I'm developing an iOS app that needs to continuously inform a server whether the user's paired Apple Watch is currently reachable for interactive messaging. If this reachability is lost unexpectedly, the server should be alerted within seconds. This is a safety-critical feature where reliability is essential. The goal (abstractly): The iPhone app needs real-time or near-real-time awareness of whether the paired Apple Watch is reachable. The specific mechanism doesn't matter - I'm open to any approach that achieves this reliably. Context - what already works: The iPhone app successfully maintains continuous server connectivity using an NEAppPushProvider network extension. In practice, this runs reliably in the background and sends periodic heartbeats to the server regardless of main app state. This pattern works well for the phone component. I need to extend this to include the watch's connectivity status in those server updates. Note: WCSession APIs are only available in the main app process, not the Network Extension, so any watch connectivity information must be bridged via the main iOS app (e.g. shared UserDefaults and Darwin notifications). What I've tried: 1. Companion watchOS app sending heartbeats to iPhone via WCSession This was my primary approach: a watchOS app sends messages to the iPhone at short intervals using WCSession.sendMessage(). The iPhone forwards this to the server. If heartbeats stop, the server raises an alert. (I tested various intervals from 2-15 seconds; the specific interval doesn't matter because the fundamental problem is that the watch app is suspended regardless.) Problem: The watch app is suspended almost immediately when: The user presses the Digital Crown The user switches to another app The watch screen dims and shows the clock face (even without explicit backgrounding) Once suspended, Timer.scheduledTimer() stops firing and no heartbeats are sent. 2. WCSession.isReachable monitoring on iPhone I hoped the iPhone could monitor WCSession.isReachable to detect when the watch becomes unreachable. Problem: isReachable indicates whether the counterpart app is reachable for interactive messaging, not the underlying physical connection. It returns false for many reasons - watch app suspended, backgrounded, or various system conditions - making it unreliable as a proxy for actual watch connectivity. The iPhone cannot distinguish "watch app not ready for messaging" from "watch physically disconnected". 3. WKExtendedRuntimeSession on watchOS Problem: Only available for specific scenarios (workout, mindfulness, etc.). My use case is general activity, not fitness tracking. Misusing workout sessions would likely be rejected by App Review. 4. WKApplicationRefreshBackgroundTask on watchOS Problem: These tasks are system-scheduled with timing that varies from minutes to hours depending on system conditions. Far too slow and unpredictable for second-level detection. 5. BLE advertising from watchOS app Problem: BLE advertising stops when the watchOS app is suspended. Same fundamental limitation as the timer approach. 6. Server directly pinging the watch (ICMP or similar) Problem: While Apple Watch can have an IP address via Wi-Fi or cellular (on LTE models), inbound connections to the watch aren't feasible - the watch is behind NAT with no public address, and watchOS doesn't support inbound server sockets (especially in background). This approach isn't practical regardless of connection type. 7. CoreBluetooth scanning from iPhone Problem: Apple Watch doesn't advertise as a discoverable BLE peripheral to third-party apps. The system-level pairing isn't exposed. Why this works on Android/WearOS: On WearOS, a Foreground Service continues running in the background regardless of UI state or screen status (subject to standard OS background limits, but in practice it works reliably). The service sends heartbeats via MessageClient consistently. This "always-on background execution" pattern has no equivalent on watchOS. Questions: Is there any mechanism for an iPhone app to have continuous or regularly-updated knowledge of whether a paired Apple Watch is connected and reachable for interactive messaging - ideally without requiring a watchOS companion app to be in the foreground? Are there any system-level APIs or entitlements (perhaps requiring special approval) that expose watch pairing/connectivity events to iOS apps? Is there any watchOS background execution mechanism I've missed that could keep code running reliably when the app isn't in the foreground? Has anyone solved a similar "detect wearable connectivity loss in real-time" problem on the Apple platform? I understand Apple designed watchOS with aggressive power management for good reasons. If continuous connectivity monitoring truly isn't possible, I'd appreciate confirmation so I can set appropriate user expectations. But given this is a safety-critical use case, I'm hoping there's an approach I've overlooked.

