We have a MacOS app that includes a system extension with A content filter using both socket and packet providers. Our normal method for deployment will be by an MDM solution, for which we have created a profile intended to pre-approve the system extension and content filter. This works correctly for the system extension but we are unable to get the content filter pre-approval to work. We have scoured this and other forums and docs but there is no clear reason why our web content filter profile doesn't work. Our payload for the web content filter looks like this: dict keyFilterDataProviderBundleIdentifier/key stringcom.example.ourapp.net/string keyFilterDataProviderDesignatedRequirement/key stringidentifier "com.example.ourapp.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX/string keyFilterPacketProviderBundleIdentifier/key stringcom.example.ourapp.net/string keyFilterPacketProviderDesignatedRequirement/key stringidentifier "com.example.ourapp.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX/string keyFilterPackets/key true/ keyFilterSockets/key true/ keyFilterType/key stringPlugin/string keyFilterGrade/key stringfirewall/string keyPayloadDescription/key stringWeb Content Filter Payload/string keyPayloadDisplayName/key stringWeb Content Filters/string keyPayloadEnabled/key true/ keyPayloadIdentifier/key stringcom.apple.webcontent-filter.8237701A-4ED8-473A-AC86-4BEFF6662A62/string keyPayloadType/key stringcom.apple.webcontent-filter/string keyPayloadUUID/key string8237701A-4ED8-473A-AC86-4BEFF6662A62/string keyPayloadVersion/key integer1/integer keyPluginBundleID/key stringcom.example.ourapp/string keyUserDefinedName/key stringExample OurApp/string /dict For the filter Filter[Data|Packet]ProviderBundleIdentifier and the Filter[Data|PacketProvider]DesignatedRequirement fields, the values are derived from using codesign -dr- path to system extension bundle. For the PluginBundleID the value is the identifier of the enclosing app. This requirement is mention in this post - https://developer.apple.com/forums/thread/667016. The rest of the fields are derived from the various examples online. Beyond this, I can't see any reason this should not work. There are reports from some users saying they have got their profiles to work but can't confirm that. Is there something wrong in the payload above? Are we missing some fields? Are there any specific requirements for some of these fields I have missed? I can't find detailed documentation for this payload for content filters. We're testing on mainly on Catalina, is pre-approval of content filter actually working for Catalina? Big Sur? Any pointers would be appreciated. Thanks.

I'm working on custom solution that uses USB device/interface drivers. For correct setup I need ability to communicate between my own Services, declared in IOKit Personalities of my DEXT. At the moment I'm seeing the one way to do it via some shared state. But DriverKit by default launches each USB service in separate process when device is connected. Documentation says that there is "IOUserServerOneProcess" key could be declared in Info.plist. But seems it does not work: all my USB services run in different processes. Could anybody suggest a way how to interact between own DriverKit services or run them in context of the single process?

I did try to run a sample endpoint security app from official documentation. https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security I did turn off SIP and use a profile with access to system extensions. Moved the built app to the application folder. But on the console I always get output like this: Jul 5 15:27:29 com.apple.xpc.launchd[1] (XY28F7M994.com.test.ESTest.ESTest.ESTestExt[54059]): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Library/SystemExtensions/51DB56F4-508F-4771-ADA1-61033CA939FF/com.test.ESTest.ESTest.ESTestExt.systemextension/Contents/MacOS/com.test.ESTest.ESTest.ESTestExt: Jul 5 15:27:29 com.apple.xpc.launchd[1] (XY28F7M994.com.test.ESTest.ESTest.ESTestExt[54059]): Binary is improperly signed. Jul 5 15:27:29 com.apple.xpc.launchd[1] (XY28F7M994.com.test.ESTest.ESTest.ESTestExt): Service only ran for 0 seconds. Pushing respawn out by 10 seconds. Please help

Hello, On Mac OS monterey, OSSystemExtensionRequest.deactivationRequest is failing with deactivation request for com.xxxxxx.networkextensionapp.netextension failed authorization check, error: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)" Even after providing the correct credentials for authorisation when prompted for.

