At WWDC 25, Dr. Swetank mentioned, “DeviceDiscoveryUI is for making connections between apps and from an app to another device. It supports pairing with both Apple and third-party devices.” I find the pairing process in DeviceDiscoveryUI via Wi-Fi Aware intriguing. I have two questions: Can we pair devices via Bluetooth first and then establish a Wi-Fi Aware connection? If I use DeviceDiscoveryUI, how should I write an Android program to correspond with it and achieve iPhone-Android pairing? The app is an official Apple app: https://developer.apple.com/documentation/wifiaware/building-peer-to-peer-apps.

We’re implementing VPN application using the WireGuard protocol and aiming to support both split-tunnel and per-app VPN configurations. Each mode works correctly on its own: per-app VPN functions well when configured with a full tunnel and split-tunnel works as expected when per-app is disabled. However, combining both configurations leads to issues. Specifically, the routing table is not set up properly, resulting in traffic that should not be routed through the tunnel is routed through the tunnel. Detailed description: Through our backend, we are pushing these two plist files to the iPad one after the other: VPN config with allowed IPs 1.1.1.1/32 <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" http://www.apple.com/DTDs/PropertyList-1.0.dtd> <plist version="1.0"> <dict> <key>PayloadUUID</key> <string>3fd861df-c917-4716-97e5-f5e96452436a</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadOrganization</key> <string>someorganization</string> <key>PayloadIdentifier</key> <string>config.11ff5059-369f-4a71-afea-d5fdbfa99c91</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadDisplayName</key> <string> test</string> <key>PayloadDescription</key> <string>(Version 13) </string> <key>PayloadRemovalDisallowed</key> <true /> <key>PayloadContent</key> <array> <dict> <key>VPN</key> <dict> <key>AuthenticationMethod</key> <string>Password</string> <key>ProviderType</key> <string>packet-tunnel</string> <key>OnDemandUserOverrideDisabled</key> <integer>1</integer> <key>RemoteAddress</key> <string>172.17.28.1:51820</string> <key>OnDemandEnabled</key> <integer>1</integer> <key>OnDemandRules</key> <array> <dict> <key>Action</key> <string>Connect</string> </dict> </array> <key>ProviderBundleIdentifier</key> <string>some.bundle.id.network-extension</string> </dict> <key>VPNSubType</key> <string>some.bundle.id</string> <key>VPNType</key> <string>VPN</string> <key>VPNUUID</key> <string>d2773557-b535-414f-968a-5447d9c02d52</string> <key>OnDemandMatchAppEnabled</key> <true /> <key>VendorConfig</key> <dict> <key>VPNConfig</key> <string> Some custom configuration here </string> </dict> <key>UserDefinedName</key> <string>TestVPNServerrra</string> <key>PayloadType</key> <string>com.apple.vpn.managed.applayer</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>vpn.5e6b56be-a4bb-41a5-949e-4e8195a83f0f</string> <key>PayloadUUID</key> <string>9bebe6e2-dbef-4849-a1fb-3cca37221116</string> <key>PayloadDisplayName</key> <string>Vpn</string> <key>PayloadDescription</key> <string>Configures VPN settings</string> <key>PayloadOrganization</key> <string>someorganization</string> </dict> </array> </dict> </plist> Command to set up per-app with Chrome browser <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" http://www.apple.com/DTDs/PropertyList-1.0.dtd> <plist version="1.0"> <dict> <key>Command</key> <dict> <key>Settings</key> <array> <dict> <key>Identifier</key> <string>com.google.chrome.ios</string> <key>Attributes</key> <dict> <key>VPNUUID</key> <string>d2773557-b535-414f-968a-5447d9c02d52</string> <key>TapToPayScreenLock</key> <false /> <key>Removable</key> <true /> </dict> <key>Item</key> <string>ApplicationAttributes</string> </dict> </array> <key>RequestType</key> <string>Settings</string> </dict> <key>CommandUUID</key> <string>17ce3e19-35ef-4dbc-83d9-4ca2735ac430</string> </dict> </plist> From the log we see that our VPN application set up allowed IP 1.1.1.1 via NEIPv4Settings.includedRoutes but system routing all of the Chrome browser traffic through our application. Is this expected Apple iOS behavior, or are we misconfiguring the profiles?

