I am working on developing a Mac app that will be distributed outside of the App Store. I have added the network extension which packaged in System Extension with packet tunnel capability. I have created a build following these steps here: https://developer.apple.com/forums/thread/737894 based on your suggestions in my accepted post: https://developer.apple.com/forums/thread/761251 It works fine in this case when the machine has SIP disabled and systemextensionsctl developer on. As soon as I have made changes on the machine to systemextensionsctl developer off and SIP enabled, System Extension stopped loading. I have copied the app to the "/Applications" directory before opening it. When I check the loading status of the system extension with the "systemextensionsctl list" command, it shows as "[validating by category]" Am I missing something? Thanks in advance.

We have a developer-id application which includes a LaunchAgent, couple of LaunchDaemon and a system extension. We want to store our secure data in keychain that can read by any of our processes or at least by LaunchDaemons. We would also prefer for our data to not be visible to users, not be accessible to other processes and we did not want to use system keychain because of our prior experience where one of our app data on update corrupted the system keychain for one customer. Therefore, we have decided to create our own keychain file and store our data there. However, we noticed that SecKeychainCreate and related file based keychain APIs are deprecated. This led me to below threads: https://developer.apple.com/forums/thread/685546 https://developer.apple.com/forums/thread/712875 https://developer.apple.com/forums/thread/696431 And now I am confused. It is suggested that we should use data protection based keychain because file based keychains are on path to deprecation. However, it is also noted that data protection keychains do not work with LaunchDaemons. So which keychain is the right choice for our requirements? Also, One tricky aspect of this is that the SecItem API supports both keychain implementations I do not see any option to use file based keychain using SecItem API. How can I create a new keychain file at a given path and add data in it using SecItem APIs? Can someone please elaborate on this with example?

I developed a network filter using system extensions and placed the system extension program in a container app. I activated the extension and enabled the network filter in the/Applications directory through the container app. After that, my container app process exited, and only the system extension program process in the/Library/SystemExtensions directory was running. After booting up and upgrading the macOS system, the system extension program will be launched, and I learned from the link below that the system extension will be launched with the system at startup: https://developer.apple.com/forums/thread/701986 . But I haven't learned from the official documentation of System Extensions and NetworkExtension why system extensions start with the system and what their principles are. Because the container app under the activation system extension/Application did not start. Has the network filter developed for system expansion been registered in the system related files or frameworks? Ensure that it will start after each startup

Hi,team: I am testing a product and found that my 12.6.0 and 14.5.0 computers will cause other app processes to exit when starting my network filter, but 10, 11, 13, and 14.6.1 will not. I can see the exit log of the app from launchd.log. Why is this? The log is as follows: 2024-09-12 19:34:36.783374 (gui/501/app_bundleid [546]) : exited due to SIGPIPE | sent by App[546] 2024-09-12 19:34:36.783383 (gui/501/app_bundleid [546]) : service state: exited 2024-09-12 19:34:36.783386 (gui/501/app_bundleid [546]) : internal event: EXITED, code = 0 2024-09-12 19:34:36.783389 (gui/501/app_bundleid [546]) : job state = exited 2024-09-12 19:34:36.783411 (gui/501 [100005]) : service inactive: app_bundleid 2024-09-12 19:34:36.783414 (gui/501/app_bundleid [546]) : service state: not running 2024-09-12 19:34:36.783582 (pid/546 [App]) : shutting down

Hi, I've developed an application which reside under /Applications. Inside the main application bundle (/Applications/mainApp.app) there are sub-app that contain security extension. Here's the relevant path /Applications/mainApp.app/Contents/Helpers/subApp.app/Contents/Library/SystemExtensions/com.myComp.type.systemextension/ So far I could load the extension by running the subApp and make sure it calls the extension activation API. but seems like starting from Sonoma (i'm using version 14.6.1 )it stopped working, and I get crash dump on signature failure which trying to open the subApp.app. in the crash log I get reason of invalid code sign. I also get the following hints Binary Images: 0x1050a0000 - 0x10512bfff dyld_path_missing (*) <f635824e-318b-3f0c-842c-c369737f2b68> /dyld_path_missing 0x104d9c000 - 0x104d9ffff main_executable_path_missing (*) <1df5f408-cb16-304f-8b38-226e29361161> /main_executable_path_missing Is it possible that new OS version have new validation rule that enforce something about the location of the app that can start extensions ?

