Hello Quinn,
Is there a way to automatically give my tool access to the private key in the keychain using Configuration profiles or something else on a managed device?
Regards,
Hello Quinn,
Thanks for following up on this. I tried two options in the Keychain Access App GUI for the private key of the certificate:
Allow all applications to access this item
Specifically added my tool to the list of "Always allow access by these applications"
I also tried using the -A option of the security import command, but that didn't help either.
Please let me know if the above is what you meant by adding the tool to the item's ACL in keychain access.
Hello Quinn,
Thanks for your response. My command line tool was signed with my development certificate for testing; basically I built it using Xcode and ran it locally. But ultimately this code will be part of a launch daemon that is sent to Apple for notarisation as part of the package.
I imported a p12 file into the keychain manually using the Keychain Access app and added it to the login keychain.
Regards,
Dhananjay
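The keychain ACL step discussed in the two posts above, as an added example that is not code from the thread and not Apple's sample code. It wraps the same `security import` command, but uses `-T` to name one specific tool instead of `-A`, which the `security` man page itself marks as insecure, and `-x` so the imported private key is non-extractable. Two facts a practitioner should keep in mind when using it: an ACL entry identifies the tool by its code signature, so the binary granted access has to be the same signed binary that later runs; and a launch daemon runs outside any user session, so the login keychain is not in its search list and the System keychain is normally the right target for a daemon. The p12 path, tool path and passphrase are assumptions for illustration.

```swift
import Foundation

/// Added example (not from the thread): import a PKCS#12 and grant one named tool
/// access to the private key through the item's ACL, rather than "any application".
struct KeychainImport {
    var p12Path: String            // assumption: path to the PKCS#12 bundle
    var passphrase: String         // assumption: PKCS#12 passphrase
    var keychainPath: String       // login keychain for a user agent, System keychain for a daemon
    var trustedTools: [String]     // absolute paths of the signed tools that may use the key

    /// Argument list for /usr/bin/security. `-T` adds each tool to the key's
    /// "Always allow access by these applications" list; `-x` marks the private
    /// key non-extractable, so the ACL grants use (sign/decrypt), not export.
    func importArguments() -> [String] {
        var args = ["import", p12Path, "-k", keychainPath, "-P", passphrase, "-f", "pkcs12", "-x"]
        for tool in trustedTools {
            args += ["-T", tool]
        }
        return args
    }

    /// Runs the import and returns the `security` exit status (0 on success).
    @discardableResult
    func run() throws -> Int32 {
        let process = Process()
        process.executableURL = URL(fileURLWithPath: "/usr/bin/security")
        process.arguments = importArguments()
        try process.run()
        process.waitUntilExit()
        return process.terminationStatus
    }
}

// Usage for a launch daemon (assumed paths; must run as root to write the System keychain).
let daemonImport = KeychainImport(
    p12Path: "/private/tmp/tool-client.p12",
    passphrase: "changeit",
    keychainPath: "/Library/Keychains/System.keychain",
    trustedTools: ["/Library/PrivilegedHelperTools/com.example.tool"]
)

// Usage for a per-user agent instead (assumed path).
let agentImport = KeychainImport(
    p12Path: "/private/tmp/tool-client.p12",
    passphrase: "changeit",
    keychainPath: NSHomeDirectory() + "/Library/Keychains/login.keychain-db",
    trustedTools: ["/Applications/ExampleTool.app/Contents/MacOS/ExampleTool"]
)

print(daemonImport.importArguments().joined(separator: " "))
let status = try daemonImport.run()
print("security import exited with \(status)")
```

Passing the passphrase with `-P` exposes it to `ps` for the lifetime of the `security` process; for a packaged installer, reading it from a root-only file or a pipe is the usual mitigation. If the tool is still prompted after the ACL entry is in place, check the key's ACL with `security dump-keychain -a` and confirm that the path listed matches the signed binary actually being executed.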
Hello MobileTen,
Thanks for your response. Is there a way to set this up such that the keychain access is not prompted and allowed automatically on a managed/supervised machine?
Hi Matt,
I don't want to make any flow verdict, I just want to monitor the traffic for the entire duration of the connection. I return
NEFilterDataVerdict(passBytes: readBytes.count, peekBytes: Int.max)
from my inbound and outbound data handlers. This is resulting in a huge drop of more than 10 times in network bandwidth.
Please let me know if I didn't understand your answer correctly.
Hi Matt,
Sure, I will check the transmission size for TLS connections.
Regarding FilterDataProviders, your comment suggests to me that FilterDataProviders may not be a good solution for monitoring data from the start of the connection to the termination of connection. If this is true, what should be used to monitor traffic for the entire duration of the connection?
Regards
Hi Matt,
We are not using TLS connections. This is what I do:
connection = provider.createTCPConnection(to: appProxyFlow.remoteEndpoint, enableTLS: false, tlsParameters: nil, delegate: nil)
I didn't understand your point on using TLS here. I am just forwarding whatever I get from application flow to the TCP connection created above. Please note that I don't have any tunnel server. I am passing to the remote endpoint just using the connection created above. I just want to see all traffic and note some metadata about connection like: when the connection was established, do some web activity monitoring etc. I don't intend to decrypt TLS in any way.
Although I am digressing here now from the original topic: but I tried using NEFilterDataProvider as well to monitor the traffic and I see similar network speed slowdown. I am not doing anything in the handleInbound and handleOutbound callbacks except for the below line:
return NEFilterDataVerdict(passBytes: readBytes.count, peekBytes: Int.max)
I also tried playing a bit with what I pass to peekBytes but didn't see much change, and couldn't find any guideline on how to set peekBytes. I can open a separate thread for this though if you would like.
I will check in Instruments if I can do something about the CPU usage, but the network speed slowdown is a blocker for me.
Regards
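The two ways a content filter can handle a flow, as an added example that is not code from the thread and not Apple's sample code; it applies to the NEFilterDataProvider verdicts shown in the two posts above. Returning `.allow()` from `handleNewFlow` records the metadata the posts ask for (when the connection was opened, the remote endpoint, the URL where the system knows it) and takes the extension out of the data path entirely, so no bytes are delivered to it. A `NEFilterDataVerdict(passBytes:peekBytes:)` verdict, by contrast, keeps every byte of the flow passing through the extension process for the flow's lifetime, and with `peekBytes: Int.max` asks the framework to keep buffering the whole stream; that per-byte copy is the cost to measure when investigating a throughput drop. The example peeks a bounded amount of each direction only for flows it chooses to inspect, then returns `.allow()` to hand the rest back to the system. The subsystem name, the 1 KiB peek size and the port-80-only policy are assumptions for illustration.

```swift
import NetworkExtension
import os.log

/// Added example (not from the thread): a content filter that records connection
/// metadata for every flow and inspects payload bytes only where it must.
final class MonitoringFilterDataProvider: NEFilterDataProvider {
    private let log = OSLog(subsystem: "com.example.monitor", category: "flows") // assumed name
    private let state = DispatchQueue(label: "com.example.monitor.state")
    private var opened: [UUID: Date] = [:]
    private let inspectBytes = 1024 // assumption: bounded peek instead of Int.max

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        let now = Date()
        state.sync { opened[flow.identifier] = now }
        let remote = (flow as? NEFilterSocketFlow)?.remoteEndpoint
        os_log("open %{public}@ remote=%{public}@ url=%{public}@", log: log,
               flow.identifier.uuidString, String(describing: remote),
               flow.url?.absoluteString ?? "-")

        // Metadata-only flows: allow() means the extension never sees their bytes.
        guard wantsPayload(flow) else { return .allow() }

        // Bounded peek: the framework delivers at most `inspectBytes` per direction
        // before the first data callback, rather than buffering the whole stream.
        return .filterDataVerdict(withFilterInbound: true, peekInboundBytes: inspectBytes,
                                  filterOutbound: true, peekOutboundBytes: inspectBytes)
    }

    override func handleOutboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int,
                                     readBytes: Data) -> NEFilterDataVerdict {
        record(flow, direction: "out", offset: offset, bytes: readBytes)
        // Opening bytes have been seen; hand the rest of this direction back to the system.
        // Returning NEFilterDataVerdict(passBytes: readBytes.count, peekBytes: Int.max) here
        // instead would keep every subsequent byte flowing through this process.
        return .allow()
    }

    override func handleInboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int,
                                    readBytes: Data) -> NEFilterDataVerdict {
        record(flow, direction: "in", offset: offset, bytes: readBytes)
        return .allow()
    }

    override func handleOutboundDataComplete(for flow: NEFilterFlow) -> NEFilterDataVerdict {
        return .allow()
    }

    override func handleInboundDataComplete(for flow: NEFilterFlow) -> NEFilterDataVerdict {
        return .allow()
    }

    /// Example policy (assumption): only plaintext HTTP on port 80 gets a payload peek;
    /// TLS and everything else is metadata only.
    private func wantsPayload(_ flow: NEFilterFlow) -> Bool {
        guard let socket = flow as? NEFilterSocketFlow,
              let endpoint = socket.remoteEndpoint as? NWHostEndpoint else { return false }
        return endpoint.port == "80"
    }

    /// Logs how far into the flow and how long after open the first bytes arrived.
    private func record(_ flow: NEFilterFlow, direction: String, offset: Int, bytes: Data) {
        let t0 = state.sync { opened[flow.identifier] } ?? Date()
        os_log("%{public}@ %{public}@ offset=%d bytes=%d t+%.3fs", log: log,
               flow.identifier.uuidString, direction, offset, bytes.count,
               Date().timeIntervalSince(t0))
    }
}
```

Because flow callbacks can arrive on different threads, the `opened` table is guarded by a serial queue. If full-stream capture is really required for some flows, keep the bounded `peekBytes` and pass only what has been examined each time, and measure the extension's CPU and the end-to-end throughput with and without the data verdict so the overhead of the copy can be separated from anything else in the path.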
Hi Matt,
Thanks very much for responding to the thread. Would you be able to advise me on how to fix this problem? I assume the completion handler for NWTCPConnection.write is called as soon as the data is written into the local socket buffer and does not wait for ACKs from the remote side.
The issue is happening consistently and is fairly easy to reproduce. I also see CPU usage for my system extension fluctuate around 50% when running the iperf test. I can check anything you would like to investigate at my end. If you want I can also share the code or the Wireshark captures that I collected.
Regards