Dear Apple Developer Technical Support, I am currently developing a macOS network filtering solution using NetworkExtension with NEFilterDataProvider. During implementation of the handleOutboundData logic, we are using the following verdict: NEFilterNewFlowVerdict.filterDataVerdict( withFilterInbound: true, peekInboundBytes: InboundPeekBytes, filterOutbound: true, peekOutboundBytes: OutboundPeekBytes ) However, we have encountered an issue when SMB traffic is involved. When SMB protocol communication occurs, the network connection occasionally becomes unresponsive or appears to stall when peekOutboundBytes is set to a large value. Through testing, we observed the following behavior: On some systems, reducing the peekOutboundBytes value allows SMB communication to proceed normally. On other systems, even relatively small values can still cause the SMB connection to stall. This behavior appears inconsistent across different macOS environments. Because of this, we would like to clarify the following: Is there a documented or recommended maximum value for peekOutboundBytes when using NEFilterNewFlowVerdict.filterDataVerdict? Are there any internal limits or constraints within NetworkExtension that could cause SMB traffic to stall when the peek buffer size is too large? Are there best practices for selecting appropriate peekInboundBytes / peekOutboundBytes values when filtering high-throughput protocols such as SMB? If necessary, we can provide additional information such as macOS version, test environment details, and logs. Thank you for your assistance. Best regards, sangho

I'm building a macOS network monitor using NEFilterDataProvider as a system extension, distributed with Developer ID signing. On macOS 26.3 (Tahoe), sysextd consistently rejects the activation request with "no policy, cannot allow apps outside /Applications" — despite the app being in /Applications and passing every verification check. I'm aware of the known Xcode NE signing bug (r. 108838909) and have followed the manual signing process from Exporting a Developer ID Network Extension. I've also tried both xcodebuild build and xcodebuild archive workflows — identical failure. Environment macOS 26.3 (25D125), SIP enabled Xcode 26.3 (17C529) Hardware Apple M2 Pro Certificate Developer ID Application (issued Jan 30, 2026 — 27 days old) MDM/Profiles None installed Signing & Verification (all pass) $ spctl -a -vv /Applications/Chakshu.app /Applications/Chakshu.app: accepted source=Notarized Developer ID origin=Developer ID Application: ROBIN SHARMA (R65679C4F3) $ codesign --verify --deep --strict -vv /Applications/Chakshu.app /Applications/Chakshu.app: valid on disk /Applications/Chakshu.app: satisfies its Designated Requirement $ xcrun stapler validate /Applications/Chakshu.app The validate action worked! App signing: Authority=Developer ID Application: ROBIN SHARMA (R65679C4F3) Authority=Developer ID Certification Authority Authority=Apple Root CA TeamIdentifier=R65679C4F3 Runtime Version=26.2.0 Notarization Ticket=stapled App entitlements: com.apple.application-identifier = R65679C4F3.dev.indrasvat.chakshu com.apple.developer.team-identifier = R65679C4F3 com.apple.developer.system-extension.install = true com.apple.developer.networking.networkextension = [content-filter-provider-systemextension] keychain-access-groups = [R65679C4F3.*] Extension signing: Same Developer ID authority, same team, same timestamp. Extension entitlements match (minus system-extension.install). Developer ID provisioning profiles are embedded in both app and extension. What sysextd logs Captured Feb 26, 2026 from log stream --predicate 'process == "sysextd"': sysextd [com.apple.sx:XPC] client activation request for dev.indrasvat.chakshu.filter sysextd attempting to realize extension with identifier dev.indrasvat.chakshu.filter sysextd (Security) SecKeyVerifySignature ← pass (×2) sysextd (Security) SecTrustEvaluateIfNecessary ← pass (×2) sysextd [com.apple.xpc:connection] activating connection: name=com.apple.CodeSigningHelper sysextd [com.apple.xpc:connection] invalidated after the last release sysextd no policy, cannot allow apps outside /Applications sysextd [com.apple.sx:XPC] client connection invalidated Signature and trust evaluation pass. CodeSigningHelper completes. Then the policy check fails. The app receives OSSystemExtensionError code 4 (extensionNotFound). What I've tried and ruled out Build process: Approach Result xcodebuild build -configuration Release + manual re-sign Same failure xcodebuild archive + export from archive + manual re-sign (per thread/737894) Same failure Minimal hand-crafted Xcode project (no xcodegen, trivial code) Same failure Both workflows follow Quinn's process exactly: build with Apple Development → copy app → embed Developer ID provisioning profiles → re-sign inside-out (extension first, then app) with -systemextension suffix entitlements → notarize → staple → install to /Applications. System-level checks: Rebooting — no change Killing sysextd — no change Removing com.apple.quarantine xattr — no change chown root:wheel on app bundle — no change lsregister -r (reset Launch Services) — no change Waiting 27 days for certificate propagation — no change Reinstalling via Finder drag-to-Applications — no change No MDM or configuration profiles installed /Library/SystemExtensions/db.plist shows extensionPolicies: [] (empty) Key observation Pre-existing network extensions activated before macOS 26 work fine on this machine. For example, Tailscale's NEPacketTunnelProvider shows state: activated_enabled in the system extensions database — it was activated on a prior macOS version and is still running. Only new system extension activations fail. I've seen similar Tahoe-specific reports from LuLu (same NEFilterDataProvider type, Developer ID distribution): LuLu #825 LuLu #831 Questions Is this a known regression in macOS 26's sysextd policy evaluation for new Developer ID system extension activations? sysextd's policy check fails after all signature and trust evaluation succeeds. Is there a separate trust/policy path that sysextd consults beyond what spctl, codesign, and CodeSigningHelper verify? Is there anything else I should be checking? I have a sysdiagnose captured immediately after the failure, a minimal reproducer project, and full raw sysextd logs available on request.