Hi, can't activate system-extension. in any case getting Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" (sometimes get code = 9) P.S. In debug running all is working. (The system is asking to activate sysex) Has to read huge amount of forum, samples, and docs. But no luck What and how i've tried steps which i've doing #- signing sysextension binaries with Developer ID Application #- signing system extension with Developer ID Application #- signing application with Developer ID Application #- checking all signatures with Developer ID Application #- building pkg installer #- signing installer with Developer ID Installer #- checking signing #- sending installer for notarization #- waiting for installer verification #- after success I call stapler staple #- When calling sysex activation I get (But the problem is persist when i've try to move signed app to application folder, or try to notarize zip) or in any case which possibly mention on forum, i've get sign command sample codesign --force --timestamp --options runtime --sign "Developer ID ***" Also has to tried with ** --deep,** but no luck. Result of steps descrribed here: App has System Extension compatibility, Sysex haven't System Extension. App is used the same bundle id as in AppStore (also has to tried separate one, but no luck) In console just two informative message regarding it, but nothing specific default 01:08:04.745310+0200 sysextd client activation request for com.company.appName.PacketTunnelMacExternal default 01:08:04.745330+0200 sysextd attempting to realize extension with identifier com.company.appName.PacketTunnelMacExternal default 01:08:04.750996+0200 appName-Mac-External [0x13a9496f0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel() Could you please assits with solve issue?

Is it known how to open in macOS Sequoia the Endpoint Security Extensions Pane. is there any anchor available for open "x-apple.systempreferences:com.apple.ExtensionsPreferences"?

So I wanted to get my hands dirty with objective-c so I decided to create a project to list all outbound traffic, after digging a little I found that I could use the Network Extension API. I created a simple command line project with xcode and tried to load this extension but for some reason I can't get it to work. I don't have a developer license yet and I'm not sure if it has anything to do with the problem I'm facing. This is just some test code so there are 2 free functions, one for loading the system extension and another for checking its status: // activates the extension? BOOL toggleNetworkExtension(NSUInteger action) { BOOL toggled = NO; __block BOOL wasError = NO; __block NEFilterProviderConfiguration* config = nil; dispatch_semaphore_t semaphore = 0; semaphore = dispatch_semaphore_create(0); NSLog(@"toggling the network extension"); [NEFilterManager.sharedManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if(nil != error) { wasError = YES; NSLog(@"loadFromPreferencesWithCompletionHandler error"); } dispatch_semaphore_signal(semaphore); }]; NSLog(@"waiting for the network extension configuration..."); if(YES == wasError) goto fail; NSLog(@"loaded current filter configuration for the network extension"); if(1 == action) { NSLog(@"activating network extension...") ; if(nil == NEFilterManager.sharedManager.providerConfiguration) { config = [[NEFilterProviderConfiguration alloc] init]; config.filterPackets = NO; config.filterSockets = YES; NEFilterManager.sharedManager.providerConfiguration = config; } NEFilterManager.sharedManager.enabled = YES; } else { NSLog(@"deactivating the network extension..."); NEFilterManager.sharedManager.enabled = NO; } { [NEFilterManager.sharedManager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if(nil != error) { wasError = YES; NSLog(@"saveToPreferencesWithCompletionHandler error!"); } dispatch_semaphore_signal(semaphore); }]; } NSLog(@"waiting for network extension configuration to save..."); if(YES == wasError) goto fail; NSLog(@"saved current filter configuration for the network extension"); toggled = YES; fail: return toggled; } Then there's this function to check if the extension is enabled which for some reason always returns false. BOOL isNetworkExtensionEnabled(void) { __block BOOL isEnabled = NO; dispatch_semaphore_t semaphore = dispatch_semaphore_create(0); [NEFilterManager.sharedManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if (error != nil) { NSLog(@"Error with loadFromPreferencesWithCompletionHandler"); } else { isEnabled = NEFilterManager.sharedManager.enabled; } dispatch_semaphore_signal(semaphore); }]; return isEnabled; } Is something wrong is this code or is this related to entitlements or the developer license? As a side note I have already disabled SIP not sure if it matters in this case. Thanks in advance.

Hi, Team: Is there any difference in the underlying logic between starting the network filter by configuring the MDM description file through the first connection below and starting the network filter through the second connection in the code? First connection：https://developer.apple.com/documentation/devicemanagement/webcontentfilter?language=objc Second connection： https://developer.apple.com/documentation/networkextension/nefiltermanager?language=objc

I sent the description file through MDM in advance and configured the system extension and web content filter. When my code uses activationRequestForExtension:queue: to activate the system extension, other security app processes will be killed. I received the following message. May I ask why this may be? 2024-09-02 11:42:19.737229 (gui/501/killed_bundleid [679]) : exited due to SIGPIPE | sent by killed_app[679], ran for 301372ms 2024-09-02 11:42:19.737239 (gui/501/killed_bundleid [679]) : service state: exited 2024-09-02 11:42:19.737245 (gui/501/killed_bundleid [679]) : internal event: EXITED, code = 0 2024-09-02 11:42:19.737247 (gui/501/killed_bundleid [679] ]) : job state = exited 2024-09-02 11:42:19.737274 (gui/501 [100003]) : service inactive: killed_bundleid 2024-09-02 11:42:19.737277 (gui/501/killed_bundleid [679]) : service state: not running 2024-09-02 11:42:19.737282 (pid/679 [killed_app]) : shutting down 2024-09-02 11:42:19.737310 (pid/679 [killed_app]) : cleaning up

NETransparentProxyProvider have below method: override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool This method is blocking. Until we returns value from this method, next flow will be blocked, macOS doesn’t calls it on new thread. for example: if we take 10 second to check what to do with this flow, whether to handle it(true) or return to kernel(false), another flow will be block for 10 sec. how to not block future flow while it is taking longer to process current flow?

