Hello everybody, Since macOS 15, the systemextension allow in changed as switch style and put in the "Login items & Extensions". I know the URL navigating to here, which is: x-apple.systempreferences:com.apple.LoginItems-Settings.extension But the extension options we need to scroll deep down and we need to click the "!" to open it. I want to open the finally window for user can easily see it and enable it. Please tell me how. Appreciate!!

NETransparentProxyProvider having these two methods: override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool override func handleNewUDPFlow( _ flow: NEAppProxyUDPFlow, initialRemoteEndpoint remoteEndpoint: NWEndpoint ) -> Bool During initial days when NETransparentProxyProvider was introduced, We used handleNewFlow to handle NEAppProxyTCPFlow and handleNewUDPFlow to handle NEAppProxyUDPFlow . Since handleNewUDPFlow is now deprecated, is it just okay to use handleNewFlow to handle both NEAppProxyTCPFlow & NEAppProxyUDPFlow? will this works always or there are some scenario where keeping handleNewUDPFlow will be usefull?

I'm trying to create a network extension packaged as a system extension on macOS, let request = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: "com.example.Desktop.PacketTunnelDesktop", queue: DispatchQueue.main) request.delegate = delegate // Submit the request to the system. let extensionManager = OSSystemExtensionManager.shared extensionManager.submitRequest(request) The application is installed in /Applications, I have also turned off SIP and systemextensionsctl developer on I'm not getting any breakpoint hits on my request delegate, but I am getting some logs in the console app: making activation decision for extension with teamID teamID("XXXXXX"), identifier com.example.Desktop.PacketTunnelDesktop no related kext found for sysex `com.example.Desktop.PacketTunnelDesktop` extension XXXXXXX com.example.Desktop.PacketTunnelDesktop (1.0/1) advancing state from validating to validating_by_category validate: category: com.apple.system_extension.network_extension, extension: com.example.Desktop.PacketTunnelDesktop waiting for external validation of extension with identifier com.example.Desktop.PacketTunnelDesktop It seems to stop here, and running systemsextensionsctl list shows: [validating by category] as the status. I'm trying to find some barebones example code for a network extension packaged as system extension but couldn't find any. Any ideas where to go from here?

Hello Team, I want to know if there's a way to uninstall System Extension without prompting the user for authorisation. These are ways I found to uninstall System Extension The deactivationRequest api prompts the user for uninstalling System extension. If I use Apple script to drag and drop the application[which is embedded with System Extension] to trash also prompts the user. The only workaround that doesn't prompt is by disabling SIP and using the systemextensionsctl uninstall command. I want to know if there's any other solution that can uninstall System Extension without prompting the user for authorisation. Thanks!

Hi, We are currently working on porting our PacketTunnelProvider app extension to run as a system extension. Things are mostly working great, but we're now testing upgrades from the existing app extension to a system extension. We have an existing configuration that gets created and runs perfectly fine with the app extension. Then, when we go and upgrade to the system extension, and attempt to connect using the same existing configuration. We see this error in the nesessionmanager logs: 10:00:57.717694-0700 nesessionmanager Signature check failed: code failed to satisfy specified code requirement(s) error 10:00:57.717914-0700 nesessionmanager Rejecting agent com.agentBundleID.bundleID because it does not satisfy the code signature requirements error 10:00:57.717937-0700 nesessionmanager Failed to launch com.agentBundleID.bundleID If we create a new configuration profile in our upgraded app w/system extension it works fine. The problem only occurs with existing profiles. Our app doesn't even get any notification about this error, startVPNTunnelWithOptions:andReturnError: doesn't return any error that we can work with. My gut tells me this has to do with the ProviderDesignatedRequirement not being correct, but I really have no way to confirm this at all. The NETunnelProviderProtocol has no way to specify that in its API. Our providerBundleIdentifier was unchanged between the two extensions. Is there anything that we can do here? Or are we stuck re-creating the configuration profile after an upgrade?

