We’ve noticed that in iOS 18, the "Deactivate Configuration" button within the Per-App VPN settings immediately disables the VPN for selected apps without any confirmation prompt. This can be problematic for users, as there is no warning or verification before the action is taken, which may lead to unintended disruptions in VPN connectivity. We haven’t found any relevant documentation on Apple’s developer website addressing this behavior. Any insights or suggestions would be greatly appreciated and if we can have documentation to disable this button using MDM profile it will be great

Hi Team, OS is prompting for local network permission for our application which runs as root level daemon. As per the our analysis, it looks like it is prompting from our own library which is trying to get network info ' using /usr/sbin/system_profiler with "-xml -detailLevel basic SPNetworkDataType" and then trying to iterate to find DNS.ServerAddresses for each item. Then using [NSHost hostWithAddress:IPAddress];(When this library is not linked to the app then there is no prompt, so most likely this is the code that is resulting in the prompt). Is this expected ? . Is there any other way that we can get DNS host name without being prompted for local network permission on mac OS 15

as part of the iOS 17 apple added Network details capability to the shortcut app is there any update about the ability of getting the Network details such as RSSI , PHY in iOS 18?

The app needs to maintain internet communication under the following conditions: Both Wi-Fi and cellular networks are active. The Wi-Fi network has no internet connection. The cellular network has an active internet connection.

Hello; we observe slow behavior on some macOS systems which were upgraded from macOS Ventura to macOS Sonoma. , when they are connected to the company networks. Investigation learns that the getaddrinfo call querying ipv6 is taking 5 seconds before returning. Querying information for ipv4 (ai_famlly AF_UNSPEC) returns in few mSec correct. For ipv6, I tried struct addrinfo ai_family AF_INET6 and ai_flags AI_DEFAULT , as well as AI_ALL but no help. Querying for ipv6 lasts 5 seconds. Is there a fix or workaround for this? When switching off Wi-Fi , the getaddrinfo returns in few mSec ( similar to the ipv4 check ). The version is macOS Sonoma 14.6.1 , but also observed on other Sonoma 14.x versions and other sites/companies worldwide.

BEHAVIOR App runs great on first install. If I close the app and reopen, many times the network requests fail, most likely due to too many open files. If I restart the app 4 times, everything seems to load fine (until next time). A fresh install works as well. APP Flutter app. Utilizes flutter map package, which displays map tile layers. Otherwise, pulls JSON/API data every so often. Heavy/frequent pulling of tile images (typically ~1000 during a single pan). PROBLEM DEVICES: Issues ONLY happens on physical iPhones (tested on 11 and 15). iOS simulators work fine. Androids work fine On the Androids or simulator, I can pan the map and pull 3000+ tile images, and overlay data, with no issues. TESTING I have inspected disposal methods, closing network clients, even tried "exit(0)" in various places. Have tried app lifecycle widgets on paused, detached, resumed. Nothing changes the behavior. At one point, I thought I had the issue fixed when I changed my DNS from 1.1.1.1 to automatic, since all the working devices seemed to have router-defined DNS and my test device had manual IP. But then the problem came back again. COMMON ERRORS (upon restart) SocketException: Connection failed (OS Error: Too many open files, errno = 24) SocketException: Failed host lookup: 'site.com' (OS Error: nodename nor servname provided, or not known, errno = 8) Sometimes failed to load assets as well (icons, etc). QUESTIONS What is being "fixed" by reopening the app 4 times in a row on the iOS side? Is there anything I can do in the native code, so that the app always restarts fresh, and doesn't "hang on" to anything that may be causing the OS Errors? Could it be an IPv4 / IPv6 issue? REFERENCES I did recently find this dart thread as well, not sure if it is fully the same issue: https://github.com/dart-lang/http/issues/197 Flutter Map Repo for Tile Layers: https://github.com/fleaflet/flutter_map/tree/7632ccc6d95cf4b0d02760f6d259495e7a1d09d0/lib/src/layer/tile_layer DIO Package: https://pub.dev/packages/dio

I have created a NEPacketTunnelProvider which seems to work currently in testing. However I have noticed that the DNS do not go through the TUN interface, even setting a bogus DNS server in NEPacketTunnelNetworkSettings still has no effect and I'm able to browse just fine. I also know that there is the DNS Proxy Provider, can it be used in conjuction with Packet Tunnel Provider? Though from what I have read this is not available for the general public and can only be used on supervised / managed devices? Are there any supported methods of running a local DNS server, say on 127.0.0.1 and redirect all DNS queries to this server?