I filed FB19631435 about this just now. Basically: starting with 15.6, we've had reports (internally and outternally) that after some period of time, networking fails so badly that it can't even acquire a DHCP lease, and the system needs to be rebooted to fix this. The systems in question all have at least 2 VPN applications installed; ours is a transparent proxy provider, and the affected system also had Crowdstrike's Falcon installed. A customer system reported seemingly identical failures on their systems; they don't have Crowdstrike, but they do have Cyberhaven's. Has anyone else seen somethng like this? Since it seems to involve three different networking extensions, I'm assuming it's due to an interaction between them, not a bug in any individual one. But what do I know? 😄

I haven’t been able to get this to work at any level! I’m running into multiple issues, any light shed on any of these would be nice: I can’t implement a bloom filter that produces the same output as can be found in the SimpleURLFilter sample project, after following the textual description of it that’s available in the documentation. No clue what my implementation is doing wrong, and because of the nature of hashing, there is no way to know. Specifically: The web is full of implementations of FNV-1a and MurmurHash3, and they all produce different hashes for the same input. Can we get the proper hashes for some sample strings, so we know which is the “correct” one? Similarly, different implementations use different encodings for the strings to hash. Which should we use here? The formulas for numberOfBits and numberOfHashes give Doubles and assign them to Ints. It seems we should do this conversing by rounding them, is this correct? Can we get a sample correct value for the combined hash, so we can verify our implementations against it? Or ignoring all of the above, can we have the actual code instead of a textual description of it? 😓 I managed to get Settings to register my first attempt at this extension in beta 1. Now, in beta 2, any other project (including the sample code) will redirect to Settings, show the Allow/Deny message box, I tap Allow, and then nothing happens. This must be a bug, right? Whenever I try to enable the only extension that Settings accepted (by setting its isEnabled to true), its status goes to .stopped and the error is, of course, .unknown. How do I debug this? While the extension is .stopped, ALL URL LOADS are blocked on the device. Is this to be expected? (shouldFailClosed is set to false) Is there any way to manually reload the bloom filter? My app ships blocklist updates with background push, so it would be wasteful to fetch the filter at a fixed interval. If so, can we opt out of the periodic fetch altogether? I initially believed the API to be near useless because I didn’t know of its “fuzzy matching” capabilities, which I’ve discovered by accident in a forum post. It’d be nice if those were documented somewhere! Thanks!!

Hello, A customer has requested the development of a home assistance app to be published on the App Store. The app will connect to a server running locally at the end user's home, for example on a Raspberry Pi. Users would enter the IP address or hostname of their personal server into the app. A strict requirement is that, for data protection reasons, there must not be any proxy server. The app should only communicate directly with the local server (e.g., Raspberry Pi). We are able to solve technical challenges such as DNS, dynamic IP, and port forwarding, router configuration. However, I'm concerned about Apple's requirement that the endpoint – in this case, the Raspberry Pi at the user's home – must not use self-signed SSL certificates. While it may be technically possible to secure the home server with a certificate provider like Let's Encrypt, it is unrealistic to expect a typical user with no technical training to accomplish this setup independently. Is there a recommended solution to this problem, particularly in the context of IoT devices and apps? Any advice or experiences would be deeply appreciated.

I added a Content Filter to my app, and when running it in Xcode (Debug/Release), I get the expected permission prompt: "Would like to filter network content (Allow / Don't Allow)". However, when I install the app via TestFlight, this prompt doesn’t appear at all, and the feature doesn’t work. Is there a special configuration required for TestFlight? I already set the minimum deployment to be 17 for the extension and the app. Thanks!

I've been working through some issues here attempting to migrate away from the MultiPeer Connectivity following the guidance in here, Moving from Multipeer Connectivity to Network Framework, and implementing a home-grown solution using NWBrowser and NWListener and NWConnections. I feel like I am 95% of the way there, but am experiencing an issue where my connection attempts seem to fail about 50% of the time. If I have two nodes say, one a physical iPad, and one a simulator on my Mac. I can start them both up, and they are both discovered with Bounjour no problem. Sometimes the "connect" no problem. Othertimes however when I attempt to "connect" from one device to the other, I get failures. I'd say it's about 50/50 success - fail at this point. The "dialing" device state enters "preparing" but never progesses past that, and on the "receiving end" I see receive error: POSIXErrorCode(rawValue: 61): Connection refused I'm at my wits end here with this, everything else in my migration I think is done...just need some insights maybe on potential causes for that error...