Hi, I developed a network extension program on macOS. I tried to update the program by changing the version number. My update process was to first turn off network filtering via "NEFilterManager.sharedManager.enabled = NO", and then use "[OSSystemExtensionRequest activationRequestForExtension:bundleid queue:dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0)];" to let the system replace the old network extension program. However, sometimes the old network extension process will become a zombie process like pid=86621 in the figure. As long as the zombie process exists, the network cannot be used. After about 10 minutes, it will be cleared and the network will be available. Restarting Wi-Fi can also clear the zombie process immediately. Why is this? How to avoid this problem?

Hello, I am developing a macOS application that uses the Network Extension framework and I'm planning to distribute it outside the Mac App Store using a Developer ID certificate. I am running into a persistent provisioning error when I try to manually assign my profile in Xcode: "Provisioning profile "NetFilterCmd" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement." Here is the process I followed: 1.I added the "Network Extensions" capability in Xcode's "Signing & Capabilities" tab. This automatically created a new App ID in my Apple Developer account. 2.I went to the developer portal, confirmed the App ID had "Network Extensions" enabled, and then generated a "Developer ID" Provisioning Profile associated with this App ID. 3.I downloaded and installed this new profile ("NetFilterCmd.provisionprofile"). 4.Back in Xcode, I unchecked "Automatically manage signing" for my app target. 5.When I select the downloaded "NetFilterCmd" profile from the dropdown, the error message immediately appears. I suspect my issue might be related to the "System Extension" requirement for macOS Network Extensions, or perhaps a mismatch between the specific NE values (e.g., content-filter-provider) in the entitlements file and the App ID configuration. What is the correct, step-by-step sequence to configure a macOS app (main app + network system extension) for Developer ID distribution?

I am trying to create an application extension which provides vpn functionality over network extension with packet-tunnel. But when I enable vpn it doesn't call related callbacks. Currently, i didn't find any example in qt documentation. So I read the documents of ios and qt and trying to find the right path. Here is the CMakeLists.txt add_executable(overlay-service MACOSX_BUNDLE main.cpp tunnel_provider.h tunnel_provider.mm) set_target_properties(overlay-service PROPERTIES MACOSX_BUNDLE_IDENTIFIER org.zenarmor.zenoverlay.network-extension BUNDLE YES XCODE_PRODUCT_TYPE com.apple.product-type.app-extension # XCODE_EMBED_FRAMEWORKS /System/Library/Frameworks/NetworkExtension.framework ) target_link_libraries( overlay-service PUBLIC Qt6::CorePrivate overlay-lib ) tunnel_provider.h #ifndef _TUNNEL_PROVIDER_H #define _TUNNEL_PROVIDER_H #import <Foundation/Foundation.h> #import <NetworkExtension/NetworkExtension.h> @interface ZenTunnelProvider : NEPacketTunnelProvider { int fd; } - (void) startTunnelWithOptions:(NSDictionary<NSString *,NSObject *> *) options completionHandler:(void (^)(NSError * error)) completionHandler; - (void) stopTunnelWithReason:(NEProviderStopReason) reason completionHandler:(void (^)()) completionHandler; @end #endif tunnel_provider.mm #import <Foundation/Foundation.h> #import <os/log.h> @implementation ZenTunnelProvider - (void) startTunnelWithOptions:(NSDictionary<NSString *,NSObject *> *) options completionHandler:(void (^)(NSError * error)) completionHandler { NSLog(@"===================== Tunnel Started, x=%i, %@", 5, self.protocolConfiguration); completionHandler(nil); } - (void) stopTunnelWithReason:(NEProviderStopReason) reason completionHandler:(void (^)()) completionHandler{ NSLog(@"===================== Tunnel Stopped");; completionHandler(); } @end How I create configuration is: provider_protocol.providerBundleIdentifier = @"org.zenarmor.zenoverlay.packet-tunnel"; provider_protocol.serverAddress = @"0.0.0.0"; provider_protocol.providerConfiguration = @{ @"helloString" : @"Hello, World!", @"magicNumber" : @42 }; NSLog(@"===================== Vpn configuration is written, x=%i", 5); vpn_manager.protocolConfiguration = provider_protocol; vpn_manager.localizedDescription = @"ZenOverlayTunnel"; vpn_manager.enabled = true; [vpn_manager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if (error) { NSLog(@"err: %@", error); } else { NSLog(@"Successfully saved"); } }]; main.cpp #include <QCoreApplication> #include <iostream> int main(int argc, char **argv) { QCoreApplication app(argc, argv); std::cout << "Hello world" << std::endl; return app.exec(); } startTunnelWithOptions is not triggered when I enable vpn from settings on IOS. Could anyone. help to identify the issue?

