Thanks to @Etresoft & @DTS Engineer for your replies. You are quite right, I'd assumed that administrator authentication would be needed, when it is not; it can be like that with certain other OSs. @Etresoft, I get a similar outcome in which no permission is sought when I have no active LAN connection. But it is requested after a connection has been enabled. The demo is meant to be a minimalist example – and only the two networking entitlements were required to make it run. @DTS Engineer, I take it then that our only real option would be to #ifdef __APPLE__ an Apple-specific block into our code that would query a more specific reason for a socket connection failure using e.g. the Networking framework. There is a follow up question, then, on how to test and debug all of this. The advice is that Privacy & Security permissions will be forgotten when an app is deleted. We do not find this. Permissions are remembered across a cycle of deletion and installation. Commands such as tccutil do not affect LAN permissions. There does not seem to be any way of removing LAN permissions once they have been assigned to an app by a user. The only approach I have found that seems to work – and it is rather cumbersome – is to create a new user and then run the app from that account every time that I want to test the permissions handling of the app. Surely there is a better way?

We are having trouble that is similar to what jfriesne has described. Our apps worked perfectly well up to and including Sonoma. Now we are having issues with Sequoia's new privacy and security settings for local networks. We get a dialogue box that asks us whether to allow local network access or not on the first run of an installed program. User permission is sought when a connection is requested. However, the connection request fails even if 'Allow' has been selected in the dialogue box. Following the question of Floating Wrench with something more general, is there any type of entitlement that may be granted to an app that will allow it to access the local network? Nothing that I've yet found in the documentation seems to explicitly provide this, e.g. com.apple.developer.networking.networkextension. An entitlement that allows the dialogue box to be skipped, or presented at an earlier point (say, when the app is first launched) would be an improvement.