Networking


Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.


Post | Replies | Boosts | Views | Activity

Revoke system extension approval
Hi everyone, I am developing a macOS app where a network extension and a content filter are installed as system extensions when the app is launched. I'd like to test the flow where the user gets a "System Extension Blocked" prompt like this: But I couldn't find a way to revoke the approval I gave in the first place. I've tried removing the system extensions using "sudo systemextensionsctl uninstall [TEAM ID] [BUNDLE ID]" with SIP disabled, but no luck. I've also tried to remove them from the KextPolicy database, but they are not even in the database. I am on macOS Sonoma 14.5. All I want is to revoke the system extension approval and recreate this prompt. Has anyone experienced a similar issue or have any suggestions on how to achieve this?
Replies: 1 | Boosts: 0 | Views: 247 | Activity: Aug ’24
Wireguard Apple convert App Network Extension to System Extension Network Extension for macOS client app
WireGuard Apple VPN Client App for macOS with System Extension to Distribute Outside the App Store. Check out the source code of WireGuard Apple: https://github.com/WireGuard/wireguard-apple I have fixed several issues and now I can create and connect to the VPN. This source code uses the App Network Extension (appex), which can only be distributed on the App Store. But I don't want to distribute it via the App Store; I will distribute it outside the App Store. For this, we need to sign the app with the Developer ID Application certificate and we also need to notarize it, so the App Network Extension (appex) will not help. We need to use the System Extension Network Extension (sysex). So we need to make changes to the WireGuard Apple source code to be able to connect to the VPN via the System Extension Network Extension (sysex); this means we need to migrate the existing App Network Extension (appex) to a System Extension Network Extension (sysex) in this source code. I am facing this challenge, which is why I am looking for a solution here. I have already made the changes explained here: https://forums.developer.apple.com/forums/thread/695550. I am also done with the changes for getting system extension permission and network extension permission. The real problem is that the VPN client app is not getting connected to the VPN, and to fix this we need to fix the WireGuard Apple Kit source code. Please help me to solve this problem.
Replies: 1 | Boosts: 0 | Views: 348 | Activity: Aug ’24
QUIC streams/connections terminated when taking off the AVP
Hi, We have a situation in which we are sending buffers from a server to the Vision Pro on a local network, and for some reason, when we take the headset off the user's head, the QUIC streams we are using are getting closed/terminated/disconnected. What are our options to remove this behavior, probably resuming or making sure the AVP is ready again to receive the buffers from the server in a graceful manner?
Replies: 1 | Boosts: 0 | Views: 370 | Activity: Aug ’24
QUIC & http3
Hi, This is basically a fundamental question on QUIC's implementation via the Network framework. We are using the NWMultiplexGroup object to deal with multiple streams over the wire, but we would like to understand whether this object is using HTTP/3 under the hood, because our understanding is that the actual connection multiplexing is happening under that protocol. If this is not the case, can you please elaborate a little bit more on this? By the way, in this implementation we are not using URLSession at all; it's just pure QUIC via the Network framework. Thanks in advance.
Replies: 1 | Boosts: 0 | Views: 263 | Activity: Aug ’24
Allow "App" to find the devices on local network?
Hi, On macOS 15 beta 7, we get a network popup while launching the application: "Allow "App" to find the devices on local network?" We were not seeing this popup in older versions of macOS. We also see a new option in "System Settings->Privacy & Security->Local Network". Is there a way to add the application entry in "Local Network" through a command so that we can suppress this popup when launching the applications? Regards, Prema Kumar
Replies: 3 | Boosts: 0 | Views: 770 | Activity: Aug ’24
Collection Wifi Information
Hello Folks, Can we capture the information below for the connected Wi-Fi?
AdapterType
SSIDName
DefaultAuthenticationAlgorithm
DefaultCipherAlgorithm
SecurityEnabled
ConnectionStatus
VpnConnectionStatus
BssType
NetworkConnectable
NumberOfSSIDs
ProfileName
Bssid
FrequencyType
SignalQuality
Replies: 1 | Boosts: 0 | Views: 169 | Activity: Aug ’24
Connectivity lost after sleep with cellular networks
Hi, I'm using a network extension in my VPN app. I override the sleep method and send some data to my server when the method is called. I noticed that the server requests succeed when I'm connected to a Wi-Fi network and fail when I'm connected to a cellular network. Does the OS immediately block connectivity when I'm on a cellular network and the device enters sleep?
Replies: 3 | Boosts: 0 | Views: 350 | Activity: Jul ’24
Local Network Access Permission
We provide software that our customers deploy on their employees' work computers to secure sensitive data. We have a daemon which may connect to an on-premise web server for certain functionality. In macOS 15 beta we see that there is a local network access permission dialog that comes up sometimes, and it requires a permission to be provided under the Privacy & Security section of the system preferences. We have seen the local network access permission pop up only when both server and client are residing in the same private network range (e.g. 172.16.x.x in our case). When the same server is accessed from a Sequoia machine over a VPN from an external network, the local network access permission does NOT pop up. But note that in this case the Sequoia machine has an IP in the 10.x.y.z range, whereas the server is at 172.16.x.y. We have the following questions:
1. In our setup with Macs connecting to a web server, what conditions can trigger the local network prompt? In particular, do both the client and server need to be in the same private subnet range for the prompt to be shown?
2. Is it possible that a user at home, working on a Sequoia machine, connecting over VPN to an on-prem server, would trigger this prompt? If so, we would submit this is not expected, as a VPN is not really a local network.
3. Is there an MDM way of automatically providing the permission, so that the prompt is suppressed?
4. In general, is there a programmatic way of providing this permission during installation? If yes, how can we do it?
5. How do we stop users from disabling the permission in case the user has admin rights?
Replies: 21 | Boosts: 7 | Views: 1.9k | Activity: Jul ’24
Support multiple Network extension Targets in a single app
I have an iOS app with two network extension targets (tunnel1 and tunnel2) in it. The use case is explained below: One target, i.e. Tunnel1, will be used for public traffic. Traffic not part of Tunnel2 will go through this tunnel. The second target, i.e. Tunnel2, will be used for private traffic. This will be configured as per-app VPN so that only those apps can have access to private resources. MDMs can push two VPN profiles along with the Provider Bundle Identifier so that the designated tunnel can start based on the source app. So far this works well. Issue: We have thousands of deployments already in place where VPN profiles did not contain a Provider Bundle Identifier, because so far our app had just one tunnel target. Now, after upgrading to the new app version (with two NE targets), sometimes Tunnel1 starts, sometimes Tunnel2. It's purely random and we don't know the logic behind it. Question: Is there any way to always prefer Tunnel1 when there is no Provider Bundle Identifier in the MDM-pushed VPN profile?
Replies: 5 | Boosts: 0 | Views: 456 | Activity: Aug ’24
mDNSResponder suppressing queries from a spawned process
I'm trying to figure out how to debug a failure to successfully resolve DNS queries. I have an app that installs a network extension as a system extension. Then, the system extension spawns a second process via posix_spawn. This second process fails to resolve DNS queries, but the initial system extension process can connect to a URL involving the same hostname. In mDNSResponder I see:

2024-08-23 11:01:30.313470+0400 0x2336 Default 0x0 1320 0 mDNSResponder: [com.apple.mDNSResponder:Default] [R56090] DNSServiceCreateConnection START PID[70515](coder)
2024-08-23 11:01:30.313857+0400 0x2336 Default 0x0 1320 0 mDNSResponder: [com.apple.mDNSResponder:Default] [R56091] DNSServiceQueryRecord(15000, 0, <mask.hash: 'sUpGaOtvrWLwu6toEcVb1g=='>(e8da8e0d), A) START PID[70515](coder)
2024-08-23 11:01:30.314945+0400 0x2336 Debug 0x0 1320 0 mDNSResponder: (Network) [com.apple.network:] -[NWConcrete_nw_path_evaluator dealloc] AE46B126-E438-4804-B030-F0E337AED7A0
2024-08-23 11:01:30.315004+0400 0x2336 Default 0x0 1320 0 mDNSResponder: [com.apple.mDNSResponder:Default] [Q18806] InitDNSConfig: Setting StopTime on the uDNS question 0x13d356ce0 <mask.hash: 'H8NJEpnLHE9dtbSyztCK1A=='> (Addr)
2024-08-23 11:01:30.315051+0400 0x2336 Default 0x0 1320 0 mDNSResponder: [com.apple.mDNSResponder:Default] [R56091->Q18806] Question for <mask.hash: 'H8NJEpnLHE9dtbSyztCK1A=='> (Addr) assigned DNS service 1461
2024-08-23 11:01:30.315075+0400 0x2336 Default 0x0 1320 0 mDNSResponder: [com.apple.mDNSResponder:Default] [Q18806] DetermineUnicastQuerySuppression: Query suppressed for <mask.hash: 'H8NJEpnLHE9dtbSyztCK1A=='> Addr (blocked by policy)
2024-08-23 11:01:30.316901+0400 0x2336 Default 0x0 1320 0 mDNSResponder: [com.apple.mDNSResponder:Default] [R56091->Q18806] GenerateNegativeResponse: Generating negative response for question <mask.hash: 'H8NJEpnLHE9dtbSyztCK1A=='> (Addr)
2024-08-23 11:01:30.316953+0400 0x2336 Debug 0x0 1320 0 mDNSResponder: [com.apple.mDNSResponder:Default] [R56091] QueryRecordOpCallback: Suppressed question <mask.hash: 'H8NJEpnLHE9dtbSyztCK1A=='> (Addr)
2024-08-23 11:01:30.316984+0400 0x2336 Default 0x0 1320 0 mDNSResponder: [com.apple.mDNSResponder:Default] [R56091->Q18806] DNSServiceQueryRecord(<mask.hash: 'H8NJEpnLHE9dtbSyztCK1A=='>(e8da8e0d), A) RESULT ADD interface 0: (mortal, DNSSEC Indeterminate)<mask.hash: 'fy5Hgf26/rhBtId5NoaY9A=='>

