After installing Xcode Command Line Tools, the System Settings App now asks me, to reboot my machine into recoveryOS and change the systems security to allow kernel extensions/ system extensions. It's not prominently mentioned, but just there and I never, ever had this. Must be a new dialog. Well, if you click on it... My Question is: Why? Kernel Extensions have been deprecated long ago (I thought) and the dialog mentions nothing specific.

I created a Endpoint Security the client, the System Extension have been normal load to/Library/SystemExtensions inside, and has been activated, but did not see the Extension to run, do you have who knows？

I'm running into a strange issue that I can't figure out... I'm a bit new to macOS so I'm trying to figure out what I'm doing wrong. I'm using an MDM (Microsoft Intune) to install the GlobalProtect VPN 6.2 client to connect to a corporate network. Here's the situation: macOS 12.6.7 Monterey Managed w/ Intune and supervised through ABM GlobalProtect 6.2 VPN client System Extension installs successfully Team ID + SysEx Type are permitted via MDM and appear to be OK When I go to perform the installation, it appears to succeed, and the GP system extension appears to install successfully. When issuing the "systemextensionsctl list" command, the GP system extension shows [activated enabled]. When I try to connect to the VPN gateway, in the VPN client logs I see: "Error (604): failed to send ipc data: system ext not connected." During the installation of the VPN client, I see the following in the Console log when streaming the console logs from taskgated-helper: com.paloaltonetworks.GlobalProtect.client: Unsatisfied entitlements: com.apple.security.application-groups Disallowing: com.paloaltonetworks.GlobalProtect.client The subsystem for both is "com.apple.ManagedClient" Any ideas? I'm pretty stuck.

Guys I'm the account holder of my company and we are working on a new EPP solution. Approx two months go I requested an Endoint Security entitlement so we can develop our product and then requested it again about a month ago. Is there a way to see what is the status of the request and whether this time frame is indeed the one we should expect? Thanks a lot!

Hello, I am trying to run a sample project from Apple's Developer Documentation that creates and interfaces with a DriverKit Dext. The project can be found here: Creating an Audio Device Driver. I have followed all the steps in the README.md file: downloading the code, enabling automatic signing, building the app, moving it to the Applications folder, and launching it. I then open the app, press "Install Dext", enable it through System Preferences, and receive the message "SoundboardDriver has been activated and is ready to use." However, the audio device does not appear in the MIDI app, there is no mention of it in the IORegistry, and I get the message “Driver extension is not running” when I try to press "Open User Client". Is there another step I need to follow to get the app running? Perhaps it's an entitlement issue? I don't see any error/fault message in the console app relating to the app or driver. I am running MacOS 13.4.1 (22F82) and Xcode 14.3.1 (14E300c). I have tried with and without SIP enabled, but the issue persists. Any help or guidance would be greatly appreciated. Best, Henry

Although I was able to get simplefirewall to work, I still have a problem. When I start it for the first time (start button), every target traffic will be captured normally, but when I pause (stop button) and start again (start button), the same target traffic will not be captured. If I want it to work again, I need to stop it from xcode start the program again. What is the reason? Any suggestions?

