Hi All, I am currently working on a Network Extension App for MacOS using 3 types of extensions provided by Apple's Network Extension Framework. Content Filter, App Proxy (Want to get/capture/log all HTTP/HTTPS traffic), DNS Proxy (Want to get/capture/log all DNS records). Later parse into human readable format. Is my selection of network extension types correct for the intended logs I need? I am able to run with one extension: Main App(Xcode Target1) <-> Content Filter Extension. Here there is a singleton class IPCConnection between App(ViewController.swift) which is working fine with NEMachServiceName from Info.plist of ContentFilter Extension(Xcode Target2) However, when I add an App Proxy extension as a new Xcode Target3, I think the App and extension's communication getting messed up and App not getting started/Crashing. Here, In the same Main App, I am adding new separate IPCConnection for this extension. Here is the project organization/folder structure. MyNetworkExtension ├──MyNetworkExtension(Xcode Target1) │ ├── AppDelegate.swift │ ├── Assets.xcassets │ ├── Info.plist │ ├── MyNetworkExtension.entitlement │ | ── Main │ |-----ViewController.swift │ └── Base.lproj │ └── Main.storyboard ├── ContentFilterExtension(Xcode Target2) │ ├── ContentFilterExtension.entitlement │ │ ├── FilterDataProvider.swift │ │ ├── Info.plist │ │ ├── IPCConnection.swift │ │ └── main.swift ├── AppProxyProviderExtension(Xcode Target3) │ ├── AppProxyProviderExtension.entitlement │ │ ├── AppProxyIPCConnection.swift │ │ ├── AppProxyProvider.swift │ │ ├── Info.plist │ │ └── main.swift └── Frameworks ├── libbsm.tbd └── NetworkExtension.framework Is my Approach for creating a single Network Extension App with Multiple extensions correct or is there any better approach of project organization that will make future modifications/working easier and makes the maintenance better? I want to keep the logic for each extension separate while having the same, single Main App that manages everything(installing, activating, managing identifiers, extensions, etc). What's the best approach to establish a Communication from MainApp to each extension separately, without affecting one another? Is it good idea to establish 3 separate IPC Connections(each is a singleton class) for each extension? Are there any suggestions you can provide that relates to my use case of capturing all the network traffic logs(including HTTP/HTTPS, DNS Records, etc), especially on App to Extension Communication, where my app unable to keep multiple IPC Connections and maintain them separately? I've been working on it for a while, and still unable to make the Network Extension App work with multiple extensions(each as a new Xcode target). Main App with single extension is working fine, but if I add new extension, App getting crashed. I suspect it's due to XPC/IPC connection things! I really appreciate any support on this either directly or by any suggestions/resources that will help me get better understand and make some progress. Please reach out if in case any clarifications or specific information that's needed to better understand my questions. Thank you very much

when i am running this app on Iphone13 facing these errors On starting Publisher: failed(-11992: Wi-Fi Aware) [L1 ready, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path satisfied (Path is satisfied), interface: nan0[802.11], ipv4, uses wifi, LQM: unknown, service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: waiting(POSIXErrorCode(rawValue: 50): Network is down) [L1 cancelled, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path , service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: ready [L1 cancelled, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path , service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: failed(-11992: Wi-Fi Aware) OnStarting Subscriber : -11992: Wi-Fi Aware B1 &lt;nw_browse_descriptor application_service _sat-simulation._udp bundle_id=com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L device_types=7f device_scope=ff custom:108&gt;, generic, interface: nan0, multipath service: interactive, attribution: developer: failed(-11992: Wi-Fi Aware)

I have been toying around with the URL filter API, and now a few installed configurations have piled up. I can't seem to remove them. I swear a few betas ago I could tap on one and then delete it. But now no tap, swipe, or long press does anything. Is this a bug?

