Hi Mike.ly/Quinn,
We are also facing the second issue, where an authorisation or security dialog is prompted while our AppProxyProvider is using the configured client certificate with IdentityReference - https://developer.apple.com/documentation/networkextension/nevpnprotocol/1406609-identityreference. Please let us know if there is any workaround with config or code changes to solve this issue. The log messages below are seen in the console during the issue:
19:41:19.378021+0530 securityd no tag given; looking for all ACL entries
debug 19:41:19.383491+0530 securityd Bundle: private, key: -2147411889, value: -2147411889, table: SecDebugErrorMessages, localizationName: (null), result: CSSMERR_CL_UNKNOWN_TAG
info 19:41:19.383609+0530 securityd displaying keychain prompt for /Applications/Tunnel.app/Contents/PlugIns/AppProxyProvider.appex
Thanks
Hi Matt,
So the workflow could be to filter on all traffic, decide if the application is coming from an app you want to filter and return true to handle the filter. Return false to let the flow traverse the system as normal.
As mentioned above, in NETransparentProxyProvider, returning NO from handleNewFlow: lets the flow traverse the system as normal, but we have a requirement where we want to stop the flow from traversing the system as normal in this case (achieving something similar to "Connection Refused" in NEAppProxyProvider). Any suggestions or workarounds will be very helpful here. Thanks
For NETransparentProxyProvider, discarding the flow would be an enhancement request.
You could try doing content filtering with NEFilterDataProvider in front of the proxy as an option.
Thanks Matt, opened FB9099075 for it.
Thanks Matt,
Use NEAppProxyProvider instead of NETransparentProxyProvider.
Couldn't get the above completely: NETransparentProxyProvider extends NEAppProxyProvider, and NETransparentProxyProvider is available in macOS 11.0 (Big Sur). We have extended NETransparentProxyManager in our TransparentProxy, and are receiving the flow at handleNewFlow:
Hi Quinn,
Please let us know if there is anything we can do for the above, like using special entitlements.
Thanks
No problem. In that case you could try the approach of: Return YES from handleNewFlow: and then immediately call closeReadWithError: and closeWriteWithError: on the flow.
Thanks much Matt, it worked on Catalina (macOS 10.15.7). We are having an inherent issue on Big Sur (macOS 11) with NETransparentProxyProvider and so couldn't try it on Big Sur; will open DTS for this.
Thanks Matt/Quinn.
We have been using AppProxyProvider as an appex for some time now, mainly as PerAppVPN. It works fine on iOS, and on macOS we get this alert. We will try using a System Extension for macOS and see if it fixes the issue.
Thanks @eskimo for acknowledging it, any update on the feedback will help as customers are constantly asking for updates.
@eskimo:
Thanks for the reply. A slightly similar issue is seen with the macOS 14.4.1 update and many customers are facing this. Need help on this.
It is working on iOS 17.5 GA, thanks.