Hi,team: I am testing a product and found that my 12.6.0 and 14.5.0 computers will cause other app processes to exit when starting my network filter, but 10, 11, 13, and 14.6.1 will not. I can see the exit log of the app from launchd.log. Why is this? The log is as follows: 2024-09-12 19:34:36.783374 (gui/501/app_bundleid [546]) : exited due to SIGPIPE | sent by App[546] 2024-09-12 19:34:36.783383 (gui/501/app_bundleid [546]) : service state: exited 2024-09-12 19:34:36.783386 (gui/501/app_bundleid [546]) : internal event: EXITED, code = 0 2024-09-12 19:34:36.783389 (gui/501/app_bundleid [546]) : job state = exited 2024-09-12 19:34:36.783411 (gui/501 [100005]) : service inactive: app_bundleid 2024-09-12 19:34:36.783414 (gui/501/app_bundleid [546]) : service state: not running 2024-09-12 19:34:36.783582 (pid/546 [App]) : shutting down

Hello, We have filtering logic that is being loaded into PacketTunnelProvider network extension for processing web traffic. The issue we are facing is the 50MB cap is being hit after browsing a few websites and the OS terminates the PacketTunnelProvider. What would be the best way to tackle this problem? A few ideas come to mind and would appreciate any support on them: using IPC (Inter Process Communication) to move the filtering logic back to the main app (if this is possible) we could move the filtering in Filter Control Provider however the limitation on there is that we cannot perform HTTP response modification which is imperative for the workings of the filtering. We have same solution working fine on Android and app is using about 270MB in worst case (however in Android there is no limit to network extension as the VPN provider runs inside the app) The project target market is in excess of 50,000 devices We would appreciate any support on the matter.

The latest version of macOS 15 is unable to retrieve the SSID. We need to consult with Apple regarding this issue: Question: Is there a way for macOS to silently retrieve the SSID and BSSID? If special permissions are required, can company devices with MDM/ABM installed retrieve them silently?

When a VPN is active, RCS messaging does not work on iOS 18. I work on an iOS VPN app, and we were very appreciative of the excludeCellularServices network flag that was released during the iOS 16 cycle. It's a great solution to ensure the VPN doesn't interfere with cellular network features from the cellular provider. Separately - As a user, I'm excited that iOS 18 includes RCS messaging. Unfortunately, RCS messaging is not working when our VPN is active (when checking on the iOS 18 release candidate). My guess is that RCS is not excluded from the VPN tunnel, even when excludeCellularServices is true. It seems like RCS should be added in this situation, as it is a cell provider service. Can RCS be added as a service that is excluded from the VPN tunnel when excludeCellularServices is true? (I've also sent this via feedback assistant, as 15094270.)

We have an iOS app which includes a packet tunnel provider network extension. We have noticed on rare occasions that the VPN fails to start when we try to start the VPN from the app after installing it. However, rebooting the device or reinstalling the app fixes the issue. When creating the sysdiagnose file, we found some strange messages, a snippet is given below: 2024-09-10 13:40:20.291430 +0100 launchd Could not find and/or execute program specified by service: 2: No such file or directory: /private/var/containers/Bundle/Application/2FA92604-C67D-490D-8E8E-00F8D6FBF990/Sample.app/PlugIns/Tunnel.appex/Tunnel error 2024-09-10 13:40:20.291456 +0100 launchd Service could not initialize: access(/private/var/containers/Bundle/Application/2FA92604-C67D-490D-8E8E-00F8D6FBF990/Sample.app/PlugIns/Tunnel.appex/Tunnel, X_OK) failed with errno 2 - No such file or directory, error 0x6f - Invalid or missing Program/ProgramArguments We encountered this before several months ago on iOS 17.4 and reported it when the issue occurred, but this issue continues to be present in the iOS 18 release candidate. Is there any solution for this issue? Feedback ID: FB13714761

Starting from macOS 15 (macOS Sequoia), a new pop-up is triggered: “Local Network Privacy.” We have some questions regarding this new pop-up on MacOS: Running the following simple code: cups_dest_t *dests; int num_dests = cupsGetDests(&dests); triggers the “Local Network Privacy” pop-up. Question: Is this intended behavior? Even if the user presses the “Deny” button, printers can still be iterated, and it is possible to set options for the printer. Is this intended behavior? If so, which actions related to the CUPS library will be denied when the user presses the “Deny” button? Question: Should this pop-up appear for daemons/launchd processes? We found similar questions on some forums, but the answers are unclear. It seems that the pop-up should not appear for launch daemons. We tested the mentioned code with CUPS, and the pop-up was triggered. Is this a bug? If so, will it be resolved before the new macOS version is released? Question: There is somewhere documented all the scenarios in which this pop-up may appear is challenging? Regarding automatically allowing or disallowing the pop-up: We found the following response: “There is no way to automatically allow or disallow the local network privacy prompt. If it shows up in your app, you will need to analyze your code to better understand how the prompt is being triggered. If the prompt is triggered by a library you do not control, you will need to either remove the library or inquire further with the library vendor.” Question: How can we ensure that a launchd daemon will work as expected if the user presses the “Deny” button? Is there any way to detect if the user pressed “Deny”?

