General: Forums subtopic: App & System Services > Networking DevForums tag: Network Extension Network Extension framework documentation Routing your VPN network traffic article Filtering traffic by URL sample code Filtering Network Traffic sample code TN3120 Expected use cases for Network Extension packet tunnel providers technote TN3134 Network Extension provider deployment technote TN3165 Packet Filter is not API technote Network Extension and VPN Glossary forums post Debugging a Network Extension Provider forums post Exporting a Developer ID Network Extension forums post Network Extension Framework Entitlements forums post Network Extension vs ad hoc techniques on macOS forums post Network Extension Provider Packaging forums post NWEndpoint History and Advice forums post Extra-ordinary Networking forums post Wi-Fi management: Understanding NEHotspotConfigurationErrorInternal forums post See also Networking Resources for general networking resources, including information about Wi-Fi. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I've searched these terms all over the place and have found only a confusing mishmash of things that were probably true years ago but no longer seem to reflect today's reality so I'm posting it here to hopefully add a definitive 2026 answer to these search results for myself and others. The existence of the DNS Proxy Network Extension protocol in 10.15 has given me an idea. I would like to test this idea to see if it is worth developing further or a complete waste of time. This test does not need to run on any device anywhere in the world other than the one in front of me so I would prefer not to spend $100 just to see if I can make a small code fragment do a silly trick. XCode sadly refuses to build my Network Extension target when I only have a "Personal Team" to sign with: Personal development teams, including "XXXX XXXX", do not support the Network Extensions capability. Can this be done or is Apple just 100% pay-to-play nowadays? I have zero problems disabling SIPS or any other consumer grade protections if that will actually achieve my goal but I've read enough comments from people saying it didn't work that I haven't bothered trying. Thanks for reading. OS: 15.7.5 (24G624) XCode Version 26.3 (17C529)

After an app update replaces our extension with the new version, the XPC connection between the app and the extension fails to work roughly 20% of the time. Once it's broken, it stays broken — our reconnect/retry logic doesn't recover it, stopping and starting the extension doesn't recover it, and the only thing that fixes it is a full machine restart. This obviously isn't ideal. I've seen a few other threads describing the same or a very similar issue: https://developer.apple.com/forums/thread/728063 https://developer.apple.com/forums/thread/779395 https://developer.apple.com/forums/thread/742992 On a broken upgrade cycle, when we run: sudo launchctl print system/NetworkExtension.com.company.example.app.filter.5.5.0.2248 the endpoints entry is missing from the output entirely. On a working upgrade cycle, the same command shows endpoints = {} is present. So it looks like our XPC service isn't actually getting registered with launchd in the broken case. We've tried various changes to our connection logic, but nothing prevents the issue — random upgrades still end up broken with no obvious cause. Is there a known way to recover the XPC registration without requiring a machine restart?