Hi, On macOS 26.4 Beta (25E5218f) （macOS Tahoe 26 Developer Beta ）, the network filter causes network failures or slowdowns. This manifests as Chrome failing to access websites, while Safari can access the same websites without issue. The affected websites can be pinged locally. My situation is similar to this situation.The same question link is: https://github.com/objective-see/LuLu/issues/836 Have you been paying attention to this issue? Hopefully, it can be fixed in the official release. Thank you.

Hi Apple Network Team, Good day. Recently we are experiencing some issues that when iOS or iPad OS connected to a Wi-Fi with captive portal, iOS sometimes failed to launch the full captive portal website. Based on TCPDump and WLAN dump logs, when this failure happened, we only see web client on iOS queried AAAA and HTTPS DNS queries without A query. Not all the websites are supporting and being hosted on both IPv4 and IPv6 servers. Is there a know bug on iOS and iPad OS side including OS version >= 36.2.

Dear Apple Developer Support Team, I am writing to inquire about the process for obtaining approval for the following entitlement in my iOS/macOS app: <key>com.apple.developer.networking.networkextension</key> <array> <string>content-filter-provider</string> </array> Specifically, I would like guidance on: The steps required to submit a request for this entitlement. Any necessary documentation or justification that needs to be provided to Apple. Typical review timelines and approval criteria. Any restrictions or compliance requirements associated with this entitlement. Our app intends to implement a content filtering functionality to enhance network security and user safety. We want to ensure full compliance with Apple’s policies and guidelines. Could you please provide detailed instructions or point us to the relevant resources to initiate this approval process? Thank you for your assistance.

