Thank you, this clarification is very helpful.
Based on your explanation, our primary requirement is per-process network connection metadata for typical application behavior (process identity, destination IP/port, timestamps). We are not attempting to inspect or reconstruct raw packet traffic, nor are we trying to handle extremely low-level or adversarial networking scenarios (e.g. raw Ethernet packet generation).
Given that, it sounds like NEFilterDataProvider may be the most appropriate fit, even if it does not capture every possible low-level network path. Our goal is to monitor “normal” application-generated traffic on managed enterprise endpoints, rather than achieve complete packet-level visibility.
Could you please confirm:
1. Whether NEFilterDataProvider is the recommended approach for this type of per-process connection metadata (typical app usage)
2. Whether it provides reliable process attribution and remote endpoint information sufficient for this use case
3. If there are any specific limitations or edge cases we should explicitly account for in a managed enterprise deployment
Our deployment model is strictly MDM-managed macOS devices, and we are aiming to stay fully within supported/public APIs.
Thanks again for your guidance.
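For reference, this is an added example (not code from the thread or from Apple) of how the metadata listed above can be pulled out of a flow in an NEFilterDataProvider subclass; the `ConnectionRecord` type and the `emit(_:)` sink are hypothetical names chosen here, and resolving the audit token to a pid is left to the host app.

```swift
import Foundation
import NetworkExtension

// Added example, not from the original post: a metadata-only content filter that
// records process identity, remote endpoint and a timestamp for every new socket
// flow, then allows the flow. ConnectionRecord and emit(_:) are hypothetical names.
struct ConnectionRecord: Codable {
    let timestamp: Date
    let appIdentifier: String?   // signing identifier / bundle ID of the originating app
    let auditTokenHex: String?   // raw audit token bytes; resolve to a pid in the host app
    let remoteHost: String?
    let remotePort: String?
    let socketProtocol: Int32    // IPPROTO_TCP (6), IPPROTO_UDP (17), ...
    let outbound: Bool
}

class FilterDataProvider: NEFilterDataProvider {

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // No rules and a default action of .filterData means every new flow is
        // delivered to handleNewFlow(_:) instead of being decided by the system.
        let settings = NEFilterSettings(rules: [], defaultAction: .filterData)
        apply(settings) { error in completionHandler(error) }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Only socket flows carry an addressable remote endpoint; other flow kinds are allowed untouched.
        guard let socketFlow = flow as? NEFilterSocketFlow else { return .allow() }

        let host = socketFlow.remoteEndpoint as? NWHostEndpoint
        let record = ConnectionRecord(
            timestamp: Date(),
            appIdentifier: flow.sourceAppIdentifier,
            auditTokenHex: flow.sourceAppAuditToken?.map { String(format: "%02x", $0) }.joined(),
            remoteHost: host?.hostname,
            remotePort: host?.port,
            socketProtocol: socketFlow.socketProtocol,
            outbound: socketFlow.direction == .outbound
        )
        emit(record)
        // Metadata only: no payload inspection, so the flow is allowed rather than filtered further.
        return .allow()
    }

    private func emit(_ record: ConnectionRecord) {
        // Hypothetical sink; a real deployment would forward records to the host app over IPC.
        if let data = try? JSONEncoder().encode(record) {
            NSLog("%@", String(decoding: data, as: UTF8.self))
        }
    }
}
```

The filter sees flows only for traffic that passes through the socket layer it is attached to, which matches the "normal application traffic" scope described in the post rather than full packet-level visibility.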
Topic: Privacy & Security
SubTopic: General