Hi, Our project is a MacOS SwiftUI GUI application that bundles a System Network Extension, signed with a Developer ID certificate for distribution outside of the app store. The system network extension is used to write a packet tunnel provider. The signing of the app & network extension is handled by XCode (v16.0.0), we do not run codesign ourselves. We have no issues with XPC or the system network extension during normal usage, nor when the application is installed on a user's device for the first time. The problem only arises when the user upgrades the application. I have experienced this issue myself, as have our users. It's been reported on Apple Silicon macbooks running at least macOS 15.3.2. Much like the SimpleFirewall example (which we used as a reference), we use XPC for basic communication of state between the app and NE. These XPC connections stop working when the user installs a new version of the app, with OS logs from the process indicating that the connection is immediately invalidated. Subsequent connection attempts are also immediately invalidated. Toggling the VPN in system settings (or via the app) does not resolve the problem, nor does restarting the app, nor does deleting and reinstalling the app, nor does restarting the device. The only reliable workaround is to delete the system extension in Login Items & Extensions, under Network Extensions. No device restart is necessary to garbage collect the old extension - once the extension is reapproved by the user, the XPC issue resolves itself. This would be an acceptable workaround were it possible to automate the deleting of the system extension, but that appears deliberately not possible, and requiring our users to do this each time they update is unreasonable. When the upgraded app is opened for the first time, the OSSystemExtensionRequest request is sent, and the outcome is that the previously installed system network extension is replaced, as both the CFBundleVersion and CFBundleShortVersionString differ. When this issue is encountered, the output of systemextensionsctl list shows the later version is installed and activated. I've been able to reproduce this bug on my personal laptop, with SIP on and systemextensionsctl developer off, but on my work laptop with SIP off and systemextensionsctl developer on (where the network extension is replaced on each activation request, instead of only when the version strings differ), I do not encounter this issue, which leads me to believe it has something to do with the notarization process. We notarize the pkg using xcrun notarytool, and then staple to the pkg. This is actually the same issue described in: https://developer.apple.com/forums/thread/711713 https://developer.apple.com/forums/thread/667597 https://developer.apple.com/forums/thread/742992 https://developer.apple.com/forums/thread/728063 but it's been a while since any of these threads were updated, and we've made attempts to address it off the suggestions in the threads to no avail. Those suggestions are: Switching to a .pkg installer from a .dmg As part of the .pkg preinstall, doing all of the following: Stopping the VPN (scutil --nc stop), shutting down the app (using osascript 'quit app id'), and deleting the app (which claims to delete the network extension, but not the approval in Login Items & Extensions remains??), by running rm -rf on the bundle in /Applications As part of the .pkg postinstall: Forcing macOS to ingest the App bundle's notarization ticket using spctl --assess. Ensuring NSXPCListener.resume() is called after autoreleasepool { NEProvider.startSystemExtensionMode() } (mentioned in a forum thread above as a fix, did not help.) One thing I'm particularly interested in is the outcome of this feedback assistant ticket, as I can't view it: FB11086599. It was shared on this forum in the first thread above, and supposedly describes the same issue. I almost find it hard to believe that this issue has been around for this many years without a workaround (there's system network extension apps out there that appear to work fine when updating, are they not using XPC?), so I wonder if there's a fix described in that FB ticket. Since I can't view that above feedback ticket, I've created my own: FB17032197

Our app has a network extension (as I've mentioned lots 😄). We do an upgrade by downloading the new package, stopping & removing all of our components except for the network extension, and then installing the new package, which then loads a LaunchAgent causing the containing app to run. (The only difference between a new install and upgrade is the old extension is left running, but not having anything to tell it what to do, just logs and continues.) On some (but not all) upgrades... nothing ends up able to communicate via XPC with the Network Extension. My simplest cli program to talk to it gets Could not create proxy: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named blah was invalidated: failed at lookup with error 3 - No such process." UserInfo={NSDebugDescription=The connection to service named bla was invalidated: failed at lookup with error 3 - No such process.} Could not communicate with blah Restarting the extension by doing a kill -9 doesn't fix it; neither does restarting the control daemon. The only solution we've come across so far is rebooting. I filed FB11086599 about this, but has anyone thoughts about this?

I've seen a number of similar posts from other network system extension developers reporting kernel panics on M5 devices in macOS. These kernel panics occur when network system extensions are enabled and are not observed on earlier mac platforms or versions of macOS. Reference: https://developer.apple.com/forums/thread/821372 In this post, it appears like Apple is aware of a problem as noted by Kevin Elliott in versions of macOS. Do we know if there is any way to work around this problem (short of not enabling a network filter) until a fix is available?