We are currently experiencing an issue that occurs only on iPhone 17 models. In our app, after connecting to an external device, users can download multiple video files stored on the device. When downloading several videos consecutively, the device consistently stops receiving responses midway through the process. As a result, no response is returned, and the connection between the app and the device is eventually lost. This issue does not occur on any iPhone models prior to iPhone 17. It is reproducible across all iPhone 17 devices within our company. This is a critical issue, and we need urgent assistance. The main error logs show two patterns: • Connection loss • Timeout At the OS level, the only error codes we receive are: • -1005 (Network connection lost) • -1001 (Request timed out) Unfortunately, we are unable to obtain more detailed error information beyond these codes, which makes further debugging difficult. We have attached the relevant logs below. We would greatly appreciate any guidance on how to further investigate or resolve this issue. 310.0 / :: 81 % ::: 251.21481481481482 310.0 / :: 82 % ::: 254.23280423280423 310.0 / :: 83 % ::: 257.3820105820106 310.0 / :: 84 % ::: 260.4 KeepAlive SEND id=423F1336-6239-4B3B-9414-5A987D85D564 at=2026-02-24T12:56:43Z timeout=60.000000s current: D20-Q2-PLUS, ssid: D20-Q2-PLUS_136a63 KeepAlive SKIP (in-flight) tcp_output [C10.1.1:3] flags=[R.] seq=4017430266, ack=4146413113, win=2048 state=CLOSED rcv_nxt=4146413113, snd_una=4017429847 nw_read_request_report [C10] Receive failed with error "Operation timed out" nw_flow_add_write_request [C10 192.168.000.0:443 failed parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good)] cannot accept write requests nw_write_request_report [C10] Send failed with error "Socket is not connected" Task <5BDBE621-329A-45E9-B236-9C173E92A41F>.<7> HTTP load failed, 361/0 bytes (error code: -1005 [4:-4]) Task <5BDBE621-329A-45E9-B236-9C173E92A41F>.<7> finished with error [-1005] Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x13e632160 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x14cfe5a90 [0x201746068]>{length = 16, capacity = 16, bytes = 0x100201bbc0a86f010000000000000000}, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <5BDBE621-329A-45E9-B236-9C173E92A41F>.<7>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <5BDBE621-329A-45E9-B236-9C173E92A41F>.<7>" ), NSLocalizedDescription=The network connection was lost., NSErrorFailingURLStringKey=https://192.168.000.0/keepalive, NSErrorFailingURLKey=https://192.168.000.0/keepalive, _kCFStreamErrorDomainKey=4} KeepAlive FAIL id=423F1336-6239-4B3B-9414-5A987D85D564 elapsed=29.203s status=-1 error=Optional(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x13e632160 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x14cfe5a90 [0x201746068]>{length = 16, capacity = 16, bytes = 0x100201bbc0a86f010000000000000000}, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, ), NSLocalizedDescription=The network connection was lost., KeepAlive FAIL 1001 Log KeepAlive SEND id=FC433405-C1F7-47EF-AF9E-D12E67B071FA at=2026-02-24T12:22:38Z timeout=60.000000s current: D20-Q2-PLUS, ssid: VUEROID_D20-Q2-PLUS_136a63 KeepAlive FAIL id=FC433405-C1F7-47EF-AF9E-D12E67B071FA elapsed=7.834s status=-1 error=Optional(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={_kCFStreamErrorCodeKey=60, NSUnderlyingError=0x135e612f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "(null)" UserInfo={_NSURLErrorNWPathKey=satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi, LQM: good, _kCFStreamErrorCodeKey=60, _kCFStreamErrorDomainKey=1}}, ), NSLocalizedDescription=The request timed out., NSErrorFailingURLKey=https://192.168.000.0/keepalive, _kCFStreamErrorDomainKey=1})) KeepAlive FAIL ignored count=1 error=Server error : Optional(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={_kCFStreamErrorCodeKey=60, KeepAlive SEND id=A64AE4C0-28B4-41E3-AAC9-422C41D99D15 at=2026-02-24T12:22:58Z timeout=60.000000s KeepAlive FAIL id=110B96DA-4D88-45E0-B8F7-D0A9798593AE elapsed=43.605s status=-1 error=Optional(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x135e60f60 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x144dfee40 [0x201746068]>{length = 16, capacity = 16, bytes = 0x100201bbc0a86f010000000000000000}, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, ), NSLocalizedDescription=The network connection was lost., NSErrorFailingURLStringKey=https://192.168.000.0/keepalive, NSErrorFailingURLKey=https://192.168.000.0/keepalive, _kCFStreamErrorDomainKey=4})) KeepAlive FAIL ignored count=2 error=Server error : Optional(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x135e60f60 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x144dfee40 [0x201746068]>{length = 16, capacity = 16, bytes = 0x100201bbc0a86f010000000000000000}, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, Network type changed, hasWiFiInterface :false We are sending a keepalive request every 30 seconds to maintain the connection state with the device. Most of the issues occur during this keepalive process, and this is when the logs mentioned earlier are generated. Based on our debugging so far, the keepalive function itself is being called as expected. However, the execution appears to stall while waiting for a response from the device. After remaining in that state for some time, the session eventually ends with either a timeout or a connection loss error. We are use almofire 4.0.1. According to the firmware developer, when this issue occurs, there are no corresponding values or logs received on the device side. Therefore, we are currently investigating whether this might be related to a networking issue on the iPhone side. All other features are functioning normally. The problem occurs only when downloading VOD video files, and the reproduction rate is 100% under that condition.

