I'm trying to sign a macOS application which includes a Endpoint Security system extension. The profile for the extension has capability added and the app profile has the System Extension capability added. Both targets also has the correct entitlements, but when validating the app after archiving I get the following error: "Profile doesn't support Endpoint Security." When looking in the logs I can see that Xcode is fetching a provisioning profile for the extension without the needed capability. If downloading the profile from the developer portal the correct capability is present. Could something be "out of sync" regarding what provisioning profiles Xcode fetches vs what I see on the developer portal? If I try to archive using xcodebuild I get the following: "APP requires a provisioning profile with the System Extension feature." and ""BUNDLE_ID.systemextension" requires a provisioning profile with the Endpoint Security feature." I have tried with automatic and manual signing but nothing seems to work.

MacOS Version: 14.3 (23D56) In my testing of PacketTunnelProvider on MacOS I have observed that when I do a system shutdown or reboot, PacketTunnelProvider::stopTunnelWithReason() is getting called with reason: NEProviderStopReasonUserInitiated. Note: when I try to disconnect the VPN from system settings PacketTunnelProvider::stopTunnelWithReason() is called with the same reason: NEProviderStopReasonUserInitiated. I am facing an issue here to identify what caused PacketTunnelProvider::stopTunnelWithReason(), system shutdown or any user action?

HI Team, We have recently observed a network issue, followed by device hang-ups when users come out of sleep while using the Transparent app proxy provider in Sonoma 14.4. and users are required to restart the system to resolve the problem. In the client logs, we observed that State:/Network/Global/IPv4 does not have any PrimaryInterface and there is no internet connectivity, although the internet works fine on other devices. this issue start coming in sonoma 14.4 and happen with Transparent app proxy provider. We are currently unable to pinpoint the exact issue. Are there any known issues with Sonoma 14.4?

I am running into an issue with running a PacketTunnelProvider as a system extension, and fast user switching. Since the VPN is running as root, it runs outside any user context, and is accessible to all users on the machine. I can see the following behavior: Login to User A Connect VPN Fast switch to user B Open Safari, observe that traffic is directed and sent out the VPN. (As noted by the ability to browse otherwise un-reachable websites). Is there a way to detect that a fast user switch is happening? And disconnect the VPN when user B takes control of the screen. I know NSWorkspace is not a daemon-safe API. So NSWorkspaceSessionDidResignActiveNotification and like will not be useful here. One alternative would be to use NSWorkspace notifications in the GUI and alert the system extension via XPC. But that wouldn't work in the case where there isn't a GUI, such as with ConnectOnDemand. Is there a daemon-safe API to use or some other alternative? Thanks

We have a main app that handles UI and interaction with the user. And we also have daemon contained inside of it. Daemon has all the business logic and FDA and root permissions. Now we want to add a network extension. First we added the Network Extension to Main app and it was working fine (to test the waters). But then we decided to move it to Daemon since it has all the business logic and NE mostly contains business logic and no UI. It needs to be there. Now NE activationRequest(forExtensionWithIdentifier is working fine. But deactivationRequest(forExtensionWithIdentifier: during uninstall always fails with this error System Extension deactivationRequest fails with error he operation couldn’t be completed. (OSSystemExtensionErrorDomain error 13.) OSSystemExtensionError Code 13 says "An error code that indicates the system was unable to obtain the proper authorization." What does this actually mean. Also if there is an error why is it throwing it during uninstall rather than install? To make it more clear this is our app structure is Main.app -> Contents -> Mac OS -> Daemon.app -> Contents -> Library -> SystemExtensions -> System Extension Bundle Apple doc says @discussion This method creates a new request to activate/deactivate a System Extension. Extensions are discovered from the `Contents/Library/SystemExtensions` directory of the main application bundle. Our System Extension is present on the main app bundle and has Contents/Library/SystemExtensions structure but one extra layer deep. Is this supported app structure?. If not is there any way to succesfully uninstall NE from code. Right now systemextensionsctl uninstall won't work without System Integrity Protection disabled. Keeping NE on the main app will break our project structure and require major rewrite of the app. Also whenever I run systemextensionsctl with SIP on I get this message At this time, this tool cannot be used if System Integrity Protection is enabled. This limitation will be removed in the near future. Please remember to re-enable System Integrity Protection! Apple introduced System Extensions in 2019. It is still not there yet. Does anybody have any idea when will Apple make it work? if at all?