Hello, We have a security solution which intercepts network traffic for inspection using a combination of Transparent Proxy Provider and Content filter. Lately we are seeing reports from the market that on M5 Macbooks and A18 Neos the system will kernel panic using our solution, even though it never happens on M1-M4 and no significant code changes were made in the mean time. All crashes seem to be related to an internal double free in the kernel: panic(cpu 0 caller 0xfffffe003bb68224): skmem_slab_free_locked: attempt to free invalid or already-freed obj 0xf2fffe29e15f2400 on skm 0xf6fffe2518aaa200 @skmem_slab.c:646 Debugger message: panic Memory ID: 0xff OS release type: User OS version: 25D2128 Kernel version: Darwin Kernel Version 25.3.0: Wed Jan 28 20:54:38 PST 2026; root:xnu-12377.91.3~2/RELEASE_ARM64_T6050 Additionally, from further log inspection, before panics we find some weird kernel messages which seem to be related to some DMA operations gone wrong in the network driver on some machines: 2026-03-30 14:11:21.779124+0300 0x30f2 Default 0x0 873 0 Arc: (Network) [com.apple.network:connection] [C9.1.1.1 IPv4#e5b4bb04:443 in_progress socket-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, ipv6, dns, uses wifi, flow divert agg: 1, LQM: good)] event: flow:start_connect @0.075s 2026-03-30 14:11:21.780015+0300 0x1894 Default 0x0 0 0 kernel: (402262746): No more valid control units, disabling flow divert 2026-03-30 14:11:21.780017+0300 0x1894 Default 0x0 0 0 kernel: (402262746): Skipped all flow divert services, disabling flow divert 2026-03-30 14:11:21.780102+0300 0x1894 Default 0x0 0 0 kernel: SK[2]: flow_entry_alloc fe "0 proc kernel_task(0)Arc nx_port 1 flow_uuid D46E230E-B826-4E0A-8C59-4C4C8BF6AA60 flags 0x14120<CONNECTED,QOS_MARKING,EXT_PORT,EXT_FLOWID> ipver=4,src=<IPv4-redacted>.49703,dst=<IPv4-redacted>.443,proto=0x06 mask=0x0000003f,hash=0x04e0a750 tp_proto=0x06" 2026-03-30 14:11:21.780194+0300 0x1894 Default 0x0 0 0 kernel: tcp connect outgoing: [<IPv4-redacted>:49703<-><IPv4-redacted>:443] interface: en0 (skipped: 0) so_gencnt: 14634 t_state: SYN_SENT process: Arc:873 SYN in/out: 0/1 bytes in/out: 0/0 pkts in/out: 0/0 rtt: 0.0 ms rttvar: 250.0 ms base_rtt: 0 ms error: 0 so_error: 0 svc/tc: 0 flow: 0x9878386f 2026-03-30 14:11:21.934431+0300 0xed Default 0x0 0 0 kernel: Hit error condition (not panicking as we're in error handler): t8110dart <private> (dart-apcie0): invalid SID 2 TTBR access: level 1 table_index 0 page_offset 0x2 2026-03-30 14:11:21.934432+0300 0xed Default 0x0 0 0 kernel: [ 73.511690]: arm_cpu_init(): cpu 6 online 2026-03-30 14:11:21.934441+0300 0xed Default 0x0 0 0 kernel: [ 73.511696]: arm_cpu_init(): cpu 9 online 2026-03-30 14:11:21.934441+0300 0xed Default 0x0 0 0 kernel: [ 73.569033]: arm_cpu_init(): cpu 6 online 2026-03-30 14:11:21.934441+0300 0xed Default 0x0 0 0 kernel: [ 73.569038]: arm_cpu_init(): cpu 9 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.577453]: arm_cpu_init(): cpu 7 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.586328]: arm_cpu_init(): cpu 5 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.586332]: arm_cpu_init(): cpu 8 online 2026-03-30 14:11:21.934442+0300 0xed Default 0x0 0 0 kernel: [ 73.621392]: (dart-apcie0) AppleT8110DART::_fatalException: dart-apcie0 (<ptr>): DART DART SID exception ERROR_SID_SUMMARY 0x00003000 ERROR_ADDRESS 0x0000000000009800 2026-03-30 14:11:21.934443+0300 0xed Default 0x0 0 0 kernel: [ 73.621397]: Hit error condition (not panicking as we're in error handler): 2026-03-30 14:11:21.934443+0300 0xed Default 0x0 0 0 kernel: t8110dart <ptr> (dart-apcie0): invalid SID 2 TTBR access: level 1 table_index 0 page_offset 0x2Expect a `deadbeef` in the error messages below 2026-03-30 14:11:21.934452+0300 0xed Default 0x0 0 0 kernel: Expect a `deadbeef` in the error messages below 2026-03-30 14:11:21.934456+0300 0xed Default 0x0 0 0 kernel: (AppleEmbeddedPCIE) apcie[0:centauri-control]::_dartErrorHandler() InvalidPTE caused by read from address 0x9800 by SID 2 (RID 2:0:1/useCount 1/device <private>) 2026-03-30 14:11:21.934469+0300 0xed Default 0x0 0 0 kernel: (AppleT8110DART) Ignored dart-apcie0 (0xfbfffe18820b0000): DART(DART) error: SID 2 PTE invalid exception on read of DVA 0x9800 (SEG 0 PTE 0x2) ERROR_SID_SUMMARY 0x00003000 TIME 0x11242d43fd TTE 0xffffffffffffffff AXI_ID 0 We do not have any correlation between machines, usage pattern or installed applications. Uninstalling the network protection features seem to largely fix the issues, even though we have heard of crashes happening even in safe mode or with our network extension disabled from system settings. We weren't able to reproduce internally and it seems to happen completely random on client machines, but often enough to be disrupting. Can you tell us please if this is a known problem and if there's a workaround or what can we do to narrow it down? Thanks.