I'm working on a System Extension that uses the EndpointSecurity framework to monitor various events. For some events, we're using ES_EVENT_TYPE_AUTH_* events, and actively preventing certain changes. All this works fine, while the extension is running. This is not an anti-virus product, but is similar enough that it might help to think of it that way for purposes of this discussion. Much like any anti-malware tool, we'd like for the System Extension to be resilient to malicious processes, even processes running as root. If any random process that gets root can do the equivalent of kill -9 <my extension>, or systemextensionsctl uninstall <my extension>, then it's easy enough for them to kill the extension, then do something we would otherwise prevent. It's also possible for an end user to drag-uninstall the app, which disables the extension immediately, before we even have a chance to respond to any changes. I know that various anti-virus software for Macs address this, and prevent a user from, for example, using sudo kill -9 <pid> to disable them. How is that typically done? Some possible approaches could be: Have two processes that watch each other, and restart each other if killed. There's a timing issue there that I'm not sure is easy to resolve, and I haven't tried launching a detached process from a system extension - that might not even work. I could have a separate launchdaemon which periodically checks to see if the extension (and app) are installed, and reinstalls them if they're missing. That leaves plenty of time for mischief to occur, but at least I'd have a window to detect it. It sounds like the NSEndpointSecurityRebootRequired Info.plist key might have some effect here, in that it prevents an extension from being replaced until a reboot. I should check and see what effect if any this has on removing the app or killing the extension. Maybe there's a System Profile setting that could be set through an MDM to prevent the application from getting uninstalled? I don't know my way around profiles very well, and I doubt this would address the "kill" issue, in any case. Probably there's some lower-level BSD or Mach API that could prevent attempts to kill the process. I could make a kernel extension for just this one thing, maybe using kauth(), but that seems overkill, and kernel extensions are not the Apple-suggested way to do anything these days. If EndpointSecurity is intended to replace using kexts for anti-malware and detection uses, there must be a way to do this inside a system extension, right? So, yeah - preventing the user from doing something is going against the spirit of "do what you like with your own computer, especially if you have admin powers", but this software is typically going to be installed by corporate IT, not end users, and some end users "need" admin permissions (e.g. software developers)... Any suggestions would be appreciated.

I'm working on a VPN App that uses a NEPacketTunnelProvider system extension. On my computer, when sending out the first OSSystemExtensionRequest requesting that the extension is installed / activated, a system alert is shown to the user informing them that the extension installation was blocked. This is fine. Each time the user starts the process again (for whatever reason) we're sending out a new OSSystemExtensionRequest. And this is where it gets strange: On my computers (I've tried on my development and personal one) the previous request is immediately cancelled with a OSSystemExtensionErrorRequestSuperseded error and a new alert is shown. For everyone else trying this out, the previous request is not being cancelled at all and it seems like requests are silently piling up. Newly-sent requests do trigger the delegate's requestNeedsUserApproval(_:). But because they're piling up users are not shown a new system alert, breaking the UX. I guess I could evaluate if there's an existing request to avoid sending out a new one, but this is only supported in macOS 12+ through (propertiesRequest(forExtensionWithIdentifier:queue:)). My questions: Which of the above is the correct behaviour? Why could it be that only I am seeing a different behaviour?

I'm writing an uninstaller, lets call it UNINS, for my developer id signed Mac app, lets call it APP(it contains system extensions) . UNINS is supposed to delete APP and its associated data. But after INS is done, it needs to delete itself. From my experience, when an app is running and we try to delete it, OS does not allow this operation. How to do this correctly? During uninstallation, if we delete an app from /Applications folder, do we also manually need to delete its data from ~/Library/Containers for all users ? Or this is done automatically by OS? if I need to unload launchdaemon that we installed, can this UNINS do that ? (Because I think unloading daemons require root priveleges)

