Networking

Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.

Post

Replies

Boosts

Views

Activity

IOS 17, cannot scan LocalNetworkNSNetServicesErrorCode = "-72007"
Good day. Since iOS 17 I have a problem connecting to local IP devices. When I try to scan the local network:

```
zeroconf.scan('http', 'tcp', 'local.');
```

I get an error:

```
Error: { NSNetServicesErrorCode = "-72007"; NSNetServicesErrorDomain = 10; }
```

I use the react-native-zeroconf library and configured the infoPlist with:

```
"NSBonjourServices": ["_http._tcp"],
"NSLocalNetworkUsageDescription": "Allow Turkov application to configure LLC devices",
"NSAppTransportSecurity": {
  "NSAllowsArbitraryLoads": true,
  "NSExceptionDomains": {
    "localhost": {
      "NSExceptionAllowsInsecureHTTPLoads": true
    }
  }
}
```

I also got an approved certificate to use multicast from the Apple team, and applied it in the project:

```
"entitlements": { "com.apple.developer.networking.multicast": true },
```

Below iOS 17 (I tested on 16.6) everything works fine. Can someone help with this problem?
5
2
309
Aug ’24
Localizing app name in VPN permission prompt
We have noticed that even if we have a localized CFBundleDisplayName, the phone would use the CFBundleName in the VPN permission dialog: " Would Like To Add VPN Configurations" The problem is even if we localize the CFBundleName in the InfoPlist.xcstrings, it still uses the base language in the permission prompt regardless of what language the phone is in. Is it possible to localize the name that's shown in the VPN permission dialog?
4
0
217
Aug ’24
DNS Proxy Invalidation in inactive state
Hi, I have been working on the app with NE Filter Providers for a while now and it seems to work well. However, unlike Content Filter Providers, DNS Proxy is invalidated when the device is in an inactive state. It shows status "Invalid" for just a couple of seconds before it changes to "Starting" and eventually "Running". That's not a major issue, but I would like to know what's causing this behaviour and if there is a way to fix it. I am using custom DoH in my DNS Proxy for proxying flows. And if the server times out to respond, the app sends rcode 5 (Refused) for the requested flow. At the same time, the app shouldn't crash because all errors are handled appropriately. Would be very grateful for any thoughts, thank you!
0
0
349
Aug ’24
DNS Proxy invalidation in inactive state
Hi, I have been working on the app with NE Filter Providers for a while now and it seems to work well. However, unlike Content Filter Providers, DNS Proxy is invalidated when the device is in an inactive state. It shows status "Invalid" for just a couple of seconds before it changes to "Starting" and eventually "Running". That's not a major issue, but I would like to know what's causing this behaviour and if there is a way to fix it. I am using custom DoH in my DNS Proxy for proxying flows. And if the server times out to respond, the app sends rcode 5 (Refused) for the requested flow. At the same time, the app shouldn't crash because all errors are handled appropriately. Would be very grateful for any thoughts, thank you!
0
0
367
Aug ’24
QUIC streams/connections terminated when taking off the AVP
Hi, We have this situation in which we are sending buffers from a server to the Vision Pro in a local network and for some reason, when we take the headset off of the user's head, the QUIC streams we are using are getting closed/terminated/disconnected. What are our options to remove this behavior, or probably resume or make sure the AVP is ready again to receive the buffers from the server in a graceful manner?
1
0
370
Aug ’24
Server Trust Authentication with same URL Session has uncertain response time behavior
Hello folks, I have a custom URLSessionDelegate which is checking server authentication by overriding the method:

```swift
func urlSession(_ session: URLSession,
                didReceive challenge: URLAuthenticationChallenge,
                completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) {
    if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) {
        let serverTrust = challenge.protectionSpace.serverTrust
        // Applying additional validations.
        if(validated) {
            completionHandler(.useCredential, URLCredential(trust:serverTrust))
        }
    } else {
        completionHandler(.performDefaultHandling, nil)
    }
}
```

Initialized the URL session as below and reusing it in subsequent requests:

```swift
// Create the session once and reuse it afterwards.
if(urlSession == nil) {
    urlSession = URLSession(configuration: URLSessionConfiguration.default, delegate: customURLSessionDelegate, delegateQueue : nil)
}
```

Now the issue is the uncertainty in response time:

- First request - say took approx 11 secs.
- Second request, if sent immediately (< 2 secs difference from last call) - took only 0.2 secs or 1.2 secs.
- Third request, if sent after >20 secs - took again 12 secs.