Hi, We have a macOS app that uses NETransparentProxyManager (Transparent App Proxy) with a NETunnelProviderExtension. The Network Extension is configured and deployed via an MDM configuration profile. The profile is pushed through Intune MDM as a user-enrolled device (Company Portal enrollment, not ADE/supervised). The MDM profile sets up the Transparent Proxy extension as follows (sanitized snippet): <key>VPNType</key> <string>TransparentProxy</string> <key>TransparentProxy</key> <dict> <key>ProviderType</key> <string>app-proxy</string> <key>ProviderBundleIdentifier</key> <string>com.example.app.tunnel</string> <key>ProviderDesignatedRequirement</key> <string>identifier "com.example.app.tunnel" and anchor apple generic and certificate leaf[subject.OU] = TEAMID</string> <key>RemoteAddress</key> <string>100.64.0.0</string> </dict> <key>PayloadScope</key> <string>System</string> What we do in code: Call NETransparentProxyManager.loadAllFromPreferences — this correctly returns the MDM-managed profile (1 profile found) We do not call saveToPreferences — the profile already exists We call NEVPNConnection.startVPNTunnel() to connect and NEVPNConnection.stopVPNTunnel() to disconnect Problem: On a user-enrolled MDM device, when the app is running as a standard user (non-admin), every call to startVPNTunnel() or stopVPNTunnel() triggers the macOS VPN consent dialog: "VPN is trying to modify your system settings. Enter your password to allow this." Console log evidence: Failed to authorize 'system.preferences' by client '/System/Library/ExtensionKit/Extensions/VPN.appex' for authorization created by '/System/Library/ExtensionKit/Extensions/VPN.appex' (-60006) (engine 881) Key observations: Even if the user does not provide the admin credentials in the popup and cancel the window, still things work properly in the background i.e start/stop works. This does not happen for admin users on user-enrolled devices saveToPreferences is NOT called — the profile is MDM-managed and already present The prompt is triggered purely by startVPNTunnel() / stopVPNTunnel() from a standard user process Question: Is there a supported API, entitlement, or MDM configuration key that allows NETransparentProxyManager.startVPNTunnel() / stopVPNTunnel() to be invoked by a standard user process on a user-enrolled (non-supervised) device without triggering the system.preferences authorization dialog — given that the VPN profile is already deployed and managed by MDM?

