I am running into an issue with running a PacketTunnelProvider as a system extension, and fast user switching. Since the VPN is running as root, it runs outside any user context, and is accessible to all users on the machine. I can see the following behavior: Login to User A Connect VPN Fast switch to user B Open Safari, observe that traffic is directed and sent out the VPN. (As noted by the ability to browse otherwise un-reachable websites). Is there a way to detect that a fast user switch is happening? And disconnect the VPN when user B takes control of the screen. I know NSWorkspace is not a daemon-safe API. So NSWorkspaceSessionDidResignActiveNotification and like will not be useful here. One alternative would be to use NSWorkspace notifications in the GUI and alert the system extension via XPC. But that wouldn't work in the case where there isn't a GUI, such as with ConnectOnDemand. Is there a daemon-safe API to use or some other alternative? Thanks

In iOS, how to use code to turn on the system's hotspot?

We are trying to configure split tunnel with tunnel routes with the below Tunnel Provider configuration tunnelProvider.protocolConfiguration.includeAllNetworks = NO; tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO; tunnelProvider.protocolConfiguration.enforceRoutes = YES; We are adding some IPs in the excludeRoutes[10.168.10.182 and 192.168.10.65]. Please refer the below network settings for VPN IPv4Settings = { configMethod = manual addresses = ( 10.168.10.68, ) subnetMasks = ( 255.255.255.255, ) includedRoutes = ( { destinationAddress = 0.0.0.0 destinationSubnetMask = 0.0.0.0 }, ) excludedRoutes = ( { destinationAddress = 192.168.10.65 destinationSubnetMask = 255.255.255.255 }, { destinationAddress = 10.168.10.182 destinationSubnetMask = 255.255.255.255 }, ) overridePrimary = NO } Issue: when we are trying to access excludedRoute's IP [10.168.10.182 and 192.168.10.65] , it's getting tunneled. Expected Results : excludedRoutes IPs should go via physical interface.

I would like to know, do we have any support from iOS in order to turn on wifi and bluetooth using internal apis on tap of a button in my IOS App, I am struggling to find information over this, more precisely , I want to turn on wifi from my custom widget in I phone, is it possible then please share info.

Issue Description: I have an iOS VPN application. When VPN tunnel is in connected state and network goes off, it’s designed to stay in reasserting state until network is back. But with iOS 17 and later tunnel is moved to disconnected state after 5 mins in reasserting state when no network. Logs on iOS 16 and Below: Upto iOS 16 and below, When tunnel is in connected state and network goes off, VPN state is moved to reasserting state and it stays in this state until network is back. We can see below device console logs: Entering state NESMVPNSessionStateReasserting status changed to reasserting Logs on iOS 17 and Later: But from iOS 17 and later, When tunnel is in connected state and network goes off, VPN state is moved to reasserting state and it stays in this state for 5 mins and later moved to disconnected state when no network. We can see below device console logs: Entering state NESMVPNSessionStateReasserting, timeout 300 seconds status changed to reasserting We can see a timeout of 300 secs added from iOS 17 and later. Because of this new change in iOS 17 and later, end users using my application have to connect back to VPN when network is back(Since tunnel is in disconnected state). Steps to reproduce: Connect to VPN when network is reachable Turn off network (WiFi, Mobile data) Application is moved to reasserting state. It will be in reasserting state for 5 mins Later application is moved to disconnected state. Queries: From the above observation my queries are, Is there a way to keep VPN tunnel in reasserting state even after 5 mins when no network from iOS 17 and later ? (To get the same behaviour as iOS 16 and below) Why is the timeout of 300 secs added from iOS 17 and later ? What benefit this is giving ? Is there any document related to this timeout change added from iOS 17 and later ?

[iOS 17] We are trying to configure below Tunnel Provider configuration and we are saving it in NETunnelProviderManager preferences before calling startTunnelWithOptions tunnelProvider.protocolConfiguration.includeAllNetworks = YES; tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO; tunnelProvider.protocolConfiguration.enforceRoutes = NO; We are adding an IP in the excludeRoutes which belongs to server address[10.97.6.244]. Please refer the below network settings for VPN IPv4Settings = { configMethod = manual addresses = ( 10.97.4.188, ) subnetMasks = ( 255.255.255.255, ) includedRoutes = ( { destinationAddress = 0.0.0.0 destinationSubnetMask = 0.0.0.0 }, ) excludedRoutes = ( { destinationAddress = 10.97.6.244 destinationSubnetMask = 255.255.255.255 }, ) overridePrimary = NO } Issue: when we are trying to access server address, it's getting tunneled because of that few of our APIs are sending failure and we are unable to connect to VPN. Expected Results : excludedRoutes IPs should go via physical interface. STEPS TO REPRODUCE Configure VPN packet tunnel provider config as mentioned above and add some IPs in excludeRoutes Save the configuration to NETunnelProviderManager preferences using “saveToPreferencesWithCompletionHandler” Try to connect to VPN excludeRoutes are tunneled via VA

