
NSURLSession bypasses connectionProxyDictionary when proxy connection cannot be established
Hi Apple Engineers,

We are making an iOS app which uses NSURLSession for network communication. To provide enterprise customers the ability to monitor network traffic, we want to support proxy settings inside our app. So, we take advantage of the connectionProxyDictionary property of NSURLSessionConfiguration. We set the kCFNetworkProxiesProxyAutoConfigURLString key, and expect requests that are scripted to be proxied to either go through the proxy or fail when the proxy is not reachable. This is necessary because we don't want requests to go out without being monitored.

But during development we noticed that when the proxy server is not reachable, requests don't always fail with kCFErrorHTTPProxyConnectionFailure or kCFErrorHTTPSProxyConnectionFailure (CFNetworkError 306 and 310). More specifically, the behaviors we observed are as follows:

- PAC URL resolution timeout: Task failed with 306/310
- PAC URL resolution error: Task bypassed proxy and succeeded
- PAC file download timeout: Task failed with 306/310
- PAC file download error: Task bypassed proxy and succeeded
- PAC file parse error: Task bypassed proxy and succeeded
- Proxy server connection timeout: Task failed with 306/310
- Proxy server connection error: Task bypassed proxy and succeeded

The inconsistency of the error handling behavior is confusing. Is this a bug? If not, is there a way to configure NSURLSession to always yield an error without bypassing the proxy when any of the above happens?
Replies: 4 | Boosts: 0 | Views: 1.4k | Activity: May ’22
What is the recommended way to programmatically apply proxy to WKWebView
Hi Apple engineers!

We are making an iOS browser and are planning to deliver a feature that allows enterprise customers to use a MAM key to set a PAC file for proxy. It's designed to support unmanaged devices, so the MDM-based solutions like 'Global HTTP Proxy MDM payload' or 'Per-App VPN' simply don't work.

After doing some research we found that with WKWebView, the only framework allowed on iOS for web browsing, there's no API for programmatically setting a proxy. The closest API is the WKURLSchemeHandler, but it's for data management, not network request interception; in other words, it cannot be used to handle HTTP/HTTPS requests well.

When we go from the web-view level to the app level, it seems there's no API to let an app set a proxy for itself at an app level. The closest API is Per-App VPN, but as mentioned above, Per-App VPN is only available for managed devices, so we can't use that either.

Eventually we go to the system level and try to use Network Extension, but there are still obstacles. It seems Network Extension doesn't directly provide a way to write the system proxy. In order to achieve that, we may have to use Packet Tunnel Provider in destination IP mode and create a local VPN server to loop back the network traffic and do the proxy stuff in that server. In other words, the custom VPN protocol is 'forward directly without encryption'. This approach looks viable as we see some of the network analysis tools use this approach, but still I'd like to ask: is this against App Store Review Guidelines?

If the above approach with Network Extension is not against App Store Review Guidelines, I have a further question: what is the NEProxySettings of NETunnelNetworkSettings for? Is it the proxy which proxies the VPN traffic (in order to hide the source IP from the VPN provider), or is it the proxy to use after network traffic goes into the virtual private network?

If none of the above is considered recommended, what is the recommended way to programmatically set proxy on WKWebView on an unmanaged device (regardless of where the proxy runs, web-view/app/system)?
Replies: 3 | Boosts: 0 | Views: 1.4k | Activity: Apr ’22
Per App VPN detection on iOS
Hello!

Is it possible to read the Per App VPN config from a managed app and manually send requests to the proxy app on iOS?

I'm working on a cross-platform app which uses sockets to do the networking. It handles proxy itself by reading CFNetworkCopySystemSettings(). However, since Per-App VPN is not applied system wide, the available keys for iOS in 'Global Proxy Settings Constants' aren't present in the return value. As a result, the app ignores the Per App VPN and sends requests directly.

By printing out the return value, I saw a hidden __SCOPED__ key. It seems when a proxy is running, other than eth0, there will be another interface like utun2 listed there. Can I use that to read the Per App VPN config?
Replies: 6 | Boosts: 0 | Views: 1.7k | Activity: Dec ’21