I am developing a program on my chip and attempting to establish a connection with the WiFi Aware demo app launched by iOS 26. Currently, I am encountering an issue during the pairing phase. If I am the subscriber of the service and successfully complete the follow-up frame exchange of pairing bootstrapping, I see the PIN code displayed by iOS. Question 1: How should I use this PIN code? Question 2: Subsequently, I need to negotiate keys with iOS through PASN. What should I use as the password for the PASN SAE process? If I am the subscriber of the service and successfully complete the follow-up frame exchange of pairing bootstrapping, I should display the PIN code. Question 3: How do I generate this PIN code? Question 4: Subsequently, I need to negotiate keys with iOS through PASN. What should I use as the password for the PASN SAE process?

Our app server is having some TLS related issue with the new iOS 26 (It works with iOS 18 and below). When opening the domain url in iPhone Safari browser with iOS 26, it showing the error as below: We followed the instructions from this link (https://support.apple.com/en-sg/122756), to run the following command: nscurl --tls-diagnostics https://test.example in Terminal app. It shows TLS failed with error: -9808 Could anyone please help explain what exactly the issue is with our server certificate, and how we should fix it? Thanks so much!

I've implemented a custom system extension VPN for macOS using Packet Tunnel Provider. The VPN is configured with on-demand, and a rule to always connect whenever there's traffic: onDemandRules = [NEOnDemandRuleConnect()] As for the tunnel's settings (at the Packet Tunnel Provider), I've configured a split tunnel, so some routes are excluded from the tunnel. Now I have the following scenario: The VPN is connected The Mac enters sleep The sleep() function is called (at my Packet Tunnel Provider) The Mac briefly awakes to check emails/push notifications/etc. This traffic is excluded from the tunnel. What is the expected behavior here? Should the wake function be called because of the on-demand rule? Or should the VPN remain asleep because this traffic is excluded from the tunnel?

I'm looking at implementing an iOS app that has includes a Content Filter Provider to block access to certain domains when accessed on the device. This uses NEFilterManager, NEFilterDataProvider and NEFilterControlProvider to handle configuration and manage the network flows and block as necessary. My question is can you deploy this in an iOS 18+ app on the App Store to devices which are unmanaged, unsupervised and don't use Screen Time APIs? Although not 100% clear, this technote seems to say it is not possible: https://developer.apple.com/documentation/Technotes/tn3134-network-extension-provider-deployment Testing this on a Developer device and build works successfully without any MDM profiles installed. A similar approach using the same APIs also works on macOS once user permissions have been given. If it can't work on unsupervised, unmanaged iOS devices, is possible for the user to first manually install a MDM profile which includes the required 'Content Filter' details and then have it work? If not, how would you filter iOS network traffic on an unmanaged, unsupervised device? Is it necessary to use a VPN or DNS approach instead (which may be a lot less privacy compliant)?

I did watch WWDC 2019 Session 716 and understand that an active audio session is key to unlocking low‑level networking on watchOS. I’m configuring my audio session and engine as follows: private func configureAudioSession(completion: @escaping (Bool) -> Void) { let audioSession = AVAudioSession.sharedInstance() do { try audioSession.setCategory(.playAndRecord, mode: .voiceChat, options: []) try audioSession.setActive(true, options: .notifyOthersOnDeactivation) // Retrieve sample rate and configure the audio format. let sampleRate = audioSession.sampleRate print("Active hardware sample rate: \(sampleRate)") audioFormat = AVAudioFormat(standardFormatWithSampleRate: sampleRate, channels: 1) // Configure the audio engine. audioInputNode = audioEngine.inputNode audioEngine.attach(audioPlayerNode) audioEngine.connect(audioPlayerNode, to: audioEngine.mainMixerNode, format: audioFormat) try audioEngine.start() completion(true) } catch { print("Error configuring audio session: \(error.localizedDescription)") completion(false) } } private func setupUDPConnection() { let parameters = NWParameters.udp parameters.includePeerToPeer = true connection = NWConnection(host: "***.***.xxxxx.***", port: 0000, using: parameters) setupNWConnectionHandlers() } private func setupTCPConnection() { let parameters = NWParameters.tcp connection = NWConnection(host: "***.***.xxxxx.***", port: 0000, using: parameters) setupNWConnectionHandlers() } private func setupWebSocketConnection() { guard let url = URL(string: "ws://***.***.xxxxx.***:0000") else { print("Invalid WebSocket URL") return } let session = URLSession(configuration: .default) webSocketTask = session.webSocketTask(with: url) webSocketTask?.resume() print("WebSocket connection initiated") sendAudioToServer() receiveDataFromServer() sendWebSocketPing(after: 0.6) } private func setupNWConnectionHandlers() { connection?.stateUpdateHandler = { [weak self] state in DispatchQueue.main.async { switch state { case .ready: print("Connected (NWConnection)") self?.isConnected = true self?.failToConnect = false self?.receiveDataFromServer() self?.sendAudioToServer() case .waiting(let error), .failed(let error): print("Connection error: \(error.localizedDescription)") DispatchQueue.main.asyncAfter(deadline: .now() + 2) { self?.setupNetwork() } case .cancelled: print("NWConnection cancelled") self?.isConnected = false default: break } } } connection?.start(queue: .main) } I am reaching out to seek further assistance regarding the challenges I've been experiencing with establishing a UDP, TCP & web socket connection on watchOS using NWConnection for duplex audio streaming. Despite implementing the recommendations provided earlier, I am still encountering difficulties. Or duplex audio streaming not possible on apple watch?