Hi there, We are using systemextension for network and now we try to turn on SIP and install/uninstall systemextension. Current status is that: with SIP on, systemextension can be installed correctly, but cannot be uninstalled. The install/uninstall code is like below. Calling installSystemExtension() from the entrance of ProxyManger.swift:loadProxyManager returns success: activation request succeeded And systemextension list common shows the newly installed sysExt. But calling uninstallSystemExtension() from the entrance of ProxyManger.swift:remove() results in error: deactivation request failed authorization: unauthorized And systemextension list common shows no difference. @available(macOS 11.0, *) private func installSystemExtension() { log.info("[LogApp] will submit activation request") let request = OSSystemExtensionRequest.activationRequest( forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy", queue: .main ) request.delegate = self OSSystemExtensionManager.shared.submitRequest(request) log.info("[LogApp] did submit activation request") } // MARK: - Unload System Extension @available(macOS 11.0, *) public func uninstallSystemExtension() { log.info("[LogApp] will submit deactivation request") let request = OSSystemExtensionRequest.deactivationRequest( forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy", queue: .main ) request.delegate = self OSSystemExtensionManager.shared.submitRequest(request) log.info("[LogApp] did submit deactivation request") } Thanks in advance for any suggestion.

Hi, I would like to update that we have a kext that has IOStorageFamily in OSBundleLibraries. I would like to know whether we can create DriverKit that support this family and embed in SystemExtension for deployment? and we have another kext that has combination of IOStorageFamily and IOUSBFamily in OSBundleLibraries. Please let me know whether such type of Kext can be converted into DriverKit. I am new to DriverKit development. Please let us know if there is any sample that has these bundles in DriverKit so that I can check. Please let us know if such are supported with DriverKit then what are the capabilities that we need to add in entitlement request so that it can get approved. Thanks & Regards, Mohmad Vasim

Hi there, Would like to see with you any possibility to remove such a prompt when deleting an application with systemexention from /Applications fold with Finder. Thanks in advance for any suggestion. Regards Richard

Hi. I implementing an AppProxyProvider that has to handle all TCP flows. This is the rule (based on https://developer.apple.com/forums/thread/667431):             NENetworkRule * filterRule = [[NENetworkRule new] initWithRemoteNetwork: nil remotePrefix: 0 localNetwork: nil localPrefix: 0 protocol:NENetworkRuleProtocolTCP direction:NETrafficDirectionOutbound]; proxySettings.includedNetworkRules = @[filterRule]; This is shown in the console log: [Extension *****]: provider set tunnel configuration to tunnelRemoteAddress = <14-char-str> includedNetworkRules = ( { matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, ) isFullyTransparent = YES This is working OK. But when I add an exclude rule (in order to sort out the issue mentioned in https://developer.apple.com/forums/thread/660195) the behaviour of the AppProxyProvider is strange: there is no any incoming flow. This is the rule:             NWHostEndpoint * tunnelHostIpRuleEndpoint = [NWHostEndpoint endpointWithHostname: @"xx.xx.xx.xx" port:@"0"];             NENetworkRule * tunnelHostIpRule = [[NENetworkRule new] initWithDestinationNetwork:tunnelHostIpRuleEndpoint prefix:0 protocol:NENetworkRuleProtocolTCP]; proxySettings.excludedNetworkRules = @[tunnelHostIpRule]; And this is shown in the console log: [Extension ******]: provider set tunnel configuration to tunnelRemoteAddress = <14-char-str> includedNetworkRules = ( { matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, ) excludedNetworkRules = ( { matchRemoteEndpoint = xx.xx.xx.xx:0 matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, ) isFullyTransparent = YES My expectation is that all flows be handled by the AppProxyProvider except the flows that match with the IP set in the exclude rule for any port. Can you please advice if this is a bug or expected behaviour and recommend some option to accomplish my goal? Thanks

I found a big problem. In Monterey, it does not wait for user acceptance requests. In Monterey, the user appears to fail by requesting deactivation before it is approved. Why are you requesting deactivation without waiting for a user approval request? As a result, deactivation fails. Our app is requesting deactivation based on GUI. I already asked through the feedback number below. (Follow-up: 774983090) However, I do not receive the appropriate response and post it to the Developer Forum. I'll compare it with a BigSur. First, it's BigSur. Step 1. The log pops up as shown below, and the user approval request is activated. 19:45:39.665971+0900 sysextd upgrading connection to nsxpc Step 2. If you approve the user, the log as below comes out. 19:45:43.298319+0900 authd Succeeded authorizing right 'com.apple.system-extensions.admin' by client '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd' [1303] for authorization created by '/Applications/AhnLab Solutions/v3mac/V3FltESApp.app' [3986] (0,0) (engine 243) Step 3. Once approved, a log appears requesting deactivation as shown below and success. 19:45:43.288928+0900 sysextd deactivation request received from: /Applications/AhnLab ... 19:45:44.349972+0900 sysextd deactivation succeeded for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp 19:45:44.350649+0900 sysextd client connection (pid 3986) invalidated However, within Monterey, a deactivation request is made prior to user approval. In other words, the user appears to fail by requesting deactivation before it is approved. 20:05:54.735224+0900 sysextd upgrading connection to nsxpc 20:05:54.741167+0900 sysextd deactivation request received from: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp ... 20:05:54.756362+0900 sysextd deactivation request for com.ahnlab.V3FltES failed authorization check, error: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)" 20:05:54.760648+0900 sysextd deactivation failed for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp, error: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)" ... Even if you subsequently allow a user approval request, the deactivation request has already failed. 20:06:25.244287+0900 authd Succeeded authorizing right 'com.apple.system-extensions.admin' by client '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd' [308] for authorization created by '/Applications/AhnLab Solutions/v3mac/V3FltESApp.app' [2573] (0,0) (engine 39) 20:06:25.250832+0900 sysextd deactivation failed for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp, error: Error Domain=OSSystemExtensionErrorDomain Code=4 "(null)"