We have a Man In The Middle proxy that supports all kind of protocols (http, tls, dns, mail protocols, grpc, etc...)... On apple devices we are running it using the Network Extension framework as a NETransparentProxy. First of all, thank you for the framework, took a while to learn the ins and outs but it works nicely and runs smooth... However now that we start to roll it out to customers we see issues here and there.. For most it works fine, but for some that use other proxy/vpn solutions they run into all kind of "connectivity" issues... E.g. some customers run products from companies like zscaler, fortinet, tailscale etc... First we weren't sure if you could even run multiple TransparentProxy's that have the same network capture rules (e.g. the entire TCP range), but turns out that is fine as we tested it with a demo proxy of ours as well as the product version, both deployed as system extensions NETransparentProxy, and it is all fine.. However also here the ordering is not clear? Traffic seems to flow through both but cannot tell what the order is and if the user or we have any control over it. Now... Our proxy is not a VPN and thus not open a tunnel to a remote location. It is local only there to protect the developer. As such in theory it should be compatible with any other VPN and proxy as any traffic we intercept (all traffic) is still ok to go through their proxy/client-vpn and than through a remote tunnel if desired. So the questions I have is: Is there a way, either from within the code or that our users can configure to, on the order of multiple (network extension or other) proxies? Is TransparentProxy the correct solution if I also want compatibility with these other products and want to MITM the traffic? The flows that current work fine are: ClientApp --> NETransparentProxy[ours] --> remote target server clientApp --> L7 HTTP/SOCKS5 Proxy (system or app-defined) --> NETransparentProxy[ours] --> remote target server clientApp --> L7 HTTP/SOCKS5 Proxy (system or app-defined) --> NETransparentProxy[ours/demo] --> NETransparentProxy[demo/ours] --> remote target server However when people also have products from zscaler, fortinet, tailscale or some others it seems to work sometimes but not always, which makes me think it is order defined? What all of them have in common is that they need to go through a remote tunnel, whereas we do not go through a remote tunnel... Which if I am correct (perhaps I am not) should mean that as long as traffic always goes first via us that it should work? e.g. clientApp --> NETransparentProxy[ours] --> NETransparentProxy/Tunnel/...[third party vpn] --> Vpn Server --> remote target server That should in that case just work. But it does not work in case we are behind the (vpn proxy) client. Please let me know if I provide enough detail and if I'm clear? I am mostly wondering about what I can expect in terms of compatibility if there is anything I (or our company user) can do about ordering/priority/something ?

Hi. I have a private cryptographic key that I want to generate and store for use by the system extension only (a network extension NETransparentProxyProvider). The ideal properties I want is: only accessible by extension never leave extension not be accessible by root user or other apps Here is what I have tried so far (by/within the system extension): app data container / local storage: this works, but is accessible by root user app data shared container (storage): this works, but also acccessible by root user system keyring: works, but also accesible by root user System extension by itself does not seem to be able to store/load secrets in app protected keyring. The host application however can store in app protected keyring.... So I though, let's use an app group (as access group) and have it like this shared between host and (system) extension... but nop... (system) extension cannot access the secret... Ok... so than I thought: manual low-level XPC calls.... Also that doesn't work, got something almost to work but seemed to require an entire 3rd (launchd/daemon) service.... way to complex for what I want... also seems that as a root user I can use debug tools to also access it There is however the SendMessage/HandleMessage thing available for TransparentProxy.... that does work... but (1) also doesn't seem the most secure (2) the docs clearly state cannot rely on that for this state as the system extension can be started while the host app is not active.... (e.g. at startup) So that is not a solution either.... I went in so many different directions and rabbit holes in the last days.... this feels like a lot harder than it should be? How do other VPN/Proxy like solutions store secrets that are unique to an extension???? I am hoping there is something available here that I am simply missing despite all my effort... any guidance greatly appreciated...

