Networking


Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.

Networking Documentation

Post

Replies

Boosts

Views

Activity

Content Filter: macOS 15: Localhost traffic is not being forwarded to filter with older code
Hello! As a foreword, our issue is not on any version prior to macOS Sequoia. While testing our content filter on Sequoia, we found out that localhost traffic/flows were not being forwarded to the filter for evaluation. When setting up our default settings, we apply these rules that would forward loopback traffic to our filter:

```swift
// Match any flow whose local and remote endpoints are both IPv4 loopback
let ipv4localhost = NWHostEndpoint(hostname: "127.0.0.1", port: "0")
let ipv4localhostRule = NENetworkRule(remoteNetwork: ipv4localhost, remotePrefix: 0,
                                      localNetwork: ipv4localhost, localPrefix: 0,
                                      protocol: .any, direction: .any)

// Same for IPv6 loopback
let ipv6localhost = NWHostEndpoint(hostname: "::1", port: "0")
let ipv6localhostRule = NENetworkRule(remoteNetwork: ipv6localhost, remotePrefix: 0,
                                      localNetwork: ipv6localhost, localPrefix: 0,
                                      protocol: .any, direction: .any)

// Both loopback rules are sent to the filter for data-level evaluation, as is everything else
let filterSettings = NEFilterSettings(rules: [NEFilterRule(networkRule: ipv4localhostRule, action: .filterData),
                                              NEFilterRule(networkRule: ipv6localhostRule, action: .filterData)],
                                      defaultAction: .filterData)
```

We found out that these initialisers are deprecated in Sequoia (https://developer.apple.com/documentation/networkextension/nenetworkrule/3143646-init) and are replaced by https://developer.apple.com/documentation/networkextension/nenetworkrule/4365499-init. After replacing the deprecated calls, we do indeed see loopback traffic in the filter again. Our question is, is this intentional? Will deprecation of these methods mean that the "old" code will not work with macOS Sequoia anymore, or is it a bug? I'm asking this as it will force us to upgrade our builder nodes to be able to compile the new code; however, as everything is still in beta, there is a higher risk of problems that could accompany this. Thanks in advance, I wish you a nice day.
0
0
225
Aug ’24
WatchConnectivity: Sending from Watch (in audio background mode) -> iPhone (backgrounded) not working
Hi, I have an app that is performing long-duration audio recording on the Watch and need to communicate with the phone occasionally to:

1. Request an auth token (login happens on the phone app) when needing to upload a recording.
2. Occasionally poke the iPhone app to sample the current location (I don't do this on Watch).

Most of the time, both the Watch and iPhone apps would be backgrounded, but the Watch app has background audio enabled and is recording, so processing continues. I'm finding that WatchConnectivity isn't connected to the phone in these cases and cannot send a ping. That is, on the Watch side, WatchConnectivity is not connected to the phone (isReachable==false), and the messages are simply never received on the phone as a result. I'm not sure how else the apps should communicate this information. How are these scenarios typically handled? Thank you, -- B.
0
0
235
Aug ’24
NEVPNProtocolIKEv2: How to Handle Identity Data from .mobileconfig?
I am trying to establish a connection using NetworkExtension and NEVPNProtocolIKEv2. It needs to work on an iOS device. I have a test.mobileconfig file and I have set up all configurations based on its content. However, I am unsure how to assign the value for identityData. I have tried multiple methods, but each time, I receive the following errors on my server:

```
"ikev2-cp"[200] "my_ip_address" #1387: Peer attempted EAP authentication, but IKE_AUTH is required
"ikev2-cp"[200] "my_ip_address" #1387: responding to IKE_AUTH message (ID 1) from "my_ip_address" with encrypted notification AUTHENTICATION_FAILED
"ikev2-cp"[200] "my_ip_address" #1387: encountered fatal error in state STATE_V2_PARENT_R1
```