We have a main app that handles UI and interaction with the user. And we also have daemon contained inside of it. Daemon has all the business logic and FDA and root permissions. Now we want to add a network extension. First we added the Network Extension to Main app and it was working fine (to test the waters). But then we decided to move it to Daemon since it has all the business logic and NE mostly contains business logic and no UI. It needs to be there. Now NE activationRequest(forExtensionWithIdentifier is working fine. But deactivationRequest(forExtensionWithIdentifier: during uninstall always fails with this error System Extension deactivationRequest fails with error he operation couldn’t be completed. (OSSystemExtensionErrorDomain error 13.) OSSystemExtensionError Code 13 says "An error code that indicates the system was unable to obtain the proper authorization." What does this actually mean. Also if there is an error why is it throwing it during uninstall rather than install? To make it more clear this is our app structure is Main.app -> Contents -> Mac OS -> Daemon.app -> Contents -> Library -> SystemExtensions -> System Extension Bundle Apple doc says @discussion This method creates a new request to activate/deactivate a System Extension. Extensions are discovered from the `Contents/Library/SystemExtensions` directory of the main application bundle. Our System Extension is present on the main app bundle and has Contents/Library/SystemExtensions structure but one extra layer deep. Is this supported app structure?. If not is there any way to succesfully uninstall NE from code. Right now systemextensionsctl uninstall won't work without System Integrity Protection disabled. Keeping NE on the main app will break our project structure and require major rewrite of the app. Also whenever I run systemextensionsctl with SIP on I get this message At this time, this tool cannot be used if System Integrity Protection is enabled. This limitation will be removed in the near future. Please remember to re-enable System Integrity Protection! Apple introduced System Extensions in 2019. It is still not there yet. Does anybody have any idea when will Apple make it work? if at all?

I tried to unit test the method "FilterDataProvider.handleNewFlow" from the sample project https://developer.apple.com/documentation/networkextension/filtering_network_traffic I always get this below issue, Undefined symbols: Linker command failed with exit code 1 (use -v to see invocation) Could someone help with it?

Is it possible to mock the behavior of NWPathMonitor for a specific app? The scenario I want to support I've created an app called RocketSim, a developer tool for Xcode's Simulator. I've already created Airplane mode, which disables networking calls from URLSession from a specific bundle identifier app installed on the Simulator. Now, I want to support blocking NWPathMonitor as well. I believe the Simulator uses macOS's NWPathMonitor and does not use any specific HTTP request or similar to determine the reachability state. Is there a way I can make NWPathMonitor return unsatisfied when my 'airplane mode' is turned on? Potentially using a Network Extension?

Requirement: We need to update below tunnel provider properties once VPN is up. Is it possible? includeAllNetworks excludeLocalNetworks enforceRoutes When is the standard time to configure and save the below properties in system preferences? Is it possible to save these properties in system preference when VPN is up? saveToPreferencesWithCompletionHandler If we can change these properties in VPN connected state, When these tunnel provider properties will come into effect?

