I built an app which hosts a CMIOExtension. The app works, and it can activate the extension. The extension loads in e.g. Photo Booth and shows the expected video (a white horizontal line which moves down the picture). I have a couple of questions about this though. The sample Camera Extension is built with a CMIOExtension dictionary with just one entry, CMIOExtensionMachServiceName which is $(TeamIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER) This Mach service name won't work though. When attempting to activate the extension, sysextd says that the extensions has an invalid mach service name or is not signed, the value must be prefixed with one of the App Groups in the entitlement. So in order to get the sample extension to activate from my app, I have to change its CMIOExtensionMachServiceName to <my team ID>.com.mycompany.my-app-group.<myextensionname> Is this to be expected? The template CMIOExtension generates its own video using a timer. My app is intended to capture video from a source, filter that video, then feed it to the CMIOExtension, somehow. The template creates an app group called "$(TeamIdentifierPrefix)com.example.app-group", which suggests that it might be possible to use XPC to send frames from the app to the extension. However, I've been unable to do so. I've used NSXPCConnection * connection = [[NSXPCConnection alloc] initWithMachServiceName:, using the CMIOExtensionMachServiceName with no options and with the NSXPCConnectionPrivileged option. I've tried NSXPCConnection * connection = [[NSXPCConnection alloc] initWithServiceName: using the extension's bundle identifier. In all cases when I send the first message I get an error in the remote object proxy's handler: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named <whatever name I try> was invalidated: failed at lookup with error 3 - No such process." According to the "Daemons and Services Programming Guide" an XPC service should have a CFBundlePackageType of XPC!, but a CMIOExtension is of type SYSX. It can't be both. Does the CMIOExtension loading apparatus cook up a synthetic name for the XPC service, and if so, what is it? If none, how is one expected to get pixel buffers into the camera extension?

I have a requirement where I need to monitor writes/reads from arbitrary USB devices. Can I do it with USBDriverKit?

I've implemented a custom VPN system extension for macOS (Packet Tunnel Provider). I created a tunnel, and I have a VPN connection, with the default (IPv4) routes. My question is about sending traffic which was originated at the extension, via the tunnel. Is it possible to create a BSD socket at the extension, and bind it to a specific interface, so the traffic (that was created from the extension) for this socket will be routed via the tunnel?

I have an app which is installing a system extension. On startup I want to know if it's already been installed or not (because if it hasn't I want to show some information to the user). I have not been able to find an ObjC or Swift method that allows me to ask if a given extension has been installed. I know I can run systemextensionctl list and parse the output but I don't want to have to fork a shell command if I don't have to.

We have a macOS app that contains a system extension content filter as part of the app bundle. The main container app is a relatively simple process to perform activation and deactivation of the content filter. From guidance given on this forum, our container app has a GUI component (AppDelegate) which on launch activates the content filter if needed, e.g. on initial install or update. This works as intended, provided the user is logged in. However, we would normally expect the install/update/removal to be performed by remote management, e.g. pushed by JAMF, which often happen when no user was logged in on the device. Note, we have a MDM profile which provides pre-authorization of the system extension and content filter to negate the requirement for the user to respond to prompts during install. Trying to perform a remote install or removal, requires calling the main container app to run without a logged in user which fails because the app terminates as there is no GUI context to run in. Trying a container app without a GUI component appears to be unreliable and often hangs during content filter activation. What is the correct way to perform installation or removal, without a user login, via remote management?

I've implemented a custom system-extension VPN (Packet Tunnel Provider) for macOS. At the extension, I need to use a 3rd party dynamic lib. The steps I did: Build phases: Copy files, with Frameworks destination Link Binary With Libraries Build Settings: I set 'Dynamic Library Install Name', 'Dynamic Library Install Name Base', and 'Library Search Path' to the lib folder I set 'Header Search Path' to the headers folder But when running the extension, it's crashing with the error Termination Reason: Namespace DYLD, Code 1 Library missing Library not loaded: @loader_path/somelib.dylib And Reason: tried: '/Library/SystemExtensions/A1111-someID-11111/com.myapp.myappSysExtension.systemextension/Contents/MacOS/libwavmodapi.dylib' (no such file), '/usr/local/lib/libwavmodapi.dylib' (no such file), '/usr/lib/libwavmodapi.dylib' (no such file) (terminated at launch; ignore backtrace) Any idea what I'm doing wrong here? Also, is it even possible to use dynamic libs from a sys-ext?

I manage a system that automatically generates system extensions, and in order to ensure that every release's dext can be activated over top of any other release, I have it increment the dext's CFBundleVersion so that every release has a unique version number. However I just hit an error where, once CFBundleVersion reached 10000, dext activation would fail with this error: Property "CFBundleVersion" must be a valid kext version Apparently the maximum value any one of the three digits can be for CFBundleVersion is 9999, at least for a dext. So if CFBundleVersion only uses one number as opposed to three, it can't go higher than 9999. Note that I found this out from experimentation. No where in Apple's documentation have I found any mention of this restriction, including, most distressingly, in the docs for CFBundleVersion. Since I'm programmatically assigning this value, now I need to know: Are there any other requirements or restrictions for CFBundleVersion? I'm curious if there are any in the context of an app (be it on macOS, iOS, tvOS, and so on) or other types of extensions, as well as with a DriverKit extension.

Hello, Captive portal screen is not appearing when we are connecting to wifi for the first time. This is happening only when System Extension is enabled. We are using NETransparentProxyProvider System Extension. These are the details- OS version- Big sur 11.6.3 System Extension- NETransparentProxyProvider Internet provider- ACT internet Ruleset- NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "80"), remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol:.TCP, direction: .outbound), NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"), remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol:.TCP, direction: .outbound), NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "80"), remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol:.UDP, direction: .outbound), NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"), remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol:.UDP, direction: .outbound)

If I install an app that includes a system extension I've noticed that when I remove this app the system extension getting uninstall. As part of our feature(Tamper protection) while we drag the container app to the trash. we shouldn't allow this app deletion and system extension Should be activate and Enabled. Here we are able to Restrict the app deletion successfully but system extension is getting inactive and terminated. So is there any way to avoid/handle uninstallation of system extension while drag the container app to the trash.

I mean, I could do a readdir on /Library/SystemExtensions/, but that won't really tell me which ones are active. I could parse the output of systemextensionsctl list but that doesn't seem particularly good.