Comment on macOS DNS Proxy system extension makes device stop processing MDM commands until reboot
Hi, Thank you for the diagnostic guidance — it pointed us in the right direction. Root cause: our upstream filtering nodes were blocking APNs domains. Port 5223 returned TCP RST (error 61), port 443 failed with CERTIFICATE_VERIFY_FAILED due to TLS inspection. This caused apsd to accumulate 20+ consecutive failures and stop retrying. After whitelisting push.apple.com, courier.push.apple.com and api.push.apple.com — everything works perfectly.
2w
Comment on macOS DNS Proxy system extension makes device stop processing MDM commands until reboot
Thank you for the suggestion. We will reproduce the "stuck" state and then send a user‑visible push notification (via Find My / SimpleMDM Alert command) to the affected Mac to check whether APNs itself is functioning. We will report back with the result: whether the notification gets through or not, along with nesessionmanager and `mdmclient` logs collected at the same time.
2w
Comment on NEAppProxyUDPFlow.writeDatagrams fails with "The datagram was too large" on macOS 15.x, macOS 26.x
You were exactly right about the flow not being fully opened. I added an explicit await udpFlow.open(withLocalFlowEndpoint: nil) before starting the upstream TCP connection, and gated writeDatagrams on a “flow opened” flag. After this change the NEAppProxyFlowErrorDatagramTooLarge error is gone and dig google.com now resolves successfully with 67‑byte responses. Thank you for pointing me at the flow opening semantics.
Apr ’26
Comment on DNS Proxy system extension – OSSystemExtensionErrorDomain error 9 “validationFailed” on clean macOS machine
I updated the App ID for the DNS Proxy system extension and noticed that Dev Portal only exposes the legacy dns-proxy value under NetExtensions. There is no option for dns-proxy-systemextension. When I create a Mac App Development provisioning profile for this App ID and try to use it for signing the system extension target, Xcode fails with: Provisioning profile "Dev-Mac-App-DNSProxy" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement.
Jan ’26
Comment on DNS Proxy system extension – OSSystemExtensionErrorDomain error 9 “validationFailed” on clean macOS machine
I updated the App ID for the DNS Proxy system extension and noticed that Dev Portal only exposes the legacy dns-proxy value under NExtensions. There is no option for dns-proxy-systemextension. When I create a Mac App Development provisioning profile for this App ID and try to use it for signing the system extension target, Xcode fails with: Provisioning profile "Dev-Mac-App-DNSProxy" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement.
Jan ’26
Comment on DNS Proxy system extension – OSSystemExtensionErrorDomain error 9 “validationFailed” on clean macOS machine
I updated the App ID for the DNS Proxy system extension and noticed that Developer Portal only exposes the legacy dns-proxy value under Network Extensions. There is no option for dns-proxy-systemextension. My extension’s entitlements currently contain: `com.apple.developer.networking.networkextension` `dns-proxy-systemextension`. Look at my post down.
Jan ’26
Comment on DNS Proxy system extension – OSSystemExtensionErrorDomain error 9 “validationFailed” on clean macOS machine
Is r.168750762 considered fixed in Xcode 26..?
Mar ’26