Dear Apple Carrier Relations / Engineering Team, I am writing to you from MKSmart, a leading smart card and digital security solution provider. We have successfully deployed our SM-DP+ (Subscription Management Data Preparation+) system, which is fully compliant with GSMA standards. Furthermore, MKSmart has officially achieved the GSMA SAS-SM (Security Accreditation Scheme for Subscription Management) certification. Currently, we are facing technical difficulties when attempting to download eSIM profiles onto iPhone devices. The download process fails, and we believe our SM-DP+ server address (FQDN) or Root Certificates may not yet be whitelisted or recognized by Apple’s ecosystem. To ensure a seamless experience for our customers on iOS devices, we would like to request your guidance on the following: Onboarding Process: What are the formal steps for MKSmart to have our SM-DP+ server recognized and trusted by Apple devices? Whitelisting: How can we submit our SM-DP+ FQDN and Root Certificates for Apple’s review and inclusion in the trusted list? Carrier Bundle: Does MKSmart need to coordinate with specific carrier partners to update the Carrier Bundle, or is there a direct integration path for our infrastructure? We have attached our GSMA SAS-SM certification and technical specifications for your reference. We are ready to provide any additional documentation or perform interoperability testing as required. We look forward to your guidance and a successful collaboration. Best regards, Nguyen Do Khanh Software Engineer MKSmart Joint Stock Company https:\mksmart.com.vn

Starting in iOS 26.4, PushKit has introduced a new "didReceiveIncomingVoIPPushWithPayload" delegate, making it explicit whether or not an app is required to report a call for any given push. The new delegate passes in a PKVoIPPushMetadata object which includes a "mustReport" property. We have not documented the exact criteria that will cause a mustReport to return false, but those criteria currently include: The app being in the foreground at the point the push is received. The app being on an active call at the point the push is received. The system determines that delivery delays have made the call old enough that it may no longer be viable. When mustReport is false, apps should call the PushKit completion handler (as they previously have) but are otherwise not required to take any other action. __ Kevin Elliott DTS Engineer, CoreOS/Hardware

I've been able to run this sample project with the PIRServer. But the urls are still not blocked. https://aninterestingwebsite.com/documentation/networkextension/filtering-traffic-by-url https://github.com/apple/pir-service-example I got this on the log Received filter status change: <FilterStatus: 'running'>

I'm debugging an app I'm building and everything I'm seeing suggests I need to put in a request to Apple to turn on NetworkExtension → Packet Tunnel Provider entitlement for our Team ID and bundle IDs. 1: Is this true? 2: Doesn't the option in xcode handle this?

