My app has local network permission on macOS Sequoia and works in most cases. I've noticed that after unlocking my MacBook Pro, the very first request will regularly fail with a No Route to Host. A simple retry resolves the issue, but I would have expected the very first request to succeed.
Is this a known issue on macOS Sequoia, or is it by design? I'd prefer not to add a retry for this particular request, as the app is a network utility.
Networking
➜ ~ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
Then Password
Total number of apps = 6
1 : /Users/rks/Library/Android/sdk/platform-tools/adb
(Block incoming connections)
2 : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
(Block incoming connections)
3 : /usr/libexec/sshd-keygen-wrapper
(Block incoming connections)
4 : com.apple.WebKit.Networking
(Allow incoming connections)
5 : com.netacad.PacketTracer8.0.1
(Allow incoming connections)
6 : com.wangxutech.MacLetsView
(Allow incoming connections)
➜ ~
Hi,
I upgraded my macOS to 15.0. I work with Maven in my environment. Normally, while running tests with Maven in my environment on Sonoma 14.5, I was connecting to my test database environment with the PostgreSQL library in the background.
But after the upgrade, I realized that maven could not do this.
After some research, I saw that this policy for applications was newly added at https://support.apple.com/en-us/121011.
So, starting from 15.0, we have to allow "Local Network" usage for each application.
But when I run the "mvn test" command from the terminal, it does not ask me if I allow Local Network usage and that's why my mvn test gets an error.
But in normal applications, the same transaction works differently; for example, if I use the terminal in VSCode.app, a popup appears asking whether I allow it, and I allow it.
Then, I see that this application has been added under Local Network.
I definitely think there is a bug here.
Even though I allowed the PostgreSQL JDBC driver with the "socketfilterfw" command, it doesn't work. Even though I allowed Maven, it doesn't appear under "Local Network applications".
1- Here, there definitely needs to be an option to add an application to the "Local Network" screen.
2- We need to define the "Local Network" usage authorization for all my applications or the relevant user with a single permission.
The worst part here is for CI servers. There are too many application runtimes in CI. It is unnecessary to bother with authorizing all of them here.
Hello,
I'd like to find out if macOS Sequoia's MAC Address randomization affects the data (specifically, MAC addresses) we receive from I/O Kit.
For context, I'd like to find out if it affects my Mac App Store receipt validation code in any way.
Thank you,
– Matthias
When using rvictl, I notice that it creates 2 interfaces, one of which establishes a link-local connection between the iPhone and the Mac. What is this connection for? Why is it so talkative? And why can I only bring one of the created interfaces down but not the other?
When I try to bring down the interfaces with the ifconfig enX down command, it stops the DHCP requests and several TCP DUP ACKs, but the other interface is persistent and will not stop talking.
Can someone explain what type of traffic is being transmitted between the Mac and the iPhone?
PLATFORM AND VERSION
iOS
Development environment: Xcode Version 16.0 (16A242d), macOS 15.0 (24A335)
Run-time configuration: macOS 15.0 (24A335)
DESCRIPTION OF PROBLEM
macOS Sequoia has new Privacy & Security requirements for local area network access. This causes a call to POSIX socket function 'sendto' to fail immediately with EHOSTUNREACH on the first execution of any app that calls it. That failure occurs even if the socket is set to block for well over the time that it would typically take for the user to click "Allow" when presented with a system dialogue box that requests new permissions for the app.
A test Xcode project has been provided that is capable of reproducing the issue (see macOSsocketfail.zip at https://drive.google.com/file/d/14VxkT03ddm48RCXikLHf-aWgdqxwnpAB/view?usp=sharing). It will generate a log file that contains time-stamped messages. They report each step in the creation of a blocking UDP socket – and which system call has failed as a result of which error. The message time stamps demonstrate that macOS has terminated the sendto function call after tens of microseconds, well before the 5 minute timeout on the socket, and that it terminates with errno EHOSTUNREACH. That error is misleading, because the destination is pingable on my setup at the time of execution. The second execution of the app functions without error if "Allow" has been selected during the first run.
This specific macOS behaviour does not appear to be documented anywhere that I have yet encountered; e.g. the sendto man page, the Privacy & Security LAN FAQ, etc. It is, however, highly disruptive to the use of our product, which hinges on LAN access. We have a situation in which a relatively large collection of apps are using the same shared library to manage network access. All of them must now receive manual permission from an administrator to work; but all of them will fail on their first execution. The problem is amplified because our customers use our framework to build their own apps, and not every user is an administrator. In contrast, apps that use our framework would simply work without issue on their first execution when run on macOS versions that precede Sequoia.
We must support our software across multiple platforms, hence the reason that we are using POSIX function calls to implement networking. Unfortunately, the use of an Apple-specific networking API is not a viable solution for us.
How should we mitigate this problem? Is there some way to configure an Xcode project so that the build product will already have Sequoia LAN permissions? I have read about the com.apple.developer.networking.multicast entitlement, but it is unclear whether it will help us, from the material that is available.
STEPS TO REPRODUCE
POSIX function call sequence
For the following, addr has type struct sockaddr_in, and it is set appropriately for binding or broadcasting using standard library macros and functions. &addr is cast to a const struct sockaddr pointer and assigned to saddr.
int sock = socket( PF_INET, SOCK_DGRAM, 0 );
bind( sock, saddr, sizeof( addr ) );
int r = 1;                                      /* enable broadcast on the socket */
setsockopt( sock, SOL_SOCKET, SO_BROADCAST, &r, sizeof( r ) );
struct timeval timeout = { 300, 0 };            /* 5 minute socket timeout */
setsockopt( sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof( timeout ) );
sendto( sock, msg, strlen( msg ) + 1, 0, saddr, sizeof( addr ) );
Test program, presuming that a device with IP 100.1.1.1 exists on the LAN that the Mac is also connected to.
Open Xcode project macOSsocketfail.
Build project.
Execute first run of macOSsocketfail.app.
Click "Allow" when asked for LAN permissions.
Search for macOSsocketfail_log.txt, and make a copy with a distinct name e.g. macOSsocketfail_log_firstrun.txt.
Execute second run of macOSsocketfail.app.
Search for macOSsocketfail_log.txt, and make a copy with a distinct name e.g. macOSsocketfail_log_secondrun.txt.
Examine log files.
The first run log file will contain the following messages (time stamping will naturally differ):
1727710614.064009: Running udptest
1727710614.064015: Creating socket
1727710614.064030: Bind socket to port: 4000
1727710614.064061: Enable socket broadcast
1727710614.064064: Set socket timeout to 300.000000sec
1727710614.064067: Attempt to send blocking UDP connection packet to 100.1.1.1:589
1727710614.064124: sendto: No route to host
Error during call to sendto: errno is EHOSTUNREACH: No route to host
The second run log file will record a different outcome:
1727713660.733431: Running udptest
1727713660.733436: Creating socket
1727713660.733451: Bind socket to port: 4000
1727713660.733476: Enable socket broadcast
1727713660.733479: Set socket timeout to 300.000000sec
1727713660.733482: Attempt to send blocking UDP connection packet to 100.1.1.1:589
1727713660.733540: Ran to completion with no error detected
Note that each line of the log files begins with a timestamp. The unit is seconds, and the resolution is to the nearest microsecond. Time values are obtained using gettimeofday().
RELEVANT LINKS
https://developer.apple.com/forums/thread/663858
https://forums.developer.apple.com/forums/thread/757824
https://developer.apple.com/forums/thread/760964
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_networking_multicast/
https://developer.apple.com/forums/thread/657887
https://developer.apple.com/forums/thread/655920
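The same POSIX sequence as the report above, written as an added example (not the poster's macOSsocketfail project) with every call checked, log lines in the shape of the report's log files, and a small classifier that flags the first-run pattern the report describes: an immediate EHOSTUNREACH on a socket set to block for minutes. The verdict names, the 1 ms threshold and the payload are assumptions of this example, not Apple API.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Verdict on a sendto() result. SEND_PERMISSION_SUSPECT is a heuristic
 * constructed for this example, not an Apple API: an immediate EHOSTUNREACH on
 * a socket set to block for minutes matches the first-run behaviour reported above. */
typedef enum { SEND_OK, SEND_PERMISSION_SUSPECT, SEND_OTHER_ERROR } send_verdict;

/* The 1 ms threshold is an assumption taken from the report's log, where sendto()
 * returned after tens of microseconds. A genuine routing failure can also return
 * quickly, so the verdict is advisory and the caller still logs errno and destination. */
send_verdict classify_sendto(ssize_t rc, int err, long elapsed_us)
{
    if (rc >= 0) return SEND_OK;
    if (err == EHOSTUNREACH && elapsed_us >= 0 && elapsed_us < 1000)
        return SEND_PERMISSION_SUSPECT;
    return SEND_OTHER_ERROR;
}

/* Timestamped log line in the same shape as the report's log files. */
static void logmsg(const char *msg)
{
    struct timeval now;
    gettimeofday(&now, NULL);
    printf("%ld.%06ld: %s\n", (long)now.tv_sec, (long)now.tv_usec, msg);
}

/* The report's call sequence with every return value checked. */
send_verdict udptest(const char *dest_ip, unsigned short dest_port, unsigned short local_port)
{
    static const char msg[] = "udptest";                 /* constructed payload */
    struct sockaddr_in local = {0}, dest = {0};
    struct timeval t0, t1, timeout = { 300, 0 };         /* 5 minute timeout */
    int one = 1;

    logmsg("Creating socket");
    int sock = socket(PF_INET, SOCK_DGRAM, 0);
    if (sock < 0) { perror("socket"); return SEND_OTHER_ERROR; }
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_ANY);
    local.sin_port = htons(local_port);
    dest.sin_family = AF_INET;
    dest.sin_port = htons(dest_port);
    /* SO_RCVTIMEO only bounds receives; SO_SNDTIMEO is the send-side counterpart. */
    if (bind(sock, (const struct sockaddr *)&local, sizeof local) < 0 ||
        setsockopt(sock, SOL_SOCKET, SO_BROADCAST, &one, sizeof one) < 0 ||
        setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof timeout) < 0 ||
        setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof timeout) < 0 ||
        inet_pton(AF_INET, dest_ip, &dest.sin_addr) != 1) {
        perror("socket setup"); close(sock); return SEND_OTHER_ERROR;
    }
    logmsg("Attempt to send blocking UDP connection packet");
    gettimeofday(&t0, NULL);
    ssize_t rc = sendto(sock, msg, sizeof msg, 0, (const struct sockaddr *)&dest, sizeof dest);
    int err = errno;                                     /* capture before any other call */
    gettimeofday(&t1, NULL);
    long elapsed = (t1.tv_sec - t0.tv_sec) * 1000000L + (t1.tv_usec - t0.tv_usec);
    send_verdict v = classify_sendto(rc, err, elapsed);
    if (v == SEND_OK) logmsg("Ran to completion with no error detected");
    else printf("sendto: %s after %ld us%s\n", strerror(err), elapsed,
                v == SEND_PERMISSION_SUSPECT ? " (local network permission may not be granted yet)" : "");
    close(sock);
    return v;
}

int main(void) { return udptest("100.1.1.1", 589, 4000) == SEND_OK ? 0 : 1; }
```

The same immediate-EHOSTUNREACH symptom is what the first post on this page and the iOS 18 UDP post describe, so the classifier applies to those cases too.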
If we start uploading a video file from the foreground and then switch to another app or press the home button, we can enable background processing by selecting the 'Background processing' option in the app's background modes. We utilize URLSession to handle the upload. I have a few questions regarding this process:
If the user manually kills the app, will the upload continue in the background?
For files around 100 MB, if the user locks the phone while the upload is in progress (and the app is in the background but not terminated), will the upload still be successful?
Does Apple provide any additional APIs that would facilitate successful file uploads even if the user terminates the app?
I would appreciate any solutions or insights you can provide. Thank you!
I'm trying to handle the error in the NEHotspotConfigurationManager connection method. When I try, even when the OS network connect dialog shows "Cannot connect", the response is returned as "Success".
In my flow I'm trying to connect to a private network. First I connect using the code below, and then set the IP address, subnet mask, router and DNS server address manually on the already added Wi-Fi network by running the code below. I'm doing this manually because, as I understand it, you cannot set the IP address, subnet mask, router and DNS server address using Swift.
https://forums.developer.apple.com/forums/thread/96834?page=2
I read the above thread, and what I can understand from it is that it's a bug in the OS method. So is this problem fixed in the latest iOS version? Or is there a way to handle this problem?
Error handler code:
let eapSetting = NEHotspotEAPSettings()
eapSetting.username = self.username
eapSetting.password = self.password
eapSetting.supportedEAPTypes = [NEHotspotEAPSettings.EAPType.EAPPEAP.rawValue as NSNumber]
eapSetting.trustedServerNames = ["ABC"]
let manager = NEHotspotConfigurationManager.shared
manager.removeConfiguration(forSSID: self.ssid)
let hotspotConfiguration = NEHotspotConfiguration(ssid: self.ssid, eapSettings: eapSetting)
manager.apply(hotspotConfiguration) { error in
    if let error = error {
        // Only reached for errors the framework reports back through the completion.
        print("Error: \(error.localizedDescription)")
    } else {
        // Reached with a nil error even when the system dialog showed "Cannot connect".
        print("Success")
    }
}
I have some user of my App reporting that they are not able to store thread network credentials in keychain, the error they get is "Can not store frozen credentials".
I couldn't find documentation around this error message; can anyone help me with its meaning? Why can't this specific credential be stored in the keychain?
I am in the middle of investigating an issue arising in a call to the setsockopt syscall, where it returns an undocumented and unexpected errno. As part of that, I'm looking for a way to list any socket content filters or other such extensions that are in play on the system where this happens.
To do that, I ran:
systemextensionsctl list
That returns the following output:
0 extension(s)
which seems to indicate there are no filters or extensions in play.
However, when I do:
netstat -s
among other things, it shows:
net_api:
2 interface filters currently attached
2 interface filters currently attached by OS
2 interface filters attached since boot
2 interface filters attached since boot by OS
...
4 socket filters currently attached
4 socket filters currently attached by OS
4 socket filters attached since boot
4 socket filters attached since boot by OS
What would be the right command/tool/options that I could use to list all the socket filters/extensions (and their details) that are in use and applicable when a call to setsockopt is made from an application on that system?
Edit: This is on a macosx-aarch64 with various different OS versions - 13.6.7, 14.3.1 and even 14.4.1.
I am trying to browse an SSH Service from UI Test Target using NWBrowser
let descriptor = NWBrowser.Descriptor.bonjour(type: "_superapp._tcp", domain: "local.")
let browser = NWBrowser(for: descriptor, using: .tcp)
browser.stateUpdateHandler = { newState in
    print("browser.stateUpdateHandler \(newState)")
}
I get a failed(-65555: NoAuth) error:
nw_browser_fail_on_dns_error_locked [B1] DNSServiceBrowse failed: NoAuth(-65555)
I have added _superapp._tcp in Bonjour Services for UI Test Target Info.plist.
I have also added Local Network Permission in UI Test Target Info.plist.
Everything works fine, when I call this Bonjour service from App Target.
Doesn't work when I call this from UI Test Target.
Hi,
Brief background on what I'm trying to achieve:
I have an IoT device that produces an HLS stream of saved videos when they are accessed through the device's broadcast hotspot. To access the hotspot, I use an NEHotspotConfiguration. When I use AVPlayer to watch the HLS stream, everything is fine! When I use a media pod (VLC) to try to consume the HLS stream, traffic goes over the cellular network even though the device's host address is 192.168.1.254. I am under the impression this is ALWAYS a local network device.
I haven't spent much time digging into the code for VLC to figure out why, but when I disable cell network in my app's settings, the VLC request resolves perfectly. I have been served radio silence on their forums and issues, so I thought if there's another solution this would be the place to ask!
Is there something going on with the way iOS handles web requests to local network devices? My IoT device's hotspot never has internet access, and after reading Quinn's Extra-ordinary Networking advice (https://developer.apple.com/forums/thread/734348), I'm still lost for how I can force my request to go to the WiFi network rather than cellular...
Does anyone have any recommendations?
Thanks in advance!
I am working on developing a Mac app that will be distributed outside of the App Store.
I have added the network extension, which is packaged as a System Extension with the packet tunnel capability.
I have created a build following these steps here: https://developer.apple.com/forums/thread/737894
based on your suggestions in my accepted post: https://developer.apple.com/forums/thread/761251
It works fine in this case when the machine has SIP disabled and systemextensionsctl developer on.
As soon as I have made changes on the machine to systemextensionsctl developer off and SIP enabled, System Extension stopped loading.
I have copied the app to the "/Applications" directory before opening it.
When I check the loading status of the system extension with the "systemextensionsctl list" command, it shows as "[validating by category]"
Am I missing something? Thanks in advance.
iOS 18 UDP fails to send data; other iOS versions are fine
Device discovery by broadcasting over UDP
Failed to send data to the discovered device using UDP communication
This problem only occurs on iOS 18; other iOS versions work fine.
I read Apple's official forum, where it is recommended to use a BSD socket to send data, but it cannot be sent on iOS 18. I suspect that the device privacy permission is found locally, which is invalid on iOS 18.
In my Packet Tunnel Provider, I'm setting the NEDNSSettings to localhost as I have a local DNS server listening on port 53 (this is a dns forwarder which conditionally forwards to different upstreams based on rules).
On iOS it works just fine, I'm able to listen on localhost:53 in the Network Extension, then set NEDNSSettings servers to "127.0.0.1".
However on macOS due to the port being under 1024, I get a Permission denied OS code 13 error. I'm assuming this is due to the Network Extension not running as root. Can this be changed?
This could be rectified if you could customize the port in NEDNSSettings, as the listener could be on port 5353, but it doesn't look like it is possible?
Just wondering if there is some other way to accomplish what I'm trying to do in the macOS Network Extension?
Hello there,
I'm trying to consume the graph.microsoft.com API by using URLSession. But I'm getting Error 400 from the server every time I send a request with URLSession, but not if I use Postman for the same request. When I examined the requests with Fiddler, I noticed that URLSession uses HTTP/2 and Postman uses HTTP/1.1. According to Microsoft's documentation, graph.microsoft.com supports only HTTP/1.1. As I understand it, URLSession decides which version of HTTP to use during ALPN and will use HTTP/2 only if the server supports it. My question is: is it possible for the graph server to advertise that it supports HTTP/2, and how can I determine this? Or maybe, which is more likely, URLSession has a bug that makes it make the wrong assumption about HTTP/2. And most important, is there a mechanism to make URLSession use a certain version of HTTP?
Thank you in advance,
Emil
Hi, we have an iOS application that runs a NEAppProxyProvider network extension. The configuration for the extension is delivered by MDM and we've noticed that some MDMs are beginning to force end users to select certificate based authentication as the auth type for the per-app VPN payload. This itself causes no problems, but when a certificate to use for the authentication is also provided in the profile, our extension fails to start. Our application does not use the credentials from the profile, certificate based or otherwise, so we aren't doing anything unusual with them either.
We thought the problem might be caused because we lacked the com.apple.managed.vpn.shared entitlement that would be needed to access the certificate once it was on device (even though we never actually try to access it), but that did not fix the issue.
We have also confirmed that this happens regardless of MDM used to configure the profile.
Here are the relevant logs we are seeing that show the extension never starts:
neagent: NEAgentSession: failed to create the delegate
nesessionmanager:[313]: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)"
: Last disconnect error for changed from "none" to "The VPN app used by the VPN configuration is not installed"
STEPS TO REPRODUCE
Create an application that establishes a basic per-app VPN (just a loopback works) using the network extension
Using an MDM, create and deploy a per-app VPN profile with certificate based authentication (include a certificate as well) that uses the test application as a plugin.
Using the MDM, assign another application to the per-app VPN.
Try to connect to the internet using the assigned application, it should fail to connect because the system can't start the extension.
For reference it appears that this issue is similar to ours: https://forums.developer.apple.com/forums/thread/746879
I've tried all the suggestions on that page, including adding a 'first-light' log and that is never seen. There are also no additional clues when adding the VPN debug profile to the device.
Thanks!
Hi there, I have some thread related questions regards to network framework completion callbacks. In short, how should I process cross thread data in the completion callbacks?
Here are more details. I have a background serial dispatch queue (call it dispatch queue A) to sequentially process the nw_connection and any network io events. Meanwhile, user inputs are handled by serial dispatch queue ( dispatch queue B). How should I handle the cross thread user data in this case?
(I write some simplified sample code below)
#include <dispatch/dispatch.h>
#include <Network/Network.h>
#include <stdlib.h>
#include <string.h>

enum { INIT, CONNECTED, SENT, DISCONNECTING };

struct {
    int client_status;
    char *message_to_sent;
} user_data;

nw_connection_t nw_connection;
dispatch_queue_t dispatch_queue_A;

static void send_message(void *context) {
    const char *message = user_data.message_to_sent;
    dispatch_data_t data = dispatch_data_create(message, strlen(message),
                                                dispatch_queue_A, DISPATCH_DATA_DESTRUCTOR_DEFAULT);
    nw_connection_send(nw_connection, data, NW_CONNECTION_DEFAULT_MESSAGE_CONTEXT, false,
                       ^(nw_error_t error) {
                           // send completion handler
                           user_data.client_status = SENT;
                           free(user_data.message_to_sent);
                       });
}

static void setup_connection(nw_endpoint_t endpoint, nw_parameters_t params) {
    dispatch_queue_A = dispatch_queue_create("unique_id_a", DISPATCH_QUEUE_SERIAL);
    nw_connection = nw_connection_create(endpoint, params);
    // the connection's handlers are delivered on this queue
    nw_connection_set_queue(nw_connection, dispatch_queue_A);
    nw_connection_set_state_changed_handler(nw_connection,
                                            ^(nw_connection_state_t state, nw_error_t error) {
        if (state == nw_connection_state_ready) {
            user_data.client_status = CONNECTED;
        }
        // ... other operations ...
    });
    nw_connection_start(nw_connection);
    nw_retain(nw_connection);
}

static void user_main(nw_endpoint_t endpoint, nw_parameters_t params) {
    setup_connection(endpoint, params);
    user_data.client_status = INIT;
    dispatch_queue_t dispatch_queue_B = dispatch_queue_create("unique_id_b", DISPATCH_QUEUE_SERIAL);
    // write socket
    dispatch_async(dispatch_queue_B, ^{
        if (user_data.client_status != CONNECTED) return;
        user_data.message_to_sent = malloc(XX);   // size elided in the original
        // I would like to have all io events processed on dispatch queue A so that
        // the io events would not interact with the user events
        dispatch_async_f(dispatch_queue_A, NULL, send_message);
    });
    // Disconnect block
    dispatch_async(dispatch_queue_B, ^{
        dispatch_async(dispatch_queue_A, ^{
            nw_connection_cancel(nw_connection);
        });
        user_data.client_status = DISCONNECTING;
    });
    // clean up connection and so on...
}
To be more specific, my questions would be:
As I was using serial dispatch queue, I didn't protect the user_data here. However, which thread would the send_completion_handler get called? Would it be a data race condition where the Disconnect block and send_completion_handler both access user_data?
If I protect the user_data with lock, it might block the thread. How does the dispatch queue make sure it would NOT put a related execution block onto the "blocked thread"?
Hi everybody!
With the latest updates on Ventura around 13.9.X, Sonoma 14.5 and up, and most probably Sequoia, we noticed a change in how to retrieve the BSSID. We know Airport is discontinued, but other commands are also impacted by the new security policies.
Now, to make any command work in the proper way we need to ask for Location permission. But this is where we are finding some issues making it compatible with the new requirements.
We have a web desktop app (built with Electron.js) that uses a Mach-O executable (built in C++). This executable runs IOREG to retrieve the BSSID. One of the things we tried was to request the Location permission in the parent/GUI app, but by doing this, IOREG was not able to retrieve the BSSID.
Then, we tried to look for a way to make a little test only with our executable. But in attempting to, we did not find a way to trigger the location permission request, either manually or by a command.
Is there a way to prompt the user from a terminal executable, or is the right way to prompt from the GUI?
Do we need to stop using a Mach-O executable in C++ and move to a native Mach-O executable in Swift to be able to prompt from it (this executable runs on the machine frequently, several times per minute)?
We are open to changing the command if needed.
Hi, I have been working on an app that implements a DNS Proxy Extension for a while now, and after a couple of builds to TestFlight I noticed a couple of crashes that seem to be triggered by EXC_BREAKPOINT (SIGTRAP).
After some investigation, it was found that the crashes are connected to the CFNetwork framework. So, I decided to additionally look into memory issues, but I found the app has no obvious memory leaks and no memory regression (within the recommended 25%; the actual value is at 20% as of right now), but the app still uses 11 MB of memory footprint and most of it (6.5 MB) is Swift metadata.
At this point, I'm not sure what's triggering those crashes, but I noticed that sometimes the app will return a message like this to the console (this example is for the PostHog API that I use in the app):
Task <0ABDCF4A-9653-4583-9150-EC11D852CA9E>.<1> finished with error [18 446 744 073 709 550 613] Error Domain=NSURLErrorDomain Code=-1003 "A server with the specified hostname could not be found." UserInfo={_kCFStreamErrorCodeKey=8, NSUnderlyingError=0x1072df0f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1003 "(null)" UserInfo={_kCFStreamErrorDomainKey=12, _kCFStreamErrorCodeKey=8, _NSURLErrorNWResolutionReportKey=Resolved 0 endpoints in 2ms using unknown from cache, _NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalUploadTask <0ABDCF4A-9653-4583-9150-EC11D852CA9E>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalUploadTask <0ABDCF4A-9653-4583-9150-EC11D852CA9E>.<1>"
), NSLocalizedDescription=A server with the specified hostname could not be found., NSErrorFailingURLStringKey=https://us.i.posthog.com/batch, NSErrorFailingURLKey=https://us.i.posthog.com/batch, _kCFStreamErrorDomainKey=12}
If the DNS Proxy Provider uses a custom DoH server for resolving packets, could the cache policy for URLSession be a reason?
I had a couple of other ideas (HTTP/3 failure, CFNetwork core issues as described here) but I'm not sure if they are valid.
I would be grateful if someone could give me a hint of what I should look at.