Hello, Our app uses Network Extension / Packet Tunnel Provider to establish VPN connections on macOS and iOS. We have observed that after creating a utun device and adding any IPv4 routes (NEPacketTunnelNetworkSettings.IPv4Settings), the OS automatically adds several host routes via utun to services such as Akamai, Apple Push, etc. These routes appear to correspond to TCP flows that were active at the moment the VPN connection was established. When a particular TCP flow ends, the corresponding host route is deleted. We understand this is likely intended to avoid breaking existing TCP connections. However, we find the behavior of migrating existing TCP flows to the new utun interface simply because any IPv4 route is added somewhat questionable. This approach would make sense in a "full-tunnel" scenario — for example, when all IPv4 traffic (e.g., 0.0.0.0/0) is routed through the tunnel — but not necessarily in a "split-tunnel" configuration where only specific IPv4 routes are added. Is there any way to control or influence this behavior? Would it be possible for FlowDivert to differentiate between full-tunnel and split-tunnel cases, and only preserve existing TCP flows via utun in the full-tunnel scenario? Thank you.

Here's what the documentation says https://developer.apple.com/documentation/networkextension/maintaining-a-reliable-network-connection Confirm that your NEAppPushProvider implementation doesn’t create a retain cycle with itself. After you call the completionHandler that the system passes to stop(with:completionHandler:), the Network Extension framework releases your NEAppPushProvider instance. This instance typically deallocates from memory when released, but if the instance has a retain cycle with itself, it fails to deallocate and wastes memory. Failure to deallocate can also cause the system to have two or more instances of your push provider, leading to inconsistent behavior. Use Instruments or add a logging statement to deinit to verify that your NEAppPushProvider deinitializes when expected. I observe that when I turn off the wifi, the AppPushProvider subclass fully deinitializes. But when I call removeFromPreferences on the NEAppPushManager from the app, it calls stop() on my AppPushProvider subclass, but it does not initialize. Should I be alarmed by this behavior? Will this cause a memory leak? Will this cause multiple Extension/AppPushProviders to be operating concurrently? For testing, I've removed everything except for logs and some singleton calls. No closures capturing self, and no strong references of self being passed anywhere. I am also not using the debugger, and am using the console to debug.

I have written the Transparent App Proxy and can capture the network flow and send it to my local server. I want to avoid any processing on the traffic outgoing from my server and establish a connection with a remote server, but instead of connecting to the remote server, it again gets captured and sent back to my local server. I am not getting any clue on how to ignore these flows originating from my server. Any pointers, API, or mechanisms that will help me?

I've had no problem running my app in a simulator or on a device, but today my app is failing on a URLRequest to my local machine (in a sim). From the same simulator I can go to Safari and manually enter the URL that the app is using (and that appears in the error message), and it works fine. I think there was a recent Xcode update; did something change in this regard?

I'm a long-time developer, but pretty new to Swift. I'm trying to get information from a web service (and found code online that I adjusted to build the function below). (Note: AAA_Result -- referenced towards the end -- is another class in my project) Trouble is, I'm getting the subject error on the call to session.dataTask. Any help/suggestions/doc pointers will be greatly appreciated!!! var result: Bool = false var cancellable: AnyCancellable? self.name = name let params = "json={\"\"}}" // removed json details let base_url = URL(string: "https://aaa.yyy.com?params=\(params)&format=json")! // removed URL specifics do { let task = URLSession.shared.dataTask(with: base_url) { data, response, error in if let error = error { print("Error: \(error)") } guard let response = response as? HTTPURLResponse, (200...299).contains(response.statusCode) else { print("Error \(String(describing: response))") } do { let decoder = JSONDecoder() let ar = try decoder.decode(AAA_Result.self, from: response.value) // removed specific details... result = true } catch { print(error) } } task.resume() } catch { print(error) } return result }