As enterprise endpoint security/data loss prevention application, we need to detect data which is being transferred out of the enterprise context from their MacOS filesystem through applications like Cloud Sync or Email. Depending on the file content, type and size, we require some time for scanning the content being sent. This can range from milli seconds to few minutes for very large contents. But the Endpoint Security message has to be responded within the provided message deadline else application will be killed. This deadline is reducing with every macos release and its now only 15 seconds on macos sonoma which is blocking our use case of completing the scan before responding. We may scan it before but it imposes challenges of the data being modified before actual sent. So, we have to scan it on the fly and cant rely solely on the previous scans. Is there any way an Enterprise can customize this deadline value depending on the ES message and scanning application may be through MDM setting?

We have a test scenario where we install our app package on a Mac setup using MDM (Jamf). Below are the test steps and observation: This installation is done on this Mac with no user logged in. Installation is completed successfully. Now when an user log in on this mac machine, the expectation is that the app bundle will be started by the launchd (RunAtLoad). But the app is not started. When I check console logs I could see few logs around the app but from those logs I couldn't figure out why the app didn't start. I rebooted my test machine but that also didnt start my app. My app is not listed in 'launchctl list' command. My App bundle contains container app and a packet tunnel extension. Below is how my plist file looks like in '/Library/LaunchAgents/com.****.***ui.plist': { KeepAlive = 1; Label = "com.*****.client.****ui"; LimitLoadToSessionType = ( Aqua ); ProgramArguments = ( "/Applications/*********.app/Contents/MacOS/****Module" ); RunAtLoad = 1; SuccessfulExit = 1; Version = "110.200.0.100"; } In Console below are the last set of log which I could find related to my app: support_log.txt In above logs below statement mentions the extn which is related to my app bundle: 2024-03-19 15:48:55.256020+0530 0x462 Default 0x0 206 0 symptomsd: (SymptomEvaluator) [com.apple.symptomsd:analytics] [Skipping first 85 of 95 entries] 2024-03-19 15:48:55.256051+0530 0x462 Default 0x0 206 0 symptomsd: (SymptomEvaluator) [com.apple.symptomsd:analytics] entry: Thu Feb 8 20:48:26 2024 NetworkExtension.com.*****.client.*****-Client.*****ui.*****pkttunnel.104.2.12.191.104.2.12 (bundle) 0 0 0 0 0 0 Can someone please help me in understanding what could be wrong here, why would 'RunAtLoad' key word wont work here to start my app on user login or reboot? Note: Everything work fine when my app is installed with an user logged in to the test machine. Also App starts successfully if I run command 'lauchctl bootstrap gui/ /Library/LaunchAgents/com.****.****ui.plist' in the above mentioned test scenario where app didnt auto start by launchd: 'RunAtLoad'.

Hi Team, I have been working on an application that includes a Network Extension. I wanted to disable it if a captive portal is detected over the network. I have tried different approaches to detect it, including the standard approach outlined in the following document: https://datatracker.ietf.org/doc/html/draft-ietf-capport-api, using the URL https://captive.apple.com/hotspot-detect.html. However, none of these methods seem to be working. Additionally, the kSCNetworkReachabilityFlagsConnectionRequired flag is not being flagged when under a captive network. Could you please assist with this issue? Thank you.

