I want to configure one aspect of my networking configuration (the QUIC keepalive interval). This only seems to be configurable via Network.framework’s nw_quic_set_keepalive_interval. Is there any way to apply this to a URLSession? Or do I need to implement the whole connection management myself using Network.framework?

1、Does Captive Portal documentation for IOS exist for developers? If so, please provide a link.

Hi everyone, I’ve been working with the NEPacketTunnelProvider class and came across the cancelTunnelWithError() method. The documentation mentions its general purpose but doesn’t provide much clarity on how and when it should be called. From what I’ve gathered in other forum posts, it seems that cancelTunnelWithError() should be called within my own implementation of the stopTunnel() method, but I’m not entirely sure if that’s the correct usage or whether there are specific scenarios where this applies. Here are my specific questions: Is it correct to always call cancelTunnelWithError() in my implementation of stopTunnel()? Are there specific conditions or scenarios where cancelTunnelWithError() is the preferred way to terminate a tunnel session, rather than other termination methods? What does the system do with the error that I pass to cancelTunnelWithError()? Does it have an impact on how the session termination is handled? Are there best practices or common pitfalls to avoid when using cancelTunnelWithError()? Any insights, examples, or guidance would be greatly appreciated! Thanks in advance for your help!

I have granted local network permissions, but sometimes I get a second confirmation popup, what is the timing of the secondary popup?

We found that when we only set one App Category and one Traffic Category in Xcode entitlements, the built application will contain all App Categories and Traffic Categories in the embedded.mobileprovision file, is it expected? Entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.slicing.appcategory</key> <array> <string>streaming-9001</string> </array> <key>com.apple.developer.networking.slicing.trafficcategory</key> <array> <string>avstreaming-7</string> </array> </dict> </plist> embedded.mobileprovision: <key>Entitlements</key> <dict> <key>com.apple.developer.networking.slicing.appcategory</key> <array> <string>communication-9000</string> <string>games-6014</string> <string>streaming-9001</string> </array> <key>com.apple.developer.networking.slicing.trafficcategory</key> <array> <string>defaultslice-1</string> <string>video-2</string> <string>background-3</string> <string>voice-4</string> <string>callsignaling-5</string> <string>responsivedata-6</string> <string>avstreaming-7</string> <string>responsiveav-8</string> </array>

I accidentally used -f and now Private Relay is not working with firewall active, but if i disable it, it works. Need the /etc/pf.conf original data

I've implemented a custom system extension VPN for macOS, using Packet Tunnel Provider. I have a XPC connection, from the containing app to the (system) extension. What is the expected behavior after the Mac's sleep/wake? Will the same XPC remain valid? Should I start a new connection?

​ I developed a Content Filter using the Network Extension, and when deployed to a batch of hosts (50 +), the installation worked for most of them, but there were six exceptions: five of them were macOS 10.15 and one of them was macOS 12.5. ​ The phenomenon of these 6 hosts is: in the System Settings->Network, two content filters with the same name appear. When one of the content filters with the same name is clicked, shows "Please use 'X Agent Extension' to control this content filter configuration" ('X Agent Extension' is the program I developed, this content filter can be deleted by clicking the minus sign in the lower left corner). Click on another content filter with the same name, shows 'Please use 'null' to control this content filter configuration', (but this content filter can't be removed by clicking the minus sign in the bottom left corner). ​ These systems are clean, use CLI 'systemextensionsctl list', and have only one systemextension in the output (this systemextension is my content filter). Online reference "https://forums.macrumors.com/threads/how-to-delete-custom-dns-profile-from-network-preference.2293322/" this paper, by closing the SIP, and delete file '/Library/Preferences/com.apple.networkextension.plist', then restart the system can remove the abnormal content filters with the same name. After restarting the system and reinstalling my content filter, the two content filters with the same name disappear (only the Content Filter I reinstalled) and the exception scenario cannot be repeated. ​ I would like to know, why do I have two content filters with the same name, how can I avoid this phenomenon, is there a way to remove the wrong content filter without closing SIP.

WiFi and Bluetooth are both enabled on Mac and iPhone, neither device is connected to a network Running MultipeerConnectivity on the Mac as Advertiser and iPhone as Browser, the invitation is sent from the phone and accepted by the mac, but the connection is then dropped. This doesn’t happen when the Advertiser is another iOS device. STEPS TO REPRODUCE THE PROBLEM We have created a small sample project that demonstrates the problem. It can be found at: https://github.com/eidria/Multipeer-Progress-Demo.git. It contains both a Mac app and a iOS app. Run the Mac app and start Advertising Run iOS app and start Browsing The iOS app automatically issues an invitation to the browser (Mac) which accepts. Shortly after the connection is dropped.

