System Extensions


Install and manage user space code that extends the capabilities of macOS using System Extensions.

Posts under System Extensions tag (200 posts)

Post · Replies · Boosts · Views · Activity

How to update SystemExtensions?
I am developing EndpointSecurity on macOS 11.0 Beta 6. What I want to do is, when EndpointSecurity is installed and running, replace it with a new version of EndpointSecurity. In my EndpointSecurity bundle app, OSSystemExtensionReplacementActionReplace is returned inside the request:actionForReplacingExtension:withExtension: method. I checked through NSLog that the request:actionForReplacingExtension:withExtension: method is called normally. However, if you check Console.app at this time, sysextd crashes. I also checked with the systemextensionsctl list command: because of the crash in sysextd, the new version of EndpointSecurity did not replace the old one. I need your help.
sysextd crash logs: https://developer.apple.com/forums/content/attachment/dc54cc07-7a09-4645-ae02-b042405757c3
Also, I have posted the relevant content to Feedback Assistant: FB8622798
Of course, I also forwarded the information to a Technical Support Incident: 745704790
Replies: 2 · Boosts: 0 · Views: 1.5k · Activity: Jun ’22
Getting error OSSystemExtensionErrorDomain error 1 (OSSystemExtensionErrorUnknown)
Hi, we would like to know the possible reasons why my container app's OSSystemExtensionRequestDelegate is generating this error while trying to activate an Endpoint Security extension, and how we can address those cases so that we can solve this. I have verified that the container app and the extensions are code signed and have entitlements. I am using Xcode 11.3.1 and macOS Catalina 10.15.3 (SIP disabled). Thanks & Regards, Mohmad Vasim
Replies: 2 · Boosts: 0 · Views: 2k · Activity: Oct ’22
Cannot communicate with SystemExtension from Application
So I'm having issues communicating with an endpoint security system extension via XPC. Both the application and the extension are signed, notarized, and members of the same group ID. I've confirmed that the extension is running with systemextensionsctl list and launchctl list. I've also confirmed that the XPC endpoint is available with launchctl procinfo <extension_pid>. The mach service name is correct according to this post: https://developer.apple.com/forums/thread/118211?answerId=366391022#366391022 (TEAMID.bundleID.xpc). I also use the NSXPCConnection.Options.privileged option when creating the NSXPCConnection. When I use connection.remoteObjectProxyWithErrorHandler, I receive the error "Couldn't communicate with a helper application". This error message is very vague and does not help me troubleshoot further. Are there any other logs that I should be looking at in the Console app?
Replies: 7 · Boosts: 0 · Views: 2.5k · Activity: Nov ’21
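The app-to-extension XPC path the post describes, as an added example that is not code from the post or from Apple's samples. It shows both ends: the extension publishes an NSXPCListener under the mach service name it declares in its Info.plist and refuses any peer that does not satisfy a code-signing requirement, and the container app connects with the privileged option because the extension runs as a system daemon. The service name "TEAMID.com.example.app.xpc" (following the TEAMID.bundleID.xpc pattern the post cites), the Info.plist key NSEndpointSecurityMachServiceName, the bundle identifier com.example.app, the Team ID and the ExtensionControlProtocol protocol are all assumed placeholders; setCodeSigningRequirement(_:) requires macOS 13 or later.

```swift
import Foundation

// Added example, not code from the original post. Assumption: the extension's
// Info.plist sets NSEndpointSecurityMachServiceName to this value, and the
// name is prefixed with the Team ID as the referenced forum answer requires.
let machServiceName = "TEAMID.com.example.app.xpc"

// Assumed protocol shared by app and extension (illustration only).
@objc protocol ExtensionControlProtocol {
    func status(reply: @escaping (String) -> Void)
}

// ---- Extension side: publish the listener and gate who may connect ----
final class ExtensionListener: NSObject, NSXPCListenerDelegate, ExtensionControlProtocol {
    private let listener = NSXPCListener(machServiceName: machServiceName)

    func start() {
        listener.delegate = self
        listener.resume()
    }

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // Security check: the mach service is reachable by any local process, so
        // pin the peer to the container app's identifier and Team ID before any
        // method is exposed. Messages from a peer that fails the requirement are
        // rejected by the framework. Requires macOS 13; older systems get no access.
        if #available(macOS 13.0, *) {
            newConnection.setCodeSigningRequirement(
                "anchor apple generic and identifier \"com.example.app\" and certificate leaf[subject.OU] = \"TEAMID\"")
        } else {
            return false
        }
        newConnection.exportedInterface = NSXPCInterface(with: ExtensionControlProtocol.self)
        newConnection.exportedObject = self
        newConnection.resume()
        return true
    }

    func status(reply: @escaping (String) -> Void) {
        reply("running")
    }
}

// ---- App side: connect as privileged, since the extension is a system daemon ----
final class ExtensionClient {
    private let connection: NSXPCConnection

    init() {
        connection = NSXPCConnection(machServiceName: machServiceName, options: .privileged)
        connection.remoteObjectInterface = NSXPCInterface(with: ExtensionControlProtocol.self)
        connection.invalidationHandler = { NSLog("XPC connection to \(machServiceName) invalidated") }
        connection.resume()
    }

    func fetchStatus(completion: @escaping (Result<String, Error>) -> Void) {
        // "Couldn't communicate with a helper application" is delivered to this
        // handler; pair it with sysextd and launchd entries in the unified log to
        // tell a wrong service name from a rejected code signature.
        let proxy = connection.remoteObjectProxyWithErrorHandler { error in
            completion(.failure(error))
        } as? ExtensionControlProtocol
        proxy?.status { completion(.success($0)) }
    }
}
```

The listener-side requirement is the piece most often left out: without it, any process on the machine that knows the service name can drive the extension's exported interface.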
M1 System Extension Cache Rebuilding Loop
This is on an M1 MacBook Pro running 11.1b1. I installed an Extension from Rogue Amoeba to support their App Suite.
1. Boot into recovery to set the system policy to allow user permission of extensions
2. Reboot and install the extension
3. Allow the extension in Preferences > Security panel
4. Allow rebuild and restart
It comes up with an endless loop of failure due to an extension from Apple Inc.! The Rogue Amoeba extension loads fine. Any ideas?
Replies: 26 · Boosts: 0 · Views: 14k · Activity: Apr ’22
How to set environment variables for system extension
Hi Experts, I know there is LSEnvironment for defining environment variables to be set before launching, e.g.
<key>LSEnvironment</key>
<dict>
    <key>PATH</key>
    <string>/Users/flori/.rvm/gems/ruby-1.9.3-p362/bin:/Users/flori/.rvm/gems/ruby-1.9.3-p362@global/bin:/Users/flori/.rvm/rubies/ruby-1.9.3-p326/bin:/Users/flori/.rvm/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:</string>
</dict>
How about a system extension? Thanks a lot.
Replies: 2 · Boosts: 0 · Views: 1.8k · Activity: Jan ’22
Activate System extension only after reboot
When submitting a request for system extension activation, the delegate receives an OSSystemExtensionRequestResult result code. The enum contains two values: OSSystemExtensionRequestCompleted and OSSystemExtensionRequestWillCompleteAfterReboot. When I upgrade my system extension, I always receive OSSystemExtensionRequestCompleted. Is there any way I could specify that I want the new system extension to be activated only after a reboot? Thanks
Replies: 2 · Boosts: 0 · Views: 1.2k · Activity: Oct ’22
OSSystemExtensionErrorDomain error 10 when loading system extension
We have a customer hitting OSSystemExtensionErrorDomain error 10 when attempting to load our system extension. We have tons of successful installations at this point, and this is the first time we've seen this particular error. The error text makes it sound similar to issues with approving the kexts of old: "An error code that indicates the system policy prohibits activating the system extension." And the unified log output further backs this up:
2021-01-04 13:23:59.863 Df sysextd[231:b19c7] Extension with teamID teamID("<redacted>"), identifier <redacted> is not in the list of allowed extensions.
2021-01-04 13:23:59.863 Df sysextd[231:b19c7] Activation decision for extension with teamID teamID("<redacted>"), identifier <redacted> is Deny
The customer says that they have never seen a prompt for this system extension and nothing is listed in Security preferences for it. Is there anything that will help troubleshoot this, or any file that might show if system extensions have been blanket-denied somehow on this system?
Replies: 3 · Boosts: 1 · Views: 4.3k · Activity: Oct ’21
Failed to find a com.apple.networkextension.filter-data extension inside of app
Hi there. I've been working for quite a while prototyping a Content Filter app. I started with the SimpleFirewall code as a base, slowly making changes to it, as my use case is fairly different from the sample code: an internet safety app for kids, not a firewall. I've spent a long time figuring out some of the intricacies of filtering NEFilterFlow objects, and working out the (fairly difficult) IPC communication between the system extension and the containing app. I have the app in a state now where it is not ready for distribution in the App Store, but is ready for validation on a select number of internal test machines. And here I must confess my almost total ignorance of many of the complexities in this realm. I've never built a macOS app before, and I only have one iOS app in the App Store, and that was a much simpler use case (built with React Native, no tricky system extension stuff, and I leveraged TestFlight for testing with that app). So, I fully believe I might be making some total noob mistake here. I can say I've pored over these forums for hours trying lots of things, and I'm really stumped, and would greatly appreciate some detailed help here. 🙏

The problem
Anyway, the problem I'm having is that when I try to get the app to run on another Mac, I can't successfully get the system extension to install. I'll describe the error (as best I can understand it) directly below, and then further down give more information as to how I'm preparing the test application, since the problem might lie there. When I try to activate the system extension from the containing app on a test machine, the activation request succeeds far enough to prompt me to grant permission to install the extension, and when granted, it pops up the purple "(Redacted) would like to filter internet content". When I click "Allow", however, the system extension shows up orange in the Network pref pane, labeled "not running."
Poring over the console logs, these two seem to be the most likely to shed light:
(neagent) Failed to find a com.apple.networkextension.filter-data extension inside of app com.acmecorp.product
and:
(nesessionmanager) com.acmecorp.product[3656]: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)"
I've inspected the contents of the app, and the system extension is properly packaged with the app. I built the SimpleFirewall app and compared the packaged app directory, and the file structure seems basically identical; the system extension executable definitely is there. I put in a bunch of os_logs during the filter activation lifecycle process, logging out the bundle main URL of the system extension, and it all seems correct, and seems to be pointing to files on the filesystem that exist. Also, I do get this encouraging log during the failing activation process:
(sysext) Realizing target path: file:///Applications/MyApp.app/Contents/Library/SystemExtensions/com.acmecorp.product.systemextension/
which has the correct file URL, and seems to indicate that the path to the extension was indeed found. But the extension just stays stuck orange, dead, no IPC communication succeeds, and I have to manually remove it from the Network prefs pane. I've never had the problem building and running locally on the development machine from the derived data dir from Xcode.

How I'm testing
Since the problem might lie here, I'll describe how I'm getting the app over to the target test machine (which is a physical device, not a VM). Nothing super fancy: I basically just go to Product > Archive from within Xcode and create an .xcarchive file. I then "Show Package Contents", zip up the .app file, and send it to the target machine, where I install it in the /Applications dir. I did spend a long time figuring out how to add the UUID of the target machine to the provisioning profile before I could even get the container app to load. But I got that figured out and (as described above) the container app loads perfectly; it's only the system extension activation request that fails. So... Can anyone lend me a hand? Am I going about trying to test correctly? Should I be creating the test app package some other way? Or is my (admittedly crude) method OK, and is it likely the problem lies in how I'm archiving or how the build is set up? Can anyone shed any light on the error? Am I wrong in thinking that if it builds and runs correctly from Xcode on the dev machine, and I drag the app bundle over to another machine, it should run there too, assuming the test machine is in the provisioning profile, which it is? (Both machines are running Catalina, btw.) Thanks in advance!
Replies: 8 · Boosts: 0 · Views: 3.4k · Activity: Jan ’22
Where is SCSIControllerDriverKit now?
Hi there! There was a presentation of the SCSI support in DriverKit at WWDC 2020: https://developer.apple.com/videos/play/wwdc2020/10210/ Currently, Xcode 12.4 (latest) has nothing regarding SCSI in the DriverKit folders. Documentation says it is still in beta: https://developer.apple.com/documentation/scsicontrollerdriverkit So I've downloaded the Xcode 12.5 beta, where DriverKit 20.4 beta resides (according to https://developer.apple.com/support/xcode/). And what do we have there? Just
Kernel.framework/Versions/A/Headers/DriverKit/IOReturn.h
65:#define sub_iokit_scsi err_sub(16)
And nothing more! So, the question is: do we have any way to use SCSI devices now on Big Sur? Could I develop something for it with DriverKit, or should I use the kext approach for now and wait for SCSI DriverKit support to be released indeed?
Replies: 4 · Boosts: 0 · Views: 2.4k · Activity: Oct ’22
Network Extension is not running
Hi All, I am trying to do a small POC using the network extension's content filter capability. It is just a simple application for listening to all inbound connections on a particular port. I am able to build the application using Xcode. Through the main application I am able to install the network extension as a system extension, and I am able to view the installed extension in systemextensionsctl list. The problem is that I am not able to do anything after that; I don't think the extension is actually running. I am not able to see any logs in system.log. A few logs were present in the device log which indicate that the extension is running. The last logs were:
Request to activate com.sample.xyz.NetworkExtension succeeded (0).
Adding event subscription 930 for provider com.sample.xyz.NetworkExtension with extension point com.apple.networkextension.filter-data
I added some debug logs and none of them were printed. I have all entitlements in my provisioning profile, and if there was any code signing issue I guess it would have been present in system.log (at least I assume). Thanks in advance.
Replies: 6 · Boosts: 0 · Views: 2.9k · Activity: Jun ’23
How do I monitor tunnel traffic with a Packet Filter Provider ?
My application contains a Content Filter network system extension. My VPN creates a null/loopback encapsulated tunnel in order to route the traffic to the VPN. I've noticed that I get FilterSocketFlows through the FilterDataProvider, but I never see any tunnel traffic appearing in the FilterPacketProvider. How can the packet provider be configured to filter tunnel traffic? Note: I have tried only registering a PacketProvider and still don't see any traffic. Is there any documentation of proper configuration?
Replies: 9 · Boosts: 0 · Views: 2.4k · Activity: Oct ’21
Deploying MacOS App with Web Content Filter via MDM without requiring user authorising the Content Filter
We have a macOS app that includes a system extension with a content filter using both socket and packet providers. Our normal method for deployment will be by an MDM solution, for which we have created a profile intended to pre-approve the system extension and content filter. This works correctly for the system extension but we are unable to get the content filter pre-approval to work. We have scoured this and other forums and docs but there is no clear reason why our web content filter profile doesn't work. Our payload for the web content filter looks like this:
<dict>
    <key>FilterDataProviderBundleIdentifier</key>
    <string>com.example.ourapp.net</string>
    <key>FilterDataProviderDesignatedRequirement</key>
    <string>identifier "com.example.ourapp.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX</string>
    <key>FilterPacketProviderBundleIdentifier</key>
    <string>com.example.ourapp.net</string>
    <key>FilterPacketProviderDesignatedRequirement</key>
    <string>identifier "com.example.ourapp.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX</string>
    <key>FilterPackets</key>
    <true/>
    <key>FilterSockets</key>
    <true/>
    <key>FilterType</key>
    <string>Plugin</string>
    <key>FilterGrade</key>
    <string>firewall</string>
    <key>PayloadDescription</key>
    <string>Web Content Filter Payload</string>
    <key>PayloadDisplayName</key>
    <string>Web Content Filters</string>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>com.apple.webcontent-filter.8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
    <key>PayloadType</key>
    <string>com.apple.webcontent-filter</string>
    <key>PayloadUUID</key>
    <string>8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PluginBundleID</key>
    <string>com.example.ourapp</string>
    <key>UserDefinedName</key>
    <string>Example OurApp</string>
</dict>
For the Filter[Data|Packet]ProviderBundleIdentifier and Filter[Data|Packet]ProviderDesignatedRequirement fields, the values are derived from codesign -dr - <path to system extension bundle>. For the PluginBundleID the value is the identifier of the enclosing app. This requirement is mentioned in this post: https://developer.apple.com/forums/thread/667016. The rest of the fields are derived from the various examples online. Beyond this, I can't see any reason this should not work. There are reports from some users saying they have got their profiles to work, but I can't confirm that. Is there something wrong in the payload above? Are we missing some fields? Are there any specific requirements for some of these fields I have missed? I can't find detailed documentation for this payload for content filters. We're testing mainly on Catalina; is pre-approval of content filters actually working for Catalina? Big Sur? Any pointers would be appreciated. Thanks.
Replies: 5 · Boosts: 0 · Views: 2.4k · Activity: Aug ’21
Not able to attach Xcode debugger to System Extension by name on macOS
I am developing an NE based System Extension on macOS Catalina 10.15.7 using Xcode 12.4. I have everything in place and my extension is running fine. However, I am not able to attach the debugger to my extension from Xcode. I can go to Terminal and, as the root user, attach lldb to the running system extension. But I am not able to attach the debugger from Xcode using Debug > Attach to Process by PID or Name > Debug Process As > root. Xcode just keeps on "Waiting to Attach". If the extension is already running, then I am able to attach by PID but never by name. I would like to be able to start the debugger using the process name and launch the extension and be able to debug from the first line of code in the extension. Also, I really like Xcode's contextual debugging, where I can see most of the variables and information without any extra effort. With Terminal the debugging is comparatively hectic. So, is there any way I can attach to System Extensions by name in Xcode? I have tried using the target name as well as the extension bundle identifier and several other combinations. From Terminal I can attach using the bundle identifier of the extension itself.
Replies: 6 · Boosts: 1 · Views: 6.4k · Activity: Apr ’23
DriverKit - single process with multiple services
I'm working on a custom solution that uses USB device/interface drivers. For correct setup I need the ability to communicate between my own Services, declared in the IOKit Personalities of my DEXT. At the moment I see only one way to do it, via some shared state. But DriverKit by default launches each USB service in a separate process when the device is connected. Documentation says that an "IOUserServerOneProcess" key can be declared in Info.plist. But it seems it does not work: all my USB services run in different processes. Could anybody suggest a way to interact between my own DriverKit services, or run them in the context of a single process?
Replies: 5 · Boosts: 0 · Views: 2.7k · Activity: Aug ’21
NE SystemExtension connects to the VPN server, but traffic is blocked
I am working on an OpenVPN application for macOS. I use OpenVPNAdapter to do this. The Mac App Store version with an appex works well. But we need a Developer ID signed version. To do this I created an NE system extension (the appex was removed from the project), changed packet-tunnel-provider to packet-tunnel-provider-systemextension, and reused the same PacketTunnelProvider code and the same OpenVPNAdapter (the framework was embedded into the extension). I run the system extension via OSSystemExtensionRequest (copied the logic from Apple's SimpleFirewall example), made a build, and notarized it. When I run the app, I see that the SystemExtension is running (Activity Monitor), PacketTunnelProvider successfully connects to the VPN server (logs and "connected" status in macOS System Preferences), but traffic is blocked. I can't open any websites. First I thought that the problem was with DNS, but I can't open any sites via IP either. So