In macOS 15 Sequoia (tested on 15.0 and 15.0.1), the icon of our network extension (and of other third party apps) is missing. See the attached screenshot, instead of the generic app icon there should be the icon of our app. Is this a bug, or is there something we developers can/should do? I tried adding an asset catalog with the app icon, and specifying that using ASSETCATALOG_COMPILER_APPICON_NAME like we do in the main app. Even though the icon is added to the Resources folder of our .systemextension, and is referenced in the Info.plist using CFBundleIconFile and CFBundleIconName, the icon is still not showing in the System Settings.

I am working on developing a Mac app that will be distributed outside of the App Store. I have added the network extension which packaged in System Extension with packet tunnel capability. I have created a build following these steps here: https://developer.apple.com/forums/thread/737894 based on your suggestions in my accepted post: https://developer.apple.com/forums/thread/761251 It works fine in this case when the machine has SIP disabled and systemextensionsctl developer on. As soon as I have made changes on the machine to systemextensionsctl developer off and SIP enabled, System Extension stopped loading. I have copied the app to the "/Applications" directory before opening it. When I check the loading status of the system extension with the "systemextensionsctl list" command, it shows as "[validating by category]" Am I missing something? Thanks in advance.

We have a developer-id application which includes a LaunchAgent, couple of LaunchDaemon and a system extension. We want to store our secure data in keychain that can read by any of our processes or at least by LaunchDaemons. We would also prefer for our data to not be visible to users, not be accessible to other processes and we did not want to use system keychain because of our prior experience where one of our app data on update corrupted the system keychain for one customer. Therefore, we have decided to create our own keychain file and store our data there. However, we noticed that SecKeychainCreate and related file based keychain APIs are deprecated. This led me to below threads: https://developer.apple.com/forums/thread/685546 https://developer.apple.com/forums/thread/712875 https://developer.apple.com/forums/thread/696431 And now I am confused. It is suggested that we should use data protection based keychain because file based keychains are on path to deprecation. However, it is also noted that data protection keychains do not work with LaunchDaemons. So which keychain is the right choice for our requirements? Also, One tricky aspect of this is that the SecItem API supports both keychain implementations I do not see any option to use file based keychain using SecItem API. How can I create a new keychain file at a given path and add data in it using SecItem APIs? Can someone please elaborate on this with example?

I developed a network filter using system extensions and placed the system extension program in a container app. I activated the extension and enabled the network filter in the/Applications directory through the container app. After that, my container app process exited, and only the system extension program process in the/Library/SystemExtensions directory was running. After booting up and upgrading the macOS system, the system extension program will be launched, and I learned from the link below that the system extension will be launched with the system at startup: https://developer.apple.com/forums/thread/701986 . But I haven't learned from the official documentation of System Extensions and NetworkExtension why system extensions start with the system and what their principles are. Because the container app under the activation system extension/Application did not start. Has the network filter developed for system expansion been registered in the system related files or frameworks? Ensure that it will start after each startup

Hi,team: I am testing a product and found that my 12.6.0 and 14.5.0 computers will cause other app processes to exit when starting my network filter, but 10, 11, 13, and 14.6.1 will not. I can see the exit log of the app from launchd.log. Why is this? The log is as follows: 2024-09-12 19:34:36.783374 (gui/501/app_bundleid [546]) : exited due to SIGPIPE | sent by App[546] 2024-09-12 19:34:36.783383 (gui/501/app_bundleid [546]) : service state: exited 2024-09-12 19:34:36.783386 (gui/501/app_bundleid [546]) : internal event: EXITED, code = 0 2024-09-12 19:34:36.783389 (gui/501/app_bundleid [546]) : job state = exited 2024-09-12 19:34:36.783411 (gui/501 [100005]) : service inactive: app_bundleid 2024-09-12 19:34:36.783414 (gui/501/app_bundleid [546]) : service state: not running 2024-09-12 19:34:36.783582 (pid/546 [App]) : shutting down