I'm building a HomeKit app that discovers Thread devices and visualizes the mesh topology. I can detect device roles (Router vs End Device via characteristic 0x0703) and identify Border Routers (via _meshcop._udp), but I cannot determine which Router is the parent of a given End Device. Any Thread device can act as a Router (a Nanoleaf bulb, an Eve plug, not just HomePods), and End Devices attach to these Routers as children. That parent-child relationship is what I'm trying to map, but there's no RLOC16, neighbor table, or parent identifier exposed through any available API. I've tested every path I can find. Here's what I've tried on a network with 44 Thread devices and 6 Border Routers: What works (partially) HAP Thread Management Service (0x0701) gives me the device role from characteristic 0x0703, the OpenThread version from 0x0706, and node capabilities from 0x0702. That's the complete set of characteristics on that service. None of them contain RLOC16, parent Router, or neighbor data. This service also only exists on HAP-native Thread devices. My 20 Matter-over-Thread devices (Aqara, Eve Door, SmartWings, Onvis S4) don't have it at all. MeshCoP Bonjour (_meshcop._udp) identifies Border Routers and the network name/Extended PAN ID. No topology data about other mesh nodes. What doesn't work ThreadNetwork framework (THClient) - retrieveAllCredentials() returns error Code 3 because the app can't access credentials stored by Apple Home. Even if it worked, THCredentials only contains network config (name, PAN ID, channel), not topology. Direct CoAP queries - Border Routers don't route traffic from WiFi to Thread management ports. Mesh-local addresses aren't reachable. No Thread NWInterface in Network.framework. Network.framework - No visibility into the Thread mesh from the WiFi side. The only remaining path I can see (but it's not practical) Matter cluster 0x0035 (Thread Network Diagnostics) appears to have exactly what I need: RLOC16, NeighborTable with isChild boolean, RouteTable. I haven't implemented this because it requires commissioning each device individually onto my app's own Matter fabric via Multi-Admin. That's 21 separate user-initiated pairing actions on my network. I can't ask end users to do that. The core issue Every Thread Router (whether it's a HomePod acting as a Border Router or a Nanoleaf bulb acting as a mesh Router) knows its own children and neighbors. The Border Routers also maintain route tables covering the mesh backbone. This data exists on the user's own devices but none of it is exposed to third-party apps. Even something minimal would help. HMAccessory already exposes matterNodeID as a cross-protocol identifier. Exposing RLOC16 the same way would be enough, since parent-child relationships are encoded in the address itself (ParentRLOC = ChildRLOC & 0xFC00). Has anyone found another approach I'm missing? Thanks in advance for any pointers.

My team is developing an enterprise VPN application that needs to respond to Mobile Device Management (MDM) profile installations and removals in real-time. Our app uses the NetworkExtension framework and needs to update the UI immediately when VPN configurations are added or removed via MDM. We are currently observing NEVPNConfigurationChangeNotification to detect VPN configuration changes: While NEVPNConfigurationChangeNotification fires reliably when users manually remove VPN profiles through Settings > General > VPN & Device Management, it appears to have inconsistent behavior when MDM profiles containing VPN configurations are installed programmatically via MDM systems. STEPS TO REPRODUCE From MDM Admin Console: Deploy a new VPN profile to the test device On Device: Wait for MDM profile installation (usually silent, no user interaction required) Check Device Settings: Go to Settings > General > VPN & Device Management to confirm profile is installed Return to App: Check if the UI shows the new VPN profile

Hello team, I am trying to find out a way to block urls in the chrome browser if it is found in local blocked list cache. I found URL Filter Network very much suitable for my requirement. But I see at multiple places that this solution is only for Enterprise level or MDM or supervised device. So can I run this for normal user ? as my targeting audience would be bank users. One more thing how can I test this in development environment if we need supervised devices and do we need special entitlement ? When trying to run sample project in the simulator then getting below error

Hey! Wa are developing a VPN app for iOS and whenever we enable enforceRoutes we see 20% to 30% download and upload speed drop. Here are example results from our environment: | Upload | Download | ------------------------------------------ enforceRoutes off | 337.65 | 485.38 | ------------------------------------------ enforceRoutes on | 236.75 | 357.80 | ------------------------------------------ Is this behavior known and expected? Is there anything we can do to mitigate the effect of enforceRoutes in our application? Test were performed on iOS 26.2.1.

I’m using Network Framework with UDP and calling: connection.receive(minimumIncompleteLength: 1, maximumLength: 1500) { data, context, isComplete, error in ... // Some Logic } Is it possible for this completion handler to be called with data==nil if I haven't received any kind of error, i.e., error==nil and the connection is still in the .ready state?