Hi everyone, I’m running into an issue with IP over Thunderbolt connectivity between my Mac and Windows PC after updating to macOS 26.2. Previously, this setup worked fine on macOS 15. However, since the update, I haven't been able to establish a connection. Here is what I have tested so far: Mac M1 and Mac M3 (Updated to macOS 26.2): Both are unable to connect to Windows. Mac M2 (Running macOS 15.4): This device still connects to Windows without any issues. macOS 26.2 (Mac M1) <-> macOS 26.2 (Mac M3): Connection successful. Since my M3 Mac worked correctly before the update (when it was on macOS 15), and Mac-to-Mac connection still works on the new OS, I have a few questions: Is there a new setting I need to configure? Has this feature changed in macOS 26? Could you please confirm if IP over Thunderbolt connections to Windows have been explicitly blocked or deprecated in macOS 26? Thanks for any help! Mac M3 macOS 26.2 FAIL Mac M2 macOS 15.4 OK

I use Iphone 17 wifi to test the device and mobile phone communicate,but I found the wifi disconnect innormal in hign frequency. This situation is only appears in iphone 17 series, iphone 14 and 15 is ok, so I think iphone 17 wifi chip or software has bugs. the local network disconnect in hign frequency.

Hello! I have read most of the "Background Tasks Resources" here https://developer.apple.com/forums/thread/707503 - but still have a few questions that I need clarified. To provide our context, our usecase is that our user wants to upload files to our servers. This is an active decision by the user to initiate the upload, but we also want make sure the files are uploaded, even if the user chooses to background our app. If we use a URLSession.backgroundto initiate the uploadTask, I understand that we are passing it of to the urlsession deamon to handle the upload. Which is great, if the user chooses to background our app. But, what if they just stay with the app in the foreground? Will it start uploading immediately? Can we expect the same latency that a standard URLSession will provide? And the potential delay will only occur if they actually background our app. Also, what happens if a background upload is in-progress and the user enters our app again? Will it gain priority, and run with similar latency as standard URL session? I.e., can we just always rely on using a background session, or should we kick of a beginBackgroundTask with a standard URL session, and only trigger a background uploadTask if we do not finish the standard upload before getting told we are about to get killed? A different question. I know there is the rate-limit delay added if we trigger multiple background URL tasks. Does that effect the following use case? We would like to send an additional HTTP request to our servers when the upload is completed, to notify it of the completion, but are we allowed to do that when the app is woken from the background? So, basically calling .dataTask from handleEventsForBackgroundURLSession for example?

General: Forums subtopic: App & System Services > Networking DevForums tag: Network Extension Network Extension framework documentation Routing your VPN network traffic article Filtering traffic by URL sample code Filtering Network Traffic sample code TN3120 Expected use cases for Network Extension packet tunnel providers technote TN3134 Network Extension provider deployment technote TN3165 Packet Filter is not API technote Network Extension and VPN Glossary forums post Debugging a Network Extension Provider forums post Exporting a Developer ID Network Extension forums post Network Extension Framework Entitlements forums post Network Extension vs ad hoc techniques on macOS forums post Network Extension Provider Packaging forums post NWEndpoint History and Advice forums post Extra-ordinary Networking forums post Wi-Fi management: Wi-Fi Fundamentals forums post TN3111 iOS Wi-Fi API overview technote How to modernize your captive network developer news post iOS Network Signal Strength forums post See also Networking Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

