User profile for user: chris catalano
chris catalano Author
User level: Level 2
288 points

Rapportd constantly asking for incoming connection on my iMac running macOS 13.7.3

I'm running MacOS 13.7.3. For the last few days I've been getting constant alerts from Little Snitch regarding rapportd wanting to accept an incoming connection. The addresses are always similar. I've pasted one such request below. I did a reverse IPv6 lookup and the address traces to a Verizon location in Virginia. I'm in Long Island. Any idea why these requests would start suddenly and should I deny them?


-------

rapportd wants to accept an incoming connection from 2600:4040:995d:9a00:9998:c42c:79ae:37a9


[Re-Titled by Moderator]

Original Title: rapportd constantly asking for incoming connection

iMac 27″, macOS 13.7

Posted on Aug 20, 2025 9:31 AM

Reply
Question marked as Top-ranking reply
User profile for user: MrHoffman
MrHoffman
Community+ 2025
User level: Level 10
144,063 points

Posted on Aug 26, 2025 3:23 AM

For anything reported by, related to, detected by, blocked by, claimed to happen by, or otherwise involving or associated with this app, please contact the app vendor. They are your point of contact for this app, and for anything this app reports, alters, claims, or causes, including any undocumented or unsupported activities.


Or you can remove this Little Snitch app, and return to a configuration that operates as Apple expects.


If you want to persist wirh the app, allow all connections.


rapportd is a daemon associated with a macOS private framework, and is part of normal operations. The rapport framework is associated with Apple continuity and iCloud-related features, as well as with Siri and Bonjour activity based in the private framework headers.


A second and likely-unrelated-to-this-case rapportd is part of an IBM Trusteer package.


Beyond the country level, IP geolocation is inaccurate at best, assuming the add-on tool is reporting correct info.


I would, however, be cautious about posting public IPv6 addresses.


And I’d wonder if this IPv6 address is associated with your own host or your own local network, whether that network is run by Verizon or otherwise, or as is reported to be located in Virgina, New York, Maryland, or elsewhere.

View in context
19 replies
Question marked as Top-ranking reply
User profile for user: MrHoffman
MrHoffman
Community+ 2025
User level: Level 10
144,063 points

Aug 26, 2025 3:23 AM in response to chris catalano

For anything reported by, related to, detected by, blocked by, claimed to happen by, or otherwise involving or associated with this app, please contact the app vendor. They are your point of contact for this app, and for anything this app reports, alters, claims, or causes, including any undocumented or unsupported activities.


Or you can remove this Little Snitch app, and return to a configuration that operates as Apple expects.


If you want to persist wirh the app, allow all connections.


rapportd is a daemon associated with a macOS private framework, and is part of normal operations. The rapport framework is associated with Apple continuity and iCloud-related features, as well as with Siri and Bonjour activity based in the private framework headers.


A second and likely-unrelated-to-this-case rapportd is part of an IBM Trusteer package.


Beyond the country level, IP geolocation is inaccurate at best, assuming the add-on tool is reporting correct info.


I would, however, be cautious about posting public IPv6 addresses.


And I’d wonder if this IPv6 address is associated with your own host or your own local network, whether that network is run by Verizon or otherwise, or as is reported to be located in Virgina, New York, Maryland, or elsewhere.

Reply
User profile for user: chris catalano
chris catalano Author
User level: Level 2
288 points

Aug 26, 2025 8:34 AM in response to MrHoffman

MrHoffman wrote:

For anything reported by, related to, detected by, blocked by, claimed to happen by, or otherwise involving or associated with this app, please contact the app vendor. They are your point of contact for this app, and for anything this app reports, alters, claims, or causes, including any undocumented or unsupported activities.

Or you can remove this Little Snitch app, and return to a configuration that operates as Apple expects.

If you want to persist wirh the app, allow all connections.

rapportd is a daemon associated with a macOS private framework, and is part of normal operations. The rapport framework is associated with Apple continuity and iCloud-related features, as well as with Siri and Bonjour activity based in the private framework headers.