Hello, We are implementing a Transparent Proxy using NETransparentProxyProvider and configuring NETransparentProxyNetworkSettings with NENetworkRule. Currently, NENetworkRule requires: NENetworkRule( destinationHost: NWHostEndpoint(hostname: String, port: String), protocol: .TCP / .UDP / .any ) NWHostEndpoint.port accepts only a single port value (as a String) or an empty string for all ports. At present, we are creating a separate NENetworkRule for each port in the range (ex for range 49152–65535 approximately 16,384 rules). After deploying this configuration, we observe the following behavior: nesessionmanager starts consuming very high CPU (near 100%) The system becomes unresponsive The device eventually hangs and restarts automatically The behavior resembles a kernel panic scenario This strongly suggests that creating thousands of NENetworkRule entries may not be a supported or scalable approach. Questions: Is there any officially supported way to specify a port range in NENetworkRule? Is creating thousands of rules (one per port) considered acceptable or supported? Is the recommended design to intercept broadly (e.g., port = "") and filter port ranges inside handleNewTCPFlow / handleNewUDPFlow instead? Are there documented system limits for the number of NENetworkRule entries allowed in NETransparentProxyNetworkSettings?

iOS mTLS Client Certificate Authentication Fails in TestFlight with Error -25303 Problem I'm building an iOS app that uses mTLS (client certificates received from server at runtime). Storing SecCertificate to keychain fails with error -25303 in both development and TestFlight builds, preventing SecIdentity creation needed for URLSession authentication. Environment: iOS 18.2, iPad Pro, TestFlight internal testing, keychain-access-groups properly configured Diagnostic Results Testing keychain operations shows an interesting pattern: ✅ Generic Password - Works: let addQuery: [CFString: Any] = [ kSecClass: kSecClassGenericPassword, kSecAttrAccount: "test", kSecValueData: "password".data(using: .utf8)! ] SecItemAdd(addQuery as CFDictionary, nil) // Returns: 0 (success) ✅ SecKey - Works: let addKeyQuery: [CFString: Any] = [ kSecClass: kSecClassKey, kSecValueRef: privateKey, kSecAttrApplicationTag: tag ] SecItemAdd(addKeyQuery as CFDictionary, nil) // Returns: 0 (success) ❌ SecCertificate - Fails: let addCertQuery: [CFString: Any] = [ kSecClass: kSecClassCertificate, kSecValueRef: certificate, // Created from server-provided PEM kSecAttrApplicationTag: tag ] SecItemAdd(addCertQuery as CFDictionary, nil) // Returns: -25303 Code Context Attempting to create SecIdentity for mTLS: private func createIdentity(fromCert certPEM: String, key keyPEM: String) throws -> SecIdentity { // 1. Parse PEM to DER and create SecCertificate - succeeds guard let certData = extractPEMData(from: certPEM, type: "CERTIFICATE"), let certificate = SecCertificateCreateWithData(nil, certData as CFData) else { throw CertificateError.invalidCertificate } // 2. Parse PEM key and create SecKey - succeeds guard let keyData = extractPEMData(from: keyPEM, type: "PRIVATE KEY"), let privateKey = SecKeyCreateWithData(keyData as CFData, attrs as CFDictionary, &error) else { throw CertificateError.invalidKey } // 3. Add key to keychain - SUCCEEDS (errSecSuccess) let tempTag = UUID().uuidString.data(using: .utf8)! SecItemAdd([ kSecClass: kSecClassKey, kSecValueRef: privateKey, kSecAttrApplicationTag: tempTag ] as CFDictionary, nil) // ✅ Works // 4. Add certificate to keychain - FAILS (-25303) let status = SecItemAdd([ kSecClass: kSecClassCertificate, kSecValueRef: certificate, kSecAttrApplicationTag: tempTag ] as CFDictionary, nil) // ❌ Fails with -25303 guard status == errSecSuccess else { throw CertificateError.keychainError(status) } // 5. Would query for SecIdentity (never reached) // ... } Network Behavior When mTLS fails, console shows: Connection: asked for TLS Client Certificates Connection: received response for client certificates (-1 elements) Connection: providing TLS Client Identity (-1 elements) Task received response, status 403 The -1 elements indicates no certificates were provided. Entitlements <key>keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)com.ellin.tshios</string> </array> Keychain Sharing capability is enabled. What I've Tried Both kSecValueRef and kSecValueData approaches - same error Various kSecAttrAccessible values - same error Different keychain access groups - same error TestFlight build (vs dev build) - same error PKCS#12 creation - requires complex ASN.1/DER encoding, no iOS API Questions Is error -25303 expected when adding SecCertificate in development/TestFlight builds? Will App Store distribution resolve this? Or is there a fundamental limitation? Why does SecKey succeed but SecCertificate fails with identical entitlements? Is there an alternative to create SecIdentity without keychain access? Constraints Certificates come from server at runtime (cannot bundle) Need SecIdentity for URLSession client certificate authentication Server provides PEM format certificates Tested on: Simulator (dev), iPad Pro (dev), iPad Pro (TestFlight) - all fail Any insights appreciated - specifically whether this is a provisioning profile limitation that App Store distribution would resolve.

