Reply to NEHotspotHelper “unresponsive” or “timed out” logs—Are they triggered by .evaluate?
App (BUNDLEID) is using the NEHotspotHelper API and is unresponsive to the API's evaluate command. The API gives third-party apps 45 seconds to respond, and then it launches WebSheet to allow the user to interact with the portal.

// Captive state machine started
2024-09-20 19:39:35.722906-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] en0: SSID 'Costco Member Wifi' setting interface rank Never (no cache entry)
// Captive evaluation started
2024-09-20 19:39:35.729462-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] CNPluginHandler en0: Evaluating
2024-09-20 19:39:35.803915-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] en0: Probing 'Costco Member Wifi'
// Builtin completed its evaluation
2024-09-20 19:39:36.666749-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] en0: Redirect detected on 'Costco Member Wifi'
// app acknowledged the evaluate command delivery
2024-09-20 19:39:36.669560-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] [com.xfinity.digitalhome] acknowledged the command delivery
// evaluation timed out after 45 seconds
2024-09-20 19:40:20.807153-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] CNPluginHandler en0: Authenticating (BUILTIN)
1d
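Added example, not code from the post above or from Apple: a small parser for the configd CaptiveNetworkSupport lines quoted in that reply, which measures the interval between the helper app acknowledging the evaluate command and the system switching to BUILTIN authentication. The sample log is copied from the post; the 45-second budget and the 2-second slack used to call a gap "consistent with a timeout" are taken from the post's own description and are assumptions, not something the log format itself states.

```python
"""Measure how long an NEHotspotHelper app took to answer an evaluate
command, from configd (CaptiveNetworkSupport) log lines.

Added example; not from the original post or from Apple."""
import re
from datetime import datetime

# Sample lines copied from the post above (timestamps exactly as logged).
SAMPLE_LOG = """\
2024-09-20 19:39:35.722906-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] en0: SSID 'Costco Member Wifi' setting interface rank Never (no cache entry)
2024-09-20 19:39:35.729462-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] CNPluginHandler en0: Evaluating
2024-09-20 19:39:35.803915-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] en0: Probing 'Costco Member Wifi'
2024-09-20 19:39:36.666749-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] en0: Redirect detected on 'Costco Member Wifi'
2024-09-20 19:39:36.669560-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] [com.xfinity.digitalhome] acknowledged the command delivery
2024-09-20 19:40:20.807153-0700 0xb2a Default 0x0 50 0 configd: (CaptiveNetworkSupport) [com.apple.captive:Controller] CNPluginHandler en0: Authenticating (BUILTIN)
"""

# Only lines from the captive Controller subsystem are of interest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4}) "
    r".*?\[com\.apple\.captive:Controller\] (?P<msg>.*)$"
)
ACK_RE = re.compile(r"^\[(?P<bundle>[^\]]+)\] acknowledged the command delivery$")
BUILTIN_RE = re.compile(r"^CNPluginHandler \S+: Authenticating \(BUILTIN\)$")

# Assumption taken from the post: third-party helpers get 45 s to respond.
HELPER_BUDGET_S = 45.0


def parse_captive_log(text):
    """Return [(datetime, message)] for captive Controller lines, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z")
            events.append((ts, m["msg"]))
    return events


def helper_response_gap(events):
    """(bundle_id, seconds) between the helper's acknowledgement of the
    evaluate command and the first BUILTIN authentication that follows it.
    Returns None if either event is missing."""
    ack_ts = bundle = builtin_ts = None
    for ts, msg in events:
        am = ACK_RE.match(msg)
        if am and ack_ts is None:
            ack_ts, bundle = ts, am["bundle"]
        elif ack_ts is not None and builtin_ts is None and BUILTIN_RE.match(msg):
            builtin_ts = ts
    if ack_ts is None or builtin_ts is None:
        return None
    return bundle, (builtin_ts - ack_ts).total_seconds()


def looks_like_timeout(gap_s, budget_s=HELPER_BUDGET_S, slack_s=2.0):
    """Heuristic: a gap close to the full budget means the helper never
    answered and the system fell back to its built-in handling."""
    return gap_s >= budget_s - slack_s


if __name__ == "__main__":
    result = helper_response_gap(parse_captive_log(SAMPLE_LOG))
    if result:
        bundle, gap = result
        verdict = "timed out" if looks_like_timeout(gap) else "answered"
        print(f"{bundle}: {gap:.3f} s after acknowledgement -> {verdict}")
```

On a real device, feed it the output of `log show --predicate 'subsystem == "com.apple.captive"'` (or the lines pasted from Console) instead of SAMPLE_LOG; the interface name in the BUILTIN line is not assumed to be en0.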
Reply to NEPacketTunnel Provider Leaking Traffic
Yes, inside of the PacketTunnel Provider we use sockets to bind to an interface. This is used for faster failover, avoiding bad networks and aggregating for speed. With includeAllNetworks set to on, we can successfully bind to pdp_ip0 when en0 is active; however, attempting to use that socket, it gets routed through the default en0 interface. You can test it out by binding to pdp_ip0 with includeAllNetworks on and sending a ping to ifconfig, and it will return with the default interface's IP.
Jun ’24
Reply to NEPacketTunnel Provider Leaking Traffic
One of the biggest issues is that if you set includeAllNetworks, then attempt to bind to a cellular adapter via sockets OR use NWConnection and prohibit WiFi and require Cellular but you are on a WiFi network, NECP will deny the cellular use. When binding, it will succeed, but then route traffic over the default route anyway. Ideally, with includeAllNetworks, we would like to bind to each adapter and decide when each should be used. Is this expected with includeAllNetworks?
Jun ’24
Reply to NEPacketTunnel Provider Leaking Traffic
I'm encountering issues with using includeAllNetworks where NECP is denying adapter usage, among other problems. Are you aware of any specific reasons why setting default routes wouldn't direct traffic through the tunnel? Additionally, it seems that with includeAllNetworks, enforcing routes may not function as expected. Any insights or guidance you could provide on these matters would be greatly appreciated.
Jun ’24
Reply to XPC via NEMachServiceName
Hey Matt, thanks for your reply. We are constantly sending messages back and forth from the container to the provider and back. We have a running daemon that updates the UI with statistics, setting updates and network changes relevant to the user. We currently use sendProviderMessage but it's not ideal. I would much rather use XPC (NEMachServiceName); is this available on iOS? Our current macOS app uses the Network Extension (we will send it to the App Store) and we would like to use XPC there also; is it possible with a sandboxed app?
Oct ’20
Reply to Problem with Network Extension & System Extension
Hey Quinn, I managed to get the system extension launching correctly. My main problem now is that the extension is not able to reach the internet. I see errors like this when attempting an outgoing connection:

default 14:15:26.116883-0400 CSSM Exception: 3 unknown error 3=3 com.Sample.SampleExtension
default 14:15:26.120630-0400 CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR com.Sample.SampleExtension
default 14:15:26.124533-0400 CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR com.Sample.SampleExtension

Lastly, the com.apple.managed.vpn.shared keychain access group: that is not needed if I don't need to read creds from the profile, correct? BTW, I created a second sample app just to be sure and it's hitting that as well. I can send you the sample app. I sent an email over to you today. I have SIP disabled and also have systemextensionsctl developer on.
Aug ’20
Reply to Problem with Network Extension & System Extension
Hey Quinn, thanks for the reply! You already know how to dump a profile. To dump the entitlements of an app or extension, use:

codesign -d --entitlements :- /path/to/your/bundle

Here is the output.

<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>com.appid</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAMID</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.appid</string>
    </array>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>TEAMID.com.apple.managed.vpn.shared</string>
    </array>
</dict>
</plist>

default 12:25:15.618196-0400 Provider is signed with a Developer ID certificate neagent
error 12:25:15.618223-0400 Rejecting app extension provider com.appid.PacketTunnel because it is signed with a Developer ID certificate neagent

Everything seems right. Am I missing anything?
Aug ’20
Reply to questions about EndpointSecurity & System Extension
I am seeing this fail after notarizing my Packet Tunnel Provider. I see:

error 16:49:08.750262-0400 NEVPNTunnelPlugin([476]): Validation of the extension failed nesessionmanager
default 16:49:08.750966-0400 NESMVPNSession[Primary Tunnel::7BB4FF26-2EAD-47AF-85F7-880749561AD0:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin([476]) started with PID 0 error (null) nesessionmanager
error 16:49:08.750013-0400 Rejecting app extension provider PacketTunnel because it is signed with a Developer ID certificate neagent

I've checked my embedded profile:

security cms -D -i /Applications/MYAPP.app/Contents/embedded.provisionprofile

<key>Entitlements</key>
<dict>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider-systemextension</string>
        <string>app-proxy-provider-systemextension</string>
        <string>content-filter-provider-systemextension</string>
        <string>dns-proxy-systemextension</string>
        <string>dns-settings</string>
    </array>
    <key>com.apple.application-identifier</key>
    <string>BUNDLEID</string>
    <key>keychain-access-groups</key>
    <array>
        <string>TEAM.*</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAM</string>
    <key>com.apple.developer.associated-domains</key>
    <string>*</string>
</dict>

Notarization was approved with its .dmg. Any ideas?
Aug ’20
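Added example, not code from the two replies above or from Apple, covering both of them: the neagent lines in each post reject the provider because it is signed with a Developer ID certificate, and both posters then compare the extension's entitlements against the provisioning profile by hand. The script below does both checks offline on captured text: it classifies the leaf certificate from `codesign -dvv` output, and it reports entitlement keys or values the extension claims that the profile's `Entitlements` dict does not grant (wildcards such as `TEAM.*` honoured). The `codesign -dvv` sample and the two profile plists are constructed, loosely modelled on the posts; the extension entitlements are the ones dumped in the first reply. Skipping the `com.apple.security.*` sandbox entitlements, which do not appear in a profile, is an assumption of this check.

```python
"""Offline checks for a Network Extension system extension bundle:
leaf signing certificate kind, and entitlements vs. provisioning profile.

Added example; not from the original posts or from Apple."""
import plistlib
from fnmatch import fnmatchcase

# Constructed sample of `codesign -dvv <bundle>` output (it goes to stderr).
SAMPLE_CODESIGN_DVV = """\
Identifier=com.appid.PacketTunnel
Format=bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (TEAMID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID
"""

# Entitlements as dumped with `codesign -d --entitlements :-` (from the post above).
SAMPLE_EXT_ENTITLEMENTS = b"""<plist version="1.0">
<dict>
  <key>com.apple.application-identifier</key><string>TEAMID.com.appid</string>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>packet-tunnel-provider-systemextension</string></array>
  <key>com.apple.developer.system-extension.install</key><true/>
  <key>com.apple.developer.team-identifier</key><string>TEAMID</string>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>keychain-access-groups</key>
  <array><string>TEAMID.com.apple.managed.vpn.shared</string></array>
</dict>
</plist>
"""

# Constructed profile (the plist `security cms -D -i` prints), trimmed to the
# keys that matter here. This one grants everything the extension asks for.
SAMPLE_PROFILE_OK = b"""<plist version="1.0">
<dict>
  <key>Name</key><string>Example Developer ID profile</string>
  <key>Entitlements</key>
  <dict>
    <key>com.apple.application-identifier</key><string>TEAMID.*</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
      <string>packet-tunnel-provider-systemextension</string>
      <string>app-proxy-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key><true/>
    <key>com.apple.developer.team-identifier</key><string>TEAMID</string>
    <key>keychain-access-groups</key><array><string>TEAMID.*</string></array>
  </dict>
</dict>
</plist>
"""

# Same profile with the networkextension capability left out, to show a gap.
SAMPLE_PROFILE_MISSING_NE = SAMPLE_PROFILE_OK.replace(
    b"""    <key>com.apple.developer.networking.networkextension</key>
    <array>
      <string>packet-tunnel-provider-systemextension</string>
      <string>app-proxy-provider-systemextension</string>
    </array>
""", b"")

# Leaf certificate common-name prefixes Apple issues; first match wins.
LEAF_KINDS = (
    ("Developer ID Application:", "developer-id"),
    ("Apple Development:", "development"),
    ("Mac Developer:", "development"),
    ("Apple Distribution:", "app-store"),
    ("3rd Party Mac Developer Application:", "app-store"),
)

# Assumption: sandbox-family entitlements are not gated by the profile.
UNGATED_PREFIXES = ("com.apple.security.",)


def signing_kind(codesign_dvv):
    """Classify the leaf signer from `codesign -dvv` text. The first
    Authority= line is the leaf certificate; later ones are the chain."""
    for line in codesign_dvv.splitlines():
        if line.startswith("Authority="):
            leaf = line[len("Authority="):]
            for prefix, kind in LEAF_KINDS:
                if leaf.startswith(prefix):
                    return kind
            return "unknown"
    return "adhoc-or-unsigned"  # ad-hoc signatures print no Authority lines


def _covered(granted, claimed):
    """Does a profile value (possibly wildcarded) cover the claimed value?"""
    if isinstance(granted, list) and isinstance(claimed, list):
        return all(any(fnmatchcase(c, g) for g in granted) for c in claimed)
    if isinstance(granted, str) and isinstance(claimed, str):
        return fnmatchcase(claimed, granted)
    return granted == claimed


def entitlement_gaps(ext_plist, profile_plist):
    """[(key, reason)] for claimed entitlements the profile does not grant.
    Accepts a full profile plist or just its Entitlements dict."""
    claimed = plistlib.loads(ext_plist)
    profile = plistlib.loads(profile_plist)
    granted = profile.get("Entitlements", profile)
    gaps = []
    for key, value in claimed.items():
        if key.startswith(UNGATED_PREFIXES):
            continue
        if key not in granted:
            gaps.append((key, "not in profile"))
        elif not _covered(granted[key], value):
            gaps.append((key, "value not covered by profile"))
    return gaps
```

In practice, pipe `codesign -dvv <bundle> 2>&1` into `signing_kind`, and the outputs of `codesign -d --entitlements :- <bundle>` and `security cms -D -i <profile>` into `entitlement_gaps`; a non-empty result, or a signer kind that neagent refuses for this provider type, is the thing to fix before chasing the CSSM noise.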