Thanks for the response. We’ve already tested this on macOS, and in our case obtaining the Wi-Fi SSID via CWWiFiClient does not work without Location authorization, even though: the app bundles an NEPacketTunnelProvider the user has explicitly installed and approved our VPN configuration What’s confusing to us is that there are multiple third-party macOS apps (including ones distributed on the Mac App Store) that visibly display the current Wi-Fi SSID and update it live as the network changes, without ever prompting the user for Location permission. Given that, we wanted to ask more directly: is there a supported API, entitlement, or configuration path on macOS that allows observing the current SSID and SSID changes without requesting Location access? We want to make sure we’re not missing a supported approach before committing to a Location permission prompt purely for UI state management.

Thanks for the response. Given that we can’t influence On-Demand decisions, we’re considering handling user-initiated override logic entirely in the container app while it is running, purely to drive UI state and call stopVPNTunnel() when the user presses a Disconnect button. For that app-side monitoring, we’d need to observe: active interface type (Wi-Fi vs Ethernet) current Wi-Fi SSID notifications when either of these change On macOS, is Location authorization mandatory to obtain the Wi-Fi SSID via CWWiFiClient (or related APIs), even when the app bundles an NEPacketTunnelProvider? Put differently, is there any supported way for a macOS VPN app to observe SSID changes without requesting Location access, or is that an explicit platform requirement?

Yes, a button in our app.

Thanks for following up. This is not a port from iOS; it’s a macOS-specific requirement. We use standard On-Demand rules to automatically connect the tunnel on specific Wifi for example. What we want is to allow the user to manually disconnect the tunnel via a UI button even while the On-Demand condition remains satisfied, without disabling or removing the On-Demand rules. After a manual disconnect, On-Demand monitoring should continue, and when a different On-Demand rule becomes satisfied, its action should be triggered normally. Is there a supported way on macOS to allow this kind of user-initiated override while keeping On-Demand enabled?