First of all, I used the first PayloadContent value inside the .mobileconfig file that I tested. I should mention that there is a certificate inside the file. However, the certificate is not password-protected.

```swift
func getIKEv2Protocol(address: NSString, username: NSString, password: NSString) -> NEVPNProtocolIPSec {
    let p = NEVPNProtocolIKEv2()
    let kcs = KeychainService()
    p.certificateType = .RSA
    p.authenticationMethod = .certificate

    // Password is stored in the keychain and referenced, not embedded in the configuration
    kcs.save(key: "ikev2_password", value: password as String)
    p.passwordReference = kcs.load(key: "ikev2_password")
    p.identityDataPassword = "cHH....B3"

    // IKE SA parameters
    p.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
    p.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA256
    p.ikeSecurityAssociationParameters.diffieHellmanGroup = .group19
    p.ikeSecurityAssociationParameters.lifetimeMinutes = 1410

    // Child SA parameters
    p.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
    p.childSecurityAssociationParameters.integrityAlgorithm = .SHA256
    p.childSecurityAssociationParameters.diffieHellmanGroup = .group19
    p.childSecurityAssociationParameters.lifetimeMinutes = 1410

    // base64String holds the PayloadContent value taken from the .mobileconfig
    if let certData = Data(base64Encoded: base64String) {
        p.identityData = certData
        p.authenticationMethod = .certificate
    }

    p.serverCertificateIssuerCommonName = "***"
    p.serverCertificateCommonName = "***-2"
    p.deadPeerDetectionRate = .medium
    p.disableRedirect = true
    p.enableRevocationCheck = false
    p.useExtendedAuthentication = true
    p.remoteIdentifier = address as String
    p.localIdentifier = username as String
    p.serverAddress = address as String
    p.enablePFS = false
    return p
}
```

and

```swift
let vpnManager = NEVPNManager.shared()
// inside > vpnManager.loadFromPreferences { (error) -> Void in
let p = self.getIKEv2Protocol(address: address, username: username, password: password)
vpnManager.protocolConfiguration = p
vpnManager.localizedDescription = "IKEv2 VPN"
vpnManager.isEnabled = true
vpnManager.saveToPreferences(completionHandler: { (error) -> Void in
    ...
    vpnManager.loadFromPreferences(completionHandler: { error in
        ...
        try vpnManager.connection.startVPNTunnel() // And this section starts without any errors.
```

How can I properly provide the value for p.identityData and the .mobileconfig password? Please explain in detail if there is an answer, as I am inexperienced with Swift and VPNs.
2
0
198
Aug ’24
Unable to recover after URLSession encounters the SSL error -9816
For years our iOS apps have experienced a networking problem, which blocks them connecting to our servers via their API endpoint domains. How can we recover after the scenario described below? Using 3rd party error logging solutions, which have different endpoint domains, we can record the error:

```
NSUnderlyingError": Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9816, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9816, _NSURLErrorNWPathKey=satisfied (Path is satisfied), viable, interface: pdp_ip0[lte], ipv4, dns, expensive, uses cell},
"_NSURLErrorFailingURLSessionTaskErrorKey": LocalDataTask <DEDBFA4D-810D-4438-A6A0-95E3B9668B9E>.<308>,
"_kCFStreamErrorDomainKey": 3,
"_NSURLErrorRelatedURLSessionTaskErrorKey": <__NSSingleObjectArrayI 0x301f82e60>( LocalDataTask <DEDBFA4D-810D-4438-A6A0-95E3B9668B9E>.<308> )
"NSLocalizedDescription": An SSL error has occurred and a secure connection to the server cannot be made.,
"NSLocalizedRecoverySuggestion": Would you like to connect to the server anyway?
```

-9816 is the "server closed session with no notification" error based on comments in CoreFoundation source files. Subsequent API endpoint calls to the same domain return the same error. The SSL error occurs most prevalently after a server outage. However, despite our best efforts, we have been unable to replicate triggering the problem for development purposes via experiments with our server. When the error occurs the users report that:

- Fully closing (i.e. not just sending to background) and reopening the app does NOT clear connectivity to our server being blocked.
- Problem seems more prevalent when using mobile/cell data.
- Switching from mobile/cell data to WIFI resolves the connection problem and then switching back to mobile/cell data shows the problem again. So the underlying problem is not cleared.
- All other apps on the same device and mobile/cell data or WIFI connection, like Safari, have no problems connecting to the Internet.
- Deleting and reinstalling, or updating (when an update is available) resolves the problem. Or after waiting a few days the problem seems to resolve itself.

The last two points above suggest that something is persisted/cached in the app preventing it from connecting properly with subsequent network attempts.

Notes: We have one shared instance of the URLSession in the app for its networking because we are aware of the perils of multiple URLSession instances. We recently added conditions to call the URLSession await reset() method when detecting the SSL errors before repeating the request. It is debatable whether this reduces the problem as we still see logged cases with the subsequent requests hitting the same -9816 error.