Hi, I’m implementing a NetworkExtension content filter provider on iOS and I can’t get it to activate on device. I have an iOS app (App Store distribution) with a content filter provider extension (NEFilterDataProvider). The app builds, installs, and runs fine, and the extension is embedded correctly. Entitlements appear to be set for both the app and the extension, and the extension’s Info.plist is configured as expected. However, when I try to enable the filter via NEFilterManager (loadFromPreferences → set configuration → isEnabled = true → saveToPreferences), saveToPreferences fails with NEFilterErrorDomain code 1 and the message “Configuration invalid or read/write failed.” The extension never starts and startFilter() is never called. Main app bundle ID: uk.co.getnovi.student Extension bundle ID: uk.co.getnovi.student.NoviContentFilter Extension type: NEFilterDataProvider We are testing on an iPhone 15 running iOS 18.6.2 (22G100), the app is designed to run on iPhone. This app is intended for education use on student-owned personal iPhones installed from the App Store. The devices we are testing on are not supervised and not enrolled in MDM. We already use the Family Controls framework (ManagedSettings) for app restrictions and have the com.apple.developer.family-controls entitlement enabled for App Store distribution. I’ve read TN3134 and noticed content filter providers on iOS are described as “supervised devices only” in general, with additional notes around iOS 15.0 for “apps using Screen Time APIs” and iOS 16.0 for “per-app on managed devices,” plus a note that in the Screen Time case content filters are only supported on child devices. My question is whether this error is what you’d expect when attempting to enable a content filter provider on a non-supervised, non-managed device, or whether this should still work if the entitlement and configuration are correct. If non-supervised devices are not supported, is there any supported path for enabling NEFilter on iOS without supervision/MDM (for example via the Screen Time / Family Controls child authorization pathway), or will the system always refuse to enable the filter on standard devices? In summary: is NEFilterDataProvider supported on non-supervised devices for consumer App Store apps, or is this a platform restriction that cannot be worked around? Thanks, Matt

Hi, I’m implementing a NetworkExtension content filter provider on iOS and I can’t get it to activate on device. I have an iOS app (App Store distribution) with a content filter provider extension (NEFilterDataProvider). The app builds, installs, and runs fine, and the extension is embedded correctly. Entitlements appear to be set for both the app and the extension, and the extension’s Info.plist is configured as expected. However, when I try to enable the filter via NEFilterManager (loadFromPreferences → set configuration → isEnabled = true → saveToPreferences), saveToPreferences fails with NEFilterErrorDomain code 1 and the message “Configuration invalid or read/write failed.” The extension never starts and startFilter() is never called. Main app bundle ID: uk.co.getnovi.student Extension bundle ID: uk.co.getnovi.student.NoviContentFilter Extension type: NEFilterDataProvider We are testing on an iPhone 15 running iOS 18.6.2 (22G100). This app is intended for education use on student-owned personal iPhones installed from the App Store. The devices we are testing on are not supervised and not enrolled in MDM. We already use the Family Controls framework (ManagedSettings) for app restrictions and have the com.apple.developer.family-controls entitlement enabled for App Store distribution. I’ve read TN3134 and noticed content filter providers on iOS are described as “supervised devices only” in general, with additional notes around iOS 15.0 for “apps using Screen Time APIs” and iOS 16.0 for “per-app on managed devices,” plus a note that in the Screen Time case content filters are only supported on child devices. My question is whether this error is what you’d expect when attempting to enable a content filter provider on a non-supervised, non-managed device, or whether this should still work if the entitlement and configuration are correct. If non-supervised devices are not supported, is there any supported path for enabling NEFilter on iOS without supervision/MDM (for example via the Screen Time / Family Controls child authorization pathway), or will the system always refuse to enable the filter on standard devices? TLDR: is NEFilterDataProvider supported on non-supervised devices for consumer App Store apps, or is this a platform restriction that cannot be worked around? Thanks, Matt

