Hey, our app is host for system extension and since macOS 15.3 there is an error when user tries delete an app pop with missing permission appears
Is it intentional? Is it a bug? if not how in correct way should we handle removing of SE when app is being to removed?
System Extensions
RSS for tagInstall and manage user space code that extends the capabilities of macOS using System Extensions.
Posts under System Extensions tag
128 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
We have an application which is written in Swift, which activates network extension (Transparent Proxy). We want to use MDM deployment for this network system extension.
Our Transparent Proxy module is a system extension, which is exposing an app proxy provider interface (We are using NETransparentProxyProvider class and in extension’s Info.plist we use com.apple.networkextension.app-proxy key.) We don’t have any remote server setup to forward the traffic, instead we open a connection with a certain localhost:port to redirect the traffic which is received in our transparent proxy. We have another module that listens to the particular localhost:port to process the traffic further.
As per https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy documentation, we noticed that we can use the VPN payload with app-proxy as Provider Type for Transparent Proxy.
We were able to install the profile created via Jamf Pro and also while in stalling our product the Transparent Proxy gets mapped with the one which is installed via profile. However after that the network is broken and hence unable to browse anything. We are suspecting the remote server filed is causing this.
So we tried creating the custom profile without remote server address for VPN payload, but we are unable to install the profile. It throws below error:
2025-02-11 16:43:55.193348+0530 0x2f880 Error 0x0 6815 0 mdmclient: (NetworkExtension) [com.apple.networkextension:] Failed to save configuration DGWebProxy because it is invalid: Error Domain=NEConfigurationErrorDomain Code=2 "configuration is invalid: Missing server address" UserInfo={NSLocalizedDescription=configuration is invalid: Missing server address}
2025-02-11 16:43:55.193376+0530 0x2f880 Error 0x0 6815 0 mdmclient: (NetworkExtension) [com.apple.networkextension:] NEProfileIngestion Error occurred when saving configuration 'DGWebProxy': configuration is invalid: configuration is invalid: Missing server address
2025-02-11 16:43:55.196159+0530 0x2f880 Error 0x0 6815 7 mdmclient: [com.apple.ManagedClient:CPDomainPlugIn] [ERROR] [0:MDMDaemon:CPDomainPlugIn:<0x2f880>] <<<<< PlugIn: InstallPayload [NEProfileIngestionPlugin] Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} <<<<<
2025-02-11 16:43:55.196826+0530 0x2f880 Error 0x0 6815 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [ERROR] [0:MDMDaemon:<0x2f880>] [CE] PlugIn_InstallPayload ==> Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.}
Can we create MDM profile for Transparent Proxy without remote server address?
In my application, there is a Network Extension with the bundle ID com.***.agent.yyy.zzz.ne. There is a user upgraded their system to macOS Sequoia 15.3, they faced an issue where enabling this Network Extension failed. Even after uninstalling the application and the Network Extension, restarting the system, and reinstalling multiple times, the enabling process still failed.
it alert: Failed to enable the Network Extension.
When checking the status via "systemextension list", it always shows "activated waiting for user".
This shows the normal enabling process log:
This shows the log when the enabling fails upon clicking. Strangely enough, there is no activation operation log when it fails. What could be the problem?
We have an application which is written in Swift, which activates two network extensions (Content Filter, Transparent Proxy). We want to use MDM deployment for these network system extensions.
For Content Filter, we already have Jamf Profile which has Web Content Filter payload and it works fine.
Our Transparent Proxy module is a system extension, which is exposing an app proxy provider interface (We are using NETransparentProxyProvider class and in extension’s Info.plist we use com.apple.networkextension.app-proxy key.) We don’t have any remote server setup to forward the traffic, instead we open a connection with a certain localhost:port to redirect the traffic which is received in our transparent proxy. We have another module that listens to the particular localhost:port to process the traffic further.
We are unable to find the appropriate payload in any of the Profile Editor applications like Apple Configurator, iMazing Profile Editor and Jamf Pro that correctly describes our setup.
As per https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy documentation, we noticed that we can use the VPN payload with app-proxy as Provider Type for Transparent Proxy.
Here are the list of issues encountered with different MDM solutions.
**AppleConfigurator: **
We were able to install the profile created via Apple Configurator. However when we install our product (which has the above mentioned system extensions), the Transparent Proxy added by our product fails to map with the installed profile. User has to provide the credentials and follow the steps while installing the extension via the product.
Attached the screenshot of "Network->Filters" screen and the profile for reference.