Hi All, I am working on a macOS System Extension using Apple’s Network Extension Framework, designed to observe and log network activity at multiple layers. The system extension is currently stable and working as expected for HTTP and DNS traffic with 3 providers, getting Socket, HTTP, and DNS logs. Current Architecture Overview The project consists of two Xcode targets: 1. Main App Process Responsible for: Managing system extension lifecycle (activation, configuration) Establishing IPC (XPC) communication with extensions Receiving structured logs from extensions Writing logs efficiently to disk using a persistent file handle Uses: OSSystemExtensionManager NEFilterManager, NETransparentProxyManager, NEDNSProxyManager NWPathMonitor for network availability handling Persistent logging mechanism (FileHandle) 2. System Extension Process Contains three providers, all running within a single system extension process: a) Content Filter (NEFilterDataProvider) Captures socket-level metadata Extracts: PID via audit token Local/remote endpoints Protocol (TCP/UDP, IPv4/IPv6) Direction (inbound/outbound) Sends structured JSON logs via shared IPC b) Transparent Proxy (NETransparentProxyProvider) Intercepts TCP flows Creates a corresponding NWConnection to the destination Captures both HTTP and HTTPS traffic, sends it to HTTPFlowLogger file which bypasses if it's not HTTP traffic. Uses a custom HTTPFlowLogger: Built using SwiftNIO library (NIO HTTP1) Parses up to HTTP/1.1 traffic Handles streaming, headers, and partial body capture (with size limits) Maintains per-flow state and lifecycle management Logs structured HTTP data via shared IPC c) DNS Proxy (NEDNSProxyProvider) Intercepts UDP DNS traffic Forwards queries to upstream resolver (system DNS or fallback) Maintains shared UDP connection Tracks pending requests using DNS IDs Parses DNS packets (queries + responses) using a custom parser Logs structured DNS metadata via shared IPC Shared Component: IPCConnection Single bidirectional XPC channel used by all providers Handles: App → Extension registration Extension → App logging Uses Mach service defined in system extension entitlements Project Structure NetworkExtension (Project) │ ├── NetworkExtension (Target 1: Main App) │ ├── AppDelegate.swift │ ├── Assets.xcassets │ ├── Info.plist │ ├── NetworkExtension.entitlements │ ├── Main.storyboard │ └──ViewController.swift │ ├── SystemExtensions (Target 2: Extension Process) │ ├── common/ │ │ ├── IPCConnection.swift │ │ └── main.swift │ │ │ ├── DNSProxyProvider/ │ │ ├──DNSDataParser.swift │ │ └──DNSProxyProvider.swift (DNS Proxy) │ │ │ ├── FilterDataProvider/ │ │ └── FilterDataProvider.swift │ │ │ ├── TransparentProxyProvider/ │ │ ├── HTTPLogParser.swift │ │ ├── LogDataModel.swift │ │ └──TransparentProxyProvider.swift │ │ │ ├── Info.plist │ └── SystemExtensions.entitlements │ Current Capabilities Unified logging pipeline across: Socket-level metadata HTTP traffic (HTTP/1.1) DNS queries/responses Efficient log handling using persistent file descriptors Stable IPC communication between app and extensions Flow-level tracking and lifecycle management Selective filtering (e.g., bypass rules for specific IPs) What's the best approach to add TLS Inspection with MITM proxy setup? Some context and constraints: Existing implementation handles HTTP parsing and should remain unchanged (Swift-based). I’m okay with bypassing apps/sites that use certificate pinning (e.g., banking apps) and legitimate sites. Performance is important — I want to avoid high CPU utilization. I’m relatively new to TLS inspection and MITM proxy design. Questions Is it a good idea to implement TLS inspection within a system extension, or does that typically introduce significant complexity and performance overhead? As NETransparentProxyProvider already intercepting HTTPS traffic, can we redirect it to a separate processing pipeline (e.g., another file/module), while keeping the existing HTTP parser(HTTPFlowLogger - HTTP only parser) intact? What are the recommended architectural approaches for adding HTTPS parsing via MITM in a performant way? Are there best practices for selectively bypassing pinned or sensitive domains while still inspecting other traffic? Any guidance on avoiding common pitfalls (e.g., certificate handling, connection reuse, latency issues)? I’m looking for a clean, maintainable approach to integrate HTTPS inspection into my existing system without unnecessary complexity or performance degradation. Please let me know if any additional details from my side would help in suggesting the most appropriate approach. Thanks in advance for your time and insights—I really appreciate it.

I’m encountering a persistent issue with my Network Extension (specifically NEFilterDataProvider) and would really appreciate any insights. The extension generally works as expected, but after some time — especially after sleep/wake cycles or network changes — a global network outage occurs. During this state, no network traffic works: pings fail, browsers can’t load pages, etc. As soon as I stop the extension (by disabling it in System Preferences), the network immediately recovers. If I re-enable it, the outage returns instantly. I’ve also noticed that once this happens, the extension stops receiving callbacks like handleNewFlow(), and reinstalling the app or restarting the extension doesn’t help. The only thing that resolves the issue is rebooting the system. After reboot, the extension works fine again — until the problem reoccurs later. I asked AI about this behavior, and it suggested the possibility that the kernel might have marked the extension as untrusted, causing the system to intentionally block all network traffic as a safety mechanism. Has anyone experienced similar behavior with NEFilterDataProvider? Could there be a way to detect or prevent this state without rebooting? Is there any logging or diagnostic data I should collect when it happens again? Any guidance or pointers would be greatly appreciated. Thanks in advance!