Hi, I've developed an application which reside under /Applications. Inside the main application bundle (/Applications/mainApp.app) there are sub-app that contain security extension. Here's the relevant path /Applications/mainApp.app/Contents/Helpers/subApp.app/Contents/Library/SystemExtensions/com.myComp.type.systemextension/ So far I could load the extension by running the subApp and make sure it calls the extension activation API. but seems like starting from Sonoma (i'm using version 14.6.1 )it stopped working, and I get crash dump on signature failure which trying to open the subApp.app. in the crash log I get reason of invalid code sign. I also get the following hints Binary Images: 0x1050a0000 - 0x10512bfff dyld_path_missing (*) <f635824e-318b-3f0c-842c-c369737f2b68> /dyld_path_missing 0x104d9c000 - 0x104d9ffff main_executable_path_missing (*) <1df5f408-cb16-304f-8b38-226e29361161> /main_executable_path_missing Is it possible that new OS version have new validation rule that enforce something about the location of the app that can start extensions ?

Hi, can't activate system-extension. in any case getting Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" (sometimes get code = 9) P.S. In debug running all is working. (The system is asking to activate sysex) Has to read huge amount of forum, samples, and docs. But no luck What and how i've tried steps which i've doing #- signing sysextension binaries with Developer ID Application #- signing system extension with Developer ID Application #- signing application with Developer ID Application #- checking all signatures with Developer ID Application #- building pkg installer #- signing installer with Developer ID Installer #- checking signing #- sending installer for notarization #- waiting for installer verification #- after success I call stapler staple #- When calling sysex activation I get (But the problem is persist when i've try to move signed app to application folder, or try to notarize zip) or in any case which possibly mention on forum, i've get sign command sample codesign --force --timestamp --options runtime --sign "Developer ID ***" Also has to tried with ** --deep,** but no luck. Result of steps descrribed here: App has System Extension compatibility, Sysex haven't System Extension. App is used the same bundle id as in AppStore (also has to tried separate one, but no luck) In console just two informative message regarding it, but nothing specific default 01:08:04.745310+0200 sysextd client activation request for com.company.appName.PacketTunnelMacExternal default 01:08:04.745330+0200 sysextd attempting to realize extension with identifier com.company.appName.PacketTunnelMacExternal default 01:08:04.750996+0200 appName-Mac-External [0x13a9496f0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel() Could you please assits with solve issue?

Is it known how to open in macOS Sequoia the Endpoint Security Extensions Pane. is there any anchor available for open "x-apple.systempreferences:com.apple.ExtensionsPreferences"?

So I wanted to get my hands dirty with objective-c so I decided to create a project to list all outbound traffic, after digging a little I found that I could use the Network Extension API. I created a simple command line project with xcode and tried to load this extension but for some reason I can't get it to work. I don't have a developer license yet and I'm not sure if it has anything to do with the problem I'm facing. This is just some test code so there are 2 free functions, one for loading the system extension and another for checking its status: // activates the extension? BOOL toggleNetworkExtension(NSUInteger action) { BOOL toggled = NO; __block BOOL wasError = NO; __block NEFilterProviderConfiguration* config = nil; dispatch_semaphore_t semaphore = 0; semaphore = dispatch_semaphore_create(0); NSLog(@"toggling the network extension"); [NEFilterManager.sharedManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if(nil != error) { wasError = YES; NSLog(@"loadFromPreferencesWithCompletionHandler error"); } dispatch_semaphore_signal(semaphore); }]; NSLog(@"waiting for the network extension configuration..."); if(YES == wasError) goto fail; NSLog(@"loaded current filter configuration for the network extension"); if(1 == action) { NSLog(@"activating network extension...") ; if(nil == NEFilterManager.sharedManager.providerConfiguration) { config = [[NEFilterProviderConfiguration alloc] init]; config.filterPackets = NO; config.filterSockets = YES; NEFilterManager.sharedManager.providerConfiguration = config; } NEFilterManager.sharedManager.enabled = YES; } else { NSLog(@"deactivating the network extension..."); NEFilterManager.sharedManager.enabled = NO; } { [NEFilterManager.sharedManager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if(nil != error) { wasError = YES; NSLog(@"saveToPreferencesWithCompletionHandler error!"); } dispatch_semaphore_signal(semaphore); }]; } NSLog(@"waiting for network extension configuration to save..."); if(YES == wasError) goto fail; NSLog(@"saved current filter configuration for the network extension"); toggled = YES; fail: return toggled; } Then there's this function to check if the extension is enabled which for some reason always returns false. BOOL isNetworkExtensionEnabled(void) { __block BOOL isEnabled = NO; dispatch_semaphore_t semaphore = dispatch_semaphore_create(0); [NEFilterManager.sharedManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if (error != nil) { NSLog(@"Error with loadFromPreferencesWithCompletionHandler"); } else { isEnabled = NEFilterManager.sharedManager.enabled; } dispatch_semaphore_signal(semaphore); }]; return isEnabled; } Is something wrong is this code or is this related to entitlements or the developer license? As a side note I have already disabled SIP not sure if it matters in this case. Thanks in advance.