I'm developing a Matter-over-thread generic switch with 2 generic switch endpoints. This is configured as an Intermittently Connected Device with Long Idle Time. I have an Apple TV serving as the thread border router. I'm able to commission the device successfully in the Home app and assign actions to each of the buttons however when the device is rebooted the subscription doesn't appear to resume successfully and the buttons no longer work. I've tested this on various SOC's with their respective SDKs including ESP32-C6, nrf52840 and EFR32MG24 and the behaviour was consistent across all of them. It was working originally when I first started out on the ESP32-C6, then the issue popped up first when I was testing the nrf52840. In that SDK I set persistent subscriptions explicitly and it seemed to resolve the issue until it popped up again when I found that unplugging and restarting the Apple TV completely which appeared to fix the issue with subscriptions not resuming. Recently I've added a Home Pod Mini Gen 2 to the matter fabric so there are now two TBR on the network and restarting both the Apple TV and the HomePod doesn't appear to resolve the issue anymore and the subscriptions are not resuming across all three SOC's on device reboot I'm wondering if there might be something preventing the subscriptions from resuming?

For our outdoor power supply company that builds public WiFi networks at camping sites, we want to implement the following features in our app: Scan surrounding WiFi networks When detecting specific public WiFi SSIDs, provide users with corresponding passwords Automatically connect to those WiFi networks Regarding the NEHotspotHelper API permission application, when I clicked on https://developer.apple.com/contact/request/network-extension, it redirected me to https://developer.apple.com/unauthorized/. I'm not sure where to properly apply for this permission now.

multicast sockets fail to send/receive on macosx, errno 65 "no route to host". Wireshark and Terminal.app (which have root privileges) both show incoming multicast traffic just fine. Normal UDP broadcast sockets have no problems. Toggling the Security&Privacy -> Local Network setting may fix the problem for some Users. There is no pattern for when multicast socket fails. Sometimes, recreating the sockets fix the problem. Restart the app, sometimes multicast fails, sometimes success (intermittent, no pattern). Reboot machine (intermittent fail) Create a fresh new user on machine, install single version of app, give app permission. (intermittent fail, same as above). We have all the normal entitlements / notarized app. Similar posts here see FB16923535, Related to FB16512666 https://forum.xojo.com/t/udp-multicast-receive-on-mac-failing-intermittant/83221 see my post from 2012 "distinguishing between SENDING sockets and RECEIVING sockets" for source code example of how we bind multicast sockets. Our other socket code is standard "Stevens, et al." code. The bind() is the call that fails in this case. https://stackoverflow.com/questions/10692956/what-does-it-mean-to-bind-a-multicast-udp-socket . Note that this post from 2012 is still relevant, and that it is a workaround to a longstanding Apple bug that was never fixed. Namely, "Without this fix, multicast sending will intermittently get sendto() errno 'No route to host'. If anyone can shed light on why unplugging a DHCP gateway causes Mac OS X multicast SENDING sockets to get confused, I would love to hear it." This may be a hint as to the underlying bug that Apple really needs to fix, but if it's not, then please Apple, fix the Sequoia bug first. These are probably different bugs because in one case, sendto() fails when a socket becomes "unbound" after you unplug an unrelated network cable. In this case, bind() fails, so sendto() is never even called. Note, that we have also tried to use other implementations for network discovery, including Bonjour, CFNetwork, etc. Bonjour fails intermittently, and also suffers from both bugs mentioned above, amongst others.

I develop a terminal app with c++. Everything was fin until i upgraded to Sequoia. If i debug my program with Xcode, all requests to a local network like MQTT fails. How can i grant XCODE the privilege to access the local network?

We have a VPN app built using PacketTunnelProvider and support per-app VPN on iOS. We're currently investigating an issue specific to per-app VPN configurations that use split tunneling, where some URLs are routed through the VPN tunnel while others are intended to go directly. Tunneled traffic works as expected. However, for direct traffic, we observe intermittent failures where the browser does not receive an ACK, leading to repeated retransmissions and eventual page load failures. This issue appears only in per-app VPN scenarios, and we've reproduced it across multiple MDM solutions (Intune, CEM) and multiple managed browsers. It's intermittent but frequently reproducible with common public URLs routed directly. Key observations: writePackets returns true, confirming the VPN app writes packets to the TUN interface. Despite that, the browser often fails to acknowledge receipt (no ACK), suggesting it may not receive the packet at all. We suspect a possible packet loop, where packets written to TUN are immediately read back by the app. However, due to the intermittent nature of the issue, this is hard to confirm. A consistent loop would likely result in persistent failures, not sporadic ones. We are attaching: A Wireshark summary - highlighting the missing ACK and retransmission pattern. As we cannot attach the xlsx file or a zip file, we have took the screenshots of the files names as image1, image2, image3, image4 and image5 in sequence. Dails on the iOS device and MDM environment. NETunnelProviderProtocol configuration that reproduces the issue Any guidance on how to further debug this, particularly on confirming packet delivery to the browser and identifying potential loops would be greatly appreciated. Thank you. e t

