOS 18.5 iPhone Xr iOS 18.4.1 My app has a network extension, and I've noticed each phone having their connectivity interupted by calls on the push provider, calling stop with the noNetworkAvailable reason. The point of confusion is that each phone seems to get it's interuption at different times. For example one will get an interuption at 1:00, while the others is fine, while at 3:00 another will get an interuption, while the others are fine. This is confusing since a "no network available" seems to imply a problem with the router, or access point, but if that were the case, one would believe it should affect all the phones on the wifi. I don't see less interuptions on the iPhone14 vs the iPhone Xr. Do you believe the iOS version is affecting the performance? Could you please give me some insight, as to what could be going on inside these phones? P.S. I also see an error pop up when using NWConnection, this is inside the App. The state update handler will sometimes return the state, waiting(POSIX(.ENETDOWN)) Is there any relation to what's going on in the extension?

Hello, I have a question about developing an iOS app for general public. Can such an app use DNS Proxy Provider? The TN3134: Network Extension provider deployment article states that DNS Proxy Provider has the following restriction: "per-app on managed devices". Does this imply that a DNS Proxy Provider that can be used in a regular iOS App Store app? On the other hand, NEDNSProxyProvider only works with NEAppProxyFlow, is it possible to make it NOT per-app?

How can NEPacketTunnelProvider launch the companion application, or notify user to launch the application? I have built an iOS VPN that uses credentials stored in the keychain, and it works as expected. Now I'm trying to add OAuth login support. Everything works fine at first. I login from the companion application, store tokens in the keychain, then launch the VPN from either System Settings or the companion application. However, when the OAuth refresh tokens expire, or the OAuth IdP otherwise requires login, I can't perform the OAuth login from the NEPacketTunnelProvider. Login must happen from the companion application, which likely isn't running. I need the NEPacketTunnelProvider to either launch the companion application directly or to notify the user to do so. Searching and reading docs yields: You can't perform OAuth login from within the NEPacketTunnelProvider because it requires user interaction There is no way to guarantee that the companion application is running on iOS (otherwise one would use NEVPNStatusDidChange) You can't launch the companion application from NEPacketTunnelProvider using a custom URL because of security concerns You might be able to launch the companion application from a system extension... Some sources say you still can't guarantee that the system extension is loaded whenever the NEPacketTunnelProvider needs it anyway. Of course, any of these conclusions could be wrong. At this point I'm not sure where to begin. Is there another approach that could be initiated by the NEPacketTunnelProvider (push notifications, system notifications, smoke signals)? Any help would be appreciated. Thanks, Bill Welch

I was wondering which is the preferred way to send a lot of data from sensors of the apple watch to server. It is preferred to send small chucks to iphone and then to server or directly send bulk data to server from watch. How does it affect battery and resources from watch ? Are there any triggers that I can use to ensure best data stream. I need to send at least once a day. Can I do it in background or do I need the user to have my app in the foreground ? Thank you in advance

We're experiencing an issue with Local Network Permission. When trying to connect to a socket, the Local Network Permission alert pops up. To trigger the permission request at the start of the app, we used the following code to ask for permission and receive a callback on whether it's granted. However, this approach doesn't always trigger the permission alert, or it gets automatically dismissed after 30 seconds, only to reappear later. What could be causing this inconsistent behavior? func checkLocalNetworkPermission(_ completed: Optional<(Bool) -> Void> = .none) { DispatchQueue.global(qos: .userInitiated).async { let hostName = ProcessInfo.processInfo.hostName let isGranted = hostName.contains(".local") if let completed { DispatchQueue.main.async { completed(isGranted) } } } }

I am working on watch os project. I need to check network connectivity when user turn on and off the network. I am using NWPathMonitor for check network availability. I am connected with wifi but it still showing unsatisfied not real device but it's working perfect on simulator.