I' working on an application using Apple's NetworkExtension framework which should do some basic network traffic filtering. However I've found issues with using Network extension APIs. The application itself is running on custom run loop implementation using kevents, which seems to be the cause of problems. I've tried to create simple application based on Cocoa which uses CFRunLoop internally and everything works there without issues. On the other hand when I've tried to create simple command line application using the APIs won't work either, which is understandable as there is no run loop there. Is there some workaround for this problem without using CFRunLoopSource?

hi I developed an app that has an HID system extension, in debugging mode everything work fine, extension installed and the app connects to it and work but when I signed the app, everything was ruined, the app just can install system extension but can't connect to it system extension entitle ment <key>com.apple.developer.driverkit</key> <true/> <key>com.apple.developer.driverkit.family.hid.device</key> <true/> <key>com.apple.developer.driverkit.family.hid.eventservice</key> <true/> <key>com.apple.developer.driverkit.family.hid.virtual.device</key> <true/> <key>com.apple.developer.driverkit.transport.hid</key> <true/> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> app entitlement <key>com.apple.developer.driverkit.userclient-access</key> <array> <string>com.[TeamName].[ExtensionName]</string> </array> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> seems to can connect to SystemExtension com.apple.developer.driverkit.userclient-access is necessary but if I don't remove this from app entitlement the code signature will be invalid part codes to connect to SystemExtension static const char* dextIdentifier = "[driver bundle identifier]"; // this maybe should change to com.[TeamName].[DriverName] when app want to publish(i don't know) softu2f_ctx *softu2f_init(softu2f_init_flags flags) { softu2f_ctx *ctx = NULL; io_service_t service = IO_OBJECT_NULL; io_iterator_t iterator = IO_OBJECT_NULL; kern_return_t ret; int err; // Find driver. ret = IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceNameMatching(dextIdentifier), &iterator); if (ret != kIOReturnSuccess) { syslog(LOG_WARNING, "u2f: cant find services"); goto fail; } while ((service = IOIteratorNext(iterator)) != IO_OBJECT_NULL) { ret = IOServiceOpen(service, mach_task_self(), 0, &ctx->con); if(ret != kIOReturnSuccess) { syslog(LOG_WARNING, "u2f: cant open service"); break; } else{ syslog(LOG_WARNING, "u2f: opened service"); } IOObjectRelease(service); } Note: when the app was signed the iterator was been 0 (and should not be) Note: the entitlement about DriverKit was granted (maybe the problem is userclient-access not granted)