I want to know whether it is an implementation issue, or iOS behavior of handling the server trust authentication process in this way? Because the time it takes from initializing a DataTask to checking server auth differs. Also, when a call is sent immediately it does not check authentication again, but when sent after ~20 secs the debugger falls on the authentication method again, even if the URLSession instance was the same.
0
0
227
Aug ’24
Failed to perform Wi-Fi scan, returned error code 16
I developed a program to connect to Wi-Fi using the CoreWLAN API. First, I need to scan for SSIDs. However, when I call the scanning function, the scan fails occasionally.

```
Failed to perform Wi-Fi scan, returned error code 16, will try again in 200 ms
took 2.0468 seconds, returned error [16, com.apple.wifi.apple80211API.error, 'Resource busy']
```

I need to retry several times to succeed, which makes the process of connecting to Wi-Fi relatively slow. I want to know the reason of this error.

```
2024-08-06 18:24:13.090634+0800 0x86f393 Default 0x0 158 0 airportd: (IO80211) [com.apple.WiFiManager:] Info: <airport[158]> -[CWXPCSubsystem performScanWithChannelList:ssidList:legacyScanSSID:dwellTimeOverride:interfaceName:scanParametersOverride:allowDuringAWDLRealTimeMode:connection:scannedChannels:error:]: Failed to perform Wi-Fi scan, returned error code 16, will try again in 200 ms
2024-08-06 18:24:13.295896+0800 0x86f393 Default 0x0 158 0 airportd: (IO80211) Apple80211IOCTLSetWrapper:5093 @[3748838.819485] ifname['en0'] IOUC type 10/'APPLE80211_IOC_SCAN_REQ', len[5456] return 16/0x00000010
2024-08-06 18:24:13.295929+0800 0x86f393 Default 0x0 158 0 airportd: (IO80211) [com.apple.WiFiManager:] Info: <airport[158]> -[CWXPCSubsystem performScanWithChannelList:ssidList:legacyScanSSID:dwellTimeOverride:interfaceName:scanParametersOverride:allowDuringAWDLRealTimeMode:connection:scannedChannels:error:]: Failed to perform Wi-Fi scan, returned error code 16, will try again in 200 ms
2024-08-06 18:24:13.498811+0800 0x86f393 Default 0x0 158 0 airportd: (IO80211) [com.apple.WiFiManager:] Info: <airport[158]> -[CWXPCSubsystem performScanWithChannelList:ssidList:legacyScanSSID:dwellTimeOverride:interfaceName:scanParametersOverride:allowDuringAWDLRealTimeMode:connection:scannedChannels:error:]: Failed to perform Wi-Fi scan, returned error code 16
2024-08-06 18:24:13.499112+0800 0x86f393 Default 0x0 158 0 airportd: (IO80211) [com.apple.WiFiManager:] Scan: <airport[158]> -[CWXPCConnection __performScanWithChannelSubset:ssidList:legacyScanSSID:includeHiddenNetworks:mergeScanResults:maxAge:maxMissCount:maxWakeCount:maxAutoJoinCount:interfaceName:waitForWiFi:waitForBluetooth:token:priority:scanParametersOverride:allowDuringAWDLRealTimeMode:reply:]_block_invoke: [575EE] WIFI_REQ_SCAN (exit)
2024-08-06 18:24:13.499318+0800 0x86f7a7 Default 0x0 158 0 airportd: (IO80211) [com.apple.WiFiManager:] AutoJoin: <airport[158]> Failed cache-assisted scan request for wifihelper with channels {( <CWChannel: 0x138b236f0> [channelNumber=1(2GHz), channelWidth={20MHz}, active], <CWChannel: 0x138b8f880> [channelNumber=6(2GHz), channelWidth={20MHz}, active], <CWChannel: 0x138bee730> [channelNumber=11(2GHz), channelWidth={20MHz}, active], <CWChannel: 0x138b77590> [channelNumber=2(2GHz), channelWidth={20MHz}, active], <CWChannel: 0x138bb7e40> [channelNumber=3(2GHz), channelWidth={20MHz}, active], <CWChannel: 0x138b51290> [channelNumber=4(2GHz), channelWidth={20MHz}, active] )}, took 2.0468 seconds, returned error [16, com.apple.wifi.apple80211API.error, 'Resource busy']
```

