Development environment: Xcode 26.4, macOS 26.3.1 Run-time configuration: iOS 18.7.6 and higher We have an application running on supervised devices, with an MDM profile typically deployed via jamf. The profile enables a Content Filter, with the two flags "Socket Filter" and "Browser Filter" set to true. On the device side, we implement the content filter as a network extension via: a class FilterDataProvider extending NEFilterDataProvider, a class FilterControlProvider extending NEFilerControlProvider. For the record, the FilterDataProvider overrides the handle*() methods to allow all traffic; the handleNewFlow() simply reports the new connection to FilterControlProvider for analysis. Problem: some customers reported that after a reboot of their device, they would not get access to the internet for up to 60s/90s. We have not been able to reproduce the problem on our own devices. What we see is that, even with our app uninstalled, without any Content Filter, it takes roughly 20s to 25s for a device to have internet access, so we can probably consider this 20s delay as a baseline. But would you be aware of a reason that would explain the delay observed by these customers? More details: We have conducted some tests on our devices, with extended logging. In particular: we have added an internet probe in the app that is triggered when the app starts up: it will try to connect to apple.com every 2s and report success or failure, we also have a network monitor (nw_path_monitor_set_update_handler) that reacts to network stack status updates and logs the said status. A typical boot up sequence shows the following: the boot time is 7:59:05, the app starts up at 7:59:30 (manually launched when the device is ready), the probe fails and keeps failing, the content filter is initialized/started up 7:59:53 and is ready at 7:59:55, the network monitor shows that the network stack is connected (status = nw_path_status_satisfied) right after that, and the probe succeeds in connecting 2s later. In other words, internet is available about 50s after boot time, 25s after app startup (i.e. after the device is actually ready). For some customers, this 25s delay can go up to 60/90s.

Hello team, I have implemented sample project for URL Filtering as well as setup PIR server at backend but currently I am facing a major issue, If PIR server is re started then the app shows error code 9 every time until. and unless I disconnect and connect it back to internet

I am facing an intermittent problem where iPhones are failing to pair/connect with Xcode under Xcode -> Windows -> Devices and Simulators. This happens when more than one web content filters are present, for instance, I have my web content filter (FilterSockets true, FilterGrade Firewall) and there is also Sentinel One web content filter with same configuration. Note: We are not blocking any flow from remoted / remotepairingd / core device service / MDRemoteServiceSupport etc processes. But they do get paused and resumed at times for our internal traffic verification logic. So, we are trying to understand what impact our content filter may be having on this iPhone Pairing?? If we stop either one of the filters the problem goes away. I have tracked the network traffic to the phone, and it seems to be using a ethernet interface (en5/en10) over the USB-C cable. I can see endpoints like this: localEndpoint = fe80::7:afff:fea1:edb8%en5.54442 remoteEndpoint = fe80::7:afff:fea1:ed47%en5.49813 I also see remoted process has the below ports open : sudo lsof -nP -iTCP -iUDP | grep remoted remoted 376 root 4u IPv6 0xce4a89bddba37bce 0t0 TCP [fe80:15::7:afff:fea1:edb8]:57395->[fe80:15::7:afff:fea1:ed47]:58783 (ESTABLISHED) remoted 376 root 6u IPv6 0xf20811f6922613c7 0t0 TCP [fe80:15::7:afff:fea1:edb8]:57396 (LISTEN) remoted 376 root 7u IPv6 0x2c393a52251fcc56 0t0 TCP [fe80:15::7:afff:fea1:edb8]:57397 (LISTEN) remoted 376 root 8u IPv6 0xcb9c311b0ec1d6a0 0t0 TCP [fd6e:8a96:a57d::2]:57398 (LISTEN) remoted 376 root 9u IPv6 0xc582859e0623fe4e 0t0 TCP [fd6e:8a96:a57d::2]:57399 (LISTEN) remoted 376 root 10u IPv6 0x2f7d9cee24a44c5b 0t0 TCP [fd6e:8a96:a57d::2]:57400->[fd6e:8a96:a57d::1]:60448 (ESTABLISHED) remoted 376 root 11u IPv6 0xbdb7003643659de 0t0 TCP [fd07:2e7e:2a83::2]:57419 (LISTEN) remoted 376 root 12u IPv6 0x569a5b649ff8f957 0t0 TCP [fd07:2e7e:2a83::2]:57420 (LISTEN) remoted 376 root 13u IPv6 0xa034657978a7da29 0t0 TCP [fd07:2e7e:2a83::2]:57421->[fd07:2e7e:2a83::1]:61729 (ESTABLISHED) But due to the dynamic nature of port and IPs used we are not able to decide on an effective early bypass NEFilterRule. We don't want to use a very broad bypass criteria like all link local IPs etc. Any help will be greatly appreciated.