Hi, We are developing an app using PacketTunnelProvider from Network Extension framework. It is packaged as a system extension. We are trying to implement an "always-on" functionality, but cannot manage to start the extension before user login, with or without on-demand enabled. However we see in other posts (1, 2) that a network extension packaged as sysex should automatically start before user login. Are we missing something? Is it a limitation of PacketTunnelProvider? Thanks

I have an iOS app which contains a Network Extension that subclasses the NEPacketTunnelProvider, acting as a packet-tunnel VPN. After deploying the app on the device as a regular app, it runs the following code fragment: NETunnelProviderManager.loadAllFromPreferences { managers, _ in self.manager = managers?.first ?? NETunnelProviderManager() self.manager.protocolConfiguration = getConfiguration() self.manager.saveToPreferences { error in // Handle errors or show a "Connect" button in the UI } } This asks the user to install the extension as a "Device VPN". I can then use try? self.manager?.connection.startVPNTunnel() to start the VPN (and later stop it when needed). So far, this works fine. Now, I want to deploy the app with an MDM and set it up as the "custom VPN" of a "Per-App VPN". I have tested the setup using a real MDM, AND using the "development" setup described in NETunnelProviderManager. In both cases, the "Per-App VPN" shows up as a VPN in the "Settings" app. However, in both cases I am unable to retrieve, configure or use the "Per-App VPN". The code fragment posted above returns no NETunnelProviderManager at all. When instantiating one on my own and triggering self.manager.saveToPreferences(), it queries the user to install a "Device VPN". While I can control and use the latter, this is clearly not what I want after having gone through the pain of installing the "Per-App VPN". How can I retrieve the NETunnelProviderManager of the "Per-App VPN"? And then use it to configure and control the VPN connection? (Ideally, I would like to use the same app and the same Network Extension for both use cases, leaving the choice of which VPN type to use to the user or the user's MDM administrator.)

hi all. I’m working on a content filter system extension on MacOS. I try to disable the filtering in system settings, and it will cause smb shared folder connection interrupted. what I do in stopFilterWithReason:completionHandler: is waiting for the connection that is being filtered be allowed, then invoked the completionHandler. did I do something wrong here? is there a way to avoid the connection interruption?

Dear Team, I was previously able to access a non-secure HTTP API in my Ionic-built app. However, I am now encountering an error where the API requests are being rejected. Interestingly, this API works perfectly on Android and web platforms without any issues. As part of my troubleshooting, I have already added the following lines to my Info.plist file: `<key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoads</key> <true/> </dict>` Could you kindly suggest any alternative solutions or additional settings required to access this HTTP API? Your help would be greatly appreciated. Thank you, Mozib

I am developing an App for iOS/iPhone that communicates with an external hardware. The external hardware is a hotspot to which the iPhone connects and every 10 seconds this hardware sends data to the iPhone by opening a TCP connection on the local network to the indicated port. On the iPhone side I use NWListener to retrieve the connections. When a connection is opened, I retrieve the data sent by the hardware and I close the connection. Because I also need to have the exact position of the user I have activated the Location background mode using the CoreLocation framework. If I put my application in the background everything works correctly. I retrieve the data every 10s as well as the changes in the user's positions. After 15 minutes however, and it is very precise, the server (NWListener) no longer accepts connections as if there was a timeout or a limitation to having a server running in the background in an iOS application. Can you help me? Thanks

None of my app's functionalities make use of local network. However, on launching the app on an iPad running iOS 18.2.1, I see an iOS prompt asking for local network permission by the app with a null usage description. I know since the app does not have Privacy string for local network, I see the null message. But my app does not use of local network so I am confused why I see this alert.

Hi, I have couple of inquiries regarding the vmnet framework: Incorporating Global Variables: How should we integrate the new global variables in macOS 15.0+ vmnet_read_max_packets_key and vmnet_write_max_packets_key into our configuration to optimize packet transmission? Are those values populated dynamically or manually if so any recommended value ranges ? Buffer Allocation Issue: What strategies can we employ to mitigate this buffer allocation error and ensure more reliable packet transmission? We occasionally encounter the following error during packet writes: Error Domain=NSCocoaErrorDomain Code=512 "The file couldn’t be saved." Error Domain=NSPOSIXErrorDomain Code=55 "No buffer space available" Your insights on these matters would be greatly appreciated.

