Hi all, I believe the behavior we're seeing is explained in the documentation "Using iCloud with macOS virtual machines" https://developer.apple.com/documentation/virtualization/using-icloud-with-macos-virtual-machines From the article: If someone moves a VM to a different Mac host and restarts it... Additionally, the Virtualization framework detects attempts to start multiple copies of the same VM simultaneously on the same Mac host... My interpretation of this is: The Virtualization framework will assign a new Secure Enclave-derived UDID if a VM is started on a different host. It will also assign a new UDID if a cloned VM is started on the same host while the original VM is running at the same time. Given these constraints, I don't think it's possible to reliably preserve a Secure Enclave-derived UDID across multiple cloned environments. However, at least for now, it's still possible to install macOS 15/26 using the older ChipID=0000FE00 style UDID. In my UTM workflow, the process looks like this: Locate en existing VM that uses the old UDID format (with the expected UDID), Create a new VM in UTM, but do not install macOS yet, quit UTM, Edit the new VM's config.plist, copy HardwareModel and MachineIdentifier from the old VM, I hope future versions of macOS will remain compatible with this old UDID format (DataRepresentationVersion=1), as it's currently the only practical method I'm aware of for preserving UDIDs. Shay

Hi Quinn, Thanks for your valuable information. Unfortunately I don't have experience with threat intelligence, and our threat intelligence team is also new to URL Filter and Private Information Retrieval. We are learning these technologies and will file enhancement requests if we need more from the OS frameworks. I filed FB18302351 for documentation improvement regarding question 3: The documentation itself needs to clarify the fuzzy matching behaviour of NEURLFilter. My colleague filed another feedback for question 4, I asked for the FB number but I haven't heard from him yet. Kindly Regards, Shay

I think you're testing connections to localhost (127.0.0.1 or ::1), which requires explicit network rules. Refer: NetworkExtensions/NENetworkRule.h If the address is a wildcard address (0.0.0.0 or ::) then the rule will match all destinations except for loopback (127.0.0.1 or ::1). To match loopback traffic set the address to the loopback address.

(..continued) NEFilterManager must be enabled after the System Extension is activated and enabled, it might be a disaster if NEFilterManager is enabled without a runnable System Extension (all network connection lost, or even T2 watchdog panic). A new status API/notification would help developer to implement this feature more easily.