A second and likely-unrelated-to-this-case rapportd is part of an IBM Trusteer package.

Beyond the country level, IP geolocation is inaccurate at best, assuming the add-on tool is reporting correct info.

I would, however, be cautious about posting public IPv6 addresses.

And I’d wonder if this IPv6 address is associated with your own host or your own local network, whether that network is run by Verizon or otherwise, or as is reported to be located in Virgina, New York, Maryland, or elsewhere.

I'l reach out to Little Snitch to see if they have any insight as to this particular incoming request. I'm familiar with what rapportd is and what it does. As I mentioned previously, it just seemed strange that all of a sudden 'something' would start trying to connect to it. As this thread moved along and I dug a little deeper it does seem that the IPv6 address is associated with my router as it is provided by Verizon.


LS appears to be a very polarizing app. Some people hate it, but others find it valuable. It's served me well over the years.

Reply
User profile for user: Owl-53
Owl-53
User level: Level 10
101,935 points

Aug 21, 2025 3:00 AM in response to chris catalano

If Security of the computer is of paramount importance ?


1 - The current version of Ventura is 13.7.8 >> About the security content of macOS Ventura 13.7.8


2 - If, as you have discovered, Little Snitch has intercepted a request for a Inbound connection


Any reasonably current Access Point / Router IP Address would the object of a possible connection and not the IP address of the computer itself


Reply
User profile for user: Owl-53
Owl-53
User level: Level 10
101,935 points

Aug 21, 2025 5:31 AM in response to chris catalano

From what I can see from Activity Monitor >> View ALL process


The " rapportd " process seems dominated by AddressBook


/usr/libexec/rapportd


/Library/Preferences/Logging/.plist-cache.8SpfjcQC


/System/Library/CoreServices/SystemVersion.bundle/English.lproj/SystemVersion.strings


/private/var/db/timezone/tz/2025b.1.0/icutz/icutz44l.dat


/usr/lib/libobjc-trampolines.dylib


/System/Library/Address Book Plug-Ins/LDAP.sourcebundle/Contents/Resources/InfoPlist.loctable


/System/Library/Address Book Plug-Ins/LocalSource.sourcebundle/Contents/Resources/InfoPlist.loctable


/System/Library/Address Book Plug-Ins/Exchange.sourcebundle/Contents/Resources/InfoPlist.loctable


/System/Library/Address Book Plug-Ins/DirectoryServices.sourcebundle/Contents/Resources/InfoPlist.loctable


/System/Library/Address Book Plug-Ins/CardDAVPlugin.sourcebundle/Contents/Resources/InfoPlist.loctable


/System/Library/PrivateFrameworks/AddressBookCore.framework/Versions/A/Resources/AB-NARWHAL.loctable


/System/Library/Address Book Plug-Ins/DirectoryServices.sourcebundle/Contents/MacOS/DirectoryServices


/System/Library/PrivateFrameworks/AddressBookCore.framework/Versions/A/Resources/ABLDAPStrings.loctable


/System/Library/Address Book Plug-Ins/LocalSource.sourcebundle/Contents/MacOS/LocalSource


/System/Library/PrivateFrameworks/AddressBookCore.framework/Versions/A/Resources/ABStrings.loctable


/usr/lib/dyld


/private/var/db/analyticsd/events.allowlist


/System/Library/Frameworks/OpenDirectory.framework/Versions/A/Frameworks/CFOpenDirectory.framework/Versions/A/Resources/Localizable.loctable


/System/Library/Frameworks/Contacts.framework/Versions/A/Resources/Errors.loctable


/System/Library/Address Book Plug-Ins/CardDAVPlugin.sourcebundle/Contents/MacOS/CardDAVPlugin


/usr/share/icu/icudt76l.dat

Reply
User profile for user: MrHoffman
MrHoffman
Community+ 2025
User level: Level 10
144,063 points

Aug 26, 2025 11:38 AM in response to chris catalano

It’s only polarizing for the folks that repeatedly get asked to help support the app, and the trouble and effort the app can cause. Too often unnecessarily.