We’re looking to implement a custom IPSec IKEv2 VPN using the Packet Tunnel Provider network extension on iOS because we need to add extra information to EAP, which the built-in IKEv2 VPN configuration does not support. Is it possible to handle the full IKEv2 negotiation and IPSec tunneling within the Packet Tunnel Provider extension? Or are there limitations that would prevent implementing a full IKEv2 stack this way? Any insights or alternative approaches would be appreciated. Thanks!

After Apple-to-Apple pairing is completed, the paired device will be recorded in “Settings → Privacy &amp; Security → Paired Devices”. However, after Android-to-Apple pairing is completed, the device is not saved to this list. Android device can be normally displayed on the Apple official Wi-Fi Aware Sample. However, the indicator is not green. During pairing, the Apple log shows: state: authenticated, and the Android side triggers the callback onPairingSetupSucceeded. During pairing verification, the Apple log shows: state: authenticated, and the Android side triggers the callback onPairingVerificationSucceed. My iPhone is iPhone 13， iOS 26.0 （23A5287g）

I’m building a Personal VPN app (non-MDM) that uses a NEPacketTunnelProvider extension for content filtering and blocking. When configuring the VPN locally using NETunnelProviderManager.saveToPreferences, the call fails with: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" Error Domain=NEVPNErrorDomain Code=5 "permission denied" The system does prompt for VPN permission (“Would Like to Add VPN Configurations”), but the error still occurs after the user allows it. Setup: • Main App ID – com.promisecouple.app • Extension ID – com.promisecouple.app.PromiseVPN • Capabilities – App Group + Personal VPN + Network Extensions • Main app entitlements:   com.apple.developer.networking.vpn.api = allow-vpn   com.apple.developer.networking.networkextension = packet-tunnel-provider • Extension entitlements: same + shared App Group Problem: • If I remove the networkextension entitlement, the app runs locally without the Code 5 error. • But App Store Connect then rejects the build with: Missing Entitlement: The bundle 'Promise.app' is missing entitlement 'com.apple.developer.networking.networkextension'. Question: What is the correct entitlement configuration for a Personal VPN app using NEPacketTunnelProvider (non-MDM)? Is com.apple.developer.networking.networkextension required on the main app or only on the extension? Why does including it cause saveToPreferences → Code 5/10 “permission denied” on device? Environment: Xcode 26.1 (17B55), iOS 17.3+ on physical device (non-MDM) Both provisioning profiles and certificates are valid.

I have 3 phones iPhone 14 iOS 18.3 iPhone Xr iOS 18.5 iPhone Xr iOS 18.4.1 My app has a network extension, and I've noticed each phone having their connectivity interupted by calls on the push provider, calling stop with the noNetworkAvailable reason. The point of confusion is that each phone seems to get it's interuption at different times. For example one will get an interuption at 1:00, while the others is fine, while at 3:00 another will get an interuption, while the others are fine. This is confusing since a "no network available" seems to imply a problem with the router, or access point, but if that were the case, one would believe it should affect all the phones on the wifi. I don't see less interuptions on the iPhone14 vs the iPhone Xr. Do you believe the iOS version is affecting the performance? Could you please give me some insight, as to what could be going on inside these phones? P.S. I also see an error pop up when using NWConnection, this is inside the App. The state update handler will sometimes return the state, waiting(POSIX(.ENETDOWN)) Is there any relation to what's going on in the extension?

Could anyone tell me how to detect status of Local Network for iOS 18+ systems ?