The following call to getaddrinfo makes ‘PacketTunnelProvider’ system extension SIGSEGV: if (hostname != NULL) { int ret = getaddrinfo(hostname, port, &hints, results); if (ret != 0) { printf(“Failed to resolve host : %s by getaddrinfo, err : %d", hostname, ret); return false; } } Most of the time getaddrinfo() is working fine. Can someone please help in understanding what could be causing this crash. Can this caused due to stack corruption due to C++/C code switched to objective C? Below is the crash details: ------------------------------------- Translated Report (Full Report Below) ------------------------------------- Process: com.mycompany.client.product-Client.ui.pkttunnel [29951] Path: /Library/SystemExtensions/*/com.mycompany.client.product-Client.ui.pkttunnel Identifier: com.mycompany.client.product-Client.ui.pkttunnel Version: 1.0 (1) Code Type: X86-64 (Native) Parent Process: launchd [1] User ID: 0 Date/Time: 2023-08-18 20:04:43.6346 +0530 OS Version: macOS 13.5 (22G74) Report Version: 12 Bridge OS Version: 7.6 (20P6072) Anonymous UUID: F235BB2F-C030-0A58-E5C1-C3FE9796F29C Sleep/Wake UUID: C73181BF-B3A9-4DED-9556-897ED8C2E0A1 Time Awake Since Boot: 65000 seconds Time Since Wake: 37781 seconds System Integrity Protection: enabled Crashed Thread: 2 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000001e13dfa50 Exception Codes: 0x0000000000000001, 0x00000001e13dfa50 Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11 Terminating Process: exc handler [29951] VM Region Info: 0x1e13dfa50 is not in any region. Bytes after previous region: 3477011025 Bytes before following region: 105545042363824 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL shared memory 111fef000-111ff0000 [ 4K] rw-/rw- SM=SHM ---> GAP OF 0x5ffeee010000 BYTES MALLOC_NANO 600000000000-600008000000 [128.0M] rw-/rwx SM=PRV Thread 0: 0 libsystem_kernel.dylib 0x7ff80ee222b2 __sigsuspend_nocancel + 10 1 libdispatch.dylib 0x7ff80eccbd2f _dispatch_sigsuspend + 36 2 libdispatch.dylib 0x7ff80eccbd0b _dispatch_sig_thread + 49 Thread 1: ******************** ******************** ******************** ******************** Thread 2 Crashed: 0 libobjc.A.dylib 0x7ff80eac64a9 objc_msgSend + 41 1 libobjc.A.dylib 0x7ff80eae6582 objc_object::sidetable_release(bool, bool) + 270 2 Network 0x7ff81553fa04 -[NWConcrete_nw_endpoint .cxx_destruct] + 52 3 libobjc.A.dylib 0x7ff80eacfa5b object_cxxDestructFromClass(objc_object*, objc_class*) + 83 4 libobjc.A.dylib 0x7ff80eac8e31 objc_destructInstance + 99 5 libobjc.A.dylib 0x7ff80eac8dbf _objc_rootDealloc + 62 6 Network 0x7ff81553e05a -[NWConcrete_nw_endpoint dealloc] + 778 7 Network 0x7ff815c30f1a -[NWOSAddressEndpoint dealloc] + 74 8 Network 0x7ff815a175bf nw_array_dispose + 383 9 Network 0x7ff815718ab1 -[OS_nw_array dealloc] + 17 10 Network 0x7ff815bd2b3d -[NWConcrete_nw_path .cxx_destruct] + 93 11 libobjc.A.dylib 0x7ff80eacfa5b object_cxxDestructFromClass(objc_object*, objc_class*) + 83 12 libobjc.A.dylib 0x7ff80eac8e31 objc_destructInstance + 99 13 libobjc.A.dylib 0x7ff80eac8dbf _objc_rootDealloc + 62 14 Network 0x7ff815bd29af -[NWConcrete_nw_path dealloc] + 127 15 Network 0x7ff815bd045a -[NWConcrete_nw_path_evaluator .cxx_destruct] + 58 16 libobjc.A.dylib 0x7ff80eacfa5b object_cxxDestructFromClass(objc_object*, objc_class*) + 83 17 libobjc.A.dylib 0x7ff80eac8e31 objc_destructInstance + 99 18 libobjc.A.dylib 0x7ff80eac8dbf _objc_rootDealloc + 62 19 Network 0x7ff815bd0377 -[NWConcrete_nw_path_evaluator dealloc] + 967 20 Network 0x7ff815a606ca nw_nat64_get_interface_state_internal + 2634 21 Network 0x7ff815a5f905 nw_nat64_copy_prefixes_internal + 101 22 Network 0x7ff815a5f482 nw_nat64_copy_prefixes + 210 23 Network 0x7ff815a62537 nw_nat64_synthesize + 215 24 libsystem_info.dylib 0x7ff80ee9447e _gai_nat64_synthesis + 309 25 libsystem_info.dylib 0x7ff80ee940c2 si_addrinfo + 886 26 libsystem_info.dylib 0x7ff80ee93caf getaddrinfo + 176 27 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c2bb4 ******::resolvehostname(char const*, char const*, addrinfo, addrinfo**) + 32 28 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c4e57 ******::udp_connect() + 323 29 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c48c7 ******::ssl_create() + 129 30 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c9014 ******::ssl_initiate_connect(fd_set&, fd_set&, int&) + 288 31 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c3b3c ******::ssl_connect_thread(int) + 228 32 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3cc691 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct>>, void (*)(int), int>>(void*) + 39 33 libsystem_pthread.dylib 0x7ff80ee5b1d3 _pthread_start + 125 34 libsystem_pthread.dylib 0x7ff80ee56bd3 thread_start + 15