We're encountering an issue with our Network Extension (utilizing NEPacketTunnelProvider and NETransparentProxy) on macOS 14.5 (23F79). On some systems, the VPN fails to automatically start after a reboot despite calling startVPNTunnel(). There are no error messages. Our code attempts to start the tunnel: ....... do { try manager.connection.startVPNTunnel() Logger.default("Started tunnel successfully") } catch { Logger.error("Failed to launch tunnel") } ...... System log analysis reveals the tunnel stopping due to userLogout (NEProviderStopReason(rawValue: 12)) during reboot. However, the Transparent Proxy stops due to userInitiated (NEProviderStopReason(rawValue: 1)) for the same reboot. We need to understand: Why the VPNTunnel isn't starting automatically. Why the userLogout reason is triggered during reboot. Additional Context: We have manually started the VPN from System Settings before reboot.

We currently supporting proxy app with Tunnel.appEx and PacketTunnelProvider. Some users report about constant error "The VPN session failed because an internal error occurred." on VPN start (which fails rapidly). This error occur mostly after user updated app with active VPN. Rebooting device solves the problem and it doesnt come again, but it is still very frustrating. I can provide any required info about app setup to solve this issue if you need. Thanks

We have an app which is using CTSubscriber.simInserted (using the carrier entitlement com.apple.CommCenter.fine-grained). In iOS 18, simInserted returns false for every sim (where it should instead be returning true). Presumably this just is a temporary bug in 18 beta?

[Q] How many instances of the same NEFilterDataProvider subclass can there be in a single running Network Extension at any given time? I would expect that there can be only 1 instance but I'm looking at a memgraph where 2 instances are listed. As it's the Network Extension framework that is responsible for creating, starting and stopping these instances, this is rather strange.

My app has local network permission on macOS Sequoia and works in most cases. I've noticed that after unlocking my MacBook Pro, the very first request will regularly fail with a No Route to Host. A simple retry resolves the issue, but I would have expected the very first request to succeed. Is this is a known issue on macOS Sequoia or by design? I'd prefer not to add a retry for this particular request as the app is a network utility.

Hi everyone, I'm trying to establish a connection to a server that requires mutual TLS (mTLS) using NSURLSession in an iOS app. The server is configured with a self-signed root CA (in the project, we are using ca.cer) and requires clients to present a valid certificate during the TLS handshake. What I’ve done so far: Server trust is working: I manually trust the custom root CA using SecTrustSetAnchorCertificates and SecTrustEvaluateWithError. I also configured the necessary NSAppTransportSecurity exception in Info.plist to allow the server certificate to pass ATS. This is confirmed by logs showing: Server trust succeeded The .p12 identity is correctly created: Contains the client certificate and private key. Loaded using SecPKCS12Import with the correct password. I implemented the delegate method: func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) { if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust { // Server trust override code (working) ... } if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate { print("🔐 Client cert challenge triggered") if let identity = loadIdentity() { let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession) completionHandler(.useCredential, credential) } else { completionHandler(.cancelAuthenticationChallenge, nil) } return } completionHandler(.performDefaultHandling, nil) } The session is correctly created using my custom delegate: let delegate = MTLSDelegate(identity: identity, certificates: certs) let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil) Despite everything above, the client certificate is never sent, and the request fails with: Error Domain=NSURLErrorDomain Code=-1206 "The server requires a client certificate." From logs, it's clear the delegate is being hit for NSURLAuthenticationMethodServerTrust, but not for NSURLAuthenticationMethodClientCertificate.