Hi guys,I'm developing a custom VPN client with NEPacketTunnelProvider which tunnels all device traffic. All is going well so far but I've noticed that iOS battery statistics (Settings -> Battery) is claiming that our client has consumed a significant amount of energy (10%~30%). I though it was true for a while, but then I conducted some basic testing which suggested this is more likely a statistical issue.I set up my device (rebooted with clean battery cosumption statistics) with ~80% battery capacity and started to watch "NASA Live" channel in Youtube app with 1080p60 quality, for 3 hours, and taking notes every hour. I cross referenced the data of the same scenario (same device as well) collected with our custom VPN provider enabled and disabled. I made sure when the VPN client is enabled, I can actually see the Youtube traffic tunneled. Actually the video feed can generate ~1GiB traffic per hour pretty stably. I can provide detailed numbers if necessary, but generally, after 3 hours, both scenarios showed an overal of ~50% battery consumption (from the battery indicator on the status bar on top of the phone screen), there was no significant difference in the battery consumption. However when I looked at the statistics in Settings -> Battery, the scenario without our VPN client was showing 100% battery consumption from Youtube app (which is expected), and the scenario with VPN was showing 68% for Youtube, and 32% for our VPN client app!32% battery consumption in statistics is scaring. But what confuses me is that the actual device battery consumption didn't increase. My theory is that without the VPN client, individual apps are sending out their traffic on their own so the battery consumption are calculated on their head. But now with our VPN client, we are actually sending out traffic for every applications so iOS will blame us for that part of energy consumption. I'm not sure if the theory is true but it certainly explains the behavior.I'm wondering if Apple can look at the issue at if proved to be a statistical issue then fix it. Because 10%+ battery consumption on our app would be enough to scare away our customers. We can explain to them there is no actual extra energy consumption but customers will be suspicious. Whenever they feel their phone's having a shortened battery life they'll come to see the list and they will blame us.Thanks in advance!

We have a test scenario where we install our app package on a Mac setup using MDM (Jamf). Below are the test steps and observation: This installation is done on this Mac with no user logged in. Installation is completed successfully. Now when an user log in on this mac machine, the expectation is that the app bundle will be started by the launchd (RunAtLoad). But the app is not started. When I check console logs I could see few logs around the app but from those logs I couldn't figure out why the app didn't start. I rebooted my test machine but that also didnt start my app. My app is not listed in 'launchctl list' command. My App bundle contains container app and a packet tunnel extension. Below is how my plist file looks like in '/Library/LaunchAgents/com.****.***ui.plist': { KeepAlive = 1; Label = "com.*****.client.****ui"; LimitLoadToSessionType = ( Aqua ); ProgramArguments = ( "/Applications/*********.app/Contents/MacOS/****Module" ); RunAtLoad = 1; SuccessfulExit = 1; Version = "110.200.0.100"; } In Console below are the last set of log which I could find related to my app: support_log.txt In above logs below statement mentions the extn which is related to my app bundle: 2024-03-19 15:48:55.256020+0530 0x462 Default 0x0 206 0 symptomsd: (SymptomEvaluator) [com.apple.symptomsd:analytics] [Skipping first 85 of 95 entries] 2024-03-19 15:48:55.256051+0530 0x462 Default 0x0 206 0 symptomsd: (SymptomEvaluator) [com.apple.symptomsd:analytics] entry: Thu Feb 8 20:48:26 2024 NetworkExtension.com.*****.client.*****-Client.*****ui.*****pkttunnel.104.2.12.191.104.2.12 (bundle) 0 0 0 0 0 0 Can someone please help me in understanding what could be wrong here, why would 'RunAtLoad' key word wont work here to start my app on user login or reboot? Note: Everything work fine when my app is installed with an user logged in to the test machine. Also App starts successfully if I run command 'lauchctl bootstrap gui/ /Library/LaunchAgents/com.****.****ui.plist' in the above mentioned test scenario where app didnt auto start by launchd: 'RunAtLoad'.

Hello! I am part of a research team who need advice on how to track and intercept network requests from a device. More specifically, we are interested in collecting the websites the research participants have tried to access. We want something like what YouGov does with their Pulse App. Also, is it possible to implement this without having to rely on an external server that acts as a intermediary? How do we achieve this? We'd appreciate a detailed response with helpful links to how to implement it. Thank you very much for your time.

Hello, We would like to track the open sockets on the machine. we don't want to use a constantly running thread that polls the open sockets (such as by using sysctlbyname) since it sometimes will miss short-lived sockets. After some research we decided to implement a content filter (NEFilterDataProvider) that pass-through every socket flow. However, as we see and read in the forum, all previously opened sockets are disconnected once the filter is applied, which is an undesired thing for users using a VPN that will disconnect as well. We would like to know if there is a better way to track all sockets, preferably in an event-driven way, or, to prevent the existing sockets from disconnecting if we use the filter or other network extension.

I found my mac automatically connects to the Google server 8.8.8.8 and 8.8.4.4 that I haven't set in my mac. I figured out it seems to be set via /Library/Preferences/com.apple.networkextension.control.plist as follows: { CriticalDomains = ( "cheeserolling.apple.com", "woolyjumper.sd.apple.com", "basejumper.apple.com", "basejumper-vip.sd.apple.com", "basejumper.sd.apple.com", "locksmith.apple.com", "gdmf-staging-int.apple.com", "pallas-uat.rno.apple.com", "pr2-pallas-staging-int-prz.apple.com", "livability-api.swe.apple.com" ); } I cannot find any info about those domains online. I am wondering if it is possible like for apple staffs to set those CriticalDomains to control the connections to servers.

