For a long time our app had this creation of a URLRequest: var urlRequest = URLRequest(url: url, cachePolicy: .reloadIgnoringLocalAndRemoteCacheData, timeoutInterval: timeout) But since iOS 26 was released we started to get crashes in this call. It is created on a background thread. Thread 10 Crashed: 0 libsystem_malloc.dylib 0x00000001920e309c _xzm_xzone_malloc_freelist_outlined + 864 (xzone_malloc.c:1869) 1 libswiftCore.dylib 0x0000000184030360 swift::swift_slowAllocTyped(unsigned long, unsigned long, unsigned long long) + 56 (Heap.cpp:110) 2 libswiftCore.dylib 0x0000000184030754 swift_allocObject + 136 (HeapObject.cpp:245) 3 Foundation 0x00000001845dab9c specialized _ArrayBuffer._consumeAndCreateNew(bufferIsUnique:minimumCapacity:growForAppend:) + 120 4 Foundation 0x00000001845daa58 specialized static _SwiftURL._makeCFURL(from:baseURL:) + 2288 (URL_Swift.swift:1192) 5 Foundation 0x00000001845da118 closure #1 in _SwiftURL._nsurl.getter + 112 (URL_Swift.swift:64) 6 Foundation 0x00000001845da160 partial apply for closure #1 in _SwiftURL._nsurl.getter + 20 (<compiler-generated>:0) 7 Foundation 0x00000001845da0a0 closure #1 in _SwiftURL._nsurl.getterpartial apply + 16 8 Foundation 0x00000001845d9a6c protocol witness for _URLProtocol.bridgeToNSURL() in conformance _SwiftURL + 196 (<compiler-generated>:974) 9 Foundation 0x000000018470f31c URLRequest.init(url:cachePolicy:timeoutInterval:) + 92 (URLRequest.swift:44)# Live For Studio Any idea if this crash is caused by our code or if it is a known problem in iOS 26? I have attached one of the crash reports from Xcode: 2025-10-08_10-13-45.1128_+0200-8acf1536892bf0576f963e1534419cd29e6e10b8.crash

Why is the WiFiAware framework not importable in Mac Catalyst? Are there any plans to support Wi-Fi Aware technology on Mac Catalyst in the future?

As part of the OpenJDK testing we run several regression tests, including for Java SE networking APIs. These APIs ultimately end up calling BSD socket functions. On macos, starting macos 26, including on recent 26.2 version, we have started seeing some unexplained but consistent exception from one of these BSD socket APIs. We receive a "ENOBUFS" errno (No buffer space available) when trying to construct a socket(). These exact same tests continue to pass on many other older versions of macos (including 15.7.x). After looking into this more, we have been able to narrow this down to a very trivial C code which is as follows (also attached): #include <stdio.h> #include <sys/socket.h> #include <string.h> #include <unistd.h> #include <sys/errno.h> static int create_socket(const int attempt_number) { const int fd = socket(AF_INET6, SOCK_STREAM, 0); if (fd < 0) { fprintf(stderr, "socket creation failed on attempt %d," " due to: %s\n", attempt_number, strerror(errno)); return fd; } return fd; } int main() { const unsigned int num_times = 250000; for (unsigned int i = 1; i <= num_times; i++) { const int fd = create_socket(i); if (fd < 0) { return -1; } close(fd); } fprintf(stderr, "successfully created and closed %d sockets\n", num_times); } The code very trivially creates a socket() and close()s it. It does this repeatedly in a loop for a certain number of iterations. Compiling this as: clang sockbufspaceerr.c -o sockbufspaceerr.o and running it as: ./sockbufspaceerr.o consistently generates an error as follows on macos 26.x: socket creation failed on attempt 160995, due to: No buffer space available The iteration number on which the socket() creation fails varies, but the issue does reproduce. Running the same on older versions of macos doesn't reproduce the issue and the program terminates normally after those many iterations. Looking at the xnu source that is made available for each macos release here https://opensource.apple.com/releases/, I see that for macos 26.x there have been changes in this kernel code and there appears to be some kind of memory accountability code introduced in this code path. However, looking at the reproducer/application code in question, I believe it uses the right set of functions to both create as well as release the resources, so I can't see why this should cause the above error in macos 26.x. Does this look like some issue that needs attention in the macos kernel and should I report it through feedback assitant tool?

