Platform: MacOS 12.0 I have an app bundle which contains an packet tunnel extension. I am not running my packettunnel extension in a Sandbox as I dont plan to post my app in Apple's App Store. I have an requirement to run privilege operations which I have run any place from the app. As we know the user app cannot run these privilege operations we can use the 'Service Management' api: SMJobBless to start a helper tool which can run these privileged tasks. But as I stated earlier I can run these privileged tasks from any place in the bundle, we have packettunnel extension which is running with root privileges. So looking at my above environment what would be recommended? do I really need to start a privileged helper tool or I can directly run these privileged operations from packettunnel extension? One advantage of running these privilege tasks in packettunnel extension I see is that it will not require additional an user authentication which is needed in case of using SMJobBless(), this will also avoid upgrade management of the helper tool.

Hi Team, We are using NETransparentProxyProvider and have observed that AirDrop is not functioning. I attempted to utilize protocolConfiguration in NETransparentProxyManager as mentioned below. manager.protocolConfiguration?.excludeLocalNetworks = true; but it did not work. Could you please provide guidance on how to exclude local network traffic in NETransparentProxyProvider?

I have a simple CLI app bundle that activates my system extension. When I sign it for development it works fine. However, once I sign it with my developer ID certificate for distribution, the network extension will not activate, getting stuck the activation request and completely killing any internet connectivity until I restart. The only thing that I see is different is when I call systemextensionsctl list I get something like: 1 extension(s) --- com.apple.system_extension.network_extension enabled active teamID bundleID (version) name [state] <TEAM_ID> com.company.networkExt (1.0/240116145656) - [validating by category] * * <TEAM_ID> com.company.networkExt (1.0/240115061310) ProxyExtension [activated enabled] Where the one specifying [validating by category] is the one that I'm trying to activate signed with the developer ID cert. The one that is [activated enabled] got there from a dev build. The app was built and notarized and shows to be valid by any codesign -dv --verify --strict and spctl commands that I've found. The system extension is also valid according to codesign. The entitlements are adjusted to use the -systemextension suffix to work with Developer ID certificates. Is there another step required to make it work with a developer ID certificate?

If I do these tasks on random order, CMIO CameraExtension go into unstable condition. Copy MyApp.app under /Applications or /Applications/MyAppGroup/ Install by MyApp sending OSSystemExtensionRequest.activationRequest Check install condition by command : "systemextensionsctl list" uninstall by MyApp sending OSSystemExtensionRequest.deactivationRequest Remove /Applications/MyAppGroup/ by command line and Finder Remove /Applications/MyApp.app by command line and Finder Kill MyApp.app during activationRequest. Once my CMIO CameraExtension go into unstable condition, it is impossible to remove on normal way. "systemextensionsctl list" shows my extension is activated. Remove by API failed with code=4. Removing file of MyApp.app does not remove CameraExtension Only way to remove CameraExtension is "Boot macOS as recovery mode", disable SIP, "systemextensionsctl uninstall" Audio HAL extension is file based and ATOMIC. I can check file existence by "ls" command and remove by "rm -rf" command. I never met unstable condition.

When my macOS app try to deactivate CameraExtension, my app's didFailWithError is called with this error. Error Domain=OSSystemExtensionErrorDomain Code=4 "(null)" I cannot search for error code=4 with that domain. MyApp calls OSSystemExtensionManager.shared.submitRequest with OSSystemExtensionRequest.deactivationRequest I did implement these tasks. BundleID, MyApp: com.myapp, BundleID, CameraExtension: com.myapp.camera Added entitlement and App Groups for app and extension MyApp has SystemExtension capability on Xcode and provision MyApp is installed on /Applications/MyAppGroup/MyApp.app MyApp is executed by Finder macOS is Sonoma 14.2.1 (23C71) on M1 MacBook