I'm encountering a null pointer dereference crash pointing to the internals of CFNetwork library code on iOS. I'm spawning URLSessionTasks at a decently fast rate (~1-5 per second), with the goal being to generate application layer network traffic. I can reliably encounter this crash pointing to NetConnection::dequeue right after a new task has been spawned and had the resume method called. I suspect that this is perhaps a race condition or some delegate/session object lifecycle bug. The crash appears to be more easily reproduced with a higher rate of spawning URLSessionTasks. I've included the JSON crash file, the lldb stack trace, and the source code of my URLSession(Task) usage. urlsession_stuff_stacktrace.txt urlsession_stuff_source.txt urlsession_crash_report.txt

Inquiry) Inquiry Regarding USB Network Connectivity Between an iPad (Wi‑Fi Model) and an Embedded Linux Device An embedded device (OS: Linux) is connected to an iPad (Wi‑Fi model) using a USB‑C cable. The ipheth driver is installed on the embedded device, and the iPad is recognized correctly. A web server is running on the embedded device. To launch a browser on the iPad and access the web server running on the embedded device via a USB network connection. Based on our verification, the iPad is not assigned an IP address, and therefore communication with the web server on the embedded device is not possible. We would appreciate it if you could provide guidance on the following questions. We would like to assign an IP address to the iPad (Wi‑Fi Model) so that it can communicate with the embedded device over a USB network connection. Is there a way to achieve this through the standard settings on the iPad? If this cannot be achieved through settings alone, are there any existing applications that provide this functionality? If no such application currently exists, is it technically possible to develop an application that enables this capability on iPadOS? Information) The USB‑C port on the embedded device is fixed in HOST mode. The embedded device operates as the USB host, and the iPad operates as a USB device. When a cellular model iPad is connected and “Personal Hotspot” is enabled, an IP address is assigned via DHCP, and we have confirmed that the web server can be accessed from the iPad’s browser. We are investigating whether a similar solution is possible with a Wi‑Fi model iPad.

While going through the documentation for NWConnection, there seems to be state known as .waiting which means that the connection is waiting for a path change. For TCP, the state is understandable and can occur under some scenarios. But for the case of UDP, I have following queries: Why do we need .waiting state for the case of UDP? Even if we do need .waiting state for UDP, when all does this state occurs?

I've submitted a couple of pieces of feedback regarding broken WPA3 support on iOS 26 for the iPhone 17 Pro Max, and I've seen various access point vendors report that the GCMP256 cypher is not working. If you use WPA2, there is no issue. The problem I'm running into comes down to WPA3 being mandatory on 6 GHz. Some vendors have reported that disabling GCMP256 on Cisco Meraki hardware solves the problem. No other major vendor exposes this level of options. Does anyone know if it's possible to get more verbose diagnostic information out of the WiFi stack? I need actual information about why the negotiation fails, the technician-level stuff.

Many times the device totally lost connectivity, WIFI is completely down, no ip was assigned after device wakeup. From system log I can see BPF socket for DHCP was closed and detached right after attached to en0 in DHCP INIT phase, as result even the DHCP server sent back OFFER(I see server sent OFFER back from packet capture), but there is no persistent BPF socket since it is closed reception during the entire INIT phase. It is definitely an OS issue, is it a known issue? Please help understand Why BPF socket was close right after sending DISCOVER? Default 0x0 0 0 kernel: bpf26 attached to en0 by configd:331 2026-03-25 14:06:33.625851+0100 0x31dea Default 0x0 0 0 kernel: bpf26 closed and detached from en0 fcount 0 dcount 0 by configd:331 System log and packet capture attach, please check.

Hi, I’m looking for clarification on TN3134: Network Extension provider deployment, specifically iOS deployment requirements for: packet tunnel provider DNS proxy provider From the documentation: Packet Tunnel Provider App extension (min iOS 9.0): per-app mode requires a managed device DNS Proxy Provider App extension (min iOS 11.0): supervised devices only App extension (min iOS 11.0): per-app mode requires managed devices Issue I implemented a DNS proxy using NEDNSProxyManager. Works as expected in debug builds on a local device Fails to configure when distributed via TestFlight Console Output (TestFlight build) error 10:05:39.872258-0500 nehelper The production version of *** is not allowed to create DNS proxy configurations. Use MDM to create DNS Proxy configurations for the production version of ***. Question Is it possible to distribute a DNS proxy provider for use on non-MDM / non-supervised devices? If not: Is the limitation strictly enforced at distribution/runtime? Is a packet tunnel provider the only viable alternative for App Store distribution? There is a lot of different VPN apps on the App Store that appear to work out of the box without MDM or supervision, which suggests they are using a different deployment model. Thank you for any clarification or guidance!