Profile Created using Apple Configurator
iMazing Profile Editor:
Unable to install the profile created using iMazing Profile Editor.
Attached the screenshot of error and the profile for reference:
Profile Created Using iMazing Profile Editor
Jamf Pro:
We were able to install the profile created via Jamf Pro and also while in stalling our product the Transparent Proxy gets mapped with the one which is installed via profile. However after that the network is broken and hence unable to browse anything.
Attached the profile for reference.
Profile Created using Jamf Pro
What should be the correct profile payload to use for our Transparent Proxy?
I've implemented a custom system extension VPN for macOS using Packet Tunnel Provider.
The VPN is configured with on-demand, and a rule to always connect whenever there's traffic:
onDemandRules = [NEOnDemandRuleConnect()]
As for the tunnel's settings (at the Packet Tunnel Provider), I've configured a split tunnel, so some routes are excluded from the tunnel.
Now I have the following scenario:
The VPN is connected
The Mac enters sleep
The sleep() function is called (at my Packet Tunnel Provider)
The Mac briefly awakes to check emails/push notifications/etc. This traffic is excluded from the tunnel.
What is the expected behavior here? Should the wake function be called because of the on-demand rule? Or should the VPN remain asleep because this traffic is excluded from the tunnel?
Hi,
We are developing software that configures a network extension via a system extension on MacOS.
The host application (run as service) enables network extension and system extension capabilities. It registers the network extension.
The network extension has network extension capabilities and configures an app-group to be bundled into the service.
What we have built is already working, i.e. we build, sign, notarize and ship the code (it's already running on hundreds of SIP enabled customer devices in production).
But, we are currently falling back to manual profile management (i.e. download and import the profile) so that Xcode accepts the entitlements suffixed with -systemextention.
Recently we are testing deployment on iOS devices. For iOS profiles we cannot overcome the issues with setting the profile manually, XCode complains about mismatching networkextension entitlements even when manually importing the profile.
So I thought I get to the bottom of why automated signing is not working and hopefully overcome the issues with iOS.
Upon configuring automatic signing we ran into the following problem:
For a network extension that is installed via a system extension the network extension capabilities are expected to be defined with a -systemextension suffix, i.e.:
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
<string>dns-settings</string>
<string>relay</string>
When using automated signing the profile in our development account reflects these settings, i.e. the profile is correctly generated with the values above.
However, XCode complains that the network extension capabilities don't match.
I went as far as to configuring a new application-ID so that XCode would generate a new profile in the development account. I then downloaded and decoded the generated profile.
The capabilities of the development portal profile were created as expected (as above), but somehow, the locally generated profile that is generated by XCode auto-sign expects:
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
<string>packet-tunnel-provider</string>
<string>dns-proxy</string>
<string>dns-settings</string>
<string>relay</string>
What XCode auto-sign expects is not reflected in the development account profile (!).
I tried to overcome this by changing the entitlements of the project to omit the -systemextension suffix.
XCode auto-sign seemingly works then, but once the application is actually signed by CodeSign the signing fails because the capabilities don't match with the development account profile.
I tried profile re-generation by clearing Library/Developer/Xcode/UserData/Provisioning Profiles, but it always results in the same problem - either XCode is happy and the code signing fails when building, or the other way round.
Bottom Line: I think that somehow XCode evaluates the profile validity differently from CodeSign; somehow when using automatic signing XCode does not take the network extension + system extension into account, but only expects the capabilities of the network extension.
If anybody know how to overcome this problem please help :)
I am working on a MacOS application in which I need System Extension along with some network extension capabilities. In order to distribute the app externally, I have to create a Developer ID application (provisioning profile) using the App ID that already has Network extension capability. I have followed this documentation to create the App ID and provisioning profiles:
https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.networking.networkextension?language=objc
What I have:
2 App IDs (For app with network and system extension capability and for extension with only network extension capability)
*2 Developer ID application (For both App and Extension)
My App's entitlement file contains:
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
<string>packet-tunnel-provider</string>
</array>
My system extension's entitlement file contains:
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
<string>dns-proxy</string>
</array>
Both the targets now have the following error:
Provisioning profile "StandaloneCSAExtension" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement.
Note: Instead of Developer ID application if I create a normal development provisioning profile with the same App ID, everything works perfectly fine, the only reason why we need to move to Developer ID application is because we need to distribute the app externally.
Please help me if I have missed anything. Thanks in advance!