Hi! There are two fields in ES message: global_seq_num and seq_num, which are described as a continuous number sequence unless the kernel is "dropping events" because "kernel generated more events than the client could handle." https://developer.apple.com/documentation/endpointsecurity/es_message_t/3684979-global_seq_num https://developer.apple.com/documentation/endpointsecurity/es_message_t/3538607-seq_num However, as we all know, system will kill ES client, if the message is not answered in (deadline) time. I've a lot questions about this thing: What the "drop" actually is? The event is not provided to es client from the kernel? What does the "client could handle" means exactly? (I mean, es client will be already killed, if it can't respond to event in deadline) Are the dropped events responded by the system immediately, or they do wait something? Are only auth events could be dropped, or notify too? What is the system resolution for dropped auth events? (allow I guess) What I'm expected to do as a developer with these two fields - should I just log them and hope to find something out later, or can I react somehow during runtime if I met the break in *seq_num sequence?

Hi Team, We are registering Network Extension on application launch. The application shows this dialog [Dialog attached]. The failing case User press OK and hence, dismissing the user approval User click on Apps UI -&gt; Register Register call the same API again i.e. let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: identifier, queue: .main) 4. This time, the dialog is not launched for the user. Whereas, we have observed, it does launch the dialog again on some of the machines. 5. User reboot the machine 6. Click App -&gt; Register. Stil the same case, the dialog is not launched for user. When I check the status using systemextensionsctl list  *  [TeamId]  com.company.extensionname (1.0.100/1.0.100)  ExtensioName  [activated waiting for user] How can I force the launch of this dialog in API, so that, user can be guided to act upon it.

We've recently noticed frequent crashes on the macOS system after an OS update when using the system extension with NETransparentProxyProvider. Below are the crash logs that appear in a pop-up after the machine starts. I'm having difficulty understanding the exact point at which it crashes, and it shows my process below. Panicked task 0xfffffe2d0a36abf8: 8190 pages, 143 threads: pid 9134: com.xxxx.na Panicked thread: 0xfffffe236ea13010, backtrace: 0xfffffe67858d2b80, tid: 337348 Detailed logs attached. system_cash_log.txt

Hi Team, I have a Network Extension application and UI frontend for it. The UI frontend talks to the Network Extension using XPC, as provided by NEMachServiceName. On M2 machine, The application and XPC connection works fine on clean installation. But, when the application is upgraded, the XPC connection keeps failing. Upgrade steps: PreInstall script kills the running processes, both UI and Network Extension Let installation continue PostInstall script to launch the application after installation complete. Following code is successful to the point of resume from UI application NSXPCInterface *exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(IPCUIObject)]; newConnection.exportedInterface = exportedInterface; newConnection.exportedObject = delegate; NSXPCInterface *remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(IPCExtObject)]; newConnection.remoteObjectInterface = remoteObjectInterface; self.currentConnection = newConnection; [newConnection resume]; But it fails to get the object id<IPCExtObject> providerProxy = [self.currentConnection remoteObjectProxyWithErrorHandler:^(NSError *registerError) { }]; Please note, this only fails for M2. For M1, this exact code is running fine. Additionally, if I uninstall the application by dropping it in Trash and then installing the newer version, then too, the application works fine.

Hi Team, I'm currently using a system extension with NETransparentProxyProvider (with root privileges). I want to support custom DNS (specific to domains) with a search domain to accommodate a single-level domain support. For this, I'm creating a new entry inside /etc/resolver/, using below command. sudo sh -c 'echo "domain corp.test.com\nsearch corp.test.com\nnameserver 9.9.9.9\nnameserver 9.9.2.2" > /etc/resolver/corp.test.com' The above command works fine for me when I execute it via the terminal, creating a new file inside the resolver as described below. So, when I access a single-label domain like https://test, it appends 'corp.test.com,' resulting in hitting the domain as https://test.corp.test.com. Furthermore, it selects either the DNS server 9.9.9.9 or 9.9.2.2. File: /private/etc/resolver/corp.test.com domain corp.test.com search corp.test.com nameserver 9.9.9.9 nameserver 9.9.2.2 File permission total 8 -rw-r--r-- 1 root wheel 80 Dec 5 18:20 corp.test.com scutil --dns resolver #8 domain : corp.test.com search domain[0] : corp.test.com nameserver[0] : 9.9.9.9 nameserver[1] : 9.9.2.2 flags : Request A records, Request AAAA records reach : 0x00000002 (Reachable) However, when I execute the same command within the extension using NSTask, it generates the new file but fails to work as per above. it creates below file File: /private/etc/resolver/corp.test.com domain corp.test.com search corp.test.com nameserver 9.9.9.9 nameserver 9.9.2.2 File permission total 8 -rw-r--r-- 1 root wheel 80 Dec 5 18:25 corp.test.com scutil --dns resolver #8 domain : corp.test.com search domain[0] : corp.test.com nameserver[0] : 9.9.9.9 nameserver[1] : 9.9.2.2 flags : Request A records, Request AAAA records reach : 0x00000002 (Reachable) I don't notice any difference in file permissions and in scutil --dns entry. even we tried running sudo killall -HUP mDNSResponder to refresh its records. Could you please suggest what might be the reason?