We have an application which is written in Swift, which activates Transparent Proxy network extension. Our Transparent Proxy module is a system extension, which is exposing an app proxy provider interface (We are using NETransparentProxyProvider class and in extension’s Info.plist we use com.apple.networkextension.app-proxy key.) Sometimes we have observed that on starting the transparent proxy extension, the startProxy overridden delegate method(override func startProxy(options: [String : Any]?, completionHandler: @escaping (Error?) -> Void) {) in our AppProxyProvider class which is derived from NETransparentProxyProvider being called more than once for the same extension(pid). This leads to Over-resume of an object crash as we invoke setTunnelNetworkSettings inside the startProxy delegate. As this is controlled by the system, we are not sure why this delegate being called more than once sometimes even if we call the start TransparentProxy only once. Note that, this issue is seen only in Mac OS Tahoe. Apple Feedback ticket: FB21464147 (startProxy delegate for NETransparentProxyProvider class is being called twice for the same pid extension sometimes)

When connecting to my M1 mac mini over ssh, certain programs are often unable to reach network destinations in the corporate LAN, although they can usually reach external addresses like www.apple.com. For example, a java program attempting to download from teamcity.dev.corp.com:8111 often fails like: java.net.NoRouteToHostException: No route to host Running the exact same command from the Apple Terminal program works like normal, simply connecting over ethernet on en0 to a TeamCity server inside the same building. Basic diagnostics from the ssh session do not show anything unusual: > traceroute teamcity.dev.corp.com traceroute to teamcity.dev.corp.com (10.21.4.1), 64 hops max, 40 byte packets 1 teamcity.dev.corp.com (10.21.4.1) 1.702 ms 0.409 ms 0.336 ms > route -n get teamcity.dev.corp.com route to: 10.21.4.1 destination: 10.21.4.1 interface: en0 flags: <UP,HOST,DONE,LLINFO,WASCLONED,IFSCOPE,IFREF> recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire 0 0 0 0 0 0 1500 1194 > uname -a Darwin mac 25.1.0 Darwin Kernel Version 25.1.0: Mon Oct 20 19:32:47 PDT 2025; root:xnu-12377.41.6~2/RELEASE_ARM64_T8103 arm64 Similar problems occur in docker commands to a remote daemon ("no route to host" or "connection refused"): docker -H tcp://<ip>:<port> ... Most other programs are never affected by this problem. Are there other diagnostic steps that might reveal the cause?

I want to configure one aspect of my networking configuration (the QUIC keepalive interval). This only seems to be configurable via Network.framework’s nw_quic_set_keepalive_interval. Is there any way to apply this to a URLSession? Or do I need to implement the whole connection management myself using Network.framework?

When setting new entitlements com.apple.developer.networking.carrier-constrained.appcategory and com.apple.developer.networking.carrier-constrained.app-optimized, I have a question about how URLSession should behave. I notice we have a way to specify whether a Network connection should allow ultra-constrained paths via NWParameters allowUltraConstrainedPaths: https://developer.apple.com/documentation/network/nwparameters/allowultraconstrainedpaths There does not appear to be a similar property on URLSessionConfiguration. In an ultra-constrained (eg. satellite) network, should we expect all requests made through an URLSession to fail? Does all network activity when ultra-constrained need to go through a NWConnection or NetworkConnection specifically configured with allowUltraConstrainedPaths, or can URLSession ever be configured to allow ultra-constrained paths?

Hello, I have a .app that runs as LaunchDaemon and configured to be an Agent (LSUIElement) that is stored in /Applications. Installing network extensions works, but deactivation fails with OSSystemExtensionErrorDomain error 13 (authorization required). requestNeedsUserApproval is not called for deactivation, but it's called when being activated. Any ideas? Thank you! P.S. It works on Debug, just not on Release...