So, my query is getting "suppressed" by mDNSResponder, blocked by policy. It doesn't seem to matter what DNS name my second process queries: they are all suppressed. What policies does mDNSResponder enforce? How can I figure out why my queries are being suppressed?
Replies: 4 | Boosts: 0 | Views: 235 | Activity: Aug ’24
Matter.framework does not work properly in iOS 16.1.1
On iOS 16.0, I added accessories via the MTRDeviceController class in Matter.framework, and it worked fine. But after I upgraded my phone to the latest version of iOS (iOS 16.1.1), when I call the MTRDeviceController class's "pairDevice:onboardingPayload:error:" method, I get an error like this: CHIP: [BLE] BLE:Error writing Characteristics in Chip service on the device: [The specified UUID is not allowed for this operation.] According to the error message, I guess that a certain Bluetooth characteristic cannot be read and written. After trying to verify it, I find that the characteristic UUID of the Matter accessory, "18EE2EF5-263D-4559-959F-4F9C429F9D12", cannot be read. So, my question is: what can I do in iOS 16.1.1 to make my app work as well as it does on iOS 16.0?
Replies: 10 | Boosts: 0 | Views: 2.8k | Activity: Dec ’22
After the app turns on system expansion and allows network expansion, can the app be deleted?
Hi Team: I first created a macOS app and added a network extension target of the system extension to the app. The function of my app is to enable the system extension and allow the network extension. The app only enables the network filter and does not perform other operations. After completion, it executes [NSApp terminate:nil]; to exit. My network filter can run normally after the app exits, and if I use rm -rf to delete the app from /Application, the network filter can still run normally. This result is what I want, but I don't know if it is reasonable to delete the app from /Application. My understanding is that the network filter I developed is registered with the system, so it is okay to delete it from /Application. Is this correct?
Replies: 1 | Boosts: 0 | Views: 303 | Activity: Aug ’24
RTF_CLONING flag in the default route when VPN connection is active
Hey! We are investigating a problem with routes when the VPN is active on macOS, and I wonder if this is expected behavior or a bug that should be registered. I tested six different VPN providers on macOS 14.5 to ensure this problem does not only affect our product; I found out all VPN providers were affected. When a user connects to the VPN and the app calls setTunnelNetworkSettings, the operating system creates a new default route in the system:

$ netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            link#50            UCSg            utun23          <---- the new default route is added here
default            192.168.0.1        UGScIg          en10
...
...