I'm creating a custom VPN app which should only work on Cellular. Apart from cellular interface binding VPN is working fine. Even though I specified cellular interface like let cellularParams = NWParameters.udp cellularParams.requiredInterfaceType = .cellular It is going via Wifi when it is ON. I know this is the default iOS behaviour. How can I prevent this and route through cellular only even when Wifi is enabled on device?

Apple's Wi-Fi Aware demo shows that pairing is required before establishing a connection. Is this pairing mandatory? Can Android devices pair with Apple devices? My Android device strictly supports Wi-Fi Aware 4.0 and I want to achieve interoperability with Apple devices.

Hello, We have a SwiftUI-based application that runs as a LaunchAgent and communicates with other internal components using Unix domain sockets (UDS). On Sequoia (macOS virtualized environment), when installing the app, we encounter the Local Network Privacy Alert, asking: "Allow [AppName] to find and connect to devices on the local network?" We are not using any actual network communication — only interprocess communication via UDS. Is there a way to prevent this system prompt, either through MDM configuration or by adjusting our socket-related implementation? Here's a brief look at our Swift/NIO usage: class ClientHandler: ChannelInboundHandler { ... public func channelRead(context: ChannelHandlerContext, data: NIOAny) { ... } ... } // init bootstrap. var bootstrap: ClientBootstrap { return ClientBootstrap(group: group) // Also tried to remove the .so_reuseaddr, the prompt was still there. .channelOption(ChannelOptions.socketOption(.so_reuseaddr), value: 1) .channelInitializer { channel in // Add ChannelInboundHandler reader. channel.pipeline.addHandler(ClientHandler()) } } // connect to the UDS. self.bootstrap.connect(unixDomainSocketPath: self.path).whenSuccess { (channel) in .. self.channel = channel } ... ... // Send some data. self.channel?.writeAndFlush(buffer).wait() Any guidance would be greatly appreciated.

Hi everyone, I'm developing an enterprise iOS application and need to access the WiFi connection channel. I understand that Apple's privacy and security policies restrict direct access to certain network details, including the WiFi connection channel. After some research, I found that this data might be accessible via the private API MobileWiFi.framework. However, when I tried to use this framework, I encountered the following error: Missing com.apple.wifi.manager-access entitlement I reached out to Apple regarding this entitlement, but they were not familiar with it, suggesting it might be deprecated. Here are my questions: Is there an official or supported way to access the WiFi connection channel in an enterprise iOS app? If not, is there any workaround or additional steps required to use the MobileWiFi.framework without encountering the entitlement error? Are there any specific entitlements or provisioning profile configurations that I need to be aware of to resolve this issue? Any guidance or suggestions would be greatly appreciated. Thank you!

While updating our test devices to iOS 26, we noticed that the connection between devices are flaky. Often when connecting to a Peer from a device running iOS 26 we can observe the invite coming through and when accepting said invite, both ends going to .connecting state and a while later going back to .notConnected within the peer(_ peerID: MCPeerID, didChange state: MCSessionState) function. This happens regularly and retrying the invitation process several times usually resolves it. Do anyone have any information or guidance on how to resolve this issue?

Hello, Since the release of iOS 26.0, we are seeing DNS traffic being blocked from within our NEPacketTunnelExtension on some devices. We have not isolated exact reproduction steps, but DNS resolves successfully for a period of time after enabling "iCloud Private Relay" (varying from 1-day to 2-weeks), until it then fails as MDNSResponder then returns: mDNSResponder [Q37046] DetermineUnicastQuerySuppression: Query suppressed for <mask.hash: 'REDACTED'> Addr (blocked by policy) DNS resolution continues to fail for all domains with the above until the device is rebooted. The Packet Tunnel intentionally does not have a DNS server set and this occurs for traffic from the Extension yet off-tunnel, which needs resolution from the system DNS server (and this configuration works perfectly for a period of time before being "blocked by policy"). The following do not resolve the issue once DNS queries are being "blocked by policy" on affected devices: disconnecting then reconnecting the vpn; toggling airplane mode for 10+ seconds; switching connection between WiFi & cellular data; disabling iCloud Private Relay. We have currently only seen this on unmanaged devices running iOS 26.0 or 26.1 beta and with iCloud Private Relay enabled. We did not see this issue on iOS 16,17 nor 18. We also have not yet seen this when iCloud Private Relay is disabled nor on iOS 26.0.1, however we cannot confirm whether they too are also affected. Is there a known a bug with iOS 26.0 & 26.1 Beta 1 that could cause this? How can we prevent DNS requests from NEPacketTunnelExtension being sporadically "blocked by policy" until the device is rebooted? Many thanks in advance.