Hi all, I have a working macOS (Intel) system extension app that currently uses only a Content Filter (NEFilterDataProvider). I need to capture/log HTTP and HTTPS traffic in plain text, and I understand NETransparentProxyProvider is the right extension type for that. For HTTPS I will need TLS inspection / a MITM proxy — I’m new to that and unsure how complex it will be. For DNS data (in plain text), can I use the same extension, or do I need a separate extension type such as NEPacketTunnelProvider, NEFilterPacketProvider, or NEDNSProxyProvider? Current architecture: Two Xcode targets: MainApp and a SystemExtension target. The SystemExtension target contains multiple network extension types. MainApp ↔ SystemExtension communicate via a bidirectional NSXPC connection. I can already enable two extensions (Content Filter and TransparentProxy). With the NETransparentProxy, I still need to implement HTTPS capture. Questions I’d appreciate help with: Can NETransparentProxy capture the DNS fields I need (dns_hostname, dns_query_type, dns_response_code, dns_answer_number, etc.), or do I need an additional extension type to capture DNS in plain text? If a separate extension is required, is it possible or problematic to include that extension type (Packet Tunnel / DNS Proxy / etc.) in the same SystemExtension Xcode target as the TransparentProxy? Any recommended resources or guidance on TLS inspection / MITM proxy setup for capturing HTTPS logs? There are multiple DNS transport types — am I correct that capturing DNS over UDP (port 53) is not necessarily sufficient? Which DNS types should I plan to handle? I’ve read that TransparentProxy and other extension types (e.g., Packet Tunnel) cannot coexist in the same Xcode target. Is that true? Best approach for delivering logs from multiple extensions to the main app (is it feasible)? Or what’s the best way to capture logs so an external/independent process (or C/C++ daemon) can consume them? Required data to capture (not limited to): All HTTP/HTTPS (request, body, URL, response, etc.) DNS fields: dns_hostname, dns_query_type, dns_response_code, dns_answer_number, and other DNS data — all in plain text. I’ve read various resources but remain unclear which extension(s) to use and whether multiple extension types can be combined in one Xcode target. Please ask if you need more details. Thank you.

Hello team, I am developing a security app where I am denying certain flows/packets if the are communicating with known malicious endpoints. Therefore I want to make use of NetworkExtensions such as the new URLFilter or ContentFilter (NEURLFilterManager, NEFilterDataProvider, NEFilterControlProvider). Does NEURLFilterManager require the user's device to be at a minimun of ios 26? Does any of these APIs/Extensions require the device to be managed/supervised or can it be released to all consumers? Thanks,

Hello, I am working to integrate the new com.apple.developer.networking.carrier-constrained.app-optimized entitlement in my iOS 26 app so that my app can use a carrier-provided satellite network, and want to confirm my understanding of how to detect and optimize for satellite network conditions. (Ref: https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.networking.carrier-constrained.app-optimized ) My current approach: I plan to set the entitlement to true once my app is optimized for satellite networks. To detect if the device is connected to a satellite network, I intend to use the Network framework’s NWPath properties: isUltraConstrained — I understand this should be set to true when the device is connected to a satellite network. (Ref: https://developer.apple.com/documentation/network/nwpath/isultraconstrained ) linkQuality == .minimal — I believe this will also be set in satellite scenarios, though it may not be exclusive to satellite connections. (Ref: https://developer.apple.com/documentation/network/nwpath/linkquality-swift.enum/minimal ) Questions: Is it correct that isUltraConstrained will reliably indicate a satellite connection? Should I also check for linkQuality == .minimal, or is isUltraConstrained sufficient? Are there any additional APIs or best practices for detecting and optimizing for satellite connectivity that I should be aware of? Thank you for confirming whether my understanding and approach are correct, and for any additional guidance.

What is the best way to detect if the Wifi is being used for Wireless Carplay or is just a normal network interface?

There are multiple report of crashes on URLConnectionLoader::loadWithWhatToDo. The crashed thread in the stack traces pointing to calls inside CFNetwork which seems to be internal library in iOS. The crash has happened quite a while already (but we cannot detect when the crash started to occur) and impacted multiple iOS versions recorded from iOS 15.4 to 18.4.1 that was recorded in Xcode crash report organizer so far. Unfortunately, we have no idea on how to reproduce it yet but the crash keeps on increasing and affect more on iOS 18 users (which makes sense because many people updated their iOS to the newer version) and we haven’t found any clue on what actually happened and how to fix it on the crash reports. What we understand is it seems to come from a network request that happened to trigger the crash but we need more information on what (condition) actually cause it and how to solve it. Hereby, I attach sample crash report for both iOS 15 and 18. I also have submitted a report (that include more crash reports) with number: FB17775979. Will appreciate any insight regarding this issue and any resolution that we can do to avoid it. iOS 15.crash iOS 18.crash