SystemExtensions


Install and manage user space code that extends the capabilities of macOS using SystemExtensions.

SystemExtensions Documentation

Posts under SystemExtensions tag

166 results found
Post marked as solved

Embedded app not running

As I mentioned in this thread https://developer.apple.com/forums/thread/695207, I want my containing app to be active after the Mac restarts. I thought about something that could work: I wrote a "helper" embedded app which will be added to the login items, and after a restart this "helper" app will open the containing app. However, after archiving the project (with Developer ID; it will be distributed outside the App Store), I see the following error in the Console:

Non-fatal error enumerating at , continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/, NSFilePath=/Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/PlugIns, NSUnderlyingError=0x7fc5cb02c6f0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}

I see that there's really no PlugIns folder, but why? Is it a certificate/signing issue?
Asked by roee84.
Post not yet marked as solved

ps -A cannot see system extension process with M1

Hi there, Something interesting that I don't understand when trying to fetch my appproxy (and dnsproxy) system extension process with commands like the ones below. With an Intel MacBook Pro, all good to fetch back that pid. But with an M1 MacBook Pro, it returns nothing, although installed with the same Big Sur 11.6.1.

ps -A | grep $MY_SYS_EXTENSION_PROCESS_NAME
pgrep $MY_SYS_EXTENSION_PROCESS_NAME

Do you have any suggestion to make it the same on M1? Thanks in advance for any suggestion. Regards, Richard
Post marked as solved

Notarizing System Extension

Hello, We are developing an application which uses a System Extension and all works as expected, except one important thing: during the application launch we receive a system notification that the System Extension is Blocked and we need to Allow it via System Preferences -> Security & Privacy (it requires an admin password). So the question: Is it possible to avoid this behaviour? It's really very annoying for customers to perform these actions by themselves.

Our distribution flow is typical:
- We distribute the application as a PKG
- Before distribution we notarize the PKG installer and App (zip it and send to the Apple Notarization Service via terminal) - notarization passes and the archives are approved by Apple
- We are using Developer ID and manual signing in Xcode for all components of the application (main app, extension, cli daemon app)

I tried to zip the system extension and send it to the notarization service and staple it after that. I saw that it notarized successfully, but on first launch when the app triggers System Extension installation macOS shows the popup that "System Extension Blocked". When the user allows this System Extension, macOS will ask them that the application would like to add a proxy configuration - it's okay, but the Blocked System Extension is a real problem. We want to provide a better user experience and if it's possible it will be good to solve this issue. If somebody can assist or give us an accurate explanation that it's not possible and the System Extension will be blocked in all cases I will be really glad. I can provide any additional information, if required.

Our screenshot:

P.S. As I know there are many applications that have the same problem, for example I as a user have this behaviour for Cisco AnyConnect - I need to allow it in System Preferences on first launch 😢
Asked by ilis544.
Post not yet marked as solved

NEFilterFlow does not contain sourceAppAuditToken

I'm working on a FilterDataProvider network extension that works in conjunction with our global proxy app. Traffic that is bound for the proxy does not pass through the extension but outbound traffic from the proxy does. This outbound traffic needs to be identified so that we don't attempt to filter it. I have code that will convert the sourceAppAuditToken into a bundle ID but the call to SecCodeCopyGuestWithAttributes fails because the sourceAppAuditToken does not contain a value. Here's an excerpt from the logs:

09:27:01.972400 (0): Flow 687496262 is connecting com.apple.networkextension
09:27:01.972655 (687496262): New flow: NEFlow type = stream, app = proxyApp, name = , 192.168.1.170:0 <-> 13.107.136.9:443, filter_id = D89B5B5D-793C-4940-77D4-60DF35207800, interface = en0 com.apple.networkextension
09:27:01.973080 [Extension com.sophos.endpoint.network]: Calling handleNewFlow with TCP proxyApp[{length = 20, bytes = 0x4bf6e2f6f76b530341761afce6c7d0c01330af54}] remote: 13.107.136.9:443 interface en0 com.apple.networkextension
09:27:01.973873 [Extension com.sophos.endpoint.network]: provider rejected new flow TCP proxyApp[{length = 20, bytes = 0x4bf6e2f6f76b530341761afce6c7d0c01330af54}] remote: 13.107.136.9:443 interface en0 com.apple.networkextension
09:27:01.974305 (687496262): Destroying, client tx 0, client rx 0, kernel rx 0, kernel tx 0 com.apple.networkextension
09:27:01.978701 UUID cache generation changed from 18791 to 18792 com.apple.networkextension
09:27:01.979738 Failed to find proxyApp in LaunchServices com.apple.networkextension
09:27:01.980046 Failed to find proxyApp using neagent com.apple.networkextension
09:27:01.980610 +[NEProcessInfo copyUUIDsForFatBinary:]: failed to get uuid for offset 16384 com.apple.networkextension
09:27:01.980664 +[NEProcessInfo copyUUIDsForExecutable:]_block_invoke: failed to get UUIDs for /usr/local/bin/proxyApp com.apple.networkextension
09:27:01.983949 Setting UUID cache generation to 18793 com.apple.networkextension
09:27:01.986451 Could not find app info, return the original flow without filling in app info com.apple.networkextension
09:27:01.988775 UUID cache generation changed from 18792 to 18793 com.apple.networkextension
09:27:01.989725 Failed to find proxyApp in LaunchServices com.apple.networkextension
09:27:01.989808 Failed to find proxyApp using neagent com.apple.networkextension
09:27:01.990073 +[NEProcessInfo copyUUIDsForFatBinary:]: failed to get uuid for offset 16384 com.apple.networkextension
09:27:01.990113 +[NEProcessInfo copyUUIDsForExecutable:]_block_invoke: failed to get UUIDs for /usr/local/bin/proxyApp com.apple.networkextension
09:27:01.991891 Setting UUID cache generation to 18794 com.apple.networkextension
09:27:01.992283 Could not find app info, return the original flow without filling in app info com.apple.networkextension
09:27:01.992567 D89B5B5D-793C-4940-77D4-60DF35207800 identifier = D89B5B5D-793C-4940-77D4-60DF35207800 procPID = 97466 eprocPID = 97466 direction = outbound inBytes = 0 outBytes = 0 signature = 32:{length = 32, bytes = 0xdb48e494 a3048ed1 b5a3d7e7 86425239 ... 2e0bb61f 66820ed3 } socketID = 782035df60d477 localEndpoint = 0.0.0.0:0 remoteEndpoint = 13.107.136.9:443 protocol = 6 family = 2 type = 1 procUUID = 00000000-0000-0000-0000-000000000000 eprocUUID = 00000000-0000-0000-0000-000000000000 (no token)

I'm running on Apple Silicon. My extension is built for arm64 and x86_64. My proxy app is a unix executable with no bundle and is also built for both architectures and signed. I realize that I'm probably not going to be able to get a bundle ID from it but I don't even have an audit token to start. Is there another way to identify flows from specific processes?
Asked by Rynosoft.
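An added example, not the poster's code, of the audit-token lookup this post describes, written to handle the failure mode the log shows: when sourceAppAuditToken is nil the function returns nil, so the caller treats the flow as unidentified instead of guessing from a process name. When a token is present it recovers the pid from the token itself (no bundle required) and only trusts the signing identifier after the running code passes SecCodeCheckValidity. The FlowOrigin type and flowOrigin(of:) are our names; the NetworkExtension and Security calls are real API.

```swift
import Foundation
import NetworkExtension
import Security

/// Identity recovered from a flow's source audit token (example type, not NE API).
struct FlowOrigin {
    let pid: pid_t
    let signingIdentifier: String?
    let teamIdentifier: String?
}

/// Returns nil when the flow carries no audit token, which is the case in the
/// log above. Callers must then treat the flow as unidentified rather than
/// matching on a process name that any local program could reuse.
func flowOrigin(of flow: NEFilterFlow) -> FlowOrigin? {
    guard let tokenData = flow.sourceAppAuditToken,
          tokenData.count == MemoryLayout<audit_token_t>.size else {
        return nil
    }
    var token = audit_token_t()
    _ = withUnsafeMutableBytes(of: &token) { tokenData.copyBytes(to: $0) }
    // audit_token_t.val[5] is the pid (see <bsm/audit.h>); the pid alone is
    // enough to match a flow to a helper that has no bundle ID.
    let pid = pid_t(token.val.5)
    let unsigned = FlowOrigin(pid: pid, signingIdentifier: nil, teamIdentifier: nil)

    // Ask the Security framework for the signed code behind the token.
    let attrs: [CFString: Any] = [kSecGuestAttributeAudit: tokenData]
    var guest: SecCode?
    guard SecCodeCopyGuestWithAttributes(nil, attrs as CFDictionary, [], &guest) == errSecSuccess,
          let code = guest else {
        return unsigned
    }
    // Dynamic validity check: an unsigned or tampered process gets no identity.
    guard SecCodeCheckValidity(code, [], nil) == errSecSuccess else {
        return unsigned
    }
    var staticCode: SecStaticCode?
    guard SecCodeCopyStaticCode(code, [], &staticCode) == errSecSuccess,
          let sc = staticCode else {
        return unsigned
    }
    var infoRef: CFDictionary?
    guard SecCodeCopySigningInformation(sc, SecCSFlags(rawValue: kSecCSSigningInformation), &infoRef) == errSecSuccess,
          let info = infoRef as? [CFString: Any] else {
        return unsigned
    }
    return FlowOrigin(pid: pid,
                      signingIdentifier: info[kSecCodeInfoIdentifier] as? String,
                      teamIdentifier: info[kSecCodeInfoTeamIdentifier] as? String)
}
```

Inside handleNewFlow, compare the returned signingIdentifier and teamIdentifier against the values you expect for your own proxy binary rather than its path; a nil result means the system gave you no token and the flow should be filtered like any other.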
Post marked as solved

Endpoint Security Extension + SandBox + App Distribution

Hi All, I'm developing a security application that uses an endpoint security extension. The application has two parts, main and extension. I have an entitlement for Security Extension Client from Apple. I'd like to distribute apps through the Apple Store. Locally the app runs without problems on enabled machines, but when I try to get it through TestFlight to the App Store I get two errors:

ITMS-90285 - Invalid Code Signing Entitlements. Your application bundle’s signature contains code signing entitlements that are not supported on macOS. Specifically, key 'com.apple.developer.endpoint-security.client'
ITMS-90296 - App sandbox not enabled on extension

When I turn on sandbox for the extension, the extension fails to register the endpoint security client:

let res = es_new_client(&client) { _, event in self.eventDispatcher(msg: event) }

Without sandbox it runs without any problem. Thank you very much for your help, I don't know how to proceed. Martin
Post not yet marked as solved

How to disable disconnect option for App Proxy VPN

An AppProxy VPN can be disconnected by using the "Disconnect" option in Network settings. How can I disable the 'Disconnect' button for the VPN in Network settings? Currently this can be done even without opening the lock (bottom). Or can we somehow disable the effect of the disconnect action, i.e. the user cannot stop the VPN from this place?
Asked by freefire.
Post marked as solved

How to avoid user consent while uninstalling system extension

While uninstalling a system extension, the user gets a popup for user consent and is asked to enter administrator credentials to allow the uninstallation. We couldn't find a method to avoid this user consent and allow system extension removal silently. This is becoming an issue for one of our customers. On the other hand, System Extension installation can be handled silently using MDM profiles. Can you please suggest a method to allow silent uninstallation of a system extension?
Asked by freefire.
Post not yet marked as solved

Communicate with containing app after Mac restart

I configured my VPN to be 'on-demand' and I restarted my Mac. After the restart, my Packet Tunnel Provider started (it was called by the OS, because of the on-demand). The containing app is inactive - it's open (the icon is at the menu bar, with a circle at the bottom) but 'applicationDidFinishLaunching' is not being called. Is there any way I can 'force start' the containing app? Any way will be good - if it's by sending a message from the provider, or if it's possible to programmatically ask the OS to start the containing app after Mac restart..
Asked by roee84.
Post not yet marked as solved

Cannot communicate with SystemExtension from Application

So I'm having issues communicating with an endpoint security system extension via XPC. Both the application and the extension are signed, notarized, and members of the same group ID. I've confirmed that the extension is running with systemextensionsctl list and launchctl list. I've also confirmed that the XPC endpoint is available with launchctl procinfo <extension_pid>. The mach service name is correct according to this post - https://developer.apple.com/forums/thread/118211?answerId=366391022#366391022 (TEAMID.bundleID.xpc). I also use the NSXPCConnection.Options.privileged option when creating the connection. When I use connection.remoteObjectProxyWithErrorHandler, I receive the error "Couldn't communicate with a helper application". This error message is very vague and does not help me further troubleshoot. Are there any other logs that I should be looking at in the Console app?
Asked by xorrior.
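An added example, not the poster's code, of the two halves of the XPC setup this post describes: the extension listens on the TEAMID.bundleID.xpc mach service, and the app connects with the .privileged option. It also adds the check a practitioner wants on a listener that runs as root: pin the peer to your own team and bundle identifier with setCodeSigningRequirement(_:) (macOS 13 and later), so an arbitrary local process cannot drive the extension through the same service. The protocol, team ID and bundle identifiers are placeholders.

```swift
import Foundation

/// Interface shared by the app and the extension (placeholder protocol).
@objc protocol ExtensionControl {
    func ping(reply: @escaping (String) -> Void)
}

/// Mach service name of an app-hosted system extension: TEAMID.bundleID.xpc.
/// Placeholder team ID and bundle ID; use your own.
let machServiceName = "ABCDE12345.com.example.MyApp.Extension.xpc"

/// Code signing requirement the peer must satisfy: signed by Apple's Developer
/// ID / App Store chain, for our team, with our app's identifier.
let clientRequirement = """
anchor apple generic and identifier "com.example.MyApp" \
and certificate leaf[subject.OU] = "ABCDE12345"
"""

/// Extension side.
final class ControlListener: NSObject, NSXPCListenerDelegate, ExtensionControl {
    private let listener = NSXPCListener(machServiceName: machServiceName)

    func start() {
        listener.delegate = self
        listener.resume()
    }

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        if #available(macOS 13.0, *) {
            // XPC checks the peer's signature against this requirement on every
            // message, not just at connect time.
            newConnection.setCodeSigningRequirement(clientRequirement)
        } else {
            // No public peer-verification API here: refuse rather than accept
            // an unverified client. Add your own check if you must support 12.
            NSLog("rejecting XPC peer: cannot verify code signature on this OS")
            return false
        }
        newConnection.exportedInterface = NSXPCInterface(with: ExtensionControl.self)
        newConnection.exportedObject = self
        newConnection.resume()
        return true
    }

    func ping(reply: @escaping (String) -> Void) {
        reply("pong")
    }
}

/// App side. The connection must be privileged because the extension runs as
/// root and registers the service in the system (not the user) launchd domain.
func connectToExtension() -> NSXPCConnection {
    let connection = NSXPCConnection(machServiceName: machServiceName, options: .privileged)
    connection.remoteObjectInterface = NSXPCInterface(with: ExtensionControl.self)
    connection.resume()
    return connection
}
```

A requirement mismatch shows up on the app side as the same generic "Couldn't communicate with a helper application" error, so when debugging, log the rejection reason on the extension side (as above) and read it with log stream filtered on the extension's process name.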
Post not yet marked as solved

Multiple "ES_EVENT_TYPE_AUTH_CLONE" are created.

In case we copy a file in Finder using ctrl+c -> ctrl+v we get the "ES_EVENT_TYPE_AUTH_CLONE" event. In case we block that event, we get the 'ES_EVENT_TYPE_AUTH_CLONE' event 2-3 times with the same destination file name. Any idea how to avoid those extra 2-3 'ES_EVENT_TYPE_AUTH_CLONE' events?
Post not yet marked as solved

Accept Kernel extensions problem (no username?)

I’m trying to accept “kernel extensions” but my username does not show up. It says “Mac user” and my password does not work. How can I fix this? Thank you for the suggestions
Asked by Chaikuni.
Post not yet marked as solved

About the use case of dnsproxy + appproxy filter all udp traffic

Hi there, This is the question when using dnsproxy together with appproxy. In case I need to filter all udp traffic through appproxy, how about dns traffic to port 53? It will go through both appproxy and dnsproxy! Do I need to return false inside appproxy for outbound 53 udp traffic without even opening the flow? Any conflict of such usage? Thanks in advance for any suggestion. Regards, Richard
Post not yet marked as solved

Cannot access shared keychain from NE System Extension

Sorry for the duplicate - I added a comment on an old post, but it's tagged only with 'System Extension' and without 'Network Extension', so I'm posting it here as well. Original post: https://developer.apple.com/forums/thread/133933?login=true&page=1#694688022

My question: Bumping this old thread - I have the same scenario. I created a VPN + Certificate payload, installed it, and now I have a VPN conf which I can access only from the containing app, but I need to access it from the system extension. As I read above, it's not possible, so I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as Data to the extension (using the SecCertificateCopyData() and sendProviderMessage functions). The problem is that at the extension I also need the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ("This coder only encodes objects that adopt NSSecureCoding"). Is there any way to pass a SecKey to the Extension, or to access it directly from there?
Asked by roee84.
Post not yet marked as solved

Endpoint Security Extension incorrect behavior after Monterey upgrade

Hi, I have an ES sysex working properly in Big Sur. I ran the upgrade to Monterey. I checked the behavior of the sysex in Monterey and I notice that it is receiving events from processes that I have muted with "es_mute_path_prefix". It is as if the system upgrade process has affected the sysex startup and some configurations, forced on start by calling "es_mute_path_prefix", are not taken into account. Should I take some special steps in OS upgrade scenarios, like forcing a restart of my sysex? Stop it before the OS upgrade and restart it after the upgrade? Any known best practices for OS upgrades in general? Thanks.
Asked by ZenoElea.
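An added example, not the poster's code, of an Endpoint Security client that applies its path mutes immediately after es_new_client succeeds and before subscribing. Mutes belong to the es_client they were set on, so a client that is created again, for example when the extension is relaunched after an OS upgrade, has no mutes until it reapplies them; keeping them in one method on the creation path is one way to make sure they are always in place. It uses es_mute_path with ES_MUTE_PATH_TYPE_PREFIX, which replaced es_mute_path_prefix in macOS 12. The class name, muted prefixes and subscribed events are constructed for the example and should be replaced with your own.

```swift
import Foundation
import EndpointSecurity

/// Minimal ES client wrapper (example code). Requires the
/// com.apple.developer.endpoint-security.client entitlement at runtime.
final class ESMonitor {
    private var client: OpaquePointer?

    /// Constructed example list; these are not a recommended set of mutes.
    private let mutedPathPrefixes = ["/usr/libexec/", "/System/Library/"]

    /// Creates the client, reapplies mutes, then subscribes. Mutes are
    /// per-client state, so they are re-established on every (re)creation.
    func start() -> es_new_client_result_t {
        var newClient: OpaquePointer?
        let result = es_new_client(&newClient) { client, message in
            // Every AUTH event must be answered before its deadline, or the
            // subject stalls and the system eventually kills the client.
            switch message.pointee.event_type {
            case ES_EVENT_TYPE_AUTH_EXEC:
                es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, false)
            default:
                break   // NOTIFY events need no response
            }
        }
        guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let c = newClient else {
            return result   // e.g. ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED
        }
        client = c
        applyMutes(to: c)

        var events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_NOTIFY_EXEC]
        if es_subscribe(c, &events, UInt32(events.count)) != ES_RETURN_SUCCESS {
            NSLog("es_subscribe failed")
        }
        return result
    }

    /// es_mute_path (macOS 12+) with a PREFIX type is the replacement for the
    /// deprecated es_mute_path_prefix.
    private func applyMutes(to client: OpaquePointer) {
        for prefix in mutedPathPrefixes {
            if es_mute_path(client, prefix, ES_MUTE_PATH_TYPE_PREFIX) != ES_RETURN_SUCCESS {
                NSLog("failed to mute \(prefix)")
            }
        }
    }

    /// Tears the client down; a later start() must reapply the mutes itself.
    func stop() {
        guard let c = client else { return }
        es_unsubscribe_all(c)
        es_delete_client(c)
        client = nil
    }
}
```

If you want to confirm what a running client has muted, es_muted_paths_events (macOS 12 and later) returns the current mute list for that client, which is a quicker check after an upgrade than waiting for an event from a path you believed was muted.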
Post marked as solved

Cannot access shared keychain from NE System Extension

Hello, We actually managed to get all of the code signing and entitlements with our Developer ID all aligned properly such that our NE system extension is installed, activated, and our packet tunnel provider is started and code is executed in the extension. So far so good!

However, the outstanding problem that is tripping us up at the finish line is that we just can’t seem to get the NE provider to read from a shared keychain. The main app is able to write a password type key to the keychain no problem (we can see it in the macOS Keychain app), but our extension reports a -25291 or -25300 depending upon what we are trying when trying to read in the value. The exact same keychain read/write implementation works fine in dev builds without using System Extensions, so I’m pretty sure there must be some specific configuration I am missing when it comes to keychain sharing with System Extensions. We've tried with App Sandbox on and off, and there is no difference.

According to this doc a shared Keychain Access Group Entitlement configured in the main app and NE System Extension should be all that is required. This is what we are doing and I believe is why everything is working fine in builds without the system extension. We’ve tried all of the combinations of things I can think of, specifically mixing and matching various app group and keychain group identifiers, unfortunately all with the same result.

I believe we are possibly in bug territory, but given how precise Keychain configuration needs to be, I wanted to check with the community to see if anyone had run into this same issue and found a solution before I file a bug. Thanks!
Asked by mattv1234.
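An added example, not the poster's code, of sharing a generic-password item between an app and a system extension through a keychain access group. Both the write and the read set kSecUseDataProtectionKeychain, because on macOS kSecAttrAccessGroup is honoured only by the data protection keychain; the file-based login keychain ignores the group and is not available to a system extension running as root. The access group, service and account names are placeholders, and the keychain-access-groups entitlement listing that group must be present in both targets. For reference, -25300 is errSecItemNotFound and -25291 is errSecNotAvailable, the two codes the post reports.

```swift
import Foundation
import Security

/// Placeholder access group: TEAMID.<group>, listed in keychain-access-groups
/// in BOTH the app's and the extension's entitlements.
let sharedAccessGroup = "ABCDE12345.com.example.shared"
let service = "com.example.vpn-credentials"   // placeholder service name

enum KeychainError: Error {
    case status(OSStatus)   // raw Security framework status for the caller to log
}

/// Attributes common to add, update and lookup so all three hit the same item.
private func baseQuery(account: String) -> [CFString: Any] {
    [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecAttrAccessGroup: sharedAccessGroup,
        // Route to the data protection keychain. Without this the item lands in
        // the login keychain, where the access group is ignored and a root
        // system extension has no keychain at all (errSecNotAvailable, -25291).
        kSecUseDataProtectionKeychain: true,
    ]
}

/// App side: store, or replace, a secret the extension needs.
func storeSecret(_ secret: Data, account: String) -> OSStatus {
    var add = baseQuery(account: account)
    add[kSecValueData] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    if status == errSecDuplicateItem {
        // Same query, so the update targets the item in the shared group.
        return SecItemUpdate(baseQuery(account: account) as CFDictionary,
                             [kSecValueData: secret] as CFDictionary)
    }
    return status
}

/// Extension side: read it back. errSecItemNotFound (-25300) here means the
/// item exists in some other keychain or group, not the one queried.
func loadSecret(account: String) -> Result<Data, KeychainError> {
    var query = baseQuery(account: account)
    query[kSecReturnData] = true
    query[kSecMatchLimit] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        return .failure(.status(status))
    }
    return .success(data)
}
```

A quick way to confirm both sides agree is to compare the output of codesign -d --entitlements - on the app and on the extension: the keychain-access-groups arrays must contain the identical team-prefixed string, and the same string is what kSecAttrAccessGroup carries in the queries above.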