URLSession configuration:

```swift
let config = URLSessionConfiguration.default
config.timeoutIntervalForResource = 22
config.timeoutIntervalForRequest = 20
config.requestCachePolicy = .reloadIgnoringLocalCacheData
config.urlCache = nil
```
2
0
292
Aug ’24
Revoke system extension approval
Hi everyone, I am developing a macOS app where a network extension and a content filter are installed as system extensions when the app is launched. I'd like to test the flow where users get a "System Extension Blocked" prompt like this: But I couldn't find a way to revoke the approval I gave in the first place. I've tried removing the system extensions using "sudo systemextensionsctl uninstall [TEAM ID] [BUNDLE ID]" with SIP disabled but no luck. I've also tried to remove them from the KextPolicy database but they are not even in the database. I am on macOS Sonoma 14.5. All I want is to revoke the system extension approval and recreate this prompt. Has anyone experienced a similar issue or has any suggestions on how to achieve this?
1
0
245
Aug ’24
-[USRVWebViewCallback invoke:] crash on launch
Starting at 7 am many of our apps are crashing on launch from the -[USRVWebViewCallback invoke:] EXC_BAD_ACCESS: Attempted to dereference garbage pointer 0x20. This is coming across OS versions and does not seem to be related to our code as many different applications are crashing. Did Apple turn something on this morning?
3
2
707
Aug ’24
macOS Packet Tunnel Extension Startup Issue: System Extension Not Activated
Hello, I'm working on a macOS application involving a Packet Tunnel Extension and have encountered a few issues. I would appreciate any help or insights from the community.

1. System Extension Not Activated: Despite the system extension activation request (OSSystemExtensionRequest) appearing successful, the system extension is not fully activating. Error log shows: Failed to create LSApplicationRecord for file:///Library/SystemExtensions/.../: 'The operation couldn’t be completed. (OSStatus error -10811.)'
2. VPN Connection Timeout: When attempting to start the VPN connection, the connection status remains stuck at "Connecting" and does not enter the PacketTunnelProvider's startTunnel method. Error log shows: NESMVPNSessionStateStarting, with connection timing out (300 seconds).
3. System Extension Entitlements Issue: In the system extension's entitlements file, I have included relevant configuration items, such as com.apple.security.application-groups and com.apple.security.system-extension. Despite the correct configuration, the error log still shows that the com.apple.security.application-groups entitlement is not satisfied.

Here is the configuration from the system extension's entitlements file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider</string>
        <string>app-proxy-provider</string>
        <string>content-filter-provider</string>
        <string>dns-proxy</string>
    </array>
    <key>com.apple.developer.networking.vpn.api</key>
    <array>
        <string>allow-vpn</string>
    </array>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>$(TeamIdentifierPrefix)com.mytest.client.macos.shared</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
</dict>
</plist>
```

4. App Groups in Developer Account: In Xcode, the App Group identifier starts with the team code, such as $(TeamIdentifierPrefix)com.mytest.client.macos.shared. However, on the Apple Developer website, I can only add App Groups that start with group. rather than those with the team code prefix.

Summary:

- The system extension is not fully activating, and the VPN connection remains stuck in the connecting state.
- The entitlements file configuration does not seem to be applied correctly.
- The discrepancy between Xcode and the Developer website regarding App Group identifiers is causing confusion.

I have reviewed the entitlements file and the application's provisioning profile to ensure they match. Any advice or shared experiences from those who have faced similar issues would be greatly appreciated! Thank you!
0
0
197
Aug ’24
What are "appropriate" Applications directories?
Documentation for System Extensions talks about an "appropriate" Applications directory, but doesn't specify what this is. /Applications and its subdirectories qualify, but are there more? Did this change in macOS 15 Sequoia?

Installing System Extensions and Drivers: "Your app is installed in an appropriate Applications directory of the system."

OSSystemExtensionErrorUnsupportedParentBundleLocation: "The app itself must be in one of the system’s Applications directories."

Background: while testing one of our apps with a VPN Network Extension on the current Sequoia beta, it seems that the restrictions got tighter. I'm able to run this app in my user's ~/Applications on macOS 14.6.1, but on macOS 15.1 beta I get this error now:

```
Error Domain=OSSystemExtensionErrorDomain Code=3 "App containing System Extension to be activated must be in /Applications folder. Current location: file:///…
```
1
0
267
Aug ’24
Failing certificate on Client Authentication
Hello, we are developing an application that uses TLS client authentication with a self-signed certificate. The app has multiple targets, including iOS and macOS clients. However, we are encountering issues with the client certificate on both platforms. Specifically, the client certificate is being rejected when making a URLRequest, and an AuthChallenge is triggered. The strange part is that the TLS handshake fails for every target except one iOS target, making it unclear whether the issue lies with the server or the system.

Flow

The connection uses TLS with Client Authentication. The user is authenticated by a client certificate that is issued when the user signs in. The certificate is self-signed. It is decoded from a PKCS#12 blob into Swift.Data and then successfully imported with SecPKCS12Import. The Keychain uses access groups (separate for each target), kSecAttrSynchronizable is set to false and the items are accessible .afterFirstUnlock. The certificate is used for two types of connections:

1. Basic query request
2. Periodic status report

The first type of request never fails; it is successful. The problem arises with the second type of request. If the certificate is expired on didReceive challenge: URLAuthenticationChallenge, it is refreshed and then provided for verification with URLCredential.

Issue

With the default target everything works as expected. The issue arose when other targets with the same functionality (different UI, Access Group, Bundle identifier) were added (different xcodeproj or same). Importing the certificate is successful, as are basic query requests. The issue is with the second type of request, the Periodic status report. Whenever this request is sent via URLSession, it fails. Here is the output in the Xcode console:

```
boringssl_context_handle_fatal_alert(2072) [C1.1.1.1:2][0x13c0755a0] read alert, level: fatal, description: bad certificate
nw_read_request_report [C1] Receive failed with error "bad certificate format"
boringssl_session_handshake_error_print(44) [C1.1.1.1:2][0x13c0755a0] Error: 5266350496:error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE:/AppleInternal/Library/BuildRoots/a8fc4767-fd9e-11ee-8f2e-b26cde007628/Library/Caches/com.apple.xbs/Sources/boringssl/ssl/tls_record.cc:592:SSL alert number 42
Task <..>.<1> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<redacted>” which could put your confidential information at risk."
```

The certificate is in fact not invalid, since it works as expected for the other type of request and with the one specific target. Here is the output from Console.app: consoleoutput.txt

I also noticed an additional error when I specifically searched for errors in Console.app. I'm not sure if it's connected, though it doesn't seem likely, as this error appears far more frequently than the requests.

```
| Security | com.apple.security | trustd | SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-67808 "RSA signature verification failed, no match" UserInfo={numberOfErrorsDeep=0, NSDescription=RSA signature verification failed, no match} debug 21:56:54.822609+0200
| Security | com.apple.security | trustd | SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-50 "rsa_pub_crypt failed, ccerr=-7" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=rsa_pub_crypt failed, ccerr=-7} debug 21:56:43.954898+0200
```

On iOS an additional error appears:

```
SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-50 "<SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 4, 2048 bits (block size: 256), exponent: {hex: 10001, decimal: 65537}, modulus: F12EA3…97D85C5, addr: 0x7eca128c0>: sign - input buffer bad size (264 bytes)" UserInfo={numberOfErrorsDeep=0, NSDescription=<SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 4, 2048 bits (block size: 256), exponent: {hex: 10001, decimal: 65537}, modulus: F12EA31…A835FA7B
```

With the message that says, "The certificate for this server is invalid...," it appears that the server certificate is failing. However, as mentioned, it works for another target that uses the exact same endpoint. When making a simple GET request to this endpoint, it passes as expected, probably since the client certificate is not requested. I also checked the trust result on AuthenticationChallenge and it was successful. Could this be an issue with the client/server certificate itself? Or perhaps with how the client certificate is being handled, such as storing it inside the keychain, possible collisions? Thank you for your response.
1
1
323
Aug ’24
Does TCP/UDP-level traffic go into a per-app packet tunnel when NEProxySettings are considered?
Hi! I am building a simple per-app VPN application. I want the traffic from the certain appRules-specified application to go to the HTTP/HTTPS proxy server. I am lacking the following pieces of information:

1. When proxy settings are configured, who receives the traffic first: a proxy server or a packet tunnel provider? Since HTTP and HTTPS protocols are on the highest level of the networking stack, I expect the proxy server to receive the traffic first.
2. Will the packet tunnel provider receive TCP/UDP traffic from the specified applications with specified HTTP/HTTPS proxy settings?
0
0
171
Aug ’24
Requirement of location services to get SSID name.
Sorry if this has been asked before. I was looking to see if there was any specific reason why location permission is needed to get the SSID name. I built a small utility app to show network details. Some users have expressed concerns regarding enabling location services just to get the SSID or BSSID values. I just want to understand, and hopefully convey the right message to the users.
3
0
322
Aug ’24
Connect to Wifi Accessory without authorization
Hi, for my iOS app, I want to temporarily connect to an in-house Wi-Fi accessory. The iOS app will exchange some messages to configure the accessory, and the Wi-Fi accessory does not need a connection to the internet. Based on the other post, NEHotspotConfiguration can be used to programmatically connect to a Wi-Fi network. However, iOS asks for the authorization "Wants to Join Wi-Fi Network". I have the following questions:

1. Can we use Wireless Accessory Configuration (WAC) for the same interaction? And in this case, can we silently connect to the accessory using Wi-Fi without the user having to authorize the connection?
2. If WAC is used for this application, do we have to go through MFi certification? And what is the estimated cost for this certification? Do we pay a one-time fee or a per device/app installation fee?

The device is a USB peripheral with a built-in Wi-Fi module. Thanks for the clarification.
1
0
210
Aug ’24
RTF_CLONING flag in the default route when VPN connection is active
Hey! We are investigating a problem with routes when the VPN is active on macOS, and I wonder if this is expected behavior or a bug that should be registered. I tested six different VPN providers on macOS 14.5 to ensure this problem does not only affect our product; I found out all VPN providers were affected. When a user connects to the VPN and the app calls setTunnelNetworkSettings, the operating system creates a new default route in the system:

```
$ netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags     Netif   Expire
default            link#50            UCSg      utun23          <---- the new default route is added here
default            192.168.0.1        UGScIg    en10
...
...
```

A quick look into the netstat manual reveals the meaning of the flags for the route (UCSg):

- U - RTF_UP: Route usable
- C - RTF_CLONING: Generate new routes on use
- S - RTF_STATIC: Manually added
- g - RTF_GLOBAL: Route to a destination of the global internet (policy hint)

We are concerned about the C flag (RTF_CLONING) in particular. Let's experiment to show why we are interested in this flag. Upon connecting to the VPN, execute the following commands:

```
$ netstat -rn -f inet | grep 185.15.59.224
# empty output
$ ping wikipedia.org
PING wikipedia.org (185.15.59.224): 56 data bytes
64 bytes from 185.15.59.224: icmp_seq=0 ttl=58 time=38.798 ms
64 bytes from 185.15.59.224: icmp_seq=1 ttl=58 time=37.941 ms
^C
$ netstat -rn -f inet | grep 185.15.59.224
185.15.59.224      link#50            UHW3Ig    utun23  10
```

Notice the netstat command is executed without root privileges. A new route added (thanks to the RTF_CLONING flag) to the routing table means that the unprivileged user might easily track which websites were visited by another user, even if the latter uses a VPN service for the connection. I spent some time experimenting but didn't find a way to call setTunnelNetworkSettings to add a default route without the RTF_CLONING flag. Do you know if this is the expected behavior of the operating system, or should we register a bug for that behavior?

Personally, I think it affects the user's right to privacy quite heavily, especially because the netstat command might be executed by a regular user and does not need any privileges to run.
1
0
297
Aug ’24
QUIC & http3
Hi, this is basically a fundamental question on the QUIC implementation via the Network framework. We are using the NWMultiplexGroup object to deal with multiple streams over the wire, but we would like to understand if this object is using HTTP/3 under the hood, because our understanding is that the actual connection multiplexing is happening under that protocol. If this is not the case, can you please elaborate a little bit more on this? By the way, in this implementation we are not using URLSession at all; it is just pure QUIC via the Network framework. Thanks in advance.
1
0
263
Aug ’24
iOS 17, cannot scan LocalNetwork: NSNetServicesErrorCode = "-72007"
Good day. Since iOS 17 I have a problem with connecting to local IP devices. When I try to scan the local network:

```js
zeroconf.scan('http', 'tcp', 'local.');
```

I get an error:

```
Error: { NSNetServicesErrorCode = "-72007"; NSNetServicesErrorDomain = 10; }
```

I use the react-native-zeroconf library and configure the infoPlist with:

```json
{
  "NSBonjourServices": ["_http._tcp"],
  "NSLocalNetworkUsageDescription": "Allow Turkov application to configure LLC devices",
  "NSAppTransportSecurity": {
    "NSAllowsArbitraryLoads": true,
    "NSExceptionDomains": {
      "localhost": { "NSExceptionAllowsInsecureHTTPLoads": true }
    }
  }
}
```

And I also got the approval from the Apple team to use multicast, and applied it in the project:

```json
"entitlements": { "com.apple.developer.networking.multicast": true },
```

Below iOS 17 (I tested on 16.6) all works fine. Can someone help with that problem?
5
2
307
Aug ’24
Localizing app name in VPN permission prompt
We have noticed that even if we have a localized CFBundleDisplayName, the phone would use the CFBundleName in the VPN permission dialog: " Would Like To Add VPN Configurations" The problem is even if we localize the CFBundleName in the InfoPlist.xcstrings, it still uses the base language in the permission prompt regardless of what language the phone is in. Is it possible to localize the name that's shown in the VPN permission dialog?
4
0
216
Aug ’24