wifi.log
1
0
291
Aug ’24
macOS Server App on background state
Hi, let us explain the situation we have: We have a macOS server app which happens to be/act as a QUIC server (this setup is for a live demo). Once the server receives a streaming request from the client, the server starts to send a bunch of QUIC streams to the client. The server needs to run on a MacBook Pro for the live demo and everything works fine. Now, when we click on a different app (the server app loses focus), the server app goes to the background state and the network activity just stops, going from 90MB/s to almost zero, but when we click on the server app again, the network activity goes back to 90MB/s and it continues normally. We understand this is the OS taking some decisions by managing resources efficiently. Question: Kindly let us know which options we have to keep the server app's QUIC networking tasks continuously running, even if it is not in the foreground (basically for it to behave like an actual server/service)? Thanks in advance
4
0
365
Aug ’24
Crash in connection loader from CFNetwork with stack traces referring to internal Apple SDKs
We found that a significant number of crash reports (most of them from iOS 17, the rest from iOS 16 and 15) come from the network loader in CFNetwork. Judging from the stack traces, there appear to be two types of crashes: the one we found in both the Xcode Organizer and our 3rd party crash reporter refers to URLConnectionLoader::loadWithWhatToDo, and the other one, from our 3rd party crash reporter (we didn't find the report in the Xcode Organizer), refers to _CFURLResponseCreateFromArchiveList (this one only happened on iOS 17.5 and later devices). It seems that they are both kinda similar, which might point to the same root cause. From what I've seen, we never touch the lower level API directly; we usually use URLSession to manage our API requests. The crash stack trace also didn't give any indication of which part of our app code triggered the crash; it only shows calls to Apple's internal SDKs, so we are unsure how to approach this issue, while the crash count has already reached 800+ in the last 30 days. Unfortunately, we cannot reproduce the issue as the stack trace itself seems unclear to us. I have submitted a report through Feedback Assistant with number: FB14679252. Would appreciate it if anyone can give any advice on what we can do to avoid this in the future and probably any hint on why it could have happened. I have attached the crash reports that we found, one from the Xcode crash report and one from our 3rd party crash reporter (the report said it crashed on com.apple.CFNetwork.LoaderQ), so you can get a glimpse of the similarity. Xcode crash report xcode crash report.crash 3rd party crash report 3rd party crash report.txt
4
0
465
Aug ’24
Passpoint Network Performance Different using API vs .mobileconfig
Hi All, We are developing a hybrid MVNO and want to use Wi-Fi Passpoint to enable offload from our users' phones when they are in range of our Wi-Fi network. The user experience of installing a .mobileconfig file is too many steps and a bad user experience, which causes low adoption among our users. Instead, we want to use the NEHotspotConfigurationManager to configure a HS2.0 network using EAP-TLS. We configure these elements using:

- NEHotspotConfiguration
- NEHotspotHS20Settings
- NEHotspotEAPSettings

Our code to execute the above is shown below:

```swift
func configureProfile(certificate: String, issuingCa: String, caChain: [String], resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
#if !targetEnvironment(simulator)
    let keychainQuery = [kSecClass as String: kSecClassCertificate] as [String: Any] as CFDictionary
    let status = SecItemDelete(keychainQuery)
    print("Delete status \(status)")

    let url = Bundle.main.url(forResource: "serverCA", withExtension: "crt")!
    let caCert = try! String(contentsOf: url)
    _ = addCertToChain(caCert, name: "HeliumMobile CaCert")
    caChain.enumerated().forEach { idx, ca in
        _ = addCertToChain(ca, name: "HeliumMobile Chain \(idx)")
    }
    let cert = addCertToChain(certificate, name: "HeliumMobile Cert")
    let identity = try! SecIdentity.load(certificate: cert!)

    let hs20Settings = NEHotspotHS20Settings(domainName: DOMAIN, roamingEnabled: false)
    let eapSettings = NEHotspotEAPSettings()
    eapSettings.trustedServerNames = ["radius.dev.wifi.\(DOMAIN)", "radius.wifi.\(DOMAIN)"]
    eapSettings.isTLSClientCertificateRequired = true
    eapSettings.supportedEAPTypes = [13]
    eapSettings.preferredTLSVersion = NEHotspotEAPSettings.TLSVersion._1_2
    let identitySuccess = eapSettings.setIdentity(identity)
    print("Identity set? \(identitySuccess)")

    let config = NEHotspotConfiguration(hs20Settings: hs20Settings, eapSettings: eapSettings)
    config.hidden = false
    NEHotspotConfigurationManager.shared.getConfiguredSSIDs(completionHandler: { ssids in
        for ssid in ssids {
            // Remove previous wifi configs
            NEHotspotConfigurationManager.shared.removeConfiguration(forSSID: ssid)
        }
        NEHotspotConfigurationManager.shared.apply(config, completionHandler: { error in
            if let error = error {
                reject("Error", "Failed to install profile", error)
            } else {
                resolve(true)
            }
        })
    })
#endif
}
```

Using this method we have a partial success, but there is a noticeable difference in the performance of this method relative to using a similarly (but not exactly) configured .mobileconfig file. The main issues we see are:

- The phone is sluggish / not eager to join the Wi-Fi network when in coverage. Relative to a device using a .mobileconfig profile for the same network, the App configured phone will take 2-3 minutes longer to connect to the network. During this time you can view in logs numerous EAP attempts that fail. The failure mode appears to be the phone starting to connect, then going silent and ignoring the Wi-Fi AP for a while (1-2 min) before starting a new attempt.
- The App configured phone is more prone to disconnection from the Wi-Fi network when in a stable coverage area. This often coincides with the phone locking the screen and going to sleep. When waking from the sleep, you see the same EAP attempt and failure behavior as stated above.
- UI differences: Using the API there appears to not be a way to configure the "Provider Display Name" which is shown in the Settings -> Wi-Fi SSID list below the SSID string.
- UI differences: SSID is marked as "hidden SSID" in the Settings -> Wi-Fi SSID list. Note this is despite A) The SSID is not hidden, it is advertised in beacon frames B) We have tried explicitly configuring "config.hidden = false"
- Differing dependencies between API and .mobileconfig: using Apple Configurator I can create a .mobileconfig that enables Roaming Partner connections with my MCC/MNCs configured, but having no NAI Realm. However, when I try to enable isRoamingEnabled = true in the API I get an error saying I must have an NAI Realm. If/when I add an NAI realm, I get further oddity in connection/EAP behavior when using the API.

