Our app has a network system extension that it uses and during the install process we prompt the user to go to "Security & Privacy" in Settings to Allow it to run. A lot of the time users just hit "Ok" without actually going to the Settings and when they go to use the App we have no way, that we know of, to tell if the startup has failed because they just haven't Allowed the extension to run.
Is there an API call that we can use to determine if our extension has been Allowed so that if it hasn't we can prompt them to go to Settings again?
Our company's security policies require that SIP be enabled all the time which makes it difficult to develop my System Extension since I need to uninstall anytime I need to test any changes to a newly compiled extension. Is there any way to uninstall the extension with SIP enabled? I already have developer mode on. Is there anything in Xcode that can do this? Thx
In my iOS VPN app the user can change between full tunnel or split tunnel.
With full tunnel the PacketTunnelProvider includedRoutes are set to defaultRoute and in split tunnel the includedRoutes are set to what the user has configured.
When going from full tunnel to split everything works as expected and I see the routing table change and packets flow as expected.
However, when going from split tunnel to full, even though I see the routing table updated with the default route setting, I am seeing no packets coming in on my readPacketsWithCompletionHandler for my TUN interface.
I know the interface is active because I can bind to it and send data just fine (as a test) but nothing in the system appears to be working.
I do the same exact thing in macOS and it works flawlessly.
Thoughts?
Our company has 2 developer accounts, an old one and a new one that we are transitioning to. Until today when logged into the Developer website I could select which account I wanted to look at but now I only see the new one. The same is true for Xcode: when I add my account it used to give me both the old and new and now it only gives me the new. If I log into App Store Connect I can see both accounts as expected.
The unfortunate part is I need to compile the App using the old account and cannot.
Any help is appreciated.
On macOS I find the port range by using sysctlbyname() with the params net.inet.ip.portrange.first and net.inet.ip.portrange.last, which works. But on iOS/iPadOS I am getting "Operation Not permitted". Is there another way of doing this on iOS/iPadOS?
I am seeing a random crash in the NEPacketTunnelFlow dispatch queue after several minutes to several hours of running traffic through the PTP and I was hoping someone could point me in the right direction as to what is happening.
Attached is the full crash report but here is a snippet:
[crash.txt](https://developer.apple.com/forums/content/attachment/735f7f48-7129-4521-befa-87ac88322e98)
Process: com.cradlepoint.netcloud.agent.extension [63907]
Path: /Library/SystemExtensions/*/com.cradlepoint.netcloud.agent.extension
Identifier: com.cradlepoint.netcloud.agent.extension
Version: 1.100 (1)
Code Type: X86-64 (Native)
Parent Process: launchd [1]
User ID: 0
Date/Time: 2023-05-13 17:20:16.4626 -0600
OS Version: macOS 13.3.1 (22E772610a)
Report Version: 12
Bridge OS Version: 7.4 (20P4252)
Anonymous UUID: 27D22D69-B050-5484-7F51-A2ABFD60C2E2
Sleep/Wake UUID: B3C27F8E-10DB-4AF9-B02B-A506571814F6
Time Awake Since Boot: 240000 seconds
Time Since Wake: 131510 seconds
System Integrity Protection: disabled
Crashed Thread: 13 Dispatch queue: NEPacketTunnelFlow queue
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Application Specific Information:
abort() called
Thread 13 Crashed:: Dispatch queue: NEPacketTunnelFlow queue
0 libsystem_kernel.dylib 0x7ff80ddf71f2 __pthread_kill + 10
1 libsystem_pthread.dylib 0x7ff80de2eee6 pthread_kill + 263
2 libsystem_c.dylib 0x7ff80dd55b45 abort + 123
3 libc++abi.dylib 0x7ff80dde9282 abort_message + 241
4 libc++abi.dylib 0x7ff80dddb3e1 demangling_terminate_handler() + 241
5 libobjc.A.dylib 0x7ff80daaf7d6 _objc_terminate() + 104
6 libc++abi.dylib 0x7ff80dde86db std::__terminate(void (*)()) + 6
7 libc++abi.dylib 0x7ff80dde8696 std::terminate() + 54
8 libdispatch.dylib 0x7ff80dc8e047 _dispatch_client_callout + 28
9 libdispatch.dylib 0x7ff80dc90b65 _dispatch_continuation_pop + 463
10 libdispatch.dylib 0x7ff80dca27af _dispatch_source_invoke + 2184
11 libdispatch.dylib 0x7ff80dc94088 _dispatch_lane_serial_drain + 393
12 libdispatch.dylib 0x7ff80dc94d39 _dispatch_lane_invoke + 366
13 libdispatch.dylib 0x7ff80dc9f3fc _dispatch_workloop_worker_thread + 765
14 libsystem_pthread.dylib 0x7ff80de2bc55 _pthread_wqthread + 327
15 libsystem_pthread.dylib 0x7ff80de2abbf start_wqthread + 15
Is there anything in the current Network API that allows a program to operate at the IP layer, i.e. Layer 3? I would like to be able to do some sort of IPinIP tunneling but everything I have currently seen does not allow this to occur. Am I correct?
I have been told that the life cycle of a NetExt is short/transient, that it is loaded into memory with 'startTunnel' and unloaded, i.e. exited, on 'stopTunnel'.
So my question is whether or not this is true. Is this an actual requirement or can the NetExt, once loaded, stay in memory, running even when the Tunnel is disconnected?
TIA
Is there any way to completely remove or disable the "Connect On Demand" feature on a NETunnelProviderManager VPN Profile so a user cannot enable it? My solution requires that the user must manually connect or disconnect and even though I don't provide any onDemandRules the option still shows up.
TIA
My app, which uses the network extension, compiles and runs just fine in 12.x but upon moving to 13 I am now getting the following error:
com.cradlepoint.netcloud.agent.extension: Unsatisfied entitlements: com.apple.security.application-groups
Any suggestions or pointers would be appreciated. Thank you
I have both of these working but when the NETunnelProviderManager is created it installs a VPN Profile into the System's Network Interfaces which gives the user the ability to override behaviors of my app that I do not want them to do. This is an Enterprise solution and the authentication and configuration occurs outside of the Network Extension. So my question is a) can I just utilize the NEPacketTunnelProvider, which I need to instantiate a utun device (our previous version was using a KExt to do this), by itself? b) if not, is there any way I can make the VPN profile read only so a user cannot modify the contents/settings?
TIA