A quick look into the netstat manual reveals the meaning of the flags for the route (UCSg):
U - RTF_UP: Route usable
C - RTF_CLONING: Generate new routes on use
S - RTF_STATIC: Manually added
g - RTF_GLOBAL: Route to a destination of the global internet (policy hint)

We are concerned about the C flag (RTF_CLONING) in particular. Let's experiment to show why we are interested in this flag. Upon connecting to the VPN, execute the following commands:

$ netstat -rn -f inet | grep 185.15.59.224
# empty output
$ ping wkipedia.org
PING wikipedia.org (185.15.59.224): 56 data bytes
64 bytes from 185.15.59.224: icmp_seq=0 ttl=58 time=38.798 ms
64 bytes from 185.15.59.224: icmp_seq=1 ttl=58 time=37.941 ms
^C
$ netstat -rn -f inet | grep 185.15.59.224
185.15.59.224      link#50            UHW3Ig          utun23     10

Notice the netstat command is executed without root privileges. A new route added (thanks to the RTF_CLONING flag) to the routing table means that an unprivileged user might easily track which websites were visited by another user, even if the latter uses a VPN service for the connection. I spent some time experimenting but didn't find a way to call setTunnelNetworkSettings to add a default route without the RTF_CLONING flag. Do you know if this is the expected behavior of the operating system, or should we register a bug for that behavior?
Personally, I think it affects the user's right to privacy quite heavily, especially because the netstat command might be executed by a regular user and does not need any privileges to run.
Replies: 1 | Boosts: 0 | Views: 298 | Activity: Aug ’24
CBATTErrorRequestNotSupported while transferring data between Bluetooth LE devices
I am trying to implement BLE communication between installations of an iOS app, and I am following Transferring Data Between Bluetooth Low Energy Devices since the data I need to transfer exceeds the 512 byte limit for attribute values. I already have this working based on an older version of the app; however, after I integrated with the mainline of development I am getting CBATTErrorRequestNotSupported, which seems to be caused by OSStatus 65535 (which is kBluetoothSDPErrorCodeReservedEnd, but that is documented to not even be present on iOS). So it seems that a change on our end is causing these errors, but I am completely stumped as to what change that might be. Is anyone able to enlighten me?
Replies: 2 | Boosts: 0 | Views: 278 | Activity: Aug ’24
Missing buffers on client side
Hi, We are working with a small QUIC POC, in which the MacBook Pro is the server and the Vision Pro the client (we use it to test QUIC's functionality). We have the logic below to send small buffers (128k) using only one stream, because we want the data to arrive in order and reliably as QUIC guarantees:

private func createDummyData() {
    dummyData.append(Data(bytes: &frameNumber, count: MemoryLayout<UInt64>.size))
    frameNumber += 1
}

private func sendDataToClient() {
    createDummyData()
    let start = Date()
    Thread.sleep(forTimeInterval: 0.015)
    outgoingConnection?.sendBuffer(dummyData) { [weak self] in
        let interval = Date().timeIntervalSince(start)
        print("--> frame #: \(String(describing: self?.frameNumber)), send took: \(interval) seconds")
        self?.dummyData.removeLast(8)
        self?.sendDataToClient()
    }
}

As you can see, we are waiting for the completion handler to call the next send operation. We needed to add a delay (0.015) because, even though the data is arriving in order, we are not receiving a considerable number of buffers on the client side. If we remove the delay, this is the way we are receiving our data. By the way, we are including a frame number (1,2,3,4....) in each buffer so we know which one arrived at the client:

Connected to QUIC bi-di tunnel id: 0...
Timestamp: 00:42:40.413, Buffer received... Frame number: 0, received...
Timestamp: 00:42:40.414, Buffer received... Frame number: 1, received...
Timestamp: 00:42:40.416, Buffer received... Frame number: 29, received...
Timestamp: 00:42:40.416, Buffer received... Frame number: 30, received...
Timestamp: 00:42:40.418, Buffer received... Frame number: 43, received...
Timestamp: 00:42:40.418, Buffer received... Frame number: 52, received...
Timestamp: 00:42:40.422, Buffer received... Frame number: 65, received...
Timestamp: 00:42:40.424, Buffer received... Frame number: 80, received...
Timestamp: 00:42:40.426, Buffer received... Frame number: 90, received...

As you can see, we have received frames number 0 and 1, but after that we received #29 and then it jumps from 30 to 43 and 52 and 65. Again, if we introduce the delay this is not the case; it is not fixing it, but at least there are not that many losses. We thought QUIC had an internal sending queue in which every frame is waiting to be sent and it will be delivered reliably. Kindly let us know what we are missing.
Replies: 0 | Boosts: 0 | Views: 258 | Activity: Aug ’24