A 'Hello World' for iOS Network Extension content filters?

I've just started looking at Network Extensions for iOS. Specifically, content filters. Is there any current example code for how to construct a *very* basic Network Extension content filter? Something very simple, like a content filter which denies all network connections when it's active.
The previous reference code at (SimpleTunnel: Customized Networking Using the NetworkExtension Framework) is in Swift 3 and no longer builds in Xcode 11.1. The documentation at (NetworkExtension | Apple Developer Documentation) describes what is in the related classes, but doesn't have much about how to use the framework.


Some example or reference code around Network Extension content filters would be very helpful. It looks like there are many moving parts and settings around Network Extensions. Some working examples would go a long way to helping developers new to the framework understand how to use it.


Thanks!

Replies

Something very simple, like a content filter which denies all network connections when it’s active.

Back in the day, building a NetworkExtension (NE) provider was tricky because the OS was so far in front of the tools. That’s no longer the case, and Xcode makes this process reasonably straightforward [1]. To get started:

  1. Create a new app from the template of your choice.

  2. In that app, create two new targets from the Network Extension template. In the first, choose Filter Control from the Provider Type. In the second, choose Filter Data.

  3. In all three targets, make sure there is a Network Extensions slice in the Signing & Capabilities tab of the target editor, and make sure the Content Filter checkbox is set.

    Note The default NE templates configure an app group. This isn’t always necessary, so it’s a good idea to delete it when you start off and then add it back in if and when you need it.

  4. In the data provider, change the return statement in the handleNewFlow(_:) method to return .drop().

The project should now build and run. Some things to note:

  • Make sure you test on a device. NE providers are not supported in the simulator.

  • You can configure your content filter using a configuration profile. See the (somewhat misnamed) WebContentFilter payload.

  • For debugging purposes only, you can configure your content filter programmatically using NEFilterManager.

    IMPORTANT This only works for Development builds of your app, that is, if it has the get-task-allow entitlement. In production a content filter is only supported on supervised devices and must be configured using a profile.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Nowadays it’s the folks who are building SystemExtension-based providers for macOS 10.15 that have to live on the bleeding edge (-:
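
The walkthrough above as code, added here as an example and not taken from the original thread or from Apple's template: a deny-all Filter Data provider (step 4) plus the debug-only NEFilterManager activation mentioned in the notes. The class name FilterDataProvider, the function name enableDenyAllFilterForDebugging, and the display name are assumptions; the two halves belong in different targets.

```swift
import NetworkExtension

// --- Filter Data target ---
// Provider class name is an assumption; use whatever your target declares.
class FilterDataProvider: NEFilterDataProvider {

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // A drop-all filter has no rules to load; nil reports a successful start.
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Step 4 of the walkthrough: every new flow gets a drop verdict.
        return .drop()
    }
}

// --- Containing app target (separate file) ---
// Hypothetical helper. Per the thread, this path only works in Development
// builds (get-task-allow); production filters are configured by profile.
func enableDenyAllFilterForDebugging() {
    let manager = NEFilterManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError {
            NSLog("Filter load failed: %@", loadError.localizedDescription)
            return
        }
        let configuration = NEFilterProviderConfiguration()
        configuration.filterBrowsers = true   // WebKit-based traffic
        configuration.filterSockets = true    // socket-based traffic
        manager.providerConfiguration = configuration
        manager.localizedDescription = "Deny All (example)" // constructed name
        manager.isEnabled = true
        manager.saveToPreferences { saveError in
            if let saveError = saveError {
                NSLog("Filter save failed: %@", saveError.localizedDescription)
            } else {
                NSLog("Deny-all filter configuration saved")
            }
        }
    }
}
```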

  • Thanks for the helpful walkthrough. My goal is to filter in-app browsers, say in Maps, while making an exception for Safari. Therefore on the config profile, under "Content Filter", I checked "Filter Webkit Traffic" but did not check "Filter Socket Traffic". Below that I entered "com.apple.mobilesafari" and "allow".

    On my config profile, I added my distribution certificate, and specified that .p12 file in the Content Filter.

    In all this, filtering is still not happening. Any suggestions?


Excellent! Thank you so much. 😀

Would it be possible to implement the above, but also add an exception for Safari itself? In other words, have in-app browsers filtered, but not full Safari?

Would it be possible to … have in-app browsers filtered, but not full Safari?

No.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"