No, this doesn't require to have an app with a CryptoTokenKit app extension installed or any software installed. The strange things is that the same code running in a separate test application retrieves the cert properly. In both cases (the actual app and the test app) Security and SecurityInterface FWs are added to theXCode project and both are notarized In the console app when the cert is retrieved these logs are printed out: debug 22:55:37.310517+0530 ctkd Platform rule matched debug 22:55:37.310595+0530 ctkd Request from: '(null)' to access '' was granted When the cert is not retrieved using the same code in the app nothing is printed out for ctkd. Is it possible that some permissions be affecting this? Thanks

Also I tried the same on Big Sur 11.5.2 + Safari Beta 15 (16612.1.28.1, 16612) and the same problem happens using my Application and also other applications: the URL is not redirected

Is it possible that the issue be related with an update on for XProtect and MRT Configuration Data? https://eclecticlight.co/2021/08/23/apple-has-pushed-updates-to-xprotect-and-mrt-27/

Hi @meaton What happening if you add a rule for all public address ranges expect for the one(s) you are looking to exclude? -> That approach worked excluding the IPs. Now I only have include rules. I will fill a bug for the combination of wildcard rule (to accept all TCP flows) + particular exclude rule Thanks