We have a network content-filter consisting of a main target/GUI, a FilterDataProvider extension and a FilterControlprovider extension. The app is installed via MDMs and works without issues the vast majority of times, but during testing of TestFlight builds we've found that intermittently the device fails to install the network extensions and blocks internet access. The GUI is working fine though. From the logs we can see that when this happens the device tries to start the network extensions repeatedly. The issue is solved by restarting the device. Has anyone experienced similar issues or have some ideas of what might cause this behaviour? These are some of the logs we see in Console: neagent [u E6D696F2-62FB-4262-A97C-B2006EC528C5:m (null)] [<private>(<private>)] Hub connection error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named <BundleID>.FilterDataProvider" ugDescription=connection to service named <BundleID>.FilterDataProvider}code-block Failed to start the data extension <BundleID>.FilterDataProvider: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named <BundleID>.FilterDataProvider" ugDescription=connection to service named <BundleID>.FilterDataProvider} nehelper Denying connection from nesessionmanager (264) because it is missing the com.apple.private.network.socket-delegate entitlement nesessionmanager <BundleID>[inactive]: starting launchd Service could not initialize: posix_spawn(/private/var/containers/Bundle/Application/F84E2325-05A6-4DC2-8DD6-20C97EF43E8D/<AppName>.app/PlugIns/FilterDataProvider.appex/FilterDataProvider) failed, error 0x2 - No such file or directory nesessionmanager NEFilterPlugin(<BundleID>[inactive]): Sending start command nesessionmanager <BundleID>[inactive]: starting neagent Looking for a data extension with identifier <BundleID>.FilterDataProvider neagent [d <private>] <PKHost:0x718915550> Query: { NSExtensionIdentifier = "<BundleID>.FilterDataProvider"; NSExtensionPointName = "com.apple.networkextension.filter-data"; } neagent Found 1 data extension(s) with identifier <BundleID>.FilterDataProvider neagent Looking for a control extension with identifier <BundleID>.FilterControlProvider neagent [d <private>] <PKHost:0x718915550> Query: { NSExtensionIdentifier = "<BundleID>.FilterControlProvider"; NSExtensionPointName = "com.apple.networkextension.filter-control"; } neagent Found 1 control extension(s) with identifier <BundleID>.FilterControlProvider neagent Beginning data extension request with extension <BundleID>.FilterDataProvider neagent [u C743CE7B-9E19-4A41-BF46-91AEFB24169D:m (null)] [<private>(<private>)] Failed to start plugin; pkd returned an error: Error Domain=PlugInKit Code=4 .<AppName>.FilterDataProvider(C743CE7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch ErrorDomain Code=2 "No such file or directory" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}" UserInfo={NSLocalizedDescription=RBSLaunchRequest error trying to launch 7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0xdb88df3d0 {Error UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}} neagent Extension request with data extension <BundleID>.FilterDataProvider started with identifier (null) neagent Failed to start the data extension <BundleID>.FilterDataProvider: Error Domain=PlugInKit Code=4 "RBSLaunchRequest error trying to launch vider(C743CE7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., SIXErrorDomain Code=2 "No such file or directory" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}" UserInfo={NSLocalizedDescription=RBSLaunchRequest error trying to DataProvider(C743CE7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., SIXErrorDomain Code=2 "No such file or directory" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}} nesessionmanager NESMFilterSession[FilterDataProvider:0C4C9E40-5005-47A5-8C60-F7C8630F29DF] in state NESMFilterSessionStateStarting: plugin NEFilterPlugin(e with error: 1 nesessionmanager <BundleID>[266]: disposing neagent Initializing the delegate neagent App <BundleID> is not installed or is not valid neagent App <BundleID> is not installed or is not valid neagent Failed to find a com.apple.networkextension.filter-data extension inside of app <BundleID> neagent NEAgentSession: failed to create the delegate nesessionmanager <BundleID>[259]: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)" nesessionmanager <BundleID>[259]: XPC connection went away nesessionmanager NESMFilterSession[FilterDataProvider:0C4C9E40-5005-47A5-8C60-F7C8630F29DF]: Failed to start with error: Error Domain=NEAgentErrorDomain Code=2 "(null)"