I haven’t been able to get this to work at any level! I’m running into multiple issues, any light shed on any of these would be nice: I can’t implement a bloom filter that produces the same output as can be found in the SimpleURLFilter sample project, after following the textual description of it that’s available in the documentation. No clue what my implementation is doing wrong, and because of the nature of hashing, there is no way to know. Specifically: The web is full of implementations of FNV-1a and MurmurHash3, and they all produce different hashes for the same input. Can we get the proper hashes for some sample strings, so we know which is the “correct” one? Similarly, different implementations use different encodings for the strings to hash. Which should we use here? The formulas for numberOfBits and numberOfHashes give Doubles and assign them to Ints. It seems we should do this conversing by rounding them, is this correct? Can we get a sample correct value for the combined hash, so we can verify our implementations against it? Or ignoring all of the above, can we have the actual code instead of a textual description of it? 😓 I managed to get Settings to register my first attempt at this extension in beta 1. Now, in beta 2, any other project (including the sample code) will redirect to Settings, show the Allow/Deny message box, I tap Allow, and then nothing happens. This must be a bug, right? Whenever I try to enable the only extension that Settings accepted (by setting its isEnabled to true), its status goes to .stopped and the error is, of course, .unknown. How do I debug this? While the extension is .stopped, ALL URL LOADS are blocked on the device. Is this to be expected? (shouldFailClosed is set to false) Is there any way to manually reload the bloom filter? My app ships blocklist updates with background push, so it would be wasteful to fetch the filter at a fixed interval. If so, can we opt out of the periodic fetch altogether? I initially believed the API to be near useless because I didn’t know of its “fuzzy matching” capabilities, which I’ve discovered by accident in a forum post. It’d be nice if those were documented somewhere! Thanks!!

Hi Apple team, Could you please let us know the estimated timeline for approval of our OHTTP relay request? We’d appreciate any updates on the current status or next steps from your side. My request number is GZ8425KHD9. Thanks in advance.

Hello, I am working on a DLP solution for macOS that relies on the Network Extension (NETransparentProxyProvider) for network traffic analysis. Could you please clarify: is it technically possible and officially supported to use a LaunchAgent as the container app to install and manage the Network Extension? If not, what is the recommended approach in case of GUI less application? Thank you in advance.

Here’s the formatted summary in English for your issue submission: Issue Summary We are activating a Network Extension system extension (filter-data) from a signed and notarized macOS app. Activation consistently fails with the following error: Error Message: OSSystemExtensionErrorDomain code=4 Extension not found in App bundle. Unable to find any matched extension with identifier: com.seaskylight.yksmacos.ExamNetFilter.data At the same time, sysextd logs show: no policy, cannot allow apps outside /Applications However, our host app and executable paths are already under /Applications, and the extension bundle physically exists in the expected app bundle location. Environment Information macOS: Darwin 25.4.0 Host App: /Applications/xxx.app Host Bundle ID: com.seaskylight.yksmacos System Extension Bundle ID: com.seaskylight.yksmacos.ExamNetFilter.data Team ID: BVU65MZFLK Device Management: Enrolled via DEP: No MDM Enrollment: No Reproduction Steps Install the host app to /Applications. Launch the host app via Finder or using the command: open -a "/Applications/xxx.app" Trigger OSSystemExtensionRequest activationRequestForExtension for: com.seaskylight.yksmacos.ExamNetFilter.data. Observe failure callback (code=4). Collect logs: log show --last 2m --style compact --info --debug --predicate 'process == "sysextd"' Check extension status using: systemextensionsctl list (shows 0 extension(s)) Observed Results sysextd client activation request for com.seaskylight.yksmacos.ExamNetFilter.data attempts to realize extension with identifier com.seaskylight.yksmacos.ExamNetFilter.data. Log indicates: no policy, cannot allow apps outside /Applications App-side Diagnostics (captured at failure) PID: 3249 Bundle Path: /Applications/xxx.app Real Path: /Applications/xxx.app Exec Path: /Applications/xxx.app/Contents/MacOS/xxx Real Exec Path: /Applications/xxx.app/Contents/MacOS/xxx Ext Path: /Applications/xxx.app/Contents/Library/SystemExtensions/ExamNetFilterData.systemextension Ext Exists: true Running From Helper: false Error Callback: NSError{domain=OSSystemExtensionErrorDomain code=4 desc=Extension not found in App bundle...} Additional Validation We reproduced the same failure using a minimal native host app (SysExtProbe) in /Applications that only submits the activation request for the same extension identifier. It also fails with OSSystemExtensionErrorDomain code=4, indicating this is not specific to Electron app logic. Signing / Packaging Notes Host app and system extension are signed with the same Team ID (BVU65MZFLK). System extension bundle exists under: /Applications/xxx.app/Contents/Library/SystemExtensions/ExamNetFilterData.systemextension Extension Info.plist contains bundle id: com.seaskylight.yksmacos.ExamNetFilter.data Host app includes NSSystemExtensionUsageDescription. Questions for DTS In non-MDM personal-device scenarios, what exact conditions trigger sysextd to emit: no policy, cannot allow apps outside /Applications even when both bundlePath and realpath are in /Applications? Can code=4 (“Extension not found in App bundle”) be returned for policy/state reasons even when the extension bundle is present and the identifier matches? Are there known sysextd policy/cache states that cause this behavior, and what is the recommended recovery procedure? Feel free to copy and paste this summary for your submission. If you need any further modifications or assistance, let me know!

