The M5 Pro does not connect to the Wi-Fi AP using RADIUS when NetworkExtension is activated.
The M5 Pro does not connect to the Wi-Fi AP using RADIUS when NetworkExtension is activated. The M1 and M2 Pro worked, but only the M5 Pro MacBook Pro did not work. If you deactivate NetworkExtension, it connects to the AP, and afterwards, it works even if you activate NetworkExtension.
Replies
5
Boosts
0
Views
250
Activity
3w
Question Regarding peekOutboundBytes Limit in NEFilterDataProvider When Using SMB
Dear Apple Developer Technical Support,

I am currently developing a macOS network filtering solution using NetworkExtension with NEFilterDataProvider. During implementation of the handleOutboundData logic, we are using the following verdict:

    NEFilterNewFlowVerdict.filterDataVerdict(
        withFilterInbound: true,
        peekInboundBytes: InboundPeekBytes,
        filterOutbound: true,
        peekOutboundBytes: OutboundPeekBytes
    )

However, we have encountered an issue when SMB traffic is involved. When SMB protocol communication occurs, the network connection occasionally becomes unresponsive or appears to stall when peekOutboundBytes is set to a large value.

Through testing, we observed the following behavior:

- On some systems, reducing the peekOutboundBytes value allows SMB communication to proceed normally.
- On other systems, even relatively small values can still cause the SMB connection to stall.

This behavior appears inconsistent across different macOS environments. Because of this, we would like to clarify the following:

- Is there a documented or recommended maximum value for peekOutboundBytes when using NEFilterNewFlowVerdict.filterDataVerdict?
- Are there any internal limits or constraints within NetworkExtension that could cause SMB traffic to stall when the peek buffer size is too large?
- Are there best practices for selecting appropriate peekInboundBytes / peekOutboundBytes values when filtering high-throughput protocols such as SMB?

If necessary, we can provide additional information such as macOS version, test environment details, and logs.

Thank you for your assistance.

Best regards,
sangho
Replies
1
Boosts
0
Views
78
Activity
Feb ’26
es_event_open_t fflag showing O_SEARCH instead of FREAD/FWRITE on macOS 26 beta 4
Hello,

Starting with macOS 26 beta 4, I’ve noticed that the fflag field in es_event_open_t sometimes contains O_SEARCH instead of the expected FREAD or FWRITE values. According to the documentation, fflag should represent the kernel-applied flags (e.g., FREAD, FWRITE), not the open(2) oflag values. However, in my tests, when intercepting ES_EVENT_TYPE_AUTH_OPEN events, the value appears to match O_SEARCH in certain cases.

Is this an intentional change in macOS 26, or could it be a bug in the current beta? If this is expected behavior, could you clarify under what conditions O_SEARCH or some oflag are returned?

Environment:

- macOS 26 beta 4
- Endpoint Security Framework

Thanks in advance for any clarification!
Replies
3
Boosts
0
Views
124
Activity
Aug ’25
"es_new_client"'s "es_handler_block_t" can't receive an ES_EVENT_TYPE_NOTIFY_KEXTLOAD on M1 macOS 11 Big Sur
I am using es_new_client and es_subscribe in SystemExtension and EndpointSecurity. I tested it on M3, and it is working. It also works on M1 versions 12, 13, and 14. Additionally, ES_EVENT_TYPE_NOTIFY_KEXTUNLOAD is functioning correctly. However, there is a bug on M1 Big Sur where es_new_client's es_handler_block_t cannot receive ES_EVENT_TYPE_NOTIFY_KEXTLOAD.

The tested commands are:

    sudo kextload /System/Library/Extensions/msdosfs.kext
    sudo kextload /System/Library/Extensions/*.kext

Is this intended behavior or a bug? Are there any plans to fix it?
Replies
1
Boosts
0
Views
327
Activity
Mar ’25
NetworkExtension memory leak - using NEFilterSocketFlow description
Hello, I use the NetworkExtension NEFilterSocketFlow description. I received it as a String, or UnsafeMutableBufferPointer, etc. It always has a memory leak. So I just called NEFilterSocketFlow.description or description.utf8String, and it was not assigned to any variable. But it also has a memory leak. What should I do?
Replies
0
Boosts
0
Views
417
Activity
Aug ’24
DisplayPort (DP) to USB-C monitor is not working on iMac 2019 Intel after updating to macOS 14 Sonoma
DisplayPort (DP) to USB-C monitor is not working on iMac 2019 Intel after updating to macOS 14 Sonoma. I used it before the update. It was completely OK. But after updating the OS from 13 to 14, it never works.
Replies
0
Boosts
0
Views
483
Activity
Oct ’23
How to get the defined current library version in Xcode "Build Setting - linking or versioning"
I want to make an API return the version defined in a static library. How do I get the current library version defined in Xcode "Build Setting - linking or versioning"? Like VERSION : Clang version. Some preprocessor macro? Or is a static char defined? If anyone knows, please share.
Replies
2
Boosts
0
Views
1.2k
Activity
Apr ’23
How to find the caller process name in NetworkExtension for Monterey's Safari.
Hello, I have an issue developing a NetworkExtension on Monterey with Safari. I want to find the caller process name when the metadata's sourceAppAuditToken does not exist. I compare the blocked content with process fd information using IP:PORT.

    // 0. Input: blockedSrc, blockedDest
    if([[blockedPacket metadata] sourceAppAuditToken] == nil ) {
        // 1. Get a list of process pids.
        sysctl( procList ... );
        kinfo_proc proc = procList[procIdx];

        // 2. Get process fd information.
        proc_pidinfo(proc.kp_proc.p_pid, PROC_PIDLISTFDS, socketInfo, ...);

        // 3. Get IP and port from the process information.
        srcIP = (struct in_addr *)&socketInfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_laddr.ina_46.i46a_addr4;
        srcPort = (int)socketInfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_lport;
        destIP = (struct in_addr *)&socketInfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_faddr.ina_46.i46a_addr4;
        destPort = (int)socketInfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_fport;
        ...
        // 4. Compare blocked content with this information using srcIP:Port and destIP:Port.
        if( blockedSrc == src && blockedDest == dest ) {
            // 5. Found the process name.
            proc_pidpath(proc.kp_proc.p_pid, pathBuffer, sizeof(pathBuffer)-1);
        }
    }

The same routine works for Chrome and Safari on Big Sur and for Chrome on Monterey. In these cases, I can find the list of processes that have TCP open using the terminal ("lsof -i -P"). But it does not work when using Safari on Monterey. So I checked the list of processes that have TCP open on Monterey, but I couldn't find it. How can I find the caller process name on Monterey when Safari web content is blocked? Thank you for reading.
Replies
2
Boosts
0
Views
868
Activity
Aug ’21