I need to run multiple, slightly different copies of a modeling tool, which all need access to a model repository on a different machine. Security Settings -> Network tends to pick one modeling tool (and unfortunately the wrong one) for permission, but the dialog offers no way to add the other copies manually. Where can I configure the permission on low level. [macOS Sequoia 15.6.1]

Hello, A quick background: I am developing an App that receives a data stream from a device through its Wi-Fi network. The device itself is not connected to the internet, so the app won't be either. Now, I am adding a new feature to the App that would require internet connection during the data stream. Consequently, my users would need to use their cellular data. On later versions of iPhone, the phone would occasionally detect the lack of internet connection and asks the user via a pop-up if they want to use their cellular data. However, this behavior is not consistent. So my question is- can we programmatically invoke this pop-up so the user can connect to the internet? Or even better- can we program the App to use cellular data while still being connected to a Wi-Fi network? Note: I have seen mixed answers on the internet whether this is doable or not, and I know that users are able do it themselves by manually configuring their IP in their WiFi settings page, but I doubt this operation can be done through the App for security reasons. Thanks!

Hi all, We've been exploring the capabilities of the Network.framework for peer-to-peer communication and have run into some behavior that we haven't been able to fully explain with the existing documentation. In our tests, we’re working with 12 iOS devices, all disconnected from Wi-Fi to force communication over Apple Wireless Direct Link (AWDL). While using the Network.framework to create peer-to-peer connections, we observed that the number of connected peers never exceeded 8, despite all 12 devices being active and configured identically. Some questions we’re hoping to get clarification or discussion on: Is there a known upper limit to the number of peer-to-peer connections supported via AWDL? Are there conditions under which the framework or system limits or throttles visible peers? Does AWDL behavior vary by hardware model, iOS version, or backgrounding state of the app? Is there any official documentation or guidance around peer discovery or connection limits when using NWBrowser and NWConnection in a peer-to-peer context? We’d appreciate any insights from the Apple engineering team or other developers who have worked with larger peer groups using Network.framework in peer-to-peer mode.

NEAppProxyUDPFlow contains below property: open var localEndpoint: NWEndpoint? { get } Why is localEndpoint not available for NEAppProxyTCPFlow? Is there a way to determine the source port of a flow of type NEAppProxyTCPFlow within the following method of NETransparentProxyProvider? override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {

I'm establishing a connection with NWListener and NWConnection which is working great. However, if the listener disappears, a lot of logs are appearing: Is there a way to hide these logs? I'm aware of OS_ACTIVITY_MODE=disabled, but that will also hide a lot of other logs. I also know you can hide these using Xcode's filtering. I'm looking for a programmatically way to hide these completely. I'm not interested in seeing these at all, or, at least, I want to be in control. Thanks!

I have an app with lots of networking calls that are currently done through URLSession. We would like to implement the new carried constrained entitlements and begin moving data through the ultra constrained network path for core features of our application. I have successfully implemented the NWPathMonitor to identify when the current network path is ultra constrained and I have been consistently on a physical device in a real world environment. I'm aware that we will not be able to use URLSession to do this from other posts in this forum like this one. Because of this problem with URLSession I am attempting to fallback to using NWConnection when the current path is ultra constrained. I have setup a NWConnection with the NWParameters.allowUltraConstrainedPaths set to true. The request works perfectly when connected to wifi or cellular. However, it does not work at all when the current path is ultra constrained. When attempting this request through my NWConnection I receive an error that says: The operation couldn’t be completed. (Network.NWError error 50 - Network is down) Is this expected? I have confirmed my physical device is connecting to carrier provided satellite and I have been able to load data in other ios apps from Apple like the music app while on this carrier constrained connection. If this is not the correct way to move data when the path is ultra constrained what is the correct way?

Hi! I recently had an idea to build an iOS app that allows users to create a system-level block of specified web domains by curating a "blacklist" on their device. If the user, for instance, inputs "*example.com" to their list, their iPhone would be blocked from relaying that network traffic to their ISP/DNS, and hence return an error message ("iPhone can't open the page because the address is invalid") instead of successfully fetching the response from example.com's servers. The overarching goal of this app would be to allow users to time-block their use of specified websites/apps and grant them greater agency over their technology consumption, and I thought that an app that blocks traffic at the network level, combined with the ability to control when to/not to allow access, would be a powerful alternative to the existing implementations out there that work more on the browser-level (eg. via Safari extension, which is isolated to the scope of user's Safari browser) or via Screen Time (which can be easy to bypass by inputting one's passcode). Another thing to mention is that since the app would serve as a local DNS proxy (instead of relying on a third party DNS resolver), none of their internet activity will be collected/transmitted off-device and be used for commercial purposes. I feel particularly driven to create a privacy-centered app in this way, since no user data needs to be harvested to implement this kind of filtering. I'd also love to get suggestions for a transparent privacy policy that respects users control over their device. With all this said, I found that the Network Extension APIs may be the only way that an app like this could be built on iOS and, I wanted to ask if the above-mentioned use case of Network Extension would be eligible to be granted access to its entitlement before I go ahead and purchase the $99/year Apple Developer Program membership. Happy to provide further information, and I'd also particularly be open to any mentions of existing solutions out there (since I might have missed some in my search). Maybe something like this already exists, in which case it'd be great to know in any case! :). Thank you so much in advance!

