We have filed a bug report: FB22135575

Thanks for your reply. I'll file a bug report. Just to make it very clear we have VPN app which connects to our vpn server fine and routes traffic through tunnel so tunnel is up and running correctly on the client. it's just that our server drops the packets.

MFA stands for Multi-Factor Authentication. But that detail isn't critical here — the key point is simply that the tunnel is up and established successfully (startTunnel completes without error, setTunnelNetworkSettings is applied), routing is in place, but the server is not forwarding traffic. The sample code I shared reproduces this exact state — it's a loopback tunnel that never forwards packets. The core issue remains: with includeAllNetworks = true, push notifications are not delivered over Wi-Fi regardless of the excludeAPNS setting, while on cellular they work as expected when excludeAPNS = true.

Thanks for the response. We’ve already tested this on macOS, and in our case obtaining the Wi-Fi SSID via CWWiFiClient does not work without Location authorization, even though: the app bundles an NEPacketTunnelProvider the user has explicitly installed and approved our VPN configuration What’s confusing to us is that there are multiple third-party macOS apps (including ones distributed on the Mac App Store) that visibly display the current Wi-Fi SSID and update it live as the network changes, without ever prompting the user for Location permission. Given that, we wanted to ask more directly: is there a supported API, entitlement, or configuration path on macOS that allows observing the current SSID and SSID changes without requesting Location access? We want to make sure we’re not missing a supported approach before committing to a Location permission prompt purely for UI state management.

Thanks for the response. Given that we can’t influence On-Demand decisions, we’re considering handling user-initiated override logic entirely in the container app while it is running, purely to drive UI state and call stopVPNTunnel() when the user presses a Disconnect button. For that app-side monitoring, we’d need to observe: active interface type (Wi-Fi vs Ethernet) current Wi-Fi SSID notifications when either of these change On macOS, is Location authorization mandatory to obtain the Wi-Fi SSID via CWWiFiClient (or related APIs), even when the app bundles an NEPacketTunnelProvider? Put differently, is there any supported way for a macOS VPN app to observe SSID changes without requesting Location access, or is that an explicit platform requirement?

Yes, a button in our app.

Thanks for following up. This is not a port from iOS; it’s a macOS-specific requirement. We use standard On-Demand rules to automatically connect the tunnel on specific Wifi for example. What we want is to allow the user to manually disconnect the tunnel via a UI button even while the On-Demand condition remains satisfied, without disabling or removing the On-Demand rules. After a manual disconnect, On-Demand monitoring should continue, and when a different On-Demand rule becomes satisfied, its action should be triggered normally. Is there a supported way on macOS to allow this kind of user-initiated override while keeping On-Demand enabled?