My App is a rather small menu-bar status-item app with 2 informational windows. It does NOT make use of ANY of the APIs mentioned here: https://developer.apple.com/forums/thread/663874 that are bound to need "Local Network" hence trigger TCC dialog. Yet - on first run of the app, the dialog pops. App is Obj-C, and the only APIs used are Notification-Center (for scheduling local notifications to the user), XPC connections and calls to other (our) apps for gathering that information, plus normal AppKit windowing (Controls, Text-fields, etc.) nothing else. Obviously SOMETHING I do causes the thing - and I know for sure this app DOES NOT NEED access to the local network - only I do not know how to identify the specific API I need to avoid using (or change the way I'm using) Are there any specific system logs to watch for? Is there any official set of APIs that will trigger the dialog? Provided that I cannot avoid this - could this permission be granted via MDM profile payload? Our product comes with

I have been using networking multicast permissions in my Xamarin application for UDP device discovery, and it has been working reliably for years. However, I am now encountering an issue specific to iPadOS 18.1 (potentially also iPadOS 18, though I haven’t tested this). The issue is that my app no longer requests the required network permission on devices running iPadOS 18.1. On the other hand, the app works perfectly on iPhone and iPadOS 17.7 without any problems. Has there been any change in the networking or permissions framework in iPadOS 18.1 that could cause this behavior? I would appreciate any guidance or insights to resolve this issue. Thank you for your assistance!

During development, before things eventually go live, if the associated server for a message filter extension has a self signed SSL then if/how can test iPhones be configured such that the OS will connect to the server when they are performing a message filter query request?