Hey team, We have a use case where we need to block all the MacOS network traffic except our app's network traffic. But I don't find any apis from apple with that capability. I see using NEFilterSettings, we can allow the required endpoints and block all the other endpoints we get from handleNewFlow(_ flow:. But this api has a control in endpoint level not the app level. Could you suggest if we have any other apis for this use case? Thanks

Hi, I am writing a transparent proxy (using NETransparentProxyProvider) which could potentially multiplex thousands of flows. When i've done this in the past on other platforms i've used libev or epoll - but NEAppProxyFlow (such as NEAppProxyTcpFlow) don't work with any of those approaches afaict, it doesn't even appear to work with swift-nio - what is the recommended way to multiplex thousands of flows? I still intend to use swift-nio when i manage the real sockets (which proxy the flows), but how do i multiplex the NEAppProxyFlows themselves? Can someone suggest a highly scalable design? I'm new to this, and haven't found a good solution yet. Thanks

I got code of CMIO CameraExtension by Xcode target and it is running with FaceTime. I guess this kind of Extension has lots of security limitation. I like to run command like "netstat" in Extension. Is that possible to call Process.run()? I got keep getting error like "The file zsh doesn’t exist". Same code with Process.run() worked in macOS app. I like to run DistributedNotificationCenter and send text from App to CameraExtension. Is that possible? I do not receive any message on CameraExtension. If there is any other IPC method between macOS app and CameraExtension, please let me know.

Today, I applied the latest security patch to my Mac Studio, and on reboot, I had no networking. It appears to have been a system extension issue. At one point, I needed to "Allow" Apple system software in System Settings. I found that strange. I thought I'd document the issue and my resolution in case someone else runs into this. (1) I did the usual - reboot, shutdown & restart, reboot my Eero mesh; changed from Wi-Fi to wired Ethernet. Nothing worked. (2) I do have my own application that uses a network system extension, so I went through the system extension uninstall process (using the API). Still no joy. I then tried to reinstall the network extensions, but that didn't seem to work. I was never prompted to open the System Settings app. I think the network system extension had not actually been removed. I deleted the app (which should remove the network system extension). Still no joy. Interestingly, launchctl still showed a crashed network system extension (no PID, status -9) (3) I then disabled SIP, rebooted, and used systemextensionsctl to remove the network system extension. While doing this, I discovered an old network system extension from several years ago tied to one of my old organizations and may have been built for Intel CPU. I deleted that too. (If I had to guess, it might have been that old network system extension that caused the problem.) Reenabled SIP Rebooted. (4) At some point I got an interesting alert from Apple about System Extension errors. And when I opened System Settings, I had to allow an extension from Apple?! (5) Networking is now working. I reinstalled my application from TestFlight, installed the network system extension, and everything is still working. (6) Summary I lost networking after applying the security update. Worried that it might be my program, I tried uninstalling the network system extension, but I could not cleanly uninstall and reinstall my network system extension as I've done many times before. I found an old network system extension; deleted both network system extensions with SIP disabled. I had to Allow Apple software. Everything works (including my app with its network system extension installed). I am not sure what the root cause was. My old network system extension? The fact I needed to Allow Apple software? My current app and its network system extension?