Unexpected networkserviceproxy Activity on macOS M1
Hi everyone,
I’m hoping to get some clarity on some unusual network activity I’ve observed on a freshly erased and reinstalled MacBook M1 running macOS 15.6 (Sequoia).
Important environment details: This device has never been signed into any Apple ID since the reinstall, and all user-facing privacy and connectivity features such as AirPlay, Bluetooth, Handoff, and Private Relay are explicitly turned off.
None of the proxy or relay activity is a) visible or b) configurable through my UI, including Network or Privacy settings.
No external apps or browsers besides Safari are installed, and there are no management profiles or MDM enrollments present.
Despite this, system logs and network traces reveal persistent “oblivious proxy” configurations associated with networkserviceproxy and the NSPPrivacyProxyObliviousTargetInfo structure.
These proxies target a complex mesh of domains including Apple internal endpoints:
ropes.apple.com
transparency.apple.com
transparency-api.apple.com
shield-ohttp-stage.apple.com
usw2-asbs-aws-stage.apple.com
websitereview.corp.apple.com
gateway-oblivious.apple.com
shield-ohttp-prod.apple.com
Alongside third-party domains, notably telecom and caller ID enrichment services:
truecaller.com (multiple regional endpoints)
files.aurora.chat
cdn.getcontact.com
api.getcontact.com
callapp.com
viber.com
sorac.vn
cid.yandex.net
fonapi.fi
icallme.vn
whoscall.com
mobile.me.app
As well as AI service endpoints linked to OpenAI routed through Cloudflare relays:
api.openai.com
auth.openai.com
api.chatgpt.com
files.oaiusercontent.com
oai-gateway.cloudflare.com
From what I can tell based on publicly available information and Apple’s documentation, this combination of proxying and relay activity is not part of any native user-configurable feature, especially with Private Relay off and no Apple ID signed in.
Some additional observations from recent logs:
- Dynamic creation and removal of proxy agents identified by UUIDs, seemingly tied to individual domains or services.
- Frequent injection of proxy tokens and routing policies that suggest active traffic redirection at a system level.
- Interaction with a range of third-party identity providers and telecom-related services, which is... unexpected, to say the very least, on a clean device without explicit user-installed apps or profiles.
- Proxy routing applied across all network interfaces, so this isn’t limited to specific apps or network conditions.
I have not found any public references or technical documentation that fully explains this network behavior or the apparent multi-party oblivious proxy mesh I’m seeing with zero user configuration, no management/enterprise involvement, and no Apple ID signed in.
My main questions are:
- Is this kind of multiparty, per-domain oblivious proxy routing a standard part of macOS system infrastructure, even on clean installs with no Apple ID and Private Relay off?
- Could this indicate some form of internal testing, staging or developer environment, or an undisclosed system-level policy that’s active by default?
- What is going on?
I am really trying to understand what appears to be an opaque network architecture that isn’t surfaced through normal user settings or documented publicly.
Any insights from others who have encountered this would be very helpful.
Thanks in advance!
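
A triage sketch for the question above, added here as an example and not part of the original post: it separates hosts that only appear in proxy configuration text from hosts that also appear in a capture of resolved or contacted names, grouped the way the post groups them. The input formats, function names and sample lines are assumptions constructed for illustration; only the domain suffixes come from the post.

```python
import re
from collections import defaultdict

# Categories follow the post's own grouping; suffixes are the hosts it lists.
CATEGORIES = {
    "apple": ("apple.com",),
    "caller-id": ("truecaller.com", "aurora.chat", "getcontact.com", "callapp.com",
                  "viber.com", "sorac.vn", "cid.yandex.net", "fonapi.fi",
                  "icallme.vn", "whoscall.com", "mobile.me.app"),
    "openai": ("openai.com", "chatgpt.com", "oaiusercontent.com",
               "oai-gateway.cloudflare.com"),
}
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def categorize(host):
    """Map a hostname to one of the post's groups, or 'other'."""
    host = host.lower().rstrip(".")
    for name, suffixes in CATEGORIES.items():
        # Match on a label boundary so "notapple.com" is not counted as apple.com.
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return name
    return "other"

def extract_hosts(text):
    """Pull every hostname-shaped token out of free-form log or capture text."""
    return {h.lower() for h in HOST_RE.findall(text)}

def triage(config_text, observed_text):
    """Split configured hosts into 'configured_only' and 'contacted' per group."""
    observed = extract_hosts(observed_text)
    report = defaultdict(lambda: {"configured_only": [], "contacted": []})
    for host in sorted(extract_hosts(config_text)):
        bucket = "contacted" if host in observed else "configured_only"
        report[categorize(host)][bucket].append(host)
    return dict(report)

# Constructed sample input (not real log output): configuration text mentioning
# targets, and a capture of names the machine actually looked up.
SAMPLE_CONFIG = """target: gateway-oblivious.apple.com
target: shield-ohttp-prod.apple.com
target: api.openai.com
target: api.getcontact.com"""
SAMPLE_OBSERVED = """12:00:01 query gateway-oblivious.apple.com A
12:00:07 query notapple.com A"""

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_CONFIG, SAMPLE_OBSERVED).items():
        print(group, hosts)
```
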