Hi all,
I'm working on a small PoC to get Content Filtering (FilterDataProvider) working on macOS without any user interaction.
So far, I've pushed two payloads to my machine using user-approved MDM enrollment:
com.apple.system-extension-policy
com.apple.webcontent-filter
The application containing the network extension is present in /Applications.
The installation of both profiles succeeds and I can see a Content Filter is created in the Network section of System Settings. Even the status says "Enabled", but the dot remains orange.
Inspecting the system logs (specifically: filtering on process:neagent) shows me the following error:
Failed to find a com.apple.networkextension.filter-data extension inside of app com.my.app.containing.the.ext
Only when I submit an activation request using OSSystemExtensionRequest.activationRequest, the network extension starts (without prompts, as expected) and everything works.
Is this expected behaviour? Do I need to submit an activation request through code regardless of the fact that MDM pre-approved the System Extension prompts and created the Content Filter in the System Settings?
We're trying to make our Content Filter solution work on Shared iPads. We leverage the Network Extension framework, more specifically the Content Filter Providers.
On regular, 1:1 iPads, this works perfectly fine. However, on Shared iPads we see some weird behaviour.
Upon logging in with a MAID everything initially seems fine. However, in about 5 to 10 seconds the user is automatically logged out and an error indicating "a connection to iCloud could not be made" is presented to the user.
After investigating the logs it turns out this is caused by the fact that the network is unreachable. For example:
Jan 19 00:33:04 cloudd(CFNetwork)[5867] <Error>: Task <F5DC7C46-422D-4265-A364-B3C859BF6291>.<1> finished with error [-1009] Error Domain=NSURLErrorDomain Code=-1009 UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0xefe89ffc0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 UserInfo={_NSURLErrorNWPathKey=unsatisfied (Path was denied by NECP policy), interface: en0[802.11], ipv4, dns, uses wifi, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, NSLocalizedDescription=<private>, NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _kCFStreamErrorDomainKey=1}
Test device:
iPad Pro (11-inch) running iPadOS 17.2 (21C62)
My assumption:
It looks like the filter providers start "too late". In the meantime the device is trying to reach the network, but since there is a Content Filter configuration in place all traffic is denied until the extension is started (and the completionHandler has been called with a nil error).
I can see in the logs that, about 5 seconds after the home screen is visible, the Content Filter Providers are starting:
...
Jan 19 00:52:54 neagent(NetworkExtension)[7086] <Notice>: Extension request with data extension <our filterData bundle ID> started with identifier 63576D2C-A484-4D07-9753-ADC99BFDB7A6
...
Jan 19 00:52:55 neagent(NetworkExtension)[7086] <Notice>: Extension request with control extension <our filterControl bundle ID> started with identifier 51D19516-C860-48B8-AB83-0F43D5F613CB
...
Is my assumption correct? Are the Content Filter providers even officially supported by Apple on Shared iPads? Is there anything we can do to fix this issue?
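One way to check the timing assumption described in the post above against a captured log, as an added example that is not part of the original post: it counts "Path was denied by NECP policy" errors before and after both filter extensions log a start. The function name `triage`, the sample lines, the placeholder bundle IDs, the parsing year, and the use of the neagent start lines as a proxy for the filter being active are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the syslog shape quoted in the post (not real device logs).
# Bundle IDs and identifiers are placeholders.
SAMPLE_LOG = """\
Jan 19 00:52:49 cloudd(CFNetwork)[5867] <Error>: Task <T1>.<1> finished with error [-1009] {_NSURLErrorNWPathKey=unsatisfied (Path was denied by NECP policy), interface: en0[802.11]}
...
Jan 19 00:52:51 cloudd(CFNetwork)[5867] <Error>: Task <T2>.<1> finished with error [-1009] {_NSURLErrorNWPathKey=unsatisfied (Path was denied by NECP policy), interface: en0[802.11]}
Jan 19 00:52:54 neagent(NetworkExtension)[7086] <Notice>: Extension request with data extension com.example.filterData started with identifier AAAA
Jan 19 00:52:55 neagent(NetworkExtension)[7086] <Notice>: Extension request with control extension com.example.filterControl started with identifier BBBB
Jan 19 00:52:58 cloudd(CFNetwork)[5867] <Error>: Task <T3>.<1> finished with error [-1009] {_NSURLErrorNWPathKey=unsatisfied (Path was denied by NECP policy), interface: en0[802.11]}
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<proc>\w+)\(\w+\)\[\d+\] <\w+>: (?P<msg>.*)$")
DENIED = "Path was denied by NECP policy"
START = re.compile(r"Extension request with (?P<kind>data|control) extension .+? started with identifier")


def triage(log_text, year=2024):
    """Count NECP denials before and after both filter extensions have started.

    The log lines carry no year, so `year` is an arbitrary value used only for parsing.
    """
    denials, starts = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip "..." elisions and anything not in the expected shape
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if DENIED in m["msg"]:
            denials.append(ts)
            continue
        s = START.search(m["msg"])
        if s and m["proc"] == "neagent":
            starts.setdefault(s["kind"], ts)  # keep the first start of each kind
    # Assumption: the filter is treated as up once both extensions have logged a start.
    up = max(starts.values()) if {"data", "control"} <= starts.keys() else None
    before = [t for t in denials if up is None or t < up]
    gap = (up - min(before)).total_seconds() if up and before else None
    return {
        "filter_started": up,
        "denied_before": len(before),
        "denied_after": len(denials) - len(before),
        "gap_seconds": gap,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-zero `denied_after` means denials continued after both extensions logged a start, which a late start alone would not account for.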
Hi all,
I'm creating a DNS extension that'll forward specific queries over HTTPS, all other queries should be routed through the system DNS server over UDP.
In iOS 14.5 and lower this worked perfectly. Using a NWConnection I forwarded UDP traffic to the configured system DNS server(s), this UDP traffic generated by NWConnection was not routed through the DNS extension.
However, since iOS 14.6 we experience a loop where traffic generated by the DNS extension gets routed through itself.
Is this expected behaviour or a regression in 14.6? And if this is expected behaviour, what would be the recommended way to prevent this?
Thanks!
Hi all,
I'm trying to use Core ML inside the FilterDataProvider in order to determine the sentiment of a given search query. The ML model is about 400 KB in size.
However, as soon as I try to initialise the model in code by doing this:
```swift
let model = try? Sentiment(contentsOf: Sentiment.urlOfModelInThisBundle)
```
The extension gets killed by jetsam:
20:58:32.877130+0200 osanalyticshelper 201 0x2c548 Process FilterData [1030] killed by jetsam reason per-process-limit
Is this because Core ML is not supported within network extensions? Or is the process so constrained that even a relatively small model can't be loaded? And if it should be supported, how can I best debug this?
Thanks!