Device Info: Device: iPad Pro 2022 (M2) OS: iPadOS 26.4 Network: 5GHz Wi-Fi Accessory: Apple Pencil (2nd Generation) Issue Description: Since updating to iPadOS 26, I experience periodic ping spikes during online gaming whenever Bluetooth is enabled. Since I use an Apple Pencil which requires Bluetooth, the issue affects me constantly during gaming sessions. Simply turning off Bluetooth in Settings does not fix the problem — the only way to temporarily restore normal ping is to turn off Bluetooth and then fully reboot the device. My Wi-Fi connection itself is fine, and other devices on the same 5GHz network have no issues. What I've Already Tried: Confirmed Wi-Fi is on 5GHz band (not 2.4GHz) Turning off Bluetooth + rebooting the device (temporary fix only, not a permanent solution) Reset network settings Updated to the latest iPadOS version (26.4) Important Background: When iPadOS 26 first launched, Apple Support provided a Configuration Profile that resolved the issue upon installation. However, the profile expired after approximately one week, and the problem has persisted ever since — never fixed by any subsequent update. I am currently on iPadOS 26.4 and the issue remains. My Questions: Has anyone else experienced this? Are there any known workarounds? Has Apple released an updated Configuration Profile or announced a fix for this specific issue?

I'm implementing a NEDNSProxyProvider on macOS 15.x and macOS 26.x. The flow works correctly up to the last step — returning the DNS response to the client via writeDatagrams. Environment: macOS 15.x, 26.x Xcode 26.x NEDNSProxyProvider with NEAppProxyUDPFlow What I'm doing: override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool { guard let udpFlow = flow as? NEAppProxyUDPFlow else { return false } udpFlow.readDatagrams { datagrams, endpoints, error in // 1. Read DNS request from client // 2. Forward to upstream DNS server via TCP // 3. Receive response from upstream // 4. Try to return response to client: udpFlow.writeDatagrams([responseData], sentBy: [endpoints.first!]) { error in // Always fails: "The datagram was too large" // responseData is 50-200 bytes — well within UDP limits } } return true } Investigation: I added logging to check the type of endpoints.first : // On macOS 15.0 and 26.3.1: // type(of: endpoints.first) → NWAddressEndpoint // Not NWHostEndpoint as expected On both macOS 15.4 and 26.3.1, readDatagrams returns [NWEndpoint] where each endpoint appears to be NWAddressEndpoint — a type that is not publicly documented. When I try to create NWHostEndpoint manually from hostname and port, and pass it to writeDatagrams, the error "The datagram was too large" still occurs in some cases. Questions: What is the correct endpoint type to pass to writeDatagrams on macOS 15.x, 26.x? Should we pass the exact same NWEndpoint objects returned by readDatagrams, or create new ones? NWEndpoint, NWHostEndpoint, and writeDatagrams are all deprecated in macOS 15. Is there a replacement API for NEAppProxyUDPFlow that works with nw_endpoint_t from the Network framework? Is the error "The datagram was too large" actually about the endpoint type rather than the data size? Any guidance would be appreciated. :-))

Hello, I am developing a URL traffic filtering system. I’ve set up a PIR server following this guide: https://developer.apple.com/documentation/networkextension/setting-up-a-pir-server-for-url-filtering According to this WWDC25 video, it appears that I need to use an OHTTP Gateway: https://developer.apple.com/videos/play/wwdc2025/234/ So, I developed an OHTTP Gateway and verified it using a test client. Following that, I built the app and installed it on a test iPhone based on this sample: https://developer.apple.com/documentation/networkextension/filtering-traffic-by-url However, I cannot find any settings related to the OHTTP URL within this sample. How should I proceed with the OHTTP configuration in this case? Thank you.