Thus far, our examination of the API documentation has not revealed any resolution to the items above. It really feels like the API and .mobileconfig are doing 2 very different things inside the phone. Does anyone have guidance or suggestions on how to resolve these issues? Or perhaps example code showing the proper usage of the APIs to configure a Passpoint network? Any help SUPER appreciated.
1
0
203
Aug ’24
Changing Info.plist ATS value for Release archives
Hi, My company has an app that is communicating with local servers with self-signed certificates, meaning that in order to allow the app to have a connection in the testing environment I had to add a few domains in NSExceptionDomains in the App Transport Security Settings section of the Info.plist. The problem is, our Cyber department is not allowing us to upload the app with these domains in the app, fearing a data leak. I had a Build Phase script using PlistBuddy that deleted those settings when archiving in Release, but that no longer works as Apple recommended to set "Generate Info.plist file" to true as a best practice. I tried to read about it and found out that Info.plist is now generated after the build phases step, so modifying it is impossible because it doesn't exist yet in the $TARGET_BUILD_DIR when the script is running. Other than deleting it manually before each upload, which is highly prone to mistakes, I need something like a script or some other automatic solution. Does anyone have any suggestions to help me with this? Thanks
1
0
239
Aug ’24
How to load arbitrary insecured stream url on IOS ?
Hi, I am developing an IPTV app; an IPTV app cannot know what the domain for the stream URLs is during development. So I tried all the solutions found on the net ("NSAllowsArbitraryLoads -> TRUE") and tried the diagnostic command nscurl --ats-diagnostics --verbose with a stream URL that works on VLC. I got only fails for all the cases; the result is below. But if there's no way to load an arbitrary insecure stream URL, how are the existing IPTV apps working on iOS and IosTV?!

```
mac@MK-MacBook-Pro ntv % nscurl 'http://ibrafr.com:8789/play/movie.php?mac=00:1A:79:??:??:??&stream=31893.mkv&type=movie' --verbose --ats-diagnostics
Starting ATS Diagnostics
================================================================================
Default ATS Secure Connection
ATS Default Connection
ATS Dictionary: { }
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://ibrafr.com:8789/play/movie.php?mac=00:1A:79:??:??:??&stream=31893.mkv&type=movie, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <6850A6F0-62AA-4581-B736-61E130C9F01F>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <6850A6F0-62AA-4581-B736-61E130C9F01F>.<1>" ), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://ibrafr.com:8789/play/movie.php?mac=00:1A:79:??:??:??&stream=31893.mkv&type=movie, NSUnderlyingError=0x600000611e60 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9836, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9836, _NSURLErrorNWPathKey=satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, ipv6, dns, uses wifi}}, _kCFStreamErrorCodeKey=-9836}
================================================================================
Allowing Arbitrary Loads
Allow All Loads
ATS Dictionary: { NSAllowsArbitraryLoads = true; }
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://ibrafr.com:8789/play/movie.php?mac=00:1A:79:??:??:??&stream=31893.mkv&type=movie, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask .<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask .<1>" ), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://ibrafr.com:8789/play/movie.php?mac=00:1A:79:??:??:??&stream=31893.mkv&type=movie, NSUnderlyingError=0x600000612940 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9836, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9836, _NSURLErrorNWPathKey=satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, ipv6, dns, uses wifi}}, _kCFStreamErrorCodeKey=-9836}
================================================================================
All fails
================================================================================
```
3
0
247
Aug ’24
intercept network traffic via NETransparentProxyProvider
I need to intercept traffic (by port range) and need to have the ability to modify it. If I understand correctly, the best way is to use NETransparentProxyProvider for this purpose. Is my understanding correct? I am trying to figure out how to make a system extension (NETransparentProxyProvider) intercept the traffic. Unfortunately I have not found any description or example (similar to Network Filter). I am a novice in Network Extension. Is there any guide, example or quick start on how to implement an app proxy? Thank you!
3
0
317
Aug ’24
Support multiple Network extension Targets in a single app
I have an iOS app with two network extension targets (tunnel1 and tunnel2) in it. The use case is explained below:

- One target, i.e. Tunnel1, will be used for public traffic. Traffic not part of Tunnel2 will go through this tunnel.
- The second target, i.e. Tunnel2, will be used for private traffic. This will be configured as per-app VPN so that only those apps can have access to private resources.

MDMs can push two VPN profiles along with the Provider Bundle Identifier so that the designated tunnel can start based on the source app. So far this works well.

