URL Filters not activating on iOS 27 beta

(Also submitted as FB23072541)

iOS 27 beta 1 brings a brand new error which ends up resulting in a state of .serverSetupIncomplete:

<NEPIRChecker: 0x7de6c79b60>: -[NEPIRChecker start:responseQueue:completionHandler:]_block_invoke - PIR status returned error <Error Domain=com.apple.CipherML Code=1100 "Unable to query status due to errors: Error details were logged and redacted." UserInfo={NSLocalizedDescription=Unable to query status due to errors: Error details were logged and redacted., NSUnderlyingError=0x7de712f4e0 {Error Domain=com.apple.CipherML Code=1800 "Error details were logged and redacted." UserInfo={NSLocalizedDescription=Error details were logged and redacted.}}}>
 
<NEAgentURLFilterExtension: 0x7de6d24e60>: -[NEAgentURLFilterExtension startURLFilter]_block_invoke - Failed to startFilter <Error Domain=NEMembershipCheckerErrorDomain Code=3 "(null)">

What’s a NEMembershipChecker? Member of what?

Digging deeper I found these:

Failed to prefetch tokens for group 'site.kaylees.Wipr2': Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good, NSErrorFailingURLKey=https://pirissuer.kaylees.site/token-key-for-user-token, NSUnderlyingError=0x7517125a40 {Error Domain=NSPOSIXErrorDomain Code=50 "Network is down" UserInfo={NSDescription=Network is down}}, _NSURLErrorPrivacyProxyFailureKey=true, NSLocalizedDescription=The Internet connection appears to be offline.}
 
queryStatus(for:options:) threw an error: Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good, NSErrorFailingURLKey=https://pirissuer.kaylees.site/token-key-for-user-token, NSUnderlyingError=0x7517125b00 {Error Domain=NSPOSIXErrorDomain Code=50 "Network is down" UserInfo={NSDescription=Network is down}}, _NSURLErrorPrivacyProxyFailureKey=true, NSLocalizedDescription=The Internet connection appears to be offline.}

The connection and the URL mentioned are fine of course, but "Network is down" now? This new problem only affects the App Store version of my app – not present if I install from Xcode.

Users report that oddly, having an active VPN on the device works around this bug.

The issue appears to be an OS-level provisioning bug with how Apple's internal Privacy Proxy handles production bundle identifiers.

  • Apple's CipherML is trying to route PIR token requests through a Privacy Proxy. In the beta, the App Store (production) build fails the NEMembershipChecker (Code 3). Because the membership check fails, the proxy isn't provisioned. Since CipherML is designed to "fail closed" if a proxy can't be established, the connection drops entirely, resulting in your -1009 Offline error and the _NSURLErrorPrivacyProxyFailureKey=true flag.
  • Dev-signed builds route to a proxy, so that's why Xcode works.
  • When a VPN is active, iOS bypasses internal system Privacy Proxies to avoid tunnel-in-tunnel conflicts. That's why VPNs work.

If you haven't already, install the VPN (NetworkExtension) debug profile on your test device. This will un-redact the com.apple.CipherML Code 1800 errors in the macOS Console and should explicitly confirm the proxy provisioning failure.

Update your Feedback/Radar ticket to highlight that NEMembershipChecker Code 3 is failing specifically for production-signed profiles, causing CipherML to fail closed on the privacy proxy.

Also, if the NEURLFilterManager or PIR configuration APIs allow it, see if there is a temporary parameter to set the proxy behavior to "fail open" (direct connection fallback) for the duration of the beta cycle.

> If you haven't already, install the VPN (NetworkExtension) debug profile on your test device. This will un-redact the com.apple.CipherML Code 1800 errors in the macOS Console and should explicitly confirm the proxy provisioning failure.

I’m pretty sure I had this already, that’s how I was able to get the logs above. Maybe it’s a different profile that will un-redact them?

> Update your Feedback/Radar ticket to highlight that NEMembershipChecker Code 3 is failing specifically for production-signed profiles, causing CipherML to fail closed on the privacy proxy.

It was already in there, but why not, done 😅

> Also, if the NEURLFilterManager or PIR configuration APIs allow it, see if there is a temporary parameter to set the proxy behavior to "fail open" (direct connection fallback) for the duration of the beta cycle.

There is a “fail open/close” parameter but I think it means a different thing in this context. Fail open means that the URL Filter won’t block a load that gets caught by the local prefilter if the server can’t be consulted, fail closed means it will block it.
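
A triage sketch for the log excerpts quoted in this thread, added here as an example and not code from any poster or from Apple: it pulls the nested NSError domain/code chain out of each line and separates a -1009 "offline" error raised while the network path is satisfied and the privacy-proxy flag is set from a genuinely offline one. The label names, the sample lines (shortened from the thread, plus one constructed offline case) and the reading of `_NSURLErrorPrivacyProxyFailureKey=true` as a proxy-layer failure are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: lines 1-3 are shortened from the excerpts quoted in the
# thread; line 4 is an invented genuinely-offline case for contrast.
SAMPLE_LOG = r'''
PIR status returned error <Error Domain=com.apple.CipherML Code=1100 "Unable to query status due to errors" UserInfo={NSUnderlyingError=0x0 {Error Domain=com.apple.CipherML Code=1800 "Error details were logged and redacted."}}>
Failed to startFilter <Error Domain=NEMembershipCheckerErrorDomain Code=3 "(null)">
queryStatus(for:options:) threw an error: Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], NSErrorFailingURLKey=https://pirissuer.kaylees.site/token-key-for-user-token, NSUnderlyingError=0x0 {Error Domain=NSPOSIXErrorDomain Code=50 "Network is down"}, _NSURLErrorPrivacyProxyFailureKey=true}
fetch failed: Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_NSURLErrorNWPathKey=unsatisfied (No network route), NSErrorFailingURLKey=https://example.invalid/status}
'''.strip().splitlines()

ERROR_RE = re.compile(r'Error Domain=([\w.]+) Code=(-?\d+)')
URL_RE = re.compile(r'NSErrorFailingURLKey=([^,}\s]+)')

def error_chain(line):
    """(domain, code) pairs in outer-to-inner order, as NSError nests them."""
    return [(d, int(c)) for d, c in ERROR_RE.findall(line)]

def failing_url(line):
    """URL from NSErrorFailingURLKey, or None when the line carries none."""
    m = URL_RE.search(line)
    return m.group(1) if m else None

def classify(line):
    """Label one log line; the labels are this example's own names."""
    chain = error_chain(line)
    if ("NSURLErrorDomain", -1009) in chain:
        path_ok = "_NSURLErrorNWPathKey=satisfied" in line
        proxy_failed = "_NSURLErrorPrivacyProxyFailureKey=true" in line
        # Assumption: "offline" with a satisfied path and the proxy flag set
        # is a proxy-layer failure rather than a dead network link.
        return "privacy-proxy-failure" if path_ok and proxy_failed else "offline"
    if ("NEMembershipCheckerErrorDomain", 3) in chain:
        return "membership-check-failed"
    if any(domain == "com.apple.CipherML" for domain, _ in chain):
        return "pir-status-error"
    return "other"

def summarize(lines):
    """Count labels and collect the endpoints hit by proxy-layer failures."""
    counts = Counter(classify(l) for l in lines)
    urls = sorted({failing_url(l) for l in lines
                   if classify(l) == "privacy-proxy-failure"})
    return counts, urls

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
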