I encountered a problem while implementing DNS Proxy for Network Extension. It consists of MyMyExt, a System Extension that implements DNS Proxy, and MyMyService, a container. The system extension consists of classes that inherit the NEDNSProxyProvider. Class has overrided "override init(), override func startProxy(...), override func stopProxy(...) override func handleNewFlow(...)" Since the manager.loadFromPreferences(...) and manager.saveToPreferences(...) calls, system extensions and DNS Proxy have been added. However, contrary to expectations, init(), startProxy(...), etc. are not being called. (In System Settings → Network → Filter, DNS Proxy has been added, but is displayed as "Activated" and a yellow circle) Here is the information that appears on the console. ... Omitted ... MyMyService.MyMyExt [Info] DNSProxyManager.swift: 51 [-] DNSProxy: saved nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Adding a connection for client mDNSResponder[167] nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: handleNetworkDetectionNotification <MyMyService.MyMyExt> nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Received a restart command from nesessionmanager[1011] nesessionmanager Registering session NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Resetting VPN On Demand nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] in state NESMVPNSessionStateIdle: update configuration nesessionmanager <NESMServer: 0x13ae0ac90>: <MyMyService.MyMyExt> Register DNS Proxy Session: NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Successfully registered nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: status changed to connecting nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] in state NESMVPNSessionStateIdle: received start message nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Leaving state NESMVPNSessionStateIdle nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Entering state NESMVPNSessionStatePreparingNetwork nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Cannot create agent for plugin type MyMyService.MyMyExt, missing designated requirement nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Failed to create an NEAgent nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Leaving state NESMVPNSessionStatePreparingNetwork nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds ... Omitted ... Perhaps the key is the "Cannot create agent for plugin type MyMyService.MyMyExt, missing designated requirement" recorded in the log. But I can't find out what this message is about or how to resolve it. and, here is my code, more info at my previous post. I ask for your help. Thank you, for your attention.

Hello, I'm keeping on getting a failure when trying to install an App from Samsung Dex. The report says to "disconnect your phone to install" but NO phone is connected. I tried various command line and numerous troubleshooting to reset and refresh some KEXT but still issue exists. Here is the install.log below. What could be the work around this bug? How to reset and proceed with installation? Thank you p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 16.0px 'Helvetica Neue'; color: #262626; -webkit-text-stroke: #262626; background-color: #ffffff} span.s1 {font-kerning: none} 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: @(#)PROGRAM:Install  PROJECT:Install-1000 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: @(#)PROGRAM:Installer  PROJECT:Installer-1020 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Hardware: iMac18,2 @ 3.00 GHz (x 4), 32768 MB RAM 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Running OS Build: macOS 11.4 (20F71) 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: USER=KP 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: __CFBundleIdentifier=com.apple.installer 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: COMMAND_MODE=unix2003 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: LOGNAME=KP 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: PATH=/usr/bin:/bin:/usr/sbin:/sbin 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.LsIZhGSQv0/Listeners 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: SHELL=/bin/zsh 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: HOME=/Users/KP 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: __CF_USER_TEXT_ENCODING=0x1F5:0x0:0x0 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: TMPDIR=/var/folders/d_/hqzchb455m9ct55v66n3n2_w0000gn/T/ 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: XPC_SERVICE_NAME=application.com.apple.installer.1152921500312163432.1152921500312163437 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: XPC_FLAGS=0x0 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Samsung DeX  Installation Log 2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Opened from: /Volumes/Samsung DeX/Install Samsung DeX.pkg 2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Package Authoring Error: <background_scaling> has an unsupported MIME type: X-NSObject/NSNumber 2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Package Authoring Error: <background_alignment> has an unsupported MIME type: X-NSObject/NSNumber 2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Package Authoring Error: has an unsupported MIME type: X-NSObject/NSNumber 2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Failed to load specified background image 2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Product archive /Volumes/Samsung DeX/Install Samsung DeX.pkg trustLevel=350 2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: External component packages (2) trustLevel=350 2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Could not load resource readme: (null) 2021-07-08 19:33:16-04 KPs-iMac Installer[9137]: Installation checks failed. 2021-07-08 19:33:16-04 KPs-iMac Installer[9137]: Installation check failure.  . Disconnect your phone to install..

