I followed your advice and tried to first test access to the shared container and everything worked as expected: Filter Data and Filter Control Providers were able to read from app group container and main target was able to write data. After that I tried to add Core Data like this: private lazy var persistentContainer: NSPersistentContainer = { guard let sharedContainerURL = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: "MyGroupIdentifier") else { fatalError("Shared container is not accessible.") } let storeURL = URL.storeURL(group: "MyGroupIdentifier", database: "MyCoreDataModel") let description = NSPersistentStoreDescription(url: storeURL) let container = NSPersistentContainer(name: "MyCoreDataModel") container.persistentStoreDescriptions = [description] container.loadPersistentStores(completionHandler: { (storeDescription, error) in if let error = error as NSError? { fatalError("Unresolved error \(error), \(error.userInfo)") } }) return container }() public extension URL { static func storeURL(group: String, database: String) -> URL { guard let fileContainer = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: group) else { fatalError("Shared file container could not be created.") } return fileContainer.appendingPathComponent("\(database).sqlite") } } My VM in the main app target stores Model shared instance and everything compiled as expected. However, if I try to call let's say fetch for database, Content Filter becomes Invalid. I had similar problem, when I tried to add async operation to my Filter Data Provider handleNewFlow func in order to store intercepted flows, that's why I moved logic to VM and UserDefaults at that time

I thought that I could do something wrong yesterday so I tried to rewrite my data related module using Core Data again. But I still receive this message in console failed to launch: 'Could not attach to pid : “1275”' -- Failed to get reply to handshake packet within timeout of 6.0 seconds Not sure what's wrong with my implementation

I see, that was my main concern regarding UserDefaults. This Content Filter is for iOS. The app also uses DNS Proxy, but its' logic is separated from the Content Filter

UPD: I tried to rewrite all data-storing logic using Core Data instead of UserDefaults and now Content Filter wouldn't work. Not sure if I did something wrong, but I had a couple projects with Core Data for db where everything worked well

I should also mention that I don't have UI in my app. It's basically just Network Extension. And from what I read it'd be easier to use Core Data if I don't have a View part. Please, correct me if I'm wrong

The problem was on MDM level. Removing app from the phone was not actually removing it from the device, that's why I had some unexpected behaviour as Proxy running even though the app is uninstalled. Removing profile and reinstalling the app fixed the problem

However, I have another question regarding DNS Proxy. Yesterday, I made it work in my main project with Content Filter and it worked as expected. Today after some testing (no changes were made to the project), the device is not functioning right. All flows are not going through even after removing all the filtering logic. And in safari I receive "Safari could not open the page because the server stopped responding". So I tried to isolate the problem and it seems that DNSProxy is the one that's not working properly, because Content Filter itself works properly. It says running in the System Settings for DNS Proxy and the principal class looks like this: class DNSProxyProvider: NEDNSProxyProvider { override func startProxy(options:[String: Any]? = nil, completionHandler: @escaping (Error?) -> Void) { // Add code here to start the DNS proxy. completionHandler(nil) } override func stopProxy(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) { // Add code here to stop the DNS proxy. completionHandler() } override func sleep(completionHandler: @escaping () -> Void) { // Add code here to get ready to sleep. completionHandler() } override func wake() { // Add code here to wake up. } override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool { // Add code here to handle the incoming flow. return true } } But it still wouldn't work. So I tried to run the project that had only DNSProxy with default settings, the same problem there. Not sure what's causing this problem. Would be grateful to hear any thoughts

So, I removed all existing profiles from the device and added a new payload for DNS Proxy, that is similar to the one I added earlier. After that I created an empty project to test if it's going to work (NEDNSProxyProvider principal class file added to compile sources of the main target), and it worked as expected. DNS Proxy now is displayed as Running in System Settings.

Yes, I was trying to install configuration payload profile via MDM. In this configuration profile I have two payloads (Content Filter and DNS Proxy). Content Filter works as expected, but not the DNS Proxy. That's why I had another post on my profile regarding async operations in Network Extension, as the initial idea of using DNS Proxy with specified resolver didn't work for me.

I used MDM solution for Content Filter. Now app works as expected. Thank you for your help!

Filter data providers only see TCP and UDP flows. Filter packet providers see all packets. I am working on the similar project but for iOS and so far I was able to intercept all UDP/TCP flows, however ICMP packets are still going through (I am using Network Tools app to send ping requests). Is it possible to intercept all packets on iOS as well?

And could you help me understand the work of the Content Filter in the following context. When I use the Network Tools app for testing ping commands for specified domains/IP addresses, the content filter (both socket and browser filtering enabled) is unable to intercept them. Is it the problem of sandbox restrictions? However, if I use DNSProxy with NEDNSManager which I tested before, I can intercept ping of the domains but not IP addresses, which is obvious. However, why is the content filter unable to intercept traffic from the Network Tools app?

Not sure if that's the right approach but by just adding files with Extension Targets' principle classes to the main app's target compile sources, the filter starts and works as expected. Could you give me some advice on this?

I tried to use configuration profile on the new project so it wasn't the initial project, but it didn't work. I only added two extension targets for Filter Data Provider and Filter Control Provider, and set handleNewFlow in Filter Data Provider to .drop() by default. I am just trying to test the concept of Content Filter, so that I could move on to implementing some custom filtering logic.

I decided to use configuration profile with MDM for Content Filter. I read this post about enabling plug-in content filter using configuration profile. I thought that I followed all the steps but for some reason I am unable to start my app's content filter.