After implementing the new structured concurrency API's for Network framework, we are noticing a few memory leaks in the Network framework when using API's like onViabilityUpdate and onBetterPathUpdate. Whenever a previously established connection is disconnected, the NWConnection object is never released by the Network framework when we use the 2 API's mentioned. Irrespective of what goes inside these handlers(or leave it empty), the connection object is leaking. If I comment out the handlers, there is no memory leak. Posting this here in the forum to understand if others have encountered similar issues and found a workaround? Raised a feedback assistant request with all the details and a sample app here: FB22339653

I have a macOS VPN app with a Network Extension (packet tunnel provider) distributed outside the App Store via Developer ID. Everything works perfectly when running from Xcode. After archiving and exporting for Developer ID distribution, the extension launches but immediately gets killed by nesessionmanager. The error: Signature check failed: code failed to satisfy specified code requirement(s) followed by: started with PID 0 status changed to disconnected, last stop reason Plugin failed What makes this interesting: the extension process does launch. AMFI approves it, taskgated-helper validates the provisioning profile and says allowing entitlement(s) due to provisioning profile, the sandbox is applied, PacketTunnelProvider is created — but then Apple's Security framework internally fails the designated requirement check and nesessionmanager kills the session. Key log sequence: taskgated-helper: Checking profile: Developer ID - MacOS WireGuardExtension taskgated-helper: allowing entitlement(s) for com.xx.xx.WireGuardNetworkExtension due to provisioning profile (isUPP: 1) WireGuardNetworkExtensionMac: AppSandbox request successful WireGuardNetworkExtensionMac: creating principle object: PacketTunnelProvider WireGuardNetworkExtensionMac: Signature check failed: code failed to satisfy specified code requirement(s) nesessionmanager: started with PID 0 error (null) nesessionmanager: status changed to disconnected, last stop reason Plugin failed Setup: macOS 15, Xcode 16 Developer ID Application certificate Manual code signing, Developer ID provisioning profiles with Network Extensions capability Extension in Contents/PlugIns/ (standard appex, not System Extension) Extension entitlement: packet-tunnel-provider-systemextension NSExtensionPointIdentifier: com.apple.networkextension.packet-tunnel codesign --verify --deep --strict PASSES on the exported app Hardened runtime enabled on all targets What I've verified: Both app and extension have matching TeamIdentifier Both are signed with the same Developer ID Application certificate The designated requirement correctly references the cert's OIDs The provisioning profiles are valid and taskgated-helper explicitly approves them No custom signature validation code exists in the extension — the "Signature check failed" comes from Apple's Security framework What I've tried (all produce the same error): Normal Xcode archive + export (Direct Distribution) Manual build + sign script (bypassing Xcode export entirely) Stripping all signatures and re-signing from scratch Different provisioning profiles (freshly generated) Comparison with official WireGuard app: I noticed the official WireGuard macOS app (which works with Developer ID) uses packet-tunnel-provider (without -systemextension suffix) in its entitlements. My app uses packet-tunnel-provider-systemextension. However, I cannot switch to the non-systemextension variant because the provisioning profiles from Apple Developer portal always include the -systemextension variants when "Network Extensions" capability is enabled, and AMFI rejects the mismatch. Questions: Is there a known issue with packet-tunnel-provider-systemextension entitlement + PlugIn-based Network Extension + Developer ID signing? Should the extension be using packet-tunnel-provider (without -systemextension) for Developer ID distribution? If so, how do I get a provisioning profile that allows it? The "Signature check failed" happens after taskgated-helper approves the profile — what additional code requirement check is the NE framework performing, and how can I satisfy it? Any guidance would be appreciated. I've exhausted all signing approaches I can think of.

I am seeing an issue with NETransparentProxyProvider where the extension successfully transitions from sleep to wake, but stops receiving handleNewFlow(_:) calls. Only below two methods gets called, We don't apply rules in these methods: override func wake() override func sleep(completionHandler: @escaping () -> Void) This breaking complete proxy workflow as it stops intercepting traffics. We are not observing this issues always. FYI: com.apple.developer.endpoint-security.client is not present in .entitlement file. I am not sure adding this will help. Any possibilities nesessionmanager might fail to re-bind the traffic rules for this extensions? Any thing we can do to avoid this issues?

This discussion is for iOS/iPadOS. I've written an NEAppProxyProvider network extension. I'd like to test it. I thought that using the "NETestAppMapping" dictionary was a way to get there, but when I try to instantiate an NEAppProxyProviderManager to try to install stuff, the console tells me "must be MDM managed" and I get nowhere. So can someone tell me, can I at least test the idea without needing to first get MDM going? I'd like to know if how I'm approaching the core problem even makes sense. My custom application needs to stream video, via the SRT protocol, to some place like youtube or castr. The problem is that in the environment we are in (big convention centers), our devices are on a LAN, but the connection from the LAN out to the rest of the world just sucks. Surprisingly, cellular has better performance. So I am trying to do the perverse thing of forcing traffix that is NOT local to go out over cellular. And traffic that is completely local (i.e. talking to a purely local server/other devices on the LAN) happens over ethernet. [To simplify things, wifi is not connected.] Is an app proxy the right tool for this? Is there any other tool? Unfortunately, I cannot rewrite the code to force everything through Apple's Network framework, which is the one place I know we can say "use cellular." [E.g. URLSession() has absolutely no way of forcing cellular, and even so, the low level streaming library I use is written with raw sockets, and its not feasible for me to rewrite it.] Any other suggestions of how to accomplish this "send non-local traffic to cellular, all local traffic out over ethernet" gratefully welcomed!