I’m working on an iOS parental-control app that needs to block specific network traffic (e.g. certain domains or URLs). We’ve already obtained the Family Controls entitlement (since our app is explicitly a parental-control solution), but we do not use MDM to supervise devices. In testing, our NEFilterDataProvider extension only activates when the device is enrolled under a managed Family Controls profile. I am aware that we can use a PacketTunnel to achieve this but i was wondering if there is any simpler solution to this? Thanks for you time!

Hello, I am new to App development, so I am looking for some advice. I want to develop an app for iPhone, which downloads files (pdf, jpg)from a server to the local storage. I also want to get data from the server to be used in my app. This could be a database access or just simple xml files. I want a secure access based on userid and password. Since in a later version, my app should also run on Android Phones, I am reluctant to use iCloud. I was thinking sftp, but that does not seem to be supported for iOS.

I've built a VPN app that is based on wireguard on macOS (I have both AppStore ver. and Developer ID ver). I want to achieve split tunneling function without changing the system route table. Currently, I'm making changes in PacketTunnelProvider: NEPacketTunnelProvider. It has included/excluded routes that function as a split tunnel, just that all changes are immediately reflected on the route table: if I run netstat -rn in terminal, I would see all rules/CIDRs I added, displayed all at once. Since I have a CIDR list of ~800 entries, I'd like to avoid changing the route table directly. I've asked ChatGPT, Claude, DeepSeek, .etc. An idea was to implement an 'interceptor' to intercept all packets in packetFlow(_:readPacketsWithCompletionHandler:), extract the destination IP from each packet, check if it matches your CIDR list, and either reinject it back to the system interface (for local routing) or process it through your tunnel. Well, LLMs could have hallucinations and I've pretty new to macOS programming. I'm asking to make sure I'm on the right track, not going delusional with those LLMs :) So the question is, does the above method sounds feasible? If not, is it possible to achieve split tunneling without changing the route table?

I am trying to activate an application which sends my serial number to a server. The send is being blocked. The app is signed but not sandboxed. I am running Sequoia on a recent iMac. My network firewall is off and I do not have any third party virus software. I have selected Allow Applications from App Store & Known Developers. My local network is wifi using the eero product. There is no firewall or virus scanning installed with this product. Under what circumstances will Mac OS block outgoing internet connections from a non-sandboxed app? How else could the outgoing connection be blocked?

I'm using NWBrowser to search for a server that I hosted. The browser does find my service but when it tries to connect to it, it gets stuck in the preparing phase in NWConnection.stateUpdateHandler. When I hardcode the local IP address of my computer (where the server is hosted) into NWConnection it works perfectly fine and is able to connect. When it gets stuck in the preparing phase, it gives me the warnings and error messages in the image below. You can also see that the service name is correct and it is found. I have tried _http._tcp and _ssh._tcp types and neither work. This is what my code looks like: func findServerAndConnect(port: UInt16) { print("Searching for server...") let browser = NWBrowser(for: .bonjour(type: "_ssh._tcp", domain: "local."), using: .tcp) browser.browseResultsChangedHandler = { results, _ in print("Found results: \(results)") for result in results { if case let NWEndpoint.service(name, type_, domain, interface) = result.endpoint { if name == "PocketPadServer" { print("Found service: \(name) of type \(type_) in domain \(domain) on interface \(interface)") // Construct the full service name, including type and domain let fullServiceName = "\(name).\(type_).\(domain)" print("Full service name: \(fullServiceName), \(result.endpoint)") self.connect(to: result.endpoint, port: port) browser.cancel() break } } } } browser.start(queue: .main) } func connect(to endpoint: NWEndpoint, port: UInt16) { print("Connecting to \(endpoint) on port \(port)...") // endpoint = NWEndpoint( let tcpParams = NWProtocolTCP.Options() tcpParams.enableFastOpen = true tcpParams.keepaliveIdle = 2 let params = NWParameters(tls: nil, tcp: tcpParams) params.includePeerToPeer = true // connection = NWConnection(host: NWEndpoint.Host("xx.xxx.xxx.xxx"), port: NWEndpoint.Port(3000), using: params) connection = NWConnection(to: endpoint, using: params) connection?.pathUpdateHandler = { path in print("Connection path update: \(path)") if path.status == .satisfied { print("Connection path is satisfied") } else { print("Connection path is not satisfied: \(path.status)") } } connection?.stateUpdateHandler = { newState in DispatchQueue.main.async { switch newState { case .ready: print("Connected to server") self.pairing = true self.receiveMessage() case .failed(let error): print("Connection failed: \(error)") self.isConnected = false case .waiting(let error): print("Waiting for connection... \(error)") self.isConnected = false case .cancelled: print("Connection cancelled") self.isConnected = false case .preparing: print("Preparing connection...") self.isConnected = false default: print("Connection state changed: \(newState)") break } } } connection?.start(queue: .main) }