I am currently working on ways my application which would monitor the dlopen() and dlsym() calls made on macOS.
In the current list of events endpoint security framework provides, I don't see a relevant event which would give me this information.
Are there any alternate ways we can get these events on macOS?
hi all.
I’m working on a content filter system extension on MacOS.
I try to disable the filtering in system settings, and it will cause smb shared folder connection interrupted.
what I do in stopFilterWithReason:completionHandler: is waiting for the connection that is being filtered be allowed, then invoked the completionHandler.
did I do something wrong here? is there a way to avoid the connection interruption?
Hello, I'm developing a Mac application that uses a network extension. I'm trying to implement XPC to pass data between my main app and system extension and I'm using the SimpleFirewall demo app as a guide to do this. One thing I can't understand is how the ViewController in the SimpleFirewall main app has access to the class IPCConnection in the SimpleFirewallExtension without it being public and without SimpleFirewallExtension being imported in ViewController.
We have an application, which activates two network extensions (Content Filter, Transparent Proxy) during app launch which is written in Swift.
When we are activating multiple network extensions under the same app bundle, in Ventura and Sonoma, under Privacy and Security it shows "Details" button. On click of it we see below issues:
- It shows the app bundle name instead of respective network extension bundle name.
- On click of OK button, it adds only one extension under "Network -> Filters -> Filters & VPN" and only after machine restart, we can see both the extensions under this screen.
These issues are not seen in Sequoia. In Sequoia, it shows the extension names under the app name. There are separate controls to enable/add each of the extension.
Attached the screenshots of Sonoma and Sequoia for reference
Already submitted the feedback ticket. (FB16331169)
I've implemented a custom system extension VPN for macOS, using Packet Tunnel Provider.
I have a XPC connection, from the containing app to the (system) extension.
What is the expected behavior after the Mac's sleep/wake?
Will the same XPC remain valid? Should I start a new connection?
I developed a Content Filter using the Network Extension, and when deployed to a batch of hosts (50 +), the installation worked for most of them, but there were six exceptions: five of them were macOS 10.15 and one of them was macOS 12.5.
The phenomenon of these 6 hosts is: in the System Settings->Network, two content filters with the same name appear. When one of the content filters with the same name is clicked, shows "Please use 'X Agent Extension' to control this content filter configuration" ('X Agent Extension' is the program I developed, this content filter can be deleted by clicking the minus sign in the lower left corner). Click on another content filter with the same name, shows 'Please use 'null' to control this content filter configuration', (but this content filter can't be removed by clicking the minus sign in the bottom left corner).
These systems are clean, use CLI 'systemextensionsctl list', and have only one systemextension in the output (this systemextension is my content filter). Online reference "https://forums.macrumors.com/threads/how-to-delete-custom-dns-profile-from-network-preference.2293322/" this paper, by closing the SIP, and delete file '/Library/Preferences/com.apple.networkextension.plist', then restart the system can remove the abnormal content filters with the same name. After restarting the system and reinstalling my content filter, the two content filters with the same name disappear (only the Content Filter I reinstalled) and the exception scenario cannot be repeated.
I would like to know, why do I have two content filters with the same name, how can I avoid this phenomenon, is there a way to remove the wrong content filter without closing SIP.
I'm attempting to install a NetworkExtension as a system extension, using the OSSystemExtensionManager.shared.submitRequest(request) API call. I can see from console logs and systemextensionsctl that my system extension is getting installed, but the OSSystemExtensionRequestDelegate I attach to the request never gets a callback.
In the console logs I see:
com.apple.sx default 14:13:25.811827+0400 sysextd activateDecision found entry to replace: com.coder.Coder-Desktop.VPN, BundleVersion(CFBundleShortVersionString: "1.0", CFBundleVersion: "1")
default 14:13:25.811888+0400 sysextd initial activation decision: requestAppReplaceAction(<sysextd.Extension: 0xa94030100>)
com.apple.sx default 14:13:25.811928+0400 sysextd notifying client of activation conflict
com.apple.xpc default 14:13:25.812156+0400 Coder Desktop [0x154f2d5b0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel()
com.apple.xpc default 14:13:25.813924+0400 sysextd [0xa941d4280] invalidated because the client process (pid 2599) either cancelled the connection or exited
com.apple.sx default 14:13:25.814027+0400 sysextd client connection (pid 2599) invalidated
It appears that something within my app process is cancelling the XPC connection to sysextd, but I'm certainly not calling it from within my code. Presumably something within the OSSystemExtension* APIs are cancelling the connection but I don't know why. It seems to be happening very quickly (within a few hundred ms) after sending the request, and before sysextd can reply.