What happens when I try to run my app with the DNS proxy provider in network extension while another app with the same extension is already running? Will it throw an error?

Xcode Version 15.2 (15C500b) After upgrading Xcode from 14 to 15.2 I am not able to attach system extension (packettunnel) process to Instruments tools for memory debugging. Same is working fine with Xcode 14. Error displayed: "Process No Longer Exists". But the service is running and is listed in process list. % ps -ax | grep -i pkttunnel | grep -v grep 61910 ?? 0:01.04 /Library/SystemExtensions/5F4AF6EF-****-****-****-F11****9CE78/com.******.client.*****-Client.***ui.***pkttunnel.systemextension/Contents/MacOS/com.******.client.*****-Client.***ui.***pkttunnel.systemextension Note: I am able to attach a normal program to Instruments tool for memory debugging, I have noticed this issue with system extension processes only.

We added a packet filter to our app, then found a way to not need it, so we want to be able to remove it on upgrades. But we don't want to install it if it's not already installed. Simple, right? The basic flow of the code is, on start-up, it does a propertiesRequestForExtensiion request. The method for the delegate goes through the various versions, ignoring any that are property.isEnabled == NO. When it comes to one that is enabled, it checks the version -- if it's the same version as the running app, it goes to deactivate it. If it's a different version, it goes to enable the current version (creating a activationRequestForExtensiion request). This should all be very simple. Except. At some point during this, the properties request gets a failure -- Domain=OSSystemExtensionErrorDomain Code=1. Ok, it seems there are lots of them laying around (I haven't rebooted in a while), and that method doesn't return once it finds one that is enabled. So maybe it doesn't like that. And then the activation request that was submitted also fails, also with the same error that doesn't explain anything. I thought, ok, maybe they don't like to stop on each other's toes, so let's create a serial dispatch queue, and have all of the system extension requests use that queue. That way, the activation request won't begin until the properties request has finished! Only I did that. And it did get a bit further -- the request method was invoked! Only then I still got messages about the properties and activation requests failing with the same unknown error. So then I looked at console. And sysextd is crashing, every time this happens. And then I dump all of the logs around that time, and look through them, and see... nothing. I had hoped to end this with a description of how I achieved victory, but instead... I'm going to have to reboot and see if that solves the mysterious crashing of sysextd.

Hi Team, We are using NETransparentProxyProvider, and we have observed that whenever we set setNetworkInterface with NENetworkRule, it always generates the DNS query even if the TTL time has not passed. However, when I stop the NETransparentProxyManager using stopVPNTunnel and set setNetworkInterface as nil, it will not re-issue the DNS query until the DNS TTL time has passed.

For a security product, I wonder if security extension has a capability to catch a file during copy operation (I guess it's composed out of multiple basic ops like file read and file write). I'd like to store the file in some quarantined temporal (let's say when someone copy file from external file system like usb/network location and copy it back once the file has properly scanned. So far, i've used the authorization capabilities of the security extension. I wonder if there's also an option to change the target location of a file being copied ? Thanks.

Platform: MacOS 12.0 I have an app bundle which contains an packet tunnel extension. I am not running my packettunnel extension in a Sandbox as I dont plan to post my app in Apple's App Store. I have an requirement to run privilege operations which I have run any place from the app. As we know the user app cannot run these privilege operations we can use the 'Service Management' api: SMJobBless to start a helper tool which can run these privileged tasks. But as I stated earlier I can run these privileged tasks from any place in the bundle, we have packettunnel extension which is running with root privileges. So looking at my above environment what would be recommended? do I really need to start a privileged helper tool or I can directly run these privileged operations from packettunnel extension? One advantage of running these privilege tasks in packettunnel extension I see is that it will not require additional an user authentication which is needed in case of using SMJobBless(), this will also avoid upgrade management of the helper tool.