Dear Apple Developer Team, We have encountered a recurring issue where our application crashes when initiating an NSURLSession task immediately after startup. The crash appears to be sporadic, but we have observed a few instances where it consistently happens right after launching the app and starting an NSURLSession task. The crash stack trace is as follows: _objc_retain_x20 _nw_activity_is_equal ___nw_activity_activate_block_invoke nw_synchronize<nw::unfair_mutex, void () block_pointer __strong>(nw::unfair_mutex*, void (&&)() block_pointer __strong) _nw_activity_activate sub_1893e49b0 From the stack trace, it appears that the crash is related to network activity synchronization (nw_synchronize) and activity activation (_nw_activity_activate). This issue could potentially be linked to some internal network state management or threading issues within the networking stack. Steps to Reproduce: 1. Launch the app. 2. Immediately initiate an NSURLSession task. Most important, it seems be happen after iOS17. Hoping your kind answer!

Howdy everyone, I'm researching for a potential product so I can't give too many details. To be brief, I need to put an iPhone or iPad into Wifi Monitor mode. I plan on creating an app to control this for users to utilize. I can't find material on this topic in the Xcode Docs, or if the iPhone/iPad even supports Wifi Monitor mode. Does anyone know if it's even possible?

When transferring files in a Multipeer Session, using the Progress instances (returned by either sendResource in the sender or the delegate method session(didStartReceiving:) on the receiver) in a SwiftUI ProgressView will eventually cause a crash (EXC_BAD_ACCESS in swift_retain on com.apple.MCSession.syncQueue) I have created a small sample project that demonstrates the problem. It can be found at: https://github.com/eidria/Multipeer-Progress-Demo.git. A screen shot of the stack trace from a crash (crash.jpg) is in the “Images” folder. STEPS TO REPRODUCE Run the sample on two different hosts connected to the same network (project contains both iOS & macOS targets, bug manifests in any combination). When the second instance comes up, they will automatically find and connect to each other. When the “Send Files” button is enabled, clicking it will cause the sender to repeatedly send the file “Image.HEIC” from the “Images” folder to the receiver, which deletes it upon receipt of a successful transfer (i.e. delegate call back is called with a nil error). Subsequent transfers are triggered when the sender receives notice that the prior send completed successfully. Eventually, after some (usually small) number of files have been transferred, either the sender or receiver will crash in the middle of a transfer, with EXC_BAD_ACCESS in swift_retain on com.apple.MCSession.syncQueue. Commenting out the ProgressView in the file FileTransferView.swift will allow the apps to run in perpetuity.

So I wanted to get my hands dirty with objective-c so I decided to create a project to list all outbound traffic, after digging a little I found that I could use the Network Extension API. I created a simple command line project with xcode and tried to load this extension but for some reason I can't get it to work. I don't have a developer license yet and I'm not sure if it has anything to do with the problem I'm facing. This is just some test code so there are 2 free functions, one for loading the system extension and another for checking its status: // activates the extension? BOOL toggleNetworkExtension(NSUInteger action) { BOOL toggled = NO; __block BOOL wasError = NO; __block NEFilterProviderConfiguration* config = nil; dispatch_semaphore_t semaphore = 0; semaphore = dispatch_semaphore_create(0); NSLog(@"toggling the network extension"); [NEFilterManager.sharedManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if(nil != error) { wasError = YES; NSLog(@"loadFromPreferencesWithCompletionHandler error"); } dispatch_semaphore_signal(semaphore); }]; NSLog(@"waiting for the network extension configuration..."); if(YES == wasError) goto fail; NSLog(@"loaded current filter configuration for the network extension"); if(1 == action) { NSLog(@"activating network extension...") ; if(nil == NEFilterManager.sharedManager.providerConfiguration) { config = [[NEFilterProviderConfiguration alloc] init]; config.filterPackets = NO; config.filterSockets = YES; NEFilterManager.sharedManager.providerConfiguration = config; } NEFilterManager.sharedManager.enabled = YES; } else { NSLog(@"deactivating the network extension..."); NEFilterManager.sharedManager.enabled = NO; } { [NEFilterManager.sharedManager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if(nil != error) { wasError = YES; NSLog(@"saveToPreferencesWithCompletionHandler error!"); } dispatch_semaphore_signal(semaphore); }]; } NSLog(@"waiting for network extension configuration to save..."); if(YES == wasError) goto fail; NSLog(@"saved current filter configuration for the network extension"); toggled = YES; fail: return toggled; } Then there's this function to check if the extension is enabled which for some reason always returns false. BOOL isNetworkExtensionEnabled(void) { __block BOOL isEnabled = NO; dispatch_semaphore_t semaphore = dispatch_semaphore_create(0); [NEFilterManager.sharedManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if (error != nil) { NSLog(@"Error with loadFromPreferencesWithCompletionHandler"); } else { isEnabled = NEFilterManager.sharedManager.enabled; } dispatch_semaphore_signal(semaphore); }]; return isEnabled; } Is something wrong is this code or is this related to entitlements or the developer license? As a side note I have already disabled SIP not sure if it matters in this case. Thanks in advance.