What could cause this connection to be canceled?
NEFilterManager.shared().loadFromPreferences { loadError in
DispatchQueue.global.async {
...
}
}
the code above is executed in an app-like deamon and completionHandler was never invoked, same code in an application works fine.(they are both packed with content filter network system extension)
is it because of the restriction of app-like deamon?
Hi,
We are developing an app using PacketTunnelProvider from Network Extension framework. It is packaged as a system extension.
We are trying to implement an "always-on" functionality, but cannot manage to start the extension before user login, with or without on-demand enabled.
However we see in other posts (1, 2) that a network extension packaged as sysex should automatically start before user login.
Are we missing something? Is it a limitation of PacketTunnelProvider?
Thanks
Hello,
My team has developed a DNS proxy for macOS. We have this set up with a system extension that interacts with the OS, and an always-running daemon that does all the heavy lifting. Communication between the two is DNS request and response packet traffic.
With this architecture what are best practices for how the system extension communicates with a daemon?
We tried making the daemon a socket server, but the system extension could not connect to it.
We tried using XPC but it did not work and we could not understand the errors that were returned.
So what is the best way to do this sort of thing?
I've implemented a custom system extension VPN for macOS, using a Packet Tunnel Provider.
I saw something suspicious on macOS 15.2.0: When I disconnected my VPN, the UTUN was not being cleared.
This results in a lot of UTUNs when the user connects and disconnects multiple times.
utun77: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
utun78: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
This happens only on macOS 15.2. I tried the same app on older versions (15.0, 15.1.x), and it didn't reproduce.
Can those 'dirty' UTUNs cause a networking problem?
Since it happens only on macOS 15.2, is there a bug in this OS version?
How can I check if something in my code causes this behavior? How can I 'fix' it or force clean the 'dirty' UTUNs?
We are using PacketTunnel as system extension to establish vpn tunnel. The flow is like:
Create a PacketTunnelProvide to establish vpn
When tunnel gets connected add excludedRoutes by calling setTunnelNetworkSettings().
Result: The routing table is not getting updated with new excludeRoutes entries.
As per setTunnelNetworkSettings() documentation:
"This function is called by tunnel provider implementations to set the network settings of the tunnel, including IP routes, DNS servers, and virtual interface addresses depending on the tunnel type. Subclasses should not override this method. This method can be called multiple times during the lifetime of a particular tunnel. It is not necessary to call this function with nil to clear out the existing settings before calling this function with a non-nil configuration."
So we believe setTunnelNetworkSettings() should be able to set new excludeRoutes. We could see we are passing correct entries to setTunnelNetworkSettings():
{
tunnelRemoteAddress = 10.192.229.240
DNSSettings = {
protocol = cleartext
server = (
10.192.230.211,
192.168.180.15,
)
matchDomains = (
,
)
matchDomainsNoSearch = NO
}
IPv4Settings = {
configMethod = manual
addresses = (
100.100.100.17,
)
subnetMasks = (
255.255.255.255,
)
includedRoutes = (
{
destinationAddress = 1.1.1.1
destinationSubnetMask = 255.255.255.255
gatewayAddress = 100.100.100.17
},
{
destinationAddress = 2.2.2.0
destinationSubnetMask = 255.255.255.255
gatewayAddress = 100.100.100.17
},
{
destinationAddress = 11.11.11.0
destinationSubnetMask = 255.255.255.0
gatewayAddress = 100.100.100.17
},
)
excludedRoutes = (
{
destinationAddress = 170.114.52.2
destinationSubnetMask = 255.255.255.255
},
)
overridePrimary = NO
}
MTU = 1298
}
The problem is present on macOS Sequoia 15.2.
Is it a known issue? Did anyone else faced this issue?
Hi,team:
I have configured SystemExtensions and WebContentFilter for supervised devices through mdm, and set NonRemovableFromUISystemExtensions in SystemExtensions, but found that my network filter cannot be deleted in macOS10, macOS11 and macOS12, but it can still be turned off by selecting the network filter in the network and choosing to disable the service. However, it cannot be turned off in macOS13, macOS14 and macOS15. How can I prevent supervised devices from turning off the network filter in 10, 11 and 12?
The macOS 10.15.7 image is as follows:
macOS15.1.1 cannot delete and cannot close the image as follows:
Hope to receive your reply!