Hi,Team: I successfully installed the system extension through MDM and want to uninstall it through RemovableSystemExtensions, but this command does not support versions below macOS 12. Is there any other way to pause or uninstall the system extension? Can I delete the configuration file that allows system extensions through MDM? Or send and delete the configuration file of AllowedSystemExtensions?

I explored Apple's Filtering Network Traffic sample. I noticed for me, FilterDataProvider's startFilter method is called only when I make filterManager.grade = .inspector before calling filterManager.saveToPreferences. Could someone help why the startFilter is not called when I leave the filterManager's grade property with it's default value. i.e NEFilterManagerGradeFirewall? https://developer.apple.com/documentation/networkextension/filtering_network_traffic

Hi, Team: I developed a network filter and used MDM to issue a description file. By configuring AllowedSystemExtensions, I can avoid the reminder of loading system extensions during installation. However, when savingToPreferencesWithCompletionHandler, I will still be reminded that my network data is monitored. How can I configure MDM to avoid this reminder? And why can I still delete the filter from the network filter conditions even though I configured it in mobileconfig in the following way. NonRemovableFromUISystemExtensions com.mysystemextensionid

Hi Team: I first created a macOS app and added a target of the network extension of the system extension to the app. The function of my app is to enable the system extension and allow the network extension. The app only enables the network filter and does not perform other operations. After completion, it will execute [NSApp terminate:nil]; to exit. My network filter can run normally after the app exits, and I use rm -rf to delete the app from /Application, and the network filter can still run normally. This result is what I want, but I don’t know if it is reasonable to delete the app from /Application. My understanding is that the network filter I developed is registered with the system, so it is okay to delete it from /Application. Is this correct?

WireGuard Apple VPN Client App for macOS with System Extension to Distribute Outside App Store Checkout the source code of WireGuard Apple. https://github.com/WireGuard/wireguard-apple I have fixed several issues and now I can create and connect to the VPN. This source code uses the App Network Extension (appex) which can only be distributed on the App Store. But I don't want to distribute it via the App Store. I will distribute it outside the App Store. But for this, we need to sign the app with the Developer ID Application certificate and we also need to notarize it. So for this, the App Network Extension (appex) will not help. We need to use the System Extension Network Extension (sysex). So we need to make changes to the WireGuard Apple source code to be able to connect the VPN via the System Extension Network Extension (sysex), this means we need to migrate existing App Network Extension (appex) to System Extension Network Extension (sysex) in this source code. I am facing this challenge, that's why I am looking for a solution here. I have already done changes explained here https://forums.developer.apple.com/forums/thread/695550. Also done with changes for getting system extension permission and network extension permission. Real problem is, VPN client app is not getting connect to VPN and to fix this, we need to fix in WireGuard Apple Kit source code. Please help me to solve this problem.

Hi Team, Is there a way to disable secure DNS in macOS that is set at the OS level, like 8.8.8.8, which supports secure DNS on ports 443 and 853?

hi, all I subscribe AUTH_SIGNAL event with ESF. and test if it can prevent Activity Monitor from killing processes in the list below. I can stop "Force Quit"(sigkill) to all five processes, but "Quit"(sigterm?) to four processes except "Typora". I'm pretty sure that I didn't get a signal event when I used Activity Monitor to "Quit" typora. how Activity Monitor "Quit" the "Typora"? it looks like the Activity Monitor "Quit" the App Process with a different way(not through sending signal).

I'm attempting to create an application that uses a System Extension / Network Extension to implement a PacketTunnelProvider. After creating and configuring the packet device, I want to spawn a child process to do the actual reading and writing of network packets. I want to do this because the child is written in Go (it uses wireguard-go and my company's Go-SDK). When I call posix_spawn from within the System Extension, I get "Operation not permitted" as the error, and sandboxd drops a log with Violation: deny(1) process-exec* /private/var/root/Library/Containers/<my system extension>/Data/Documents/<my-child-binary> Is it possible to execute other processes from within the System Extension sandbox? Do the binaries have to be stored in a particular place, and if so, where? I attempted to build with the App Sandbox removed from the System Extension capabilities, and this seemed to fail before even executing my Network Extension code, so I'm guessing System Extensions are required to be sandboxed, but it would be nice to have that confirmed.

Hi everyone, I am developing a MacOS app where a network extension and a content filter are installed as system extensions when the app is launched. I'd like to test the flow where user get a "System Extension Blocked" prompt like this: But I couldn't find a way to revoke the approval I gave at the first place. I've tried remove the system extensions using "sudo systemextensionsctl uninstall [TEAM ID] [BUNDLE ID]" with SIP disabled but no luck. I've also tried to remove them from the KextPolicy database but they are not even in the database. I am on MacOS Sonoma 14.5. All I want is to revoke the system extension approval and recreate this prompt. Has anyone experienced a similar issue or have any suggestions on how to achieve this?