Does macOS/Sequoia require a new entitlement to send multicast packets?

Hi all,

My co-worker today noticed that on his Mac running a beta of Sequoia, the IPv6 multicast functionality of our application was no longer working. This same executable works fine under Sonoma and earlier versions of macOS, and has worked fine for a number of years. Under Sequoia, however, calls to sendto() a packet to an IPv6-link-local-multicast address (e.g. ff12::bead:cede:deed:feed, preceded by a call to setsockopt(fd, IPPROTO_IPV6, IPV6_MULTICAST_IF, ...) to specify the appropriate network interface index) return -1 and set errno to EHOSTUNREACH aka "No route to host".

The interesting thing about it is, this problem only occurs if we launch our app by double-clicking on its icon; if we instead run the app from Terminal (e.g. by entering ./MyApp.app/Contents/MacOS/MyApp), the multicast functionality works as expected. Our app is signed and notarized in all the usual expected ways.

My question is, is this "just" a networking regression in the Sequoia beta, or is there some new requirement in macOS/Sequoia for IPv6-link-local-multicast-using apps to have a multicast entitlement (a la iOS) or something?
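
Added example (not part of the original post or of the poster's application): a minimal C probe for the call sequence described above, setsockopt(IPV6_MULTICAST_IF) followed by sendto() to the link-local multicast group, which reports the resulting errno. The port 4444, the default interface name en0 and the function names are assumptions.

```c
/* Added example: probe for the sendto() failure described in the post above.
   Port 4444 and the default interface name "en0" are assumptions. */
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill *dst for a link-local multicast group; -1 if the input is not usable. */
int build_dest(const char *group, unsigned ifindex, unsigned short port,
               struct sockaddr_in6 *dst)
{
    memset(dst, 0, sizeof *dst);
    dst->sin6_family = AF_INET6;
    dst->sin6_port = htons(port);
    dst->sin6_scope_id = ifindex;   /* link-local scope needs an interface */
    if (inet_pton(AF_INET6, group, &dst->sin6_addr) != 1) return -1;
    return (IN6_IS_ADDR_MC_LINKLOCAL(&dst->sin6_addr) && ifindex != 0) ? 0 : -1;
}

/* Returns 0 on success, otherwise the errno of the step that failed. */
int probe_send(const char *group, unsigned ifindex, unsigned short port)
{
    struct sockaddr_in6 dst;
    if (build_dest(group, ifindex, port, &dst) != 0) return EINVAL;
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0) return errno;
    int err = 0;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_MULTICAST_IF, &ifindex, sizeof ifindex) < 0 ||
        sendto(fd, "probe", 5, 0, (struct sockaddr *)&dst, sizeof dst) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "en0";
    int err = probe_send("ff12::bead:cede:deed:feed", if_nametoindex(ifname), 4444);
    printf("%s: %s\n", ifname, err ? strerror(err) : "sent");
    if (err == EHOSTUNREACH)
        puts("Same errno as reported in this thread; compare Finder and Terminal launches.");
    return err != 0;
}
```

Running the same binary once from Terminal and once from inside a signed app bundle launched from Finder shows whether the result depends on how the process was started, which is the difference the post describes.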

Answered by Think Diffident in 796360022

Apple is bringing some networking protections over from iOS to macOS starting with Sequoia. Please see the following links:

Hmm, it seems Sequoia adds a "Local Network" category to its "Privacy & Security" settings, and if a program is not listed there, it no longer is allowed access to the local network. I think this is the problem my co-worker was running into.

I have the same problem with sendto on IPv4. The code works well with the iOS 18.0 simulator on Sequoia; however, sendto returns -1 on macOS Sequoia. Privacy - Local Network Usage Description is set in Info for both iOS and macOS. This privacy setting doesn't affect this problem.

Think Diffident, thanks for collecting together those links!

I really need to update the LNP FAQ to cover macOS properly, but I haven’t yet got to that. For the moment I’ve posted a minor FAQ update that just covers the basics.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I have an application that uses Bonjour server advertising as well as direct local IP URL requests (to Hue bridge).

After updating to Sequoia, the app runs in Xcode 16 and displays the network permission popup and can access the network.

When distributing a compiled build to the same machine with Developer ID (notarized or not), the network permissions popup is not displayed and the advertised services are not available on the network.

In Settings -> Privacy & Security -> Local Network, there are two toggles with the same app label. When one is toggled the other changes as well.

Any suggestions?

Have there been any applicable updates to the FAQ for Local Network Privacy specifically for macOS that I may have missed?

I have an application that uses Bonjour server advertising as well as direct local IP URL requests (to Hue bridge).

Neither of these require the multicast entitlement, so we’re talking about the broader issue of local network privacy rather than the specific issue that kicked off this thread.

Given that, I’d appreciate you starting a new thread about this. Use the same subtopic and tags as this thread; that way I’ll see it go by.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We are having trouble that is similar to what jfriesne has described. Our apps worked perfectly well up to and including Sonoma. Now we are having issues with Sequoia's new privacy and security settings for local networks.

We get a dialogue box that asks us whether to allow local network access or not on the first run of an installed program. User permission is sought when a connection is requested. However, the connection request fails even if 'Allow' has been selected in the dialogue box.

Following the question of Floating Wrench with something more general, is there any type of entitlement that may be granted to an app that will allow it to access the local network? Nothing that I've yet found in the documentation seems to explicitly provide this, e.g. com.apple.developer.networking.networkextension.

An entitlement that allows the dialogue box to be skipped, or presented at an earlier point (say, when the app is first launched) would be an improvement.