Hi, Team: Is there any difference in the underlying logic between starting the network filter by configuring the MDM description file through the first connection below and starting the network filter through the second connection in the code? First connection：https://developer.apple.com/documentation/devicemanagement/webcontentfilter?language=objc Second connection： https://developer.apple.com/documentation/networkextension/nefiltermanager?language=objc

I sent the description file through MDM in advance and configured the system extension and web content filter. When my code uses activationRequestForExtension:queue: to activate the system extension, other security app processes will be killed. I received the following message. May I ask why this may be? 2024-09-02 11:42:19.737229 (gui/501/killed_bundleid [679]) : exited due to SIGPIPE | sent by killed_app[679], ran for 301372ms 2024-09-02 11:42:19.737239 (gui/501/killed_bundleid [679]) : service state: exited 2024-09-02 11:42:19.737245 (gui/501/killed_bundleid [679]) : internal event: EXITED, code = 0 2024-09-02 11:42:19.737247 (gui/501/killed_bundleid [679] ]) : job state = exited 2024-09-02 11:42:19.737274 (gui/501 [100003]) : service inactive: killed_bundleid 2024-09-02 11:42:19.737277 (gui/501/killed_bundleid [679]) : service state: not running 2024-09-02 11:42:19.737282 (pid/679 [killed_app]) : shutting down 2024-09-02 11:42:19.737310 (pid/679 [killed_app]) : cleaning up

NETransparentProxyProvider have below method: override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool This method is blocking. Until we returns value from this method, next flow will be blocked, macOS doesn’t calls it on new thread. for example: if we take 10 second to check what to do with this flow, whether to handle it(true) or return to kernel(false), another flow will be block for 10 sec. how to not block future flow while it is taking longer to process current flow?

Hi,Team: I successfully installed the system extension through MDM and want to uninstall it through RemovableSystemExtensions, but this command does not support versions below macOS 12. Is there any other way to pause or uninstall the system extension? Can I delete the configuration file that allows system extensions through MDM? Or send and delete the configuration file of AllowedSystemExtensions?

I explored Apple's Filtering Network Traffic sample. I noticed for me, FilterDataProvider's startFilter method is called only when I make filterManager.grade = .inspector before calling filterManager.saveToPreferences. Could someone help why the startFilter is not called when I leave the filterManager's grade property with it's default value. i.e NEFilterManagerGradeFirewall? https://developer.apple.com/documentation/networkextension/filtering_network_traffic

Hi, Team: I developed a network filter and used MDM to issue a description file. By configuring AllowedSystemExtensions, I can avoid the reminder of loading system extensions during installation. However, when savingToPreferencesWithCompletionHandler, I will still be reminded that my network data is monitored. How can I configure MDM to avoid this reminder? And why can I still delete the filter from the network filter conditions even though I configured it in mobileconfig in the following way. NonRemovableFromUISystemExtensions com.mysystemextensionid