Description I am seeing a consistent crash in a NEDNSProxyProvider on iOS when migrating from completion handlers to the new Swift Concurrency async/await variants of readDatagrams() and writeDatagrams() on NEAppProxyUDPFlow. The crash occurs inside the Swift Concurrency runtime during task resumption. Specifically, it seems the Task attempts to return to the flow’s internal serial executor (NEFlow queue) after a suspension point, but fails if the flow was invalidated or deallocated by the kernel while the task was suspended. Error Signature Thread 4: EXC_BAD_ACCESS (code=1, address=0x28) Thread 4 Queue : NEFlow queue (serial) #0 0x000000018fe919cc in swift::AsyncTask::flagAsAndEnqueueOnExecutor () #9 0x00000001ee25c3b8 in _pthread_wqthread () Steps The crash is highly timing-dependent. To reproduce it reliably: Use an iOS device with Developer Settings enabled. Go to Developer > Network Link Conditioner -> High Latency DNS. Intercept a DNS query and perform a DoH (DNS-over-HTTPS) request using URLSession. The first few network requests should trigger the crash Minimum Working Example (MWE) class DNSProxyProvider: NEDNSProxyProvider { override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool { guard let udpFlow = flow as? NEAppProxyUDPFlow else { return false } Task(priority: .userInitiated) { await handleUDPFlow(udpFlow) } return true } func handleUDPFlow(_ flow: NEAppProxyUDPFlow) async { do { try await flow.open(withLocalFlowEndpoint: nil) while !Task.isCancelled { // Suspension point 1: Waiting for datagrams let (flowData, error) = await flow.readDatagrams() if let error { throw error } guard let flowData, !flowData.isEmpty else { return } var responses: [(Data, Network.NWEndpoint)] = [] for (data, endpoint) in flowData { // Suspension point 2: External DoH resolution let response = try await resolveViaDoH(data) responses.append((response, endpoint)) } // Suspension point 3: Writing back to the flow // Extension will crash here on task resumption try await flow.writeDatagrams(responses) } } catch { flow.closeReadWithError(error) flow.closeWriteWithError(error) } } private func handleFlowData(_ packet: Data, endpoint: Network.NWEndpoint, using parameters: NWParameters) async throws -> Data { let url = URL(string: "https://dns.google/dns-query")! var request = URLRequest(url: url) request.httpMethod = "POST" request.httpBody = packet request.setValue("application/dns-message", forHTTPHeaderField: "Content-Type") let (data, _) = try await URLSession.shared.data(for: request) return data } } Crash Details & Analysis The disassembly at the crash point indicates a null dereference of an internal executor pointer (Voucher context): ldr x20, [TPIDRRO_EL0 + 0x340] ldr x0, [x20, #0x28] // x20 is NULL/0x0 here, resulting in address 0x28 It appears that NEAppProxyUDPFlow’s async methods bind the Task to a specific internal executor. When the kernel reclaims the flow memory, the pointer in x20 becomes invalid. Because the Swift runtime is unaware that the NEFlow queue executor has vanished, it attempts to resume on non-existing flow and then crashes. Checking !Task.isCancelled does not prevent this, as the crash happens during the transition into the task body before the cancellation check can even run. Questions Is this a known issue of the NetworkExtension async bridge? Why does Task.isCancelled not reflect the deallocation of the underlying NEAppProxyFlow? Is the only safe workaround? Please feel free to correct me if I misunderstood anything here. I'll be happy to hear any insights or suggestions :) Thank you!

