Hi,
I'm trying to detect a captive session from NEFilterDataProvider to make sure the portal traffic is allowed accordingly.
Initial idea was to look at audit tokens to allow any traffic from Captive Portal Assistant.
But most of the traffic is managed from WebKit Networking (I assume CPA uses a WebView). Allowing any WebKit traffic is a major issue for my firewall use-case.
An alternative could be possible using NEHotspotHelper but this API is not supported on Mac.
Portal DHCP advertisement could also help but sandboxed NEFilterDataProvider doesn't have access to DHCP context. https://developer.apple.com/news/?id=q78sq5rv
I've seen many threads related to those topics for iOS but none for Macs.
Does anybody know a Mac API that could be of any help?
Hi,
I'm writing an XPC Service hosted in a container app.
This service is expected to trigger IPC when some URL of interest becomes reachable. I'm using SCNetworkReachability (Reachability class provided as sample code from Apple).
The reachability notification runs fine when running from the container app.
However the XPC Service is never triggered on any network change.
I'm suspecting something related to RunLoop or RunLoopMode (XPCListener is instantiated with serviceListener) but cannot find any fix.
I disabled sandboxing without success (and anyway it runs fine with sandboxed container + network client entitlement).
Any suggestion?
Hi,
I’m writing a network extension for macOS using the following pattern:
Network extension with ID com.company.app.extension
XPC Service with ID com.company.app.controller
Container app with ID com.company.app.container
First 2 are contained in the 3rd
All of 3 are sandboxed & share the same com.company.app AppGroup.
XPC Service uses network (client) entitlement to fetch settings & control the extension.
The app needs to support managed preferences as well.
I read many posts in this forum, but I’m confused about using NSUserDefaults across those processes.
Pb 1 - standardUserDefaults vs initWithSuiteName
I noticed that to observe defaults using KVO I need to use initWithSuiteName:@"com.company.app" (or addSuiteNamed).
Observing standardUserDefaults alone will never trigger any event. This is the first confusion because my understanding was that KVO observation wasn’t restricted to suites.
Pb 2 - AppGroup ‘group.’ prefix
If I observe a suite named ‘com.company.app’ from the container app or XPC Service I get error: [User Defaults] Couldn't read values in CFPrefsManagedSource<> (Domain: com.company.app, User: kCFPreferencesAnyUser, ByHost: Yes, Container: (null), Contents Need Refresh: No): accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
This can be fixed using ‘group.com.company.app’ suite (both in the code and AppGroup entitlement). However if I use the same AppGroup for extension it will fail loading with error code OSSystemExtensionErrorValidationFailed.
Checked the provisioning profiles, they all map to the same ID in Dev portal. Including the TeamID in the suite name will produce the same situation.
The only way to load the extension is to use AppGroup com.company.app. This again is confusing because Dev portal forces the ‘group.’ prefix. I can’t figure out how to use the same suite name for all processes.
Pb 3 - Inter-process synchronisation
Based on previous conclusion the situation is both container & controller use AppGroup (TeamID).group.com.company.app and addSuiteNamed:@"group.com.company.app" for observing & updating the defaults.
Each process can observe its own defaults updates but they do not synchronize between container app and XPC Service.
This is the most frustrating part. The documentation says:
NSUserDefaultsDidChangeNotification is posted whenever any user defaults changed within the current process, but is not posted when ubiquitous defaults change, or when an outside process changes defaults. Using key-value observing to register observers for the specific keys of interest will inform you of all updates, regardless of where they're from.
Did I miss some steps?
Hi,
I'm writing a CryptoTokenKit extension (similar to sample available in CTK documentation).
In this extension I'm trying to use SecKeyCreateSignature or SecKeyCreateDecryptedData using private keys I get using SecItemCopyMatching.
However the crypto operations fail with errors -25308:
CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION (errKCInteractionNotAllowed / errSecInteractionNotAllowed / Interaction is not allowed with the Security Server)
The same code runs fine from the host App.
Are there Sec API limitations in CTK?
I've seen some posts in the forum about application whitelisting using provisioning profiles but I don't understand which keys should be used.
Here is one of the posts I refer to: https://forums.developer.apple.com/thread/128767
Any help is welcome,
Regards,
Jerome T
Hi,
I cannot find potential attributes to enable 'User Presence' when accessing passwords stored with 'add-generic-password'.
The idea is to make sure the user is prompted with session's password (or TouchID) each time a generic password is fetched from Keychain. This can be done using Security.framework but I'm looking for an equivalent in a shell script.
Has anybody done such a thing?
Regards,
Jerome T
Hi,
I have an assistant that launches using a LaunchAgent and a conditional file path.
The problem is during Setup Assistant sessions (after a macOS update for example) my app launches before the user logs in.
This is due to the Setup Assistant starting a session under Setup User.
Is there a smart/clean way to avoid the agent launching in this situation?
Visibly launchd configuration files cannot help here. The only solution I see is checking the current user on app launch and abort if it's _mbsetupuser - and this solution isn't clean at all. I'm not even sure it is possible under sandboxing.
Any help?
Regards,
Jerome