For an advanced user familiar with internals and very familiar with the limitations, risks, issues, and trade-offs the tool inherently involves, and with investigating the reports, it’s a reasonable choice.


If more generally interested in monitoring device or network security, I’d likely go with external network monitoring at the switch, router, or firewall, combined with an installed app using the Apple endpoint security support, though.


Too often unwary or inexperienced users get wrapped up in the tool the same way unwary or inexperienced users get wrapped up in spurious reports from anti-malware apps. We routinely get folks demanding a fix for what csn be a bug in some add-on security app, too. Add-on security apps tend to be noisy, too — variously for what are non-issues.


Got questions about what an add-on app might report? Check what is being reported, such as here using your knowledge of networking and particularly of rapportd to look for connection-related activity. Then after gathering some data, discuss your findings with the app vendor.


Reply
User profile for user: Owl-53
Owl-53
User level: Level 10
101,935 points

Aug 22, 2025 2:43 AM in response to chris catalano

chris catalano wrote:

Ok, that's what I thought you meant. So we get back to the original question of why something external is making a direct request to the rapportd process running on my machine.

The more relevant questions are


1 - To what IP Address is this request for a connection being directed to ? Not the IP address of the computer


2 - Did the Computer, not Router , respond to this request ?


Even without a Two Way Software Firewall like LittleSnitch


The IP address of the Computer is invisible to anything outside of your Network

Reply
User profile for user: chris catalano
chris catalano Author
User level: Level 2
288 points

Aug 22, 2025 8:06 AM in response to Owl-53

Owl-53 wrote:


chris catalano wrote:

Ok, that's what I thought you meant. So we get back to the original question of why something external is making a direct request to the rapportd process running on my machine.
The more relevant questions are

1 - To what IP Address is this request for a connection being directed to ? Not the IP address of the computer

2 - Did the Computer, not Router , respond to this request ?

Even without a Two Way Software Firewall like LittleSnitch

The IP address of the Computer is invisible to anything outside of your Network

To try to answer your questions:

  1. - I would assume the request for the connection is directed to the IP address of my computer. That would be the only way that I would get the LS alert. There's no log entry in the router for those requests, unfortunately.
  2. - The computer only responds if I 'allow' LS to complete the connection.


But your point about the IP address of my specific computer being invisible outside of my network got me thinking. I mentioned originally that when I did the IPv6 lookup of all of the addresses making the requests they all came up as Verizon Business in Virginia (again, I'm on Long Island). I went back and logged into my router and the IPv6 address of my router begins with the same 4 groups of numbers! So it would seem that all of those requests are actually originating on my network? Does that make sense?

Reply
User profile for user: Owl-53
Owl-53
User level: Level 10
101,935 points

Aug 24, 2025 2:43 AM in response to chris catalano

We shall leave with this adage


Don't go looking for trouble as trouble will find you soon enough


There are 4 Categories of Third Party Software / Services that are baffling.


Why some users insist on installing and using the below software. 


In no special order 


Third Party 2 Way Firewalls 


like Lulu and Little Snitch 


Commercial VPNs 


Third Party Security Software


Third Party Disk Cleaners / Optimizer 

Reply
User profile for user: chris catalano
chris catalano Author
User level: Level 2
288 points

Aug 25, 2025 7:04 AM in response to Owl-53

Owl-53 wrote:

We shall leave with this adage

Don't go looking for trouble as trouble will find you soon enough

There are 4 Categories of Third Party Software / Services that are baffling.

Why some users insist on installing and using the below software. 

In no special order 

Third Party 2 Way Firewalls 

like Lulu and Little Snitch 

Commercial VPNs 

Third Party Security Software

Third Party Disk Cleaners / Optimizer 

Well, that's precisely why I use Little Snitch - so I know when trouble is trying to find me! And when all of a sudden I start seeing requests like this when nothing in my network or computer has changed in a very long time I think it's logical to be concerned.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Rapportd constantly asking for incoming connection on my iMac running macOS 13.7.3

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up