Comments aren’t designed for creating long replies; it’s better to just put your reply in the badly named Your Answer box [1]. I guess I should have figured that out from other forum postings. (Still pine for the simpler lists.apple.com days of yore.) Glad to know I'm not the only one misled by the “Your Answer” heading though. :) The docs do explain the philosophy behind this. Consider this quote from the top-level Content Filter Providers page: I had read that overview in the past, but had forgotten the caveats once I'd moved on to the API documentation and appeared to be getting somewhere. That does seem adequately explicit. Note that this only applies to iOS. The filter provider story on macOS is less restrictive. Alas, we haven’t updated the docs to cover that development. In fact we've already deployed such an implementation on MacOS, with the System Extension EndpointSecurity entitlement, to much success. I was hoping a similar approach could be used on iOS. There is no similar entitlement available to elevate the sandbox privileges, I suppose? Would a Packet Tunnel Provider be a reasonable alternative approach?

An NEPacket returned by -[NEFilterPacketProvider delayCurrentPacket:] (called from its packetHandler callback) also yields a nil metadata object. Is this expected? I'd like to acquire the affiliated application's pid, per the technique implied here - https://developer.apple.com/forums/thread/127248.

Tested on both 10.15 and 11.0. Surely I'm overlooking something fundamental. Any hints?