I’m trying to use the TLS Session Resumption feature in TLS 1.2 and 1.3. I first tested this on iOS, but it didn’t work as expected. To investigate via packet capture, I ran the same code on macOS and saw the same issue. Using URLSession to establish a WebSocket connection, I captured packets in Wireshark to check if Session Resumption was working. The behavior differed from what I expected: 1st TLS handshake – Client Hello does not contain the session_ticket extension (required for session resumption per the TLS spec). 2nd TLS handshake – Client Hello does not contain a pre_shared_key. Test apps: https://github.com/sf-jed-kyung/tls-session-resumption-test Test environment: Xcode 16.3, macOS 15.6, OpenSSL 3.5.1 This repo contains: tls-urlsession-macos – WebSocket via URLSession (shows missing extensions). tls-openssl-macos – Manual TLS handshake via OpenSSL (shows both session_ticket and pre_shared_key). To run this, adjust Header Search Paths and Library Search Paths for your local OpenSSL install. URLSession – 1st Client Hello Transport Layer Security TLSv1.3 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 512 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 508 Version: TLS 1.2 (0x0303) Random: 0502b10cf04223658... Session ID Length: 32 Session ID: e3b276b14f2deaced... Cipher Suites Length: 42 Cipher Suites (21 suites) Compression Methods Length: 1 Compression Methods (1 method) Extensions Length: 393 ... Extension: server_name (len=26) name=echo.websocket.events Extension: extended_master_secret (len=0) Extension: renegotiation_info (len=1) Extension: supported_groups (len=12) Extension: ec_point_formats (len=2) Extension: application_layer_protocol_negotiation (len=11) Extension: status_request (len=5) Extension: signature_algorithms (len=22) Extension: signed_certificate_timestamp (len=0) Extension: key_share (len=43) x25519 Extension: psk_key_exchange_modes (len=2) Extension: supported_versions (len=7) TLS 1.3, TLS 1.2 Extension: compress_certificate (len=3) ... URLSession – 2nd Client Hello Transport Layer Security TLSv1.3 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 512 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 508 Version: TLS 1.2 (0x0303) Random: 1e485f35ad66c8598... Session ID Length: 32 Session ID: 99d02000c7ed403a5... Cipher Suites Length: 42 Cipher Suites (21 suites) Compression Methods Length: 1 Compression Methods (1 method) Extensions Length: 393 ... Extension: server_name (len=26) name=echo.websocket.events Extension: extended_master_secret (len=0) Extension: renegotiation_info (len=1) Extension: supported_groups (len=12) Extension: ec_point_formats (len=2) Extension: application_layer_protocol_negotiation (len=11) Extension: status_request (len=5) Extension: signature_algorithms (len=22) Extension: signed_certificate_timestamp (len=0) Extension: key_share (len=43) x25519 Extension: psk_key_exchange_modes (len=2) Extension: supported_versions (len=7) TLS 1.3, TLS 1.2 Extension: compress_certificate (len=3) ... OpenSSL – 1st Client Hello Transport Layer Security TLSv1.3 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 1564 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 1560 Version: TLS 1.2 (0x0303) Random: aec30b0aad542252... Session ID Length: 32 Session ID: f7ee7178cab8716a625... Cipher Suites Length: 60 Cipher Suites (30 suites) Compression Methods Length: 1 Compression Methods (1 method) Extensions Length: 1427 Extension: renegotiation_info (len=1) Extension: server_name (len=26) name=echo.websocket.events Extension: ec_point_formats (len=4) Extension: supported_groups (len=18) Extension: session_ticket (len=0) Extension: application_layer_protocol_negotiation (len=11) Extension: encrypt_then_mac (len=0) Extension: extended_master_secret (len=0) Extension: signature_algorithms (len=54) Extension: supported_versions (len=5) TLS 1.3, TLS 1.2 Extension: psk_key_exchange_modes (len=2) Extension: key_share (len=1258) X25519MLKEM768, x25519 OpenSSL – 2nd Client Hello Transport Layer Security TLSv1.3 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 1716 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 1712 Version: TLS 1.2 (0x0303) Random: 3fb3938a88166e4eb... Session ID Length: 32 Session ID: 7f13e54a231c17ccff70... Cipher Suites Length: 60 Cipher Suites (30 suites) Compression Methods Length: 1 Compression Methods (1 method) Extensions Length: 1579 Extension: renegotiation_info (len=1) Extension: server_name (len=26) name=echo.websocket.events Extension: ec_point_formats (len=4) Extension: supported_groups (len=18) Extension: session_ticket (len=0) Extension: application_layer_protocol_negotiation (len=11) Extension: encrypt_then_mac (len=0) Extension: extended_master_secret (len=0) Extension: signature_algorithms (len=54) Extension: supported_versions (len=5) TLS 1.3, TLS 1.2 Extension: psk_key_exchange_modes (len=2) Extension: key_share (len=1258) X25519MLKEM768, x25519 Extension: pre_shared_key (len=148) Since the Client Hello is generated by the client, I believe the session_ticket should be included in the first handshake regardless of server support. However, URLSession omits it entirely. Question: How can I enable TLS Session Resumption when using URLSession?