For our outdoor power supply company that builds public WiFi networks at camping sites, we want to implement the following features in our app: Scan surrounding WiFi networks When detecting specific public WiFi SSIDs, provide users with corresponding passwords Automatically connect to those WiFi networks Regarding the NEHotspotHelper API permission application, when I clicked on https://developer.apple.com/contact/request/network-extension, it redirected me to https://developer.apple.com/unauthorized/. I'm not sure where to properly apply for this permission now.

Hello, im currently developing proxy app with XrayCore trying to bypass APNs when tunnel us up and i found .excludeAPNs property in NETunnelProviderProtocol that works only when includeAllNetworks property is also TRUE. I wonder if there is a possible way to make APNs bypass tunnel in split tunnelling mode? because we use excludedRoutes and full tunnel is not an option

Sometimes when adding a VPN configuration, it just redirects to the Settings app and doesn’t continue with the rest of the configuration process like prompting for passcode. But it proceeds as normal after the 2nd or 3rd try. This issue is occurring on iOS 18.5 build 22F5068a but it has been a problem over several versions now. Feedback ID: FB17458055

In our project, we download H5 resources to the local device and then open the H5 pages through WKWebView(-loadFileURL:allowingReadAccessToURL:). When the H5 pages request server resources, cookies are required. Before opening the H5 page, we set the required cookies in the WKHTTPCookieStore using the setCookie method. Additionally, we set the allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs properties for the WebView. On other mobile phones, the cookies can be carried normally. However, on mobile phones running the iOS 18.0 system, the cookies cannot be carried. Moreover, this problem only emerged after we upgraded Xcode to version 16.2. We've also tried injecting cookies via JavaScript, but it didn't work(document.cookie = xx=${xx}; path=/; expires=weekday, xx jan xxxx xx:xx:xx GMT; Domain=example.com; Secure; SameSite=None ;). Can anyone help me on this? Thanks in advance.

On an iOS 18 device, after installing the application and initially denying local network permission when prompted, manually enabling this permission in the system settings does not resolve the issue. After uninstalling and reinstalling the app, although local network access is granted, the app cannot discover smart hardware devices over the local area network (LAN) or proceed with configuration. The smart hardware sends configuration data packets over the LAN, but the app fails to receive these packets. This issue persists even after another uninstall and reinstall of the app. However, rebooting the device restores normal functionality. Steps to Reproduce: Install the application on an iOS 18 device. Upon first launch, deny the request for local network permissions. Manually enable local network permissions via "Settings" > [App Name]. Uninstall and then reinstall the application. Attempt to discover and configure smart hardware devices using the app. Notice that the app fails to receive configuration data packets sent by the smart hardware over the LAN. Expected Result: The application should be able to normally receive configuration data packets from smart hardware devices over the LAN and successfully complete the configuration process after obtaining local network permissions. Actual Result: Even after being granted local network permissions, the application cannot discover devices or receive configuration data packets over the LAN unless the iPhone device is rebooted. (reinstall app and obtaining local network permissions is not work too.)

We are developing a desktop app for macOS, built with Electron + Angular + Node.js. The app has the ability to access devices on the local network. We are having some trouble with the behavior of the "Local Network" feature added in macOS 15. Procedure: MacBook Pro 14inch (M1Pro) 2021, 16GB memory - macOS Sequoia15.4.1 Network Environment: The PC and the access point are connected by wire, and the target device and the access point are also connected by wire. Not connected to an external network Install the target app Start the application and allow the "Local Network" dialog that appears Open the "Local Network" item in "Privacy and Security" and make sure the target app is allowed. Confirm that you can access the target device on the local network Restart the PC Open the "Local Network" item in "Privacy and Security" and make sure the target app is allowed. Start the app and access the target device on the local network Result: Access to the target device may fail (this does not occur 100% of the time) If you turn the target app in the "Local Network" section of "Privacy and Security" OFF and then ON, you will be able to connect However, it seems that the problem may occur again if you restart your PC. According to our research, the probability of this happening increases if the target app is the only app allowed on the "local network". This happens not only with our app, but also when you follow the above steps in "Google Chrome". Based on the above investigation results, I suspect that this is a problem with the OS. What do you think?