We have used ::gethostname to retrieve hostname in our tunnel provider extension and found it returns "localhost" on iOS 17+. So we changed to use [[NSProcessInfo processInfo] hostName]. However it often caused 30+ delay in the extension process on a few devices and always returns "localhost". The sysdiagnose shows a lot of DNS query logs as below: default mDNSResponder 2025-03-19 17:15:12.453769 +0800 75281: 0x11ad501 [R80937] DNSServiceCreateConnection START PID[79767](ACExtension) default mDNSResponder 2025-03-19 17:15:12.453892 +0800 75281: 0x11ad501 [R80938] DNSServiceQueryRecord START -- qname: <mask.hash: 'fNnSAdyuhKXqCny8+neXvw=='>, qtype: PTR, flags: 0x15000, interface index: -1, client pid: 79767 (ACExtension), name hash: 84de01e1 default mDNSResponder 2025-03-19 17:15:12.458395 +0800 75281: 0x11ad501 [R80939] DNSServiceQueryRecord START -- qname: <mask.hash: '2X6qN/YT0yh2psKwrGWokg=='>, qtype: PTR, flags: 0x15000, interface index: 0, client pid: 79767 (ACExtension), name hash: f25c923e default mDNSResponder 2025-03-19 17:15:12.462924 +0800 75281: 0x11ad501 [R80940] DNSServiceQueryRecord START -- qname: <mask.hash: 'peyRWEblLKbNvcOXPjSeMQ=='>, qtype: PTR, flags: 0x15000, interface index: 0, client pid: 79767 (ACExtension), name hash: 83323cc4

My app attempts to upload events and logging data when the user backgrounds the app (i.e., when applicationDidEnterBackground is triggered) by creating an uploadTask using a URLSession with a URLSessionConfiguration.background. When uploading these events after being backgrounded, we call beginBackgroundTask on UIApplication, which gives us about 25-30 seconds before the expirationHandler gets triggered. I am noticing, however, that the expirationHandler is frequently called and no upload attempts have even started. This might be reasonable if, for example, I had other uploads in progress initiated prior to backgrounding, but this is not the case. Could someone confirm that, when initiating an uploadTask while the app is backgrounded using a backgroundSession, there's really no way to predict when that upload is going to begin? My observation is that about 10-20% of the time it does not begin within 20 seconds of backgrounding, and I have many events coming from clients in the field showing as much.

I am developing a program on my chip and attempting to establish a connection with the WiFi Aware demo app launched by iOS 26. Currently, I am encountering an issue during the pairing phase. If I am the subscriber of the service and successfully complete the follow-up frame exchange of pairing bootstrapping, I see the PIN code displayed by iOS. Question 1: How should I use this PIN code? Question 2: Subsequently, I need to negotiate keys with iOS through PASN. What should I use as the password for the PASN SAE process? If I am the subscriber of the service and successfully complete the follow-up frame exchange of pairing bootstrapping, I should display the PIN code. Question 3: How do I generate this PIN code? Question 4: Subsequently, I need to negotiate keys with iOS through PASN. What should I use as the password for the PASN SAE process?

We have a content filter system extension as part of our macOS app. The filter normally works correctly, activation and deactivation works as expected but occasionally we see an issue when the content filter is activated. When this issues occurs, the filter activation appears to behave correctly, no errors are reported. Using "systemextensionsctl list" we see the filter is labelled as "[activated enabled]". However, the installed content filter executable does not run. We have seen this issue on macOS 15.3 and later and on the beta macOS 26.1 RC. It happens only occasionally but when it does there is no indication as to why the executable is not running. There are no crash logs or errors in launchd logs. Both rebooting and deactivating/activating the filter do not resolve the issue. The only fix appears to be completely uninstalling the app (including content filter) and reinstalling. I have raised a FB ticket, FB20866080. Does anyone have any idea what could cause this?