Hello everyone, Can someone help me understand how the following code works? let params = NWParameters(tls: tlsOptions, tcp: tcpOptions) params.requiredInterfaceType = .cellular connection = NWConnection(to: connectionHostPort, using: params) Does this configuration guarantee that all network calls made using the connection will always use cellular data? What happens if both WiFi and cellular are connected simultaneously? Is there any underlying UNIX library which can confirm this? TIA arup[dot]s[at]icloud[dot]com

Greetings, I am trying to mimic what the official WireGuard client (available on AppStore, source code is publicly available) does regarding the routing tables. The client uses NetworkExtension framework. When a VPN connection is established with all traffic routed through WireGuard (AllowedIPs = 0.0.0.0/0), the routing table is amend with something like this: Destination Gateway RT_IFA Flags Refs Use Mtu Netif Expire default link#36 10.10.10.2 UCSg 114 0 1420 utun7 10.10.10.2 10.10.10.2 10.10.10.2 UH 0 10 1420 utun7 224.0.0/4 link#36 10.10.10.2 UmCS 0 0 1420 utun7 255.255.255.255/32 link#36 10.10.10.2 UCS 0 0 1420 utun7 Please note that another default route exists to the working Ethernet interface, but I have not mentioned it above. I would like to do something similar for wireguard-go (open source WireGuard implementation written in Go), in particular start it, assign an IP address, then add the routes. sudo env LOG_LEVEL=debug wireguard-go -f utun sudo ifconfig utun5 10.10.10.2 10.10.10.2 netmask 255.255.255.255 Here is the code fragment written in C which suppose to add default route (0.0.0.0/0) to the link layer address: void add_link_route() { struct { struct rt_msghdr hdr; struct sockaddr_in dest; struct sockaddr_dl gateway; struct sockaddr_in netmask; } rt; memset(&amp;rt, 0, sizeof(rt)); int sockfd = socket(PF_ROUTE, SOCK_RAW, 0); if (sockfd == -1) { perror("socket"); return; } unsigned int if_index = if_nametoindex("utun5"); rt.hdr.rtm_msglen = sizeof(rt); rt.hdr.rtm_version = RTM_VERSION; rt.hdr.rtm_type = RTM_ADD; rt.hdr.rtm_index = if_index; rt.hdr.rtm_flags = RTF_UP | RTF_STATIC | RTF_CLONING; rt.hdr.rtm_addrs = RTA_DST | RTA_GATEWAY | RTA_NETMASK; rt.hdr.rtm_seq = 1; rt.hdr.rtm_pid = getpid(); rt.dest.sin_len = sizeof(struct sockaddr_in); rt.dest.sin_family = AF_INET; rt.dest.sin_addr.s_addr = INADDR_NONE; rt.gateway.sdl_len = sizeof(struct sockaddr_dl); rt.gateway.sdl_family = AF_LINK; rt.gateway.sdl_index = if_index; rt.gateway.sdl_type = IFT_PPP; rt.netmask.sin_len = sizeof(struct sockaddr_in); rt.netmask.sin_family = AF_INET; rt.netmask.sin_addr.s_addr = INADDR_NONE; if (write(sockfd, &amp;rt, sizeof(rt)) == -1) { perror("write"); } close(sockfd); } But, when executed, write() returns EEXIST (File exists) error, meaning, the default route cannot be overwritten (because another default route exists which points to the existing Ethernet interface). At this point I have no idea how the routes could be created successfully inside NetworkExtension, and I would like to do the same. For comparison, there is another case when all traffice is not routed through the VPN. Then, the routes are created like this: Destination Gateway RT_IFA Flags Refs Use Mtu Netif Expire default link#36 10.10.10.2 UCSIg 0 0 1420 utun7 10.10.10.2 10.10.10.2 10.10.10.2 UH 0 0 1420 utun7 224.0.0/4 link#36 10.10.10.2 UmCSI 0 0 1420 utun7 255.255.255.255/32 link#36 10.10.10.2 UCSI 0 0 1420 utun7 The difference is that now the scope is bound to the network interface. And in such case, my C code succeeds, providing I add RTF_IFSCOPE flag to rtm_flags. I would appreciate if someone helped me with this problem.

I would like to connect an iPhone to Wi-Fi from my app without any popups. I work for a Wi-Fi testing company, and we have hundreds of iPhones that need to be connected to and disconnected from Wi-Fi frequently. We need to automate this process. Please let me know if there is any way to achieve this. Thanks in advance.