I'm developing a macOS security tool using NEFilterDataProvider as a system extension. On macOS 26 beta (25E241), sysextd consistently rejects my extension with: sysextd: no policy, cannot allow apps outside /Applications Configuration: App installed in /Applications/ Signed with Developer ID Application (693DSH8GN5) Entitlement: com.apple.developer.networking.networkextension = content-filter-provider com.apple.developer.system-extension.install = true Developer Mode enabled on test machine Comparison with Little Snitch: Little Snitch runs correctly on the same machine. Key differences I found: Little Snitch uses content-filter-provider-systemextension instead of content-filter-provider Little Snitch has com.apple.security.app-sandbox = false Both signed with Developer ID Application When I switch to content-filter-provider-systemextension, Xcode rejects every provisioning profile because none match that entitlement value, and the Developer Portal doesn't expose fine-grained control over the Network Extensions array values. Questions Is content-filter-provider-systemextension the correct entitlement for system extensions on macOS 26? How should the provisioning profile be configured to support it? Is there a known sysextd issue on macOS 26 beta causing this regardless of configuration? Is there - somewhere! - a guide on how to build such an extension? Thanks in advance for your help.

Apple MacOS Sequoia 15.4.1 Creates a ton of unused network interfaces and it's a nightmare trying to figure out what they all do, what theyr're linked to, etc. It appears that network links utun0, utun1, utun2, ... are never used or useful. ip link shows they are all status UNKNOWN. I don't use a VPN or anything like that, and the documentation on these interfaces does not exist. I'd like to permanently delete them and permanently prevent them from ever being created again -- how can I accomplish this task?

Hi Apple Team / Community, We are currently pulling our hair out over a TestNet OTA issue and could really use some help. Our Matter Door Lock (VID: 5424, PID: 513) has already obtained official CSA Certification, so we are 100% confident that our device firmware and OTA Requestor logic are completely solid. However, we simply cannot get Apple's TestNet to serve the update via HomePod. Here is exactly what is happening: Our device successfully sends a QueryImage command to the HomePod. The HomePod receives it, but immediately fires back a QueryImageResponse that essentially means "UpdateNotAvailable", forcing the device into an 86400-second sleep timeout. Here is what we have verified so far: Local OTA works perfectly: If we use Nordic's chip-ota-provider-app locally with the exact same .ota file, the BDX transfer triggers instantly and the device updates without a hitch. DCL details are 100% accurate: We published a brand new version (1.0.4 / 16778240) which is strictly higher than the device's current version (1.0.1 / 16777472). The otaFileSize (973839) and Base64 Checksum match the file perfectly. ZERO hits on our server: The OTA file is hosted on an AWS S3 direct link (SSL Grade A via SSL Labs, ATS compliant). We checked our server logs, and there hasn't been a single download attempt from any Apple IP addresses. Since our device is certified and local OTA works flawlessly, it strongly feels like Apple's TestNet backend either has a stuck/cached "invalid" state for our VID/PID (very similar to what was reported in CHIP GitHub Issue #29338), or the Apple backend crawler is failing to reach our URL for some internal reason. Could someone please check if there is a cached exception for VID: 5424 / PID: 513 on the TestNet backend? Any help or pointers would be hugely appreciated! Thanks in advance.

Hi I’m working on an app Called Wiux ( already on Android ) but one of my clients has a company with all iPhones so I need to develop the app for iOS, but I’m facing A huge wall, it’s an proactive wifi user experience monitor for distributed networks and the idea is that the app its sending every minute info about connectivity RSSI, which network , if is 2,4ghz or 5ghz channel used and device usage cpu ram etc but I find that is no getRSSI ( and I really need that data ) but some aps like iWifi or WiFi probe has that data and it works I check the reads with a phisical probe and my app on android and values match. i think maybe with NEHotspotHelper I could get the data but I don’t know how to ask to use it or if exist a dependency for quality monitoring that allows me to access that thow o info. ( And probably in the near future I face the same problem with LTE ( that I’m also monitoring with the app on Android and I think is going to be a problem on iOS )