Issue: We have thousands of deployments already in place where VPN profiles did not contain a Provider Bundle Identifier, because so far our app had just one tunnel target. Now, after upgrading to the new app version (with two NE targets), sometimes Tunnel1 starts, sometimes Tunnel2. It's purely random and we don't know the logic behind it.

Question: Is there any way to always prefer Tunnel1 when there is no Provider Bundle Identifier in the MDM pushed VPN profile?
5
0
456
Aug ’24
How to tell if a System Extension is Enabled or not
Our app has a network system extension that it uses, and during the install process we prompt the user to go to "Security & Privacy" in Settings to Allow it to run. A lot of the time users just hit "OK" without actually going to the Settings, and when they go to use the App we have no way, that we know of, to tell if the startup has failed because they just haven't allowed the extension to run. Is there an API call that we can use to determine if our extension has been Allowed, so that if it hasn't we can prompt them to go to Settings again?
1
0
208
Aug ’24
Inability to separate IPv4 and IPv6 Traffic on the Same Port Using Network Framework
Hi everyone, I'm working on an app where I need to separate IPv4 and IPv6 traffic on a specific port, let's say "X", using the Network Framework. However, I've run into a problem: it appears that I'm only able to open a single NWListener for a given port number. I was under the impression that I should be able to create distinct IPv4 and IPv6 listeners for the same port "X". Here's the sample code I've written:

```swift
var params: NWParameters
var l1: NWListener
var l2: NWListener

params = NWParameters.udp
let protocolOptions = params.defaultProtocolStack.internetProtocol! as NWProtocolOptions
let ipOptions = protocolOptions as! NWProtocolIP.Options

ipOptions.version = .v6
l1 = try NWListener(using: params, on: NWEndpoint.Port(rawValue: 54192)!)
l1.stateUpdateHandler = InternalListenerStateHandler
l1.newConnectionHandler = InternalNewConnectionHandler
l1.start(queue: .global())

ipOptions.version = .v4
l2 = try NWListener(using: params, on: NWEndpoint.Port(rawValue: 54192)!)
l2.stateUpdateHandler = InternalListenerStateHandler
l2.newConnectionHandler = InternalNewConnectionHandler
l2.start(queue: .global())
```

I'm trying to figure out why this approach isn't working. Is there a way to manage both IPv4 and IPv6 traffic on the same port using the Network Framework, or is there something I'm overlooking in my setup? Additionally, when I switch to the BSD framework, I can successfully open two sockets on the same port by setting the "IPV6_ONLY" property on the IPv6 socket. Any insights or advice would be greatly appreciated! Thanks, Harshal
3
0
267
Aug ’24
How to add certificate and privatekey in https request in swift?
Hi, I want to add a certificate and its private key in an HTTPS request, as in this cURL command:

```
curl -L -i -X PUT --cert ./[device_cert].pem --key ./[device_cert_private_key].pem -H 'Content-Type: application/json' -H 'Content-Encoding: utf-8' -d '{"registrationId": "[registration_id]"}' https://global.azure-devices-provisioning.net/[ID_Scope]/registrations/[registration_id]/register?api-version=2021-06-01
```
4
0
249
Aug ’24
Local Network Access Permission requires binary to have LC_UUID load command
As mentioned in https://developer.apple.com/forums//thread/759955 I was having trouble on macOS 15 with a launch agent accessing local network resources, even if the local network permission dialog pops up, and Settings app visually claims the app has permission granted. The following was logged: nehelper +[NEProcessInfo copyUUIDsForExecutable:]_block_invoke: failed to get UUIDs for /Users/foo/my-binary It turned out that the problem was caused by the default golang toolchain not producing a LC_UUID load command, which seems to be critical for the network privacy subsystem to determine whether the binary is allowed access or not. The issue has been reported upstream here: https://github.com/golang/go/issues/68678 To work around this I added -ldflags="-linkmode=external" when building the go binary, so that the system linker (which does add LC_UUID) is invoked.
3
0
386
Jul ’24