Yes, it is a macOS device, which should belong to B. After its app is turned on, it can access specific addresses like a browser or other apps. However, I did not receive a reminder of permission upgrade when installing it, because I am a supervised device and I don’t know whether some permission files have been issued to allow its installation. However, after the software is turned on, the proxy’s automatic configuration proxy will be automatically turned on and the pac file connection will be configured. After adding the whitelist, I first turned on my network filter and then logged into the vpn app. Because the whitelist has been set, I printed all intercepted traffic information through the network filter. I no longer see the tcp connection of my vpn in the log printed by the network filter. Is it because I configured its whitelist (NEFilterActionAllow) before? In fact, what I want to know most is that when I configure the network rules to allow a certain ip to be NEFilterActionAllow and put the rule at the front, is it true that when I turn on the network filter, the tcp connection that already exists with the ip will not be cut off by the NEFilterActionFilterData rule behind it.

Yes, it is developed by a third-party app. I used the above code configuration to avoid the inability to access websites that can only be accessed through VPN after turning on the network filter. I observed the VPN connection through the “netstat -an | grep tcp” command line, and did not add allowfilterRule1 before the configuration rule filterRule. After turning on the network filter, I observed that my VPN connection disappeared through "netstat -an | grep tcp". However, when configuring the rule (filterSettings = [[NEFilterSettings alloc] initWithRules:@[allowfilterRule1, filterRule] defaultAction:NEFilterActionAllow]; ), I added allowfilterRule1 before filterRule. I turned on the network filter and observed that my VPN connection was still there through "netstat -an | grep tcp", and the status was "ESTABLISHED". Will NEFilterSettings filter in the order of the configuration rules? If NEFilterActionAllow is configured to allow my VPN network rule, will my VPN network connection not be cut off? From my test so far, this is the case.

I can't see it in the network settings of the computer preferences. It is built into the app and can be used after logging into the app. I added the following code to allow the VPN-related domain name and IP before defining the filtering rules. After testing, I found that it would not cause the VPN to disconnect. Why is this? When adding the following code rules and starting the network filter, will the connection of the VPN domain name in the rule not be cut off? NWHostEndpoint remoteEndpoint1 = [NWHostEndpoint endpointWithHostname:@".vpn..com" port:@"443"]; NENetworkRule* allownetworkRule1 = [[NENetworkRule alloc] initWithRemoteNetwork:remoteEndpoint1 remotePrefix:32 localNetwork:nil localPrefix:0 protocol:NENetworkRuleProtocolAny direction:NETrafficDirectionOutbound ]; NEFilterRule* allowfilterRule1 = [[NEFilterRule alloc] initWithNetworkRule:allownetworkRule1 action:NEFilterActionAllow]; networkRule = [[NENetworkRule alloc] initWithRemoteNetwork:nil remotePrefix:0 localNetwork:nil localPrefix:0 protocol:NENetworkRuleProtocolAny direction:NETrafficDirectionOutbound]; filterRule = [[NEFilterRule alloc] initWithNetworkRule:networkRule action:NEFilterActionFilterData]; filterSettings = [[NEFilterSettings alloc] initWithRules:@[allowfilterRule1, filterRule] defaultAction:NEFilterActionAllow];

In addition, 12.6.0 and 14.5.0 sometimes trigger SIGPIPE when starting the network filter, but not every time. How can I avoid triggering SIGPIPE?

Hi , team: Will configuring filters through MDM create a new network? I analyzed that my security app was killed because it had created a network channel and continued to communicate, while MDM would create a new network, so the original channel of the security app no longer exists, so it received SIGPIPE. However, by configuring the network filter through code, it will use loadFromPreferencesWithCompletionHandler (Load the filter configuration from the Network Extension preferences.) and then saveTPreferencesWithCompletionHandler to save the network configuration. Therefore, using saveTPreferencesWithCompletionHandler: will not cause my app to be killed, is that correct? Is there a way to achieve the effect of using MDM to implement code saveTPreferencesWithCompletionHandler:?