We are a Layer 3 VPN provider offering a comprehensive SASE (Secure Access Service Edge) solution that includes TLS inspection, threat protection, granular access control, and secure access to private resources. One of the key challenges we face involves TLS inspection. Many mobile applications, especially on iOS, implement certificate pinning, which causes them to fail when TLS inspection is applied. These apps expect connections to be secured with a specific certificate or trusted certificate authority, and inspection disrupts this trust model. On iOS, the current limitation is that the Packet Tunnel Provider extension does not provide visibility into the originating application (i.e., there is no API to obtain the app’s bundle ID or package name associated with a given network connection). Due to this, we are unable to dynamically determine whether TLS inspection should be bypassed for a particular app. While Apple’s Per-App VPN is one possible solution, it introduces a significant drawback: any applications that are excluded from the VPN configuration are entirely outside the VPN tunnel. This means they do not benefit from any of our SASE features — including secure access to internal resources, DNS/web content filtering, or threat detection. This limits the effectiveness of our solution in environments where both inspection and secure access are critical. We would like to understand whether iOS has any current or planned capabilities to associate a network flow (e.g., a 5-tuple: source IP, destination IP, source port, destination port, and protocol) with the originating app. Such a capability would allow us to programmatically identify certificate-pinned apps and selectively disable TLS inspection without excluding them entirely from the VPN, thereby preserving the full set of SASE protections. Is there any guidance or roadmap update from Apple that addresses this use case?

Hey! We are investigating a problem pf rules being ignored by some processes. Despite blocking all traffic, some outgoing unicast packets can be seen in tcpdump. Issue is present in MacOS 15.0.0 - 15.3.1 (Newest at the time of writing). I tested MacOS 14.7.4 and pf rules there behaved as expected. Steps to reproduce the issue: $ cat pf.conf block all $ sudo pfctl -e -F all -f ./pf.conf Password: pfctl: Use of -f option, could result in flushing of rules present in the main ruleset added by the system at startup. See /etc/pf.conf for further details. No ALTQ support in kernel ALTQ related functions disabled rules cleared nat cleared dummynet cleared 0 tables deleted. 196 states cleared source tracking entries cleared pf: statistics cleared pf: interface flags reset pfctl: pf already enabled After executing these commands MacOS 14 will block all outgoing unicast traffic, and on MacOS 15 data can be sent to arbitrary addresses: $ ifconfig en0 en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500 options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM> ether b6:5e:a5:c5:1e:db inet6 fe80::1090:9c8:4325:329a%en0 prefixlen 64 secured scopeid 0xe inet 192.168.50.144 netmask 0xffffff00 broadcast 192.168.50.255 nd6 options=201<PERFORMNUD,DAD> media: autoselect status: active $ sudo tcpdump -k A -i any -n src 192.168.50.144 tcpdump: data link type PKTAP tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on any, link-type PKTAP (Apple DLT_PKTAP), snapshot length 524288 bytes 12:05:12.673472 (en0, proc com.apple.geod:1286:, svc BE, out, ch, flowid 0x0, ttag 0x0, dlt 0x1, cmpgc 0x0) IP 192.168.50.144.52012 > 17.253.15.196.443: Flags [P.], seq 1888882378:1888882402, ack 3554898220, win 2048, options [nop,nop,TS val 2752050055 ecr 1291585385], length 24 12:05:13.793937 (en0, proc com.apple.WebKit:974:, eproc Safari:804:, svc BE, out, ch, flowid 0x0, ttag 0x0, dlt 0x1, cmpgc 0x0) IP 192.168.50.144.52024 > 3.65.102.105.443: Flags [P.], seq 2011312019:2011312073, ack 673002582, win 2048, options [nop,nop,TS val 777228223 ecr 484269939], length 54 Was there any change in the way pfctl is used or is this a bug? This issue affects negatively privacy features of our product.

way to display it is by holding the Option key and clicking the Wi-Fi icon. In macOS 14.0, wdutil was still usable, but in 14.6.1, the returned information is now . I am unsure if there is an official way to obtain the corresponding BSSID. I need to process the BSSID in my code, so either a command-line tool or an API would work.

I have few API's written with URLSession. Will they work in Carrier-constrained network / satellite mode ?