Content Filter Extension on Shared iPads

We're trying to make our Content Filter solution work on Shared iPads. We leverage the Network Extension framework, more specifically the Content Filter Providers.

On regular, 1:1 iPads, this works perfectly fine. However, on Shared iPads we see some weird behaviour.

Upon logging in with a MAID everything initially seems fine. However, in about 5 to 10 seconds the user is automatically logged out and an error indicating "a connection to iCloud could not be made" is presented to the user.

After investigating the logs it turns out this is caused by the fact that the network is unreachable. For example:

Jan 19 00:33:04 cloudd(CFNetwork)[5867] <Error>: Task <F5DC7C46-422D-4265-A364-B3C859BF6291>.<1> finished with error [-1009] Error Domain=NSURLErrorDomain Code=-1009 UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0xefe89ffc0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 UserInfo={_NSURLErrorNWPathKey=unsatisfied (Path was denied by NECP policy), interface: en0[802.11], ipv4, dns, uses wifi, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, NSLocalizedDescription=<private>, NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _kCFStreamErrorDomainKey=1}

Test device:

iPad Pro (11-inch) running iPadOS 17.2 (21C62)

My assumption:

It looks like the filter providers start "too late". In the meantime the device is trying to reach the network, but since there is a Content Filter configuration in place all traffic is denied until the extension is started (and the completionHandler has been called with a nil error).

I can see in the logs that, about 5 seconds after the home screen is visible, the Content Filter Providers are starting:

...
Jan 19 00:52:54 neagent(NetworkExtension)[7086] <Notice>: Extension request with data extension <our filterData bundle ID> started with identifier 63576D2C-A484-4D07-9753-ADC99BFDB7A6

...

Jan 19 00:52:55 neagent(NetworkExtension)[7086] <Notice>: Extension request with control extension <our filterControl bundle ID> started with identifier 51D19516-C860-48B8-AB83-0F43D5F613CB
...

Is my assumption correct? Are the Content Filter provider even officially supported by Apple on Shared iPads? Is there anything we can do to fix this issue?

Are the Content Filter provider even officially supported by Apple on Shared iPads?

I’ve not seen anything to the contrary.

Is there anything we can do to fix this issue?

Not that I can think of.

Honestly, this sounds like a bug, and I encourage you to file it as such [1]. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] We have other similar bugs on file already, but I’m going to recommed that you file your own so that you can describe your specific experience and the impact this problem is having on you.

Thanks for the prompt reply Quinn!

Honestly, this sounds like a bug, and I encourage you to file it as such [1]. Please post your bug number, just for the record.

I've filed a feedback ticket. The number is: FB13551095

Is there an update for this issue? We also filed a feedback ticket but have heard nothing.

I took a quick look at FB13551095 and there’s no news to report there; this continues to look like Just A Bug™.

We also filed a feedback ticket but have heard nothing.

What was your bug number?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Content Filter Extension on Shared iPads
 
 
Q