I am learning how to use DNS-SD from swift and have created a basic CLI app, however I am not getting callback results. I can get results from cli. Something I am doing wrong here? dns-sd -G v6 adet.local 10:06:08.423 Add 40000002 22 adet.local. FE80:0000... dns-sd -B _adt._udp. 11:19:10.696 Add 2 22 local. _adt._udp. adet import Foundation import dnssd var reference: DNSServiceRef? func dnsServiceGetAddrInfoReply(ref: DNSServiceRef?, flags: DNSServiceFlags, interfaceIndex: UInt32, errorCode: DNSServiceErrorType, hostname: UnsafePointer&lt;CChar&gt;?, address: UnsafePointer&lt;sockaddr&gt;?, ttl: UInt32, context: UnsafeMutableRawPointer?) { print("GetAddr'd") print(hostname.debugDescription.utf8CString) print(address.debugDescription.utf8CString) } var error = DNSServiceGetAddrInfo(&amp;reference, 0, 0, DNSServiceProtocol(kDNSServiceProtocol_IPv6), "adet.local", dnsServiceGetAddrInfoReply, nil) print("GetAddr: \(error)") func dnsServiceBrowseReply(ref: DNSServiceRef?, flags: DNSServiceFlags, interfaceIndex: UInt32, errorCode: DNSServiceErrorType, serviceName: UnsafePointer&lt;CChar&gt;?, regType: UnsafePointer&lt;CChar&gt;?, replyDomain: UnsafePointer&lt;CChar&gt;?, context: UnsafeMutableRawPointer?) { print("Browsed") print(serviceName.debugDescription.utf8CString) print(replyDomain.debugDescription.utf8CString) } error = DNSServiceBrowse(&amp;reference, 0, 0, "_adt._udp", nil, dnsServiceBrowseReply, nil) print("Browse: \(error)") Foundation.RunLoop.main.run() Info.plist &lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;NSLocalNetworkUsageDescription&lt;/key&gt; &lt;string&gt;By the Hammer of Grabthor&lt;/string&gt; &lt;key&gt;NSBonjourServices&lt;/key&gt; &lt;array&gt; &lt;string&gt;_adt._udp.&lt;/string&gt; &lt;string&gt;_http._tcp.&lt;/string&gt; &lt;string&gt;_http._tcp&lt;/string&gt; &lt;string&gt;_adt._udp&lt;/string&gt; &lt;/array&gt; &lt;/dict&gt; &lt;/plist&gt;

If the includeAllNetworks flag to true, we cannot update our app via Xcode, TestFlight or the AppStore. In the AppStore and TestFlight cases, it seems that the packet tunnel process is stopped before the new app is downloaded - once the packet tunnel process is stopped, it can’t be started again via Settings/VPN profiles, nor can it be started via the app.

Hello team, I am developing a security app where I am denying certain flows/packets if the are communicating with known malicious endpoints. Therefore I want to make use of NetworkExtensions such as the new URLFilter or ContentFilter (NEURLFilterManager, NEFilterDataProvider, NEFilterControlProvider). Does NEURLFilterManager require the user's device to be at a minimun of ios 26? Does any of these APIs/Extensions require the device to be managed/supervised or can it be released to all consumers? Thanks,