On iOS 26 beta 5, it is impossible to add a VPN configuration when a passcode is set on the device. Every time, all it does is redirect to the Settings app with no prompt for passcode. The only way around this is to disable passcode on the device so adding a VPN configuration doesn’t have to open the Settings app. This issue happened intermittently in the past with previous iOS 26 betas and even on iOS 18, but the problem has worsened on iOS 26 beta 5 to the point where you have to turn off passcode to add a VPN. Feedback ID: FB17974765

I've had a Unreal Engine project that uses libwebsocket to make a websocket connection with SSL to a server. Recently I made a build using Unreal Engine 5.4.4 on MacOS Sequoia 15.5 and XCode 16.4 and for some reason the websocket connection now fails because it can't get the local issuer certificate. It fails to access the root certificate store on my device (Even though, running the project in the Unreal Editor works fine, it's only when making a packaged build with XCode that it breaks) I am not sure why this is suddenly happening now. If I run it in the Unreal editor on my macOS it works fine and connects. But when I make a packaged build which uses XCode to build, it can't get the local issuer certificate. I tried different code signing options, such as sign to run locally or just using sign automatically with a valid team, but I'm not sure if code signing is the cause of this issue or not. This app is only for development and not meant to be published, so that's why I had been using sign to run locally, and that used to work fine but not anymore. Any guidance would be appreciated, also any information on what may have changed that now causes this certificate issue to happen. I know Apple made changes and has made notarizing MacOS apps mandatory, but I'm not sure if that also means a non-notarized app will now no longer have access to the root certificate store of a device, in my research I haven't found anything about that specifically, but I'm wondering if any Apple engineers might know something about this that hasn't been put out publicly.

But the NMI and NDI of Samsung's Wi Fi Aware are not the same MAC address. May I ask Apple engineers why they are different from Samsung？

Hi everyone, I’m encountering what appears to be a system-level issue with NEAppPushProvider extensions being unable to communicate with other devices on the local network, even when the main app has already been granted Local Network permission by the user. Context The following problem occurs in an iPad app running iOS 18.5. The main app successfully requests and is granted Local Network access via NSLocalNetworkUsageDescription in its Info.plist configuration. It can connect to a WebSocket server hosted on the local network without any issues, resolving its address by name. The extension (NEAppPushProvider) uses the same networking code as the app, extended via target membership of a controller class. It attempts to connect to the same hostname and port but consistently fails to establish a connection. The system log shows it properly resolving DNS but being stopped due to "local network prohibited". An extract of the logs from the Unified Logging System: 12:34:10.086064+0200 PushProvider [C526 Hostname#fd7b1452:8443 initial parent-flow ((null))] event: path:start @0.000s 12:34:10.087363+0200 PushProvider [C526 Hostname#fd7b1452:8443 waiting parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] event: path:satisfied @0.005s 12:34:10.090074+0200 PushProvider [C526 Hostname#fd7b1452:8443 in_progress parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] event: flow:start_connect @0.006s 12:34:10.093190+0200 PushProvider [C526.1 Hostname#fd7b1452:8443 in_progress resolver (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] event: resolver:start_dns @0.009s 12:34:10.094403+0200 PushProvider [C526.1.1 IPv4#f261a0dc:8443 waiting path (unsatisfied (Local network prohibited), interface: en0[802.11], ipv4, uses wifi)] event: path:unsatisfied @0.010s 12:34:10.098370+0200 PushProvider [C526.1.1.1 IPv4#f261a0dc:8443 failed path (unsatisfied (Local network prohibited), interface: en0[802.11], ipv4, uses wifi)] event: null:null @0.014s 12:34:10.098716+0200 PushProvider [C526.1 Hostname#fd7b1452:8443 failed resolver (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] event: resolver:children_failed @0.015s 12:34:10.099297+0200 PushProvider [C526 Hostname#fd7b1452:8443 waiting parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] event: flow:child_failed @0.016s What I’ve Confirmed: The extension works perfectly if the DNS is changed to resolve the name to a public IP instead of a local one. The extension always connects by hostname. Devices on the local network can resolve each other’s IP addresses correctly and respond to pings. What I’ve Tried Adding NSLocalNetworkUsageDescription to the main app’s Info.plist, as recommended. Clean building the project again. Removing and reinstalling the app to ensure permission prompts are triggered fresh. Restarting the iPad. Ensuring main app cannot access the local network until the permission is granted. Ensuring the main app has connected to the same hostname and port before the extension attempts a connection Toggling the permission manually in Settings. Apple’s documentation states (TN3179): “In general, app extensions share the Local Network privilege state of their container app.” It also notes that some background-running extension types may be denied access if the privilege is undetermined. But in my case, the main app clearly has Local Network access, and the extension never receives it, even after repeated successful connections by the main app. Question Is this a known limitation with NEAppPushProvider? Is there a recommended way to ensure the extension is able to use the local network permission once the user has granted it on the app? Any feedback, suggestions, or confirmation would be greatly appreciated. Thanks in advance.