For important background information, read Extra-ordinary Networking before reading this. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Don’t Try to Get the Device’s IP Address I regularly see questions like: How do I find the IP address of the device? How do I find the IP address of the Wi-Fi interface? How do I identify the Wi-Fi interface? I also see a lot of really bad answers to these questions. That’s understandable, because the questions themselves don’t make sense. Networking on Apple platforms is complicated and many of the things that are ‘obviously’ true are, in fact, not true at all. For example: There’s no single IP address that represents the device, or an interface. A device can have 0 or more interfaces, each of which can have 0 or more IP addresses, each of which can be IPv4 and IPv6. A device can have multiple interfaces of a given type. It’s common for iPhones to have multiple WWAN interfaces, for example. It’s not possible to give a simple answer to any of these questions, because the correct answer depends on the context. Why do you need this particular information? What are you planning to do with it? This post describes the scenarios I most commonly encounter, with my advice on how to handle each scenario. IMPORTANT BSD interface names, like en0, are not considered API. There’s no guarantee, for example, that an iPhone’s Wi-Fi interface is en0. If you write code that relies on a hard-coded interface name, it will fail in some situations. Service Discovery Some folks want to identify the Wi-Fi interface so that they can run a custom service discovery protocol over it. Before you do that, I strongly recommend that you look at Bonjour. This has a bunch of advantages: It’s an industry standard [1]. It’s going to be more efficient on the ‘wire’. You don’t have to implement it yourself, you can just call an API [2]. For information about the APIs available, see TN3151 Choosing the right networking API. If you must implement your own service discovery protocol, don’t think in terms of finding the Wi-Fi interface. Rather, write your code to work with all Wi-Fi interfaces, or perhaps even all Ethernet-like interfaces. That’s what Apple’s Bonjour implementation does, and it means that things will work in odd situations [3]. To find all Wi-Fi interfaces, get the interface list and filter it for ones with the Wi-Fi functional type. To find all broadcast-capable interfaces, get the interface list and filter it for interfaces with the IFF_BROADCAST flag set. If the service you’re trying to discover only supports IPv4, filter out any IPv6-only interfaces. For advice on how to do this, see Interface List and Network Interface Type in Network Interface APIs. When working with multiple interfaces, it’s generally a good idea to create a socket per interface and then bind that socket to the interface. That ensures that, when you send a packet, it’ll definitely go out the interface you expect. For more information on how to implement broadcasts correctly, see Broadcasts and Multicasts, Hints and Tips. [1] Bonjour is an Apple term for: RFC 3927 Dynamic Configuration of IPv4 Link-Local Addresses RFC 6762 Multicast DNS RFC 6763 DNS-Based Service Discovery [2] That’s true even on non-Apple platforms. It’s even true on most embedded platforms. If you’re talking to a Wi-Fi accessory, see Working with a Wi-Fi Accessory. [3] Even if the service you’re trying to discover can only be found on Wi-Fi, it’s possible for a user to have their iPhone on an Ethernet that’s bridged to a Wi-Fi. Why on earth would they do that? Well, security, of course. Some organisations forbid their staff from using Wi-Fi. Logging and Diagnostics Some folks want to log the IP address of the Wi-Fi interface, or the WWAN, or both for diagnostic purposes. This is quite feasible, with the only caveat being there may be multiple interfaces of each type. To find all interfaces of a particular type, get the interface list and filter it for interfaces with that functional type. See Interface List and Network Interface Type in Network Interface APIs. Interface for an Outgoing Connection There are situations where you need to get the interface used by a particular connection. A classic example of that is FTP. When you set up a transfer in FTP, you start with a control connection to the FTP server. You then open a listener and send its IP address and port to the FTP server over your control connection. What IP address should you use? There’s an easy answer here: Use the local IP address for the control connection. That’s the one that the server is most likely to be able to connect to. To get the local address of a connection: In Network framework, first get the currentPath property and then get its localEndpoint property. In BSD Sockets, use getsockname. See its man page for details. Now, this isn’t a particularly realistic example. Most folks don’t use FTP these days [1] but, even if they do, they use FTP passive mode, which avoids the need for this technique. However, this sort of thing still does come up in practice. I recently encountered two different variants of the same problem: One developer was implementing VoIP software and needed to pass the devices IP address to their VoIP stack. The best IP address to use was the local IP address of their control connection to the VoIP server. A different developer was upgrading the firmware of an accessory. They do this by starting a server within their app and sending a command to the accessory to download the firmware from that server. Again, the best IP address to use is the local address of the control connection. [1] See the discussion in TN3151 Choosing the right networking API. Listening for Connections If you’re listening for incoming network connections, you don’t need to bind to a specific address. Rather, listen on all local addresses. In Network framework, this is the default for NWListener. In BSD Sockets, set the address to INADDR_ANY (IPv4) or in6addr_any (IPv6). If you only want to listen on a specific interface, don’t try to bind to that interface’s IP address. If you do that, things will go wrong if the interface’s IP address changes. Rather, bind to the interface itself: In Network framework, set either the requiredInterfaceType property or the requiredInterface property on the NWParameters you use to create your NWListener. In BSD Sockets, set the IP_BOUND_IF (IPv4) or IPV6_BOUND_IF (IPv6) socket option. How do you work out what interface to use? The standard technique is to get the interface list and filter it for interfaces with the desired functional type. See Interface List and Network Interface Type in Network Interface APIs. Remember that their may be multiple interfaces of a given type. If you’re using BSD Sockets, where you can only bind to a single interface, you’ll need to create multiple listeners, one for each interface. Listener UI Some apps have an embedded network server and they want to populate a UI with information on how to connect to that server. This is a surprisingly tricky task to do correctly. For the details, see Showing Connection Information for a Local Server. Outgoing Connections In some situations you might want to force an outgoing connection to run over a specific interface. There are four common cases here: Set the local address of a connection [1]. Force a connection to run over a specific interface. Force a connection to run over a type of interface. Force a connection to run over an interface with specific characteristics. For example, you want to download some large resource without exhausting the user’s cellular data allowance. The last case should be the most common — see the Constraints section of Network Interface Techniques — but all four are useful in specific circumstances. The following sections explain how to tackle these tasks in the most common networking APIs. [1] This implicitly forces the connection to use the interface with that address. For an explanation as to why, see the discussion of scoped routing in Network Interface Techniques. Network Framework Network framework has good support for all of these cases. Set one or more of the following properties on the NWParameters object you use to create your NWConnection: requiredLocalEndpoint property requiredInterface property prohibitedInterfaces property requiredInterfaceType property prohibitedInterfaceTypes property prohibitConstrainedPaths property prohibitExpensivePaths property Foundation URL Loading System URLSession has fewer options than Network framework but they work in a similar way: Set one or more of the following properties on the URLSessionConfiguration object you use to create your session: allowsCellularAccess property allowsConstrainedNetworkAccess property allowsExpensiveNetworkAccess property Note While these session configuration properties are also available on URLRequest, it’s better to configure this on the session. There’s no option that forces a connection to run over a specific interface. In most cases you don’t need this — it’s better to use the allowsConstrainedNetworkAccess and allowsExpensiveNetworkAccess properties — but there are some situations where that’s necessary. For advice on this front, see Running an HTTP Request over WWAN. BSD Sockets BSD Sockets has very few options in this space. One thing that’s easy and obvious is setting the local address of a connection: Do that by passing the address to bind. Alternatively, to force a connection to run over a specific interface, set the IP_BOUND_IF (IPv4) or IPV6_BOUND_IF (IPv6) socket options. Revision History 2025-01-21 Added a link to Broadcasts and Multicasts, Hints and Tips. Made other minor editorial changes. 2023-07-18 First posted.