Currently in our app, to identify a network switch in device we are doing NEHotspotHelper.register and then NEHotspotHelperHandler block. When the command type is evaluate and if the network.didJustJoin, we are identifying it as a network switch. As a part of moving our code base to iOS 26, if is found that NEHotspotHelper is deprecated. What is the proper replacement for this?

My application needs local network access. When it is started for the first time, the user gets a prompt to enable local network access (as expected). The application is then shown as enabled in Privacy & Security / Local Network and local network access is working. If macOS is then shutdown and restarted, local network access is blocked for the application even though it is still shown as enabled in Privacy & Security / Local Network. Local network access can be restored either by toggling permission off and on in Privacy & Security / Local Network or by disabling and enabling Wi-Fi. This behaviour is consistent on Sequoia 15.1. It happens sometimes on 15.0 and 15.0.1 but not every time. Is my application doing something wrong or is this a Sequoia issue? If it is a Sequoia issue, is there some change I can make to my application to work around it?

Description Enterprise users are experiencing VPN resource access failures after upgrading to macOS Tahoe. Investigation indicates that configd (specifically IPMonitor) is incorrectly re-ranking network interfaces after a connectivity failure with probe server. This results in DNS queries routing through the physical network adapter (en0) instead of the VPN virtual adapter, even while the tunnel is active. This behaviour is not seen in previous macOS versions. Steps to Reproduce: Connect to an enterprise VPN (e.g., Ivanti Secure Access). Trigger a transient network condition where the Apple probe server is unreachable. For example make the DNS server down for 30 sec. Observe the system routing DNS queries for internal resources to the physical adapter. Expected Results The: VPN virtual interface should maintain its primary rank for enterprise DNS queries regardless of the physical adapter's probe status. Actual Results: IPMonitor detects an UplinkIssue, deprioritizes the VPN interface, and elevates the physical adapter to a higher priority rank. Technical Root Cause & Logs: The system logs show IPMonitor identifying an issue and modifying the interface priority at 16:03:54: IPMonitor Detection: The process identifies an inability to reach the Apple probe server and marks en0 with an advisory: Log snippet 2026-01-06 16:03:53.956399+0100 localhost configd[594]: [com.apple.SystemConfiguration:IPMonitor] configd[594] SetInterfaceAdvisory(en0) = UplinkIssue (2) reason='unable to reach probe server' Interface Re-ranking: Immediately following, IPMonitor recalculates the rank, placing the physical service ID at a higher priority (lower numerical rank) than the VPN service ID (net.pulsesecure...): Log snippet 2026-01-06 16:03:53.967935+0100 localhost configd[594]: [com.apple.SystemConfiguration:IPMonitor] 0. en0 serviceID=50CD9266-B097-4664-BFE6-7BAFCC5E9DC0 addr=192.168.0.128 rank=0x200000d 2026-01-06 16:03:53.967947+0100 localhost configd[594]: [com.apple.SystemConfiguration:IPMonitor] 1. en0 serviceID=net.pulsesecure.pulse.nc.main addr=192.168.0.128 rank=0x2ffffff 3.Physical adapter Is selected as Primary Interface: 2026-01-06 16:03:53.968145+0100 localhost configd[594]: [com.apple.SystemConfiguration:IPMonitor] 50CD9266-B097-4664-BFE6-7BAFCC5E9DC0 is the new primary IPv4 configd[594]: 50CD9266-B097-4664-BFE6-7BAFCC5E9DC0 is the new primary DNS Packet Trace Evidence Wireshark confirms that DNS queries for enterprise-specific DNS servers are being originated from the physical IP (192.168.0.128) instead of the virtual adapter: Time: 16:03:54.084 Source: 192.168.0.128 (Physical Adapter) Destination: 172.29.155.115 (Internal VPN DNS Server) Result: Connectivity Failure (Queries sent outside the tunnel)

Hello, I hope the title is self explanatory. As a system administrator I would like to use macOS server on Sequoia to manage the protected network behind this server: bootpd, natpmpd, paquet filter, postfix mail server, squid proxy… I am at a lost not to find in less than 15 minutes where this is available. Sorry for the silly question.

I'm developing an iOS app that needs to continuously inform a server whether the user's paired Apple Watch is currently reachable for interactive messaging. If this reachability is lost unexpectedly, the server should be alerted within seconds. This is a safety-critical feature where reliability is essential. The goal (abstractly): The iPhone app needs real-time or near-real-time awareness of whether the paired Apple Watch is reachable. The specific mechanism doesn't matter - I'm open to any approach that achieves this reliably. Context - what already works: The iPhone app successfully maintains continuous server connectivity using an NEAppPushProvider network extension. In practice, this runs reliably in the background and sends periodic heartbeats to the server regardless of main app state. This pattern works well for the phone component. I need to extend this to include the watch's connectivity status in those server updates. Note: WCSession APIs are only available in the main app process, not the Network Extension, so any watch connectivity information must be bridged via the main iOS app (e.g. shared UserDefaults and Darwin notifications). What I've tried: 1. Companion watchOS app sending heartbeats to iPhone via WCSession This was my primary approach: a watchOS app sends messages to the iPhone at short intervals using WCSession.sendMessage(). The iPhone forwards this to the server. If heartbeats stop, the server raises an alert. (I tested various intervals from 2-15 seconds; the specific interval doesn't matter because the fundamental problem is that the watch app is suspended regardless.) Problem: The watch app is suspended almost immediately when: The user presses the Digital Crown The user switches to another app The watch screen dims and shows the clock face (even without explicit backgrounding) Once suspended, Timer.scheduledTimer() stops firing and no heartbeats are sent. 2. WCSession.isReachable monitoring on iPhone I hoped the iPhone could monitor WCSession.isReachable to detect when the watch becomes unreachable. Problem: isReachable indicates whether the counterpart app is reachable for interactive messaging, not the underlying physical connection. It returns false for many reasons - watch app suspended, backgrounded, or various system conditions - making it unreliable as a proxy for actual watch connectivity. The iPhone cannot distinguish "watch app not ready for messaging" from "watch physically disconnected". 3. WKExtendedRuntimeSession on watchOS Problem: Only available for specific scenarios (workout, mindfulness, etc.). My use case is general activity, not fitness tracking. Misusing workout sessions would likely be rejected by App Review. 4. WKApplicationRefreshBackgroundTask on watchOS Problem: These tasks are system-scheduled with timing that varies from minutes to hours depending on system conditions. Far too slow and unpredictable for second-level detection. 5. BLE advertising from watchOS app Problem: BLE advertising stops when the watchOS app is suspended. Same fundamental limitation as the timer approach. 6. Server directly pinging the watch (ICMP or similar) Problem: While Apple Watch can have an IP address via Wi-Fi or cellular (on LTE models), inbound connections to the watch aren't feasible - the watch is behind NAT with no public address, and watchOS doesn't support inbound server sockets (especially in background). This approach isn't practical regardless of connection type. 7. CoreBluetooth scanning from iPhone Problem: Apple Watch doesn't advertise as a discoverable BLE peripheral to third-party apps. The system-level pairing isn't exposed. Why this works on Android/WearOS: On WearOS, a Foreground Service continues running in the background regardless of UI state or screen status (subject to standard OS background limits, but in practice it works reliably). The service sends heartbeats via MessageClient consistently. This "always-on background execution" pattern has no equivalent on watchOS. Questions: Is there any mechanism for an iPhone app to have continuous or regularly-updated knowledge of whether a paired Apple Watch is connected and reachable for interactive messaging - ideally without requiring a watchOS companion app to be in the foreground? Are there any system-level APIs or entitlements (perhaps requiring special approval) that expose watch pairing/connectivity events to iOS apps? Is there any watchOS background execution mechanism I've missed that could keep code running reliably when the app isn't in the foreground? Has anyone solved a similar "detect wearable connectivity loss in real-time" problem on the Apple platform? I understand Apple designed watchOS with aggressive power management for good reasons. If continuous connectivity monitoring truly isn't possible, I'd appreciate confirmation so I can set appropriate user expectations. But given this is a safety-critical use case, I'm hoping there's an approach I've overlooked.

I filed FB19631435 about this just now. Basically: starting with 15.6, we've had reports (internally and outternally) that after some period of time, networking fails so badly that it can't even acquire a DHCP lease, and the system needs to be rebooted to fix this. The systems in question all have at least 2 VPN applications installed; ours is a transparent proxy provider, and the affected system also had Crowdstrike's Falcon installed. A customer system reported seemingly identical failures on their systems; they don't have Crowdstrike, but they do have Cyberhaven's. Has anyone else seen somethng like this? Since it seems to involve three different networking extensions, I'm assuming it's due to an interaction between them, not a bug in any individual one. But what do I know? 😄

Hello, A customer has requested the development of a home assistance app to be published on the App Store. The app will connect to a server running locally at the end user's home, for example on a Raspberry Pi. Users would enter the IP address or hostname of their personal server into the app. A strict requirement is that, for data protection reasons, there must not be any proxy server. The app should only communicate directly with the local server (e.g., Raspberry Pi). We are able to solve technical challenges such as DNS, dynamic IP, and port forwarding, router configuration. However, I'm concerned about Apple's requirement that the endpoint – in this case, the Raspberry Pi at the user's home – must not use self-signed SSL certificates. While it may be technically possible to secure the home server with a certificate provider like Let's Encrypt, it is unrealistic to expect a typical user with no technical training to accomplish this setup independently. Is there a recommended solution to this problem, particularly in the context of IoT devices and apps? Any advice or experiences would be deeply appreciated.

I added a Content Filter to my app, and when running it in Xcode (Debug/Release), I get the expected permission prompt: "Would like to filter network content (Allow / Don't Allow)". However, when I install the app via TestFlight, this prompt doesn’t appear at all, and the feature doesn’t work. Is there a special configuration required for TestFlight? I already set the minimum deployment to be 17 for the extension and the app. Thanks!

I've been working through some issues here attempting to migrate away from the MultiPeer Connectivity following the guidance in here, Moving from Multipeer Connectivity to Network Framework, and implementing a home-grown solution using NWBrowser and NWListener and NWConnections. I feel like I am 95% of the way there, but am experiencing an issue where my connection attempts seem to fail about 50% of the time. If I have two nodes say, one a physical iPad, and one a simulator on my Mac. I can start them both up, and they are both discovered with Bounjour no problem. Sometimes the "connect" no problem. Othertimes however when I attempt to "connect" from one device to the other, I get failures. I'd say it's about 50/50 success - fail at this point. The "dialing" device state enters "preparing" but never progesses past that, and on the "receiving end" I see receive error: POSIXErrorCode(rawValue: 61): Connection refused I'm at my wits end here with this, everything else in my migration I think is done...just need some insights maybe on potential causes for that error...

Hi everyone, I’m running into an issue with IP over Thunderbolt connectivity between my Mac and Windows PC after updating to macOS 26.2. Previously, this setup worked fine on macOS 15. However, since the update, I haven't been able to establish a connection. Here is what I have tested so far: Mac M1 and Mac M3 (Updated to macOS 26.2): Both are unable to connect to Windows. Mac M2 (Running macOS 15.4): This device still connects to Windows without any issues. macOS 26.2 (Mac M1) <-> macOS 26.2 (Mac M3): Connection successful. Since my M3 Mac worked correctly before the update (when it was on macOS 15), and Mac-to-Mac connection still works on the new OS, I have a few questions: Is there a new setting I need to configure? Has this feature changed in macOS 26? Could you please confirm if IP over Thunderbolt connections to Windows have been explicitly blocked or deprecated in macOS 26? Thanks for any help! Mac M3 macOS 26.2 FAIL Mac M2 macOS 15.4 OK

I use Iphone 17 wifi to test the device and mobile phone communicate,but I found the wifi disconnect innormal in hign frequency. This situation is only appears in iphone 17 series, iphone 14 and 15 is ok, so I think iphone 17 wifi chip or software has bugs. the local network disconnect in hign frequency.

Hello! I have read most of the "Background Tasks Resources" here https://developer.apple.com/forums/thread/707503 - but still have a few questions that I need clarified. To provide our context, our usecase is that our user wants to upload files to our servers. This is an active decision by the user to initiate the upload, but we also want make sure the files are uploaded, even if the user chooses to background our app. If we use a URLSession.backgroundto initiate the uploadTask, I understand that we are passing it of to the urlsession deamon to handle the upload. Which is great, if the user chooses to background our app. But, what if they just stay with the app in the foreground? Will it start uploading immediately? Can we expect the same latency that a standard URLSession will provide? And the potential delay will only occur if they actually background our app. Also, what happens if a background upload is in-progress and the user enters our app again? Will it gain priority, and run with similar latency as standard URL session? I.e., can we just always rely on using a background session, or should we kick of a beginBackgroundTask with a standard URL session, and only trigger a background uploadTask if we do not finish the standard upload before getting told we are about to get killed? A different question. I know there is the rate-limit delay added if we trigger multiple background URL tasks. Does that effect the following use case? We would like to send an additional HTTP request to our servers when the upload is completed, to notify it of the completion, but are we allowed to do that when the app is woken from the background? So, basically calling .dataTask from handleEventsForBackgroundURLSession for example?

General: Forums subtopic: App & System Services > Networking DevForums tag: Network Extension Network Extension framework documentation Routing your VPN network traffic article Filtering traffic by URL sample code Filtering Network Traffic sample code TN3120 Expected use cases for Network Extension packet tunnel providers technote TN3134 Network Extension provider deployment technote TN3165 Packet Filter is not API technote Network Extension and VPN Glossary forums post Debugging a Network Extension Provider forums post Exporting a Developer ID Network Extension forums post Network Extension Framework Entitlements forums post Network Extension vs ad hoc techniques on macOS forums post Network Extension Provider Packaging forums post NWEndpoint History and Advice forums post Extra-ordinary Networking forums post Wi-Fi management: Wi-Fi Fundamentals forums post TN3111 iOS Wi-Fi API overview technote How to modernize your captive network developer news post iOS Network Signal Strength forums post See also Networking Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

We have an application which is written in Swift, which activates Transparent Proxy network extension. Our Transparent Proxy module is a system extension, which is exposing an app proxy provider interface (We are using NETransparentProxyProvider class and in extension’s Info.plist we use com.apple.networkextension.app-proxy key.) Sometimes we have observed that on starting the transparent proxy extension, the startProxy overridden delegate method(override func startProxy(options: [String : Any]?, completionHandler: @escaping (Error?) -> Void) {) in our AppProxyProvider class which is derived from NETransparentProxyProvider being called more than once for the same extension(pid). This leads to Over-resume of an object crash as we invoke setTunnelNetworkSettings inside the startProxy delegate. As this is controlled by the system, we are not sure why this delegate being called more than once sometimes even if we call the start TransparentProxy only once. Note that, this issue is seen only in Mac OS Tahoe. Apple Feedback ticket: FB21464147 (startProxy delegate for NETransparentProxyProvider class is being called twice for the same pid extension sometimes)

When connecting to my M1 mac mini over ssh, certain programs are often unable to reach network destinations in the corporate LAN, although they can usually reach external addresses like www.apple.com. For example, a java program attempting to download from teamcity.dev.corp.com:8111 often fails like: java.net.NoRouteToHostException: No route to host Running the exact same command from the Apple Terminal program works like normal, simply connecting over ethernet on en0 to a TeamCity server inside the same building. Basic diagnostics from the ssh session do not show anything unusual: > traceroute teamcity.dev.corp.com traceroute to teamcity.dev.corp.com (10.21.4.1), 64 hops max, 40 byte packets 1 teamcity.dev.corp.com (10.21.4.1) 1.702 ms 0.409 ms 0.336 ms > route -n get teamcity.dev.corp.com route to: 10.21.4.1 destination: 10.21.4.1 interface: en0 flags: <UP,HOST,DONE,LLINFO,WASCLONED,IFSCOPE,IFREF> recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire 0 0 0 0 0 0 1500 1194 > uname -a Darwin mac 25.1.0 Darwin Kernel Version 25.1.0: Mon Oct 20 19:32:47 PDT 2025; root:xnu-12377.41.6~2/RELEASE_ARM64_T8103 arm64 Similar problems occur in docker commands to a remote daemon ("no route to host" or "connection refused"): docker -H tcp://<ip>:<port> ... Most other programs are never affected by this problem. Are there other diagnostic steps that might reveal the cause?

I want to configure one aspect of my networking configuration (the QUIC keepalive interval). This only seems to be configurable via Network.framework’s nw_quic_set_keepalive_interval. Is there any way to apply this to a URLSession? Or do I need to implement the whole connection management myself using Network.framework?

When setting new entitlements com.apple.developer.networking.carrier-constrained.appcategory and com.apple.developer.networking.carrier-constrained.app-optimized, I have a question about how URLSession should behave. I notice we have a way to specify whether a Network connection should allow ultra-constrained paths via NWParameters allowUltraConstrainedPaths: https://developer.apple.com/documentation/network/nwparameters/allowultraconstrainedpaths There does not appear to be a similar property on URLSessionConfiguration. In an ultra-constrained (eg. satellite) network, should we expect all requests made through an URLSession to fail? Does all network activity when ultra-constrained need to go through a NWConnection or NetworkConnection specifically configured with allowUltraConstrainedPaths, or can URLSession ever be configured to allow ultra-constrained paths?