We're trying to make our Content Filter solution work on Shared iPads. We leverage the Network Extension framework, more specifically the Content Filter Providers.
On regular, 1:1 iPads, this works perfectly fine. However, on Shared iPads we see some weird behaviour.
Upon logging in with a MAID everything initially seems fine. However, in about 5 to 10 seconds the user is automatically logged out and an error indicating "a connection to iCloud could not be made" is presented to the user.
After investigating the logs it turns out this is caused by the fact that the network is unreachable. For example:
Jan 19 00:33:04 cloudd(CFNetwork)[5867] <Error>: Task <F5DC7C46-422D-4265-A364-B3C859BF6291>.<1> finished with error [-1009] Error Domain=NSURLErrorDomain Code=-1009 UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0xefe89ffc0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 UserInfo={_NSURLErrorNWPathKey=unsatisfied (Path was denied by NECP policy), interface: en0[802.11], ipv4, dns, uses wifi, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, NSLocalizedDescription=<private>, NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _kCFStreamErrorDomainKey=1}
Test device:
iPad Pro (11-inch) running iPadOS 17.2 (21C62)
My assumption:
It looks like the filter providers start "too late". In the meantime the device is trying to reach the network, but since there is a Content Filter configuration in place all traffic is denied until the extension is started (and the completionHandler
has been called with a nil
error).
I can see in the logs that, about 5 seconds after the home screen is visible, the Content Filter Providers are starting:
...
Jan 19 00:52:54 neagent(NetworkExtension)[7086] <Notice>: Extension request with data extension <our filterData bundle ID> started with identifier 63576D2C-A484-4D07-9753-ADC99BFDB7A6
...
Jan 19 00:52:55 neagent(NetworkExtension)[7086] <Notice>: Extension request with control extension <our filterControl bundle ID> started with identifier 51D19516-C860-48B8-AB83-0F43D5F613CB
...
Is my assumption correct? Are the Content Filter provider even officially supported by Apple on Shared iPads? Is there anything we can do to fix this issue?