Hi! I'm trying to move from CoreMedio I/O DAL Plug-In to CoreMedia I/O camera extensions, announced in macOS 12.3. I created a test extension, placed it inside my app bundle into Contents/Library/SystemExtensions and signed with codesigning certificate. But when I try to install my extension from inside my app, using this code (Swift): func installDriver() { guard let extensionIdentifer = DriverInstaller.extensionBundle().bundleIdentifier else { return } let activationReq = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifer, queue: .main) activationReq.delegate = self OSSystemExtensionManager.shared.submitRequest(activationReq) } I'm getting an error: OSSystemExtensionErrorDomain error 8: Code Signature Invalid which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out? I'm posting here entitlements and codesign output for my extension and containing application for further information. Executable=../Contents/Library/SystemExtensions/com..RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension [Dict] [Key] com.apple.security.app-sandbox [Value] [Bool] true [Key] com.apple.security.application-groups [Value] [Array] [String] 893K7MTL2H. com.. [Key] com.apple.security.device.camera [Value] [Bool] true Executable=**********/Contents/MacOS/***** [Dict] [Key] com.apple.application-identifier [Value] [String] 893K7MTL2H.com..RoomDevice [Key] com.apple.developer.system-extension.install [Value] [Bool] true [Key] com.apple.developer.team-identifier [Value] [String] 893K7MTL2H [Key] com.apple.security.application-groups [Value] [Array] [String] 893K7MTL2H. com..******** Executable=***/Contents/MacOS/**** Identifier=com..RoomDevice Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=1345 flags=0x10000(runtime) hashes=31+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=3584714367d59119b462d0f830247d27ff1fbace CandidateCDHashFull sha256=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12 Hash choices=sha256 CMSDigest=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12 CMSDigestType=2 Launch Constraints: None CDHash=3584714367d59119b462d0f830247d27ff1fbace Signature size=4688 Authority=Developer ID Application: ****************(893K7MTL2H) Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=01-Sep-2023 at 12:00:09 PM Info.plist entries=22 TeamIdentifier=893K7MTL2H Runtime Version=13.3.0 Sealed Resources version=2 rules=13 files=6 Internal requirements count=1 size=216 Executable=/Contents/Library/SystemExtensions/com.*****.RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension Identifier=com.******.RoomDevice.Extension Format=bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=3627 flags=0x10000(runtime) hashes=102+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=70580825016b7e262fb15c280ba380ad4e871bc1 CandidateCDHashFull sha256=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f Hash choices=sha256 CMSDigest=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f CMSDigestType=2 Launch Constraints: None CDHash=70580825016b7e262fb15c280ba380ad4e871bc1 Signature size=4688 Authority=Developer ID Application: ************ Ltd. (893K7MTL2H) Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=01-Sep-2023 at 12:00:05 PM Info.plist entries=22 TeamIdentifier=893K7MTL2H Runtime Version=13.3.0 Sealed Resources version=2 rules=13 files=0 Internal requirements count=1 size=224 Please anyone help. Thanks in advance!