We are currently working on enhancing our iOS app with satellite mode support, allowing users to access a limited set of core features even in the absence of traditional cellular or Wi-Fi connectivity. As part of this capability, we're introducing a chatbot feature that relies on both WebSocket and HTTP connections for real-time interaction and data exchange. Given the constrained nature of satellite networks—especially in terms of latency, bandwidth, and connection stability—we're evaluating the feasibility of supporting these communication protocols under such conditions. Could you please advise whether WebSocket and HTTP connections are expected to work over satellite networks?

In my Packet Tunnel Provider, I'm setting the NEDNSSettings to localhost as I have a local DNS server listening on port 53 (this is a dns forwarder which conditionally forwards to different upstreams based on rules). On iOS it works just fine, I'm able to listen on localhost:53 in the Network Extension, then set NEDNSSettings servers to "127.0.0.1". However on macOS due to the port being under 1024, I get a Permission denied OS code 13 error. I'm assuming this is due to the Network Extension not running as root. Can this be changed? This could be rectified if you could customize the port in NEDNSSettings, as the listener could be on port 5353, but it doesn't look like it is possible? Just wondering if there is some other way to accomplish what I'm trying to do in the macOS Network Extension?

Are the Wifi-Aware's WAEndpoint's discovered ephemeral? I'm trying to understand what's the best way to reconnect a disconnected WifiAware connection - Can I just cache the endpoint and start a new connection with the same endpoint or do I need to browse again and get a new WAEndpoint? My use case requires both WifiAware connection to another device and the devices also need to be connected to infrastructure wifi most of the time. I'm concerned about the WifiAware's connection having any impact on infrastructure wifi. What is the impact on the infrastructure wifi here in comparison to using the Apple peer to peer wifi(That Multipeer framework or Network framework use)?

I am currently creating a MacOS app that uses NetworkExtension and SystemExtension without going through the Store. Using entitlements, I manually codesign and create a pkg Installer, but when I run it I get an error message saying "No matching profile found." Below is the log /Applications/Runetale.app/Contents/MacOS/Runetale not valid: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=file:///Applications/Runetale.app/, unsatisfiedEntitlements=<CFArray 0x71c040fa0 [0x1f7bec120]>{type = immutable, count = 3, values ​​= ( 0 : <CFString 0x71c04f340 [0x1f7bec120]>{contents = "com.apple.developer.system-extension.install"} 1 : <CFString 0x71c1ccaf0 [0x1f7bec120]>{contents = "com.apple.developer.networking.networkextension"} 2 : <CFString 0x71c04fc00 [0x1f7bec120]>{contents = "com.apple.developer.team-identifier"} )}, NSLocalizedDescription=No matching profile found} I looked into it myself and found that if you want to install the app without going through the Store, you need to use packet-tunnel-provider-systemextension instead of packet-tunnel-provider. here However, simply changing to packet-tunnel-provider-systemextension does not allow the build to pass. I use a build method that changes the value of entitlements only during codesign in order to pass the build. SYSEXT="$APP_BUNDLE/Contents/Library/SystemExtensions/com.runetale.desktop.PacketTunnel.systemextension" if [ -d "$SYSEXT" ]; then echo "Signing PacketTunnel system extension with entitlements..." cp macos/PacketTunnel/PacketTunnelRelease.entitlements macos/PacketTunnel/PacketTunnelRelease-sign.entitlements sed -i '' 's/packet-tunnel-provider/packet-tunnel-provider-systemextension/' macos/PacketTunnel/PacketTunnelRelease-sign.entitlements codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_FILE" --sign "$DEV_ID_APP_CERT" "$SYSEXT" fi # 3. Sign the entire .app bundle (deep sign by signing the outer app after inner ones) echo "Signing Runetale App with entitlements..." cp macos/Runner/Release.entitlements macos/PacketTunnel/Release-sign.entitlements sed -i '' 's/packet-tunnel-provider/packet-tunnel-provider-systemextension/' macos/PacketTunnel/Release-sign.entitlementsmacos/PacketTunnel/Release-sign.entitlements codesign --force --options runtime --timestamp --entitlements "$APP_ENTITLEMENTS_FILE" --sign "$DEV_ID_APP_CERT" "$APP_BUNDLE" Is this build method wrong? The next solution I'm thinking of is as follows. Is there a way to write packet-tunnel-provider-systemextension directly to entitlments and pass the build? (provisioning profile?) Apply to forum and get permission to use packet-tunnel-provider-systemextension Thank you.

I want to detect if the adapter is connected to the iPhone even if no IP has been given to the iPhone. I can detect that the interface is connected when the iPhone has been given an IP address, but how can I detect the adapter when not?