Hi all, I have been using the endpoint system extension for some months now. Recently when I had checked the crash logs, I found that within an hour there were a lot crashes reported. I am not able to make sense from the log. Here is the crash report Process: com.test.xyz.EndpointSecurityExtension [2851] Path: /Library/SystemExtensions/*/com.test.xyz.EndpointSecurityExtension Identifier: com.test.xyz.EndpointSecurityExtension Version: 1.1.0 (4) Code Type: X86-64 (Native) Parent Process: launchd [1] Responsible: com.test.xyz.EndpointSecurityExtension [2851] User ID: 0 Date/Time: 2021-09-01 11:50:57.698 +0530 OS Version: macOS 11.5.2 (20G95) Report Version: 12 Anonymous UUID: 0F843683-C812-EEE7-668E-2DCAADAE35B6 Sleep/Wake UUID: C67D7ECA-22E6-451F-8766-CB2DCA3FC287 Time Awake Since Boot: 42000 seconds Time Since Wake: 5500 seconds System Integrity Protection: disabled Crashed Thread: 1 Dispatch queue: BBReaderQueue Exception Type: EXC_BAD_INSTRUCTION (SIGILL) Exception Codes: 0x0000000000000001, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Illegal instruction: 4 Termination Reason: Namespace SIGNAL, Code 0x4 Terminating Process: exc handler [2851] Thread 0: 0 libsystem_kernel.dylib 0x00007fff20381b0a __sigsuspend_nocancel + 10 1 libdispatch.dylib 0x00007fff202184e1 _dispatch_sigsuspend + 36 2 libdispatch.dylib 0x00007fff202184bd _dispatch_sig_thread + 53 Thread 1 Crashed:: Dispatch queue: BBReaderQueue 0 com.test.xyz.EndpointSecurityExtension 0x00000001006b836e closure #1 in + 8270 1 com.test.xyz.EndpointSecurityExtension 0x00000001006b8627 thunk for @escaping @callee_guaranteed (@unowned OpaquePointer, @unowned UnsafePointer<es_message_t>) -> () + 23 2 libEndpointSecurity.dylib 0x00007fff2fe2f52b __es_new_client_with_config_block_invoke + 43 3 libEndpointSecurity.dylib 0x00007fff2fe2ff92 BBReader<ESMessageReaderConfig>::handleItems() + 130 4 libEndpointSecurity.dylib 0x00007fff2fe2fe41 BBReader<ESMessageReaderConfig>::woke(void*) + 17 5 libdispatch.dylib 0x00007fff20207806 _dispatch_client_callout + 8 6 libdispatch.dylib 0x00007fff2020a1b0 _dispatch_continuation_pop + 423 7 libdispatch.dylib 0x00007fff2021a564 _dispatch_source_invoke + 2061 8 libdispatch.dylib 0x00007fff2020d493 _dispatch_lane_serial_drain + 263 9 libdispatch.dylib 0x00007fff2020e0e0 _dispatch_lane_invoke + 417 10 libdispatch.dylib 0x00007fff2020f318 _dispatch_workloop_invoke + 1784 11 libdispatch.dylib 0x00007fff20217c0d _dispatch_workloop_worker_thread + 811 12 libsystem_pthread.dylib 0x00007fff203ae45d _pthread_wqthread + 314 13 libsystem_pthread.dylib 0x00007fff203ad42f start_wqthread + 15 Thread 1 crashed with X86 Thread State (64-bit): rax: 0x0000000100743108 rbx: 0x0000000100743028 rcx: 0x0000000000000000 rdx: 0x00007fc6c07091c0 rdi: 0x0000000000000000 rsi: 0x0000000100743370 rbp: 0x000070000cee8690 rsp: 0x000070000cee7ed0 r8: 0x0000000000000515 r9: 0x0000000000000519 r10: 0x00000000fe1fffff r11: 0x00007fc5bffc5e90 r12: 0x000000020236c1a1 r13: 0x00000000000001f6 r14: 0x00000000000041ed r15: 0x0000000000000026 rip: 0x00000001006b836e rfl: 0x0000000000010246 cr2: 0x0000000110b5492e Logical CPU: 0 Error Code: 0x00000000 Trap Number: 6 Thread 1 instruction stream: 8b 70 10 31 ff 31 d2 e8-d6 08 00 00 e9 45 fd ff .p.1.1.......E.. ff 4c 8d 2d ca 71 00 00-48 8b 05 c3 71 00 00 48 .L.-.q..H...q..H 8b 70 10 48 ff c6 31 ff-ba 01 00 00 00 e8 b0 08 .p.H..1......... 00 00 e9 af e7 ff ff 4c-8d 2d a4 71 00 00 bf 01 .......L.-.q.... 00 00 00 4c 89 fe ba 01-00 00 00 e8 92 08 00 00 ...L............ 48 8b 05 8b 71 00 00 e9-a9 e7 ff ff 0f 0b 0f 0b H...q........... [0f]0b 0f 0b 66 2e 0f 1f-84 00 00 00 00 00 0f 1f ....f........... <== 40 00 55 48 89 e5 41 57-41 56 41 55 41 54 53 48 @.UH..AWAVAUATSH 83 ec 28 49 bc 13 00 00-00 00 00 00 d0 48 89 7d ..(I.........H.} b0 48 89 75 b8 48 c7 45-c0 2f 25 40 00 48 b8 00 .H.u.H.E./%@.H.. 00 00 00 00 00 00 e3 48-89 45 c8 48 8d 3d 30 70 .......H.E.H.=0p 00 00 e8 1b db ff ff 49-89 c7 be 48 00 00 00 ba .......I...H.... Thread 1 last branch register state not available. It restarts again, sometimes it crashes again and sometimes it starts working normally. Any idea on where I might have made a mistake? Because when i usually get crash reports it has the line, the function name and the file(eg main.swift) where I had made a mistake, but this is a bit confusing. Thanks in advanced