Hi everyone, I'm developing a visionOS app that allows users to download large video files (similar to a movie download experience, with each file being around 10 GB). I've successfully implemented the core video download functionality using URLSession, and everything works as expected while the app is active. Now, I’m looking to support background downloading. Specifically, I want users to be able to start a download and then leave the app (e.g., switch apps or return to the home screen) while the download continues in the background. Additionally, I’d like to confirm a specific scenario: If the user starts a download, then removes the headset (keeping the device turned on and connected to power), will the download continue in the background? Or does visionOS suspend the app or downloads in this case? I’m considering using a background URLSessionConfiguration (as done in iOS/macOS) to enable this behavior, but I’m not sure if it behaves the same way on visionOS or if there are special limitations or best practices when handling large downloads on this platform. Any insights or official guidance would be greatly appreciated! Thanks!

Hi folks, I'm building an iOS companion app to a local hosted server app (hosted on 0.0.0.0). The MacOS app locally connects to this server hosted, and I took the approach of advertising the server using a Daemon and BonjourwithTXT(for port) and then net service to resolve a local name. Unfortunately if there's not enough time given after the iPhone/iPad is plugged in (usb or ethernet), the app will cycle through attempts and disconnects many times before connecting and I'm trying to find a way to only connect when a viable en interface is available. I've run into a weird thing in which the en interface only becomes seen on the NWMonitor after multiple connection attempts have been made and failed. If I screen for en before connecting it simply never appears. Is there any way to handle this such that my app can intelligently wait for an en connection before trying to connect? Attaching my code although I have tried a few other setups but none has been perfect. func startMonitoringAndBrowse() { DebugLogger.shared.append("Starting Bonjour + Ethernet monitoring") if !browserStarted { let params = NWParameters.tcp params.includePeerToPeer = false params.requiredInterfaceType = .wiredEthernet browser = NWBrowser(for: .bonjourWithTXTRecord(type: "_mytcpapp._tcp", domain: nil), using: params) browser?.stateUpdateHandler = { state in if case .ready = state { DebugLogger.shared.append("Bonjour browser ready.") } } browser?.browseResultsChangedHandler = { results, _ in self.handleBrowseResults(results) } browser?.start(queue: .main) browserStarted = true } // Start monitoring for wired ethernet monitor = NWPathMonitor() monitor?.pathUpdateHandler = { path in let hasEthernet = path.availableInterfaces.contains { $0.type == .wiredEthernet } let ethernetInUse = path.usesInterfaceType(.wiredEthernet) DebugLogger.shared.append(""" NWPathMonitor: - Status: \(path.status) - Interfaces: \(path.availableInterfaces.map { "\($0.name)[\($0.type)]" }.joined(separator: ", ")) - Wired Ethernet: \(hasEthernet), In Use: \(ethernetInUse) """) self.tryToConnectIfReady() self.stopMonitoring() } monitor?.start(queue: monitorQueue) } // MARK: - Internal Logic private func handleBrowseResults(_ results: Set<NWBrowser.Result>) { guard !self.isResolving, !self.hasResolvedService else { return } for result in results { guard case let .bonjour(txtRecord) = result.metadata, let portString = txtRecord["actual_port"], let actualPort = Int(portString), case let .service(name, type, domain, _) = result.endpoint else { continue } DebugLogger.shared.append("Bonjour result — port: \(actualPort)") self.resolvedPort = actualPort self.isResolving = true self.resolveWithNetService(name: name, type: type, domain: domain) break } } private func resolveWithNetService(name: String, type: String, domain: String) { let netService = NetService(domain: domain, type: type, name: name) netService.delegate = self netService.includesPeerToPeer = false netService.resolve(withTimeout: 5.0) resolvingNetService = netService DebugLogger.shared.append("Resolving NetService: \(name).\(type)\(domain)") } private func tryToConnectIfReady() { guard hasResolvedService, let host = resolvedHost, let port = resolvedPort else { return } DebugLogger.shared.append("Attempting to connect: \(host):\(port)") discoveredIP = host discoveredPort = port connectionPublisher.send(.connecting(ip: host, port: port)) stopBrowsing() socketManager.connectToServer(ip: host, port: port) hasResolvedService = false } } // MARK: - NetServiceDelegate extension BonjourManager: NetServiceDelegate { func netServiceDidResolveAddress(_ sender: NetService) { guard let hostname = sender.hostName else { DebugLogger.shared.append("Resolved service with no hostname") return } DebugLogger.shared.append("Resolved NetService hostname: \(hostname)") resolvedHost = hostname isResolving = false hasResolvedService = true tryToConnectIfReady() } func netService(_ sender: NetService, didNotResolve errorDict: [String : NSNumber]) { DebugLogger.shared.append("NetService failed to resolve: \(errorDict)") } }