Hello team, I am trying to find out a way to block urls in the chrome browser if it is found in local blocked list cache. I found URL Filter Network very much suitable for my requirement. But I see at multiple places that this solution is only for Enterprise level or MDM or supervised device. So can I run this for normal user ? as my targeting audience would be bank users. One more thing how can I test this in development environment if we need supervised devices and do we need special entitlement ? When trying to run sample project in the simulator then getting below error

Hello, I am currently developing a PIR server using the pir-server-example repository. We are anticipating a total of 10 million URLs for our dataset. In this context, what would be the optimal shard size (number of records per shard) to balance computational latency and communication overhead? Any advice or best practices for handling a dataset of this scale would be greatly appreciated. Thank you.

Hi I tried to follow this guide https://developer.apple.com/documentation/networkextension/filtering-traffic-by-url I downloaded the sample app and put our pir service server address in the app. The service is already running and the app is connected to the pir service but the url is still not blocked. We tried to block example.com. Is there anything that we need to do in iOS code? This is the sample when there's dataset This is the sample when there's no dataset

We are building a VPN using NEPacketTunnelProvider where the intent is to route HTTP/S traffic through a local proxy server, while non-HTTP/S traffic flows directly to the network without being tunnelled at the IP layer. The configuration claims no included IP routes — it relies entirely on NEProxySettings to intercept HTTP/S traffic via the URL loading layer. private func configureIPSettings(_ settings: NEPacketTunnelNetworkSettings) { settings.ipv4Settings = NEIPv4Settings( addresses: ["192.168.1.1"], subnetMasks: ["255.255.255.255"] ) // No includedRoutes set — no IP traffic enters the tunnel } private func configureProxySettings(_ settings: NEPacketTunnelNetworkSettings) { let proxySettings = NEProxySettings() proxySettings.httpEnabled = true proxySettings.httpServer = NEProxyServer(address: "127.0.0.1", port: 9000) proxySettings.httpsEnabled = true proxySettings.httpsServer = NEProxyServer(address: "127.0.0.1", port: 9000) proxySettings.matchDomains = [""] settings.proxySettings = proxySettings } When matchDomains is nil or not set, HTTP/S traffic does not reach the local proxy in this configuration. Setting matchDomains = [""] makes it work correctly. The matchDomains documentation states: "If the destination host name of a HTTP connection shares a suffix with one of these strings then the proxy settings will be used." An empty string is a suffix of every string, so [""] matching all hostnames follows from that definition. But this isn't explicitly documented. Questions: Is matchDomains = [""] a supported and stable way to apply proxy settings to all HTTP/S traffic when no IP routes are claimed, or is this an unintended side-effect? Why does matchDomains = nil not apply the proxy globally in this configuration? The documentation doesn't describe its behaviour relative to IP routing. NEDNSSettings.matchDomains explicitly documents an empty string as matching all domains — is the same semantics intended for NEProxySettings.matchDomains?

I've been able to run this sample project with the PIRServer. But the urls are still not blocked. https://developer.apple.com/documentation/networkextension/filtering-traffic-by-url https://github.com/apple/pir-service-example I got this on the log Received filter status change: <FilterStatus: 'running'>