I’m building a macOS app with a DNS Proxy system extension for Developer ID + notarization, deployed via MDM, and Xcode fails the Developer ID Release build with a provisioning profile mismatch for com.apple.developer.networking.networkextension. Environment macOS: Sequoia (15.7.2) Xcode: 26.2 Distribution: Developer ID + notarization, deployed via MDM Host bundle ID: com.mydns.agent.MyDNSMacProxy DNS Proxy system extension bundle ID: com.mydns.agent.MyDNSMacProxy.dnsProxy Host entitlements (Release): File: MyDNSMacProxy/MyDNSMacProxyRelease.entitlements: "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>B234657989.com.mydns.agent.MyDNSMacProxy</string> <key>com.apple.developer.networking.networkextension</key> <array> <string>dns-proxy</string> </array> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.team-identifier</key> <string>B234657989</string> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>group.com.mydns.MyDNSmac</string> </array> <key>keychain-access-groups</key> <array> <string>B234657989.*</string> </array> </dict> </plist> xcodebuild -showBuildSettings -scheme MyDNSMacProxy -configuration Release : PROVISIONING_PROFILE_SPECIFIER = main MyDNSMacProxy5 CODE_SIGN_IDENTITY = Developer ID Application Host Developer ID profile main_MyDNSMacProxy5.provisionprofile (via security cms -D): "Entitlements" => { "com.apple.application-identifier" => "B234657989.com.mydns.agent.MyDNSMacProxy" "com.apple.developer.team-identifier" => "B234657989" "com.apple.security.application-groups" => [ "group.com.mydns.MyDNSmac", ..., "B234657989.*" ] "keychain-access-groups" => [ "B234657989.*" ] "com.apple.developer.system-extension.install" => 1 "com.apple.developer.networking.networkextension" => [ "packet-tunnel-provider-systemextension", "app-proxy-provider-systemextension", "content-filter-provider-systemextension", "dns-proxy-systemextension", "dns-settings", "relay", "url-filter-provider", "hotspot-provider" ] } So: App ID, team ID, keychain and system‑extension.install match. The profile’s com.apple.developer.networking.networkextension is a superset of what I request in the host entitlements (dns-proxy only). System extension (for context) DNS Proxy system extension target: NSExtensionPointIdentifier = com.apple.dns-proxy NetworkExtension → NEProviderClasses → com.apple.networkextension.dns-proxy → my provider class Entitlements: com.apple.developer.networking.networkextension = ["dns-proxy-systemextension"] This target uses a separate Developer ID profile and builds successfully. Xcode error Release build of the host fails with: …MyDNSMacProxy.xcodeproj: error: Provisioning profile "main MyDNSMacProxy5" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. (in target 'MyDNSMacProxy' from project 'MyDNSMacProxy') Xcode UI also says: Entitlements: 6 Included, 1 Missing Includes com.apple.developer.team-identifier, com.apple.application-identifier, keychain-access-groups, com.apple.developer.system-extension.install, and com.apple.security.application-groups. Doesn’t match entitlements file value for com.apple.developer.networking.networkextension. Because of this, the app bundle isn’t produced and I can’t inspect the final signed entitlements. Questions: For com.apple.developer.networking.networkextension, should Xcode accept a subset of values in the entitlements (here just dns-proxy) as long as that value is allowed by the Developer ID profile, or does it currently require a stricter match? Is the following configuration valid for Developer ID + MDM with a DNS Proxy system extension: Host entitlements: ["dns-proxy"] System extension entitlements: ["dns-proxy-systemextension"] Host profile’s NE array includes the DNS Proxy system extension types. If this is a known limitation or bug in how Xcode validates NE entitlements for Developer ID, is there a recommended workaround? Thanks for any guidance.