I'm using NERelayManager to set Relay configuration which all works perfectly fine. I then do a curl with the included domain and while I see QUIC connection succeeds with relay server and H3 request goes to the server, the connection gets abruptly closed by the client with "Software caused connection abort". Console has this information: default 09:43:04.459517-0700 curl nw_flow_connected [C1.1.1 192.168.4.197:4433 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, ipv6, dns, uses wifi)] Transport protocol connected (quic) default 09:43:04.459901-0700 curl [C1.1.1 192.168.4.197:4433 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, ipv6, dns, uses wifi)] event: flow:finish_transport @0.131s default 09:43:04.460745-0700 curl nw_flow_connected [C1.1.1 192.168.4.197:4433 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, ipv6, dns, uses wifi)] Joined protocol connected (http3) default 09:43:04.461049-0700 curl [C1.1.1 192.168.4.197:4433 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, ipv6, dns, uses wifi)] event: flow:finish_transport @0.133s default 09:43:04.465115-0700 curl [C2 E47A3A0C-7275-4F6B-AEDF-59077ABAE34B 192.168.4.197:4433 quic, multipath service: 1, tls, definite, attribution: developer] cancel default 09:43:04.465238-0700 curl [C2 E47A3A0C-7275-4F6B-AEDF-59077ABAE34B 192.168.4.197:4433 quic, multipath service: 1, tls, definite, attribution: developer] cancelled [C2 FCB1CFD1-4BF9-4E37-810E-81265D141087 192.168.4.139:53898<->192.168.4.197:4433] Connected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, ipv6, dns, uses wifi Duration: 0.121s, QUIC @0.000s took 0.000s, TLS 1.3 took 0.111s bytes in/out: 2880/4322, packets in/out: 4/8, rtt: 0.074s, retransmitted bytes: 0, out-of-order bytes: 0 ecn packets sent/acked/marked/lost: 3/1/0/0 default 09:43:04.465975-0700 curl nw_flow_disconnected [C2 192.168.4.197:4433 cancelled multipath-socket-flow ((null))] Output protocol disconnected default 09:43:04.469189-0700 curl nw_endpoint_proxy_receive_report [C1.1 IPv4#124bdc4d:80 in_progress proxy (satisfied (Path is satisfied), interface: en0[802.11], ipv4, ipv6, dns, proxy, uses wifi)] Privacy proxy failed with error 53 ([C1.1.1] masque Proxy: http://192.168.4.197:4433) default 09:43:04.469289-0700 curl [C1.1.1 192.168.4.197:4433 failed socket-flow (satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, ipv6, dns, uses wifi)] event: flow:failed_connect @0.141s, error Software caused connection abort Relay server otherwise works fine with our QUIC MASQUE clients but not with built-in macOS MASQUE client. Anything I'm missing?

Dear Apple: In our app, we will call the - (void) applyConfiguration:(NEHotspotConfiguration *) configuration completionHandler:(void (^)(NSError * error)) completionHandler; interface of NEHotspotConfigurationManager on Apple devices. However, we are encountering a problem where the connection to the 2.4G hotspot fails, and the error is nil when it fails. We checked the Wi-Fi air interface and found that the Apple phone does not send a probe request before connecting to the hotspot. However, we are unclear why the Apple device does not send the probe request frame. Could you please help us understand when the probe request frame is not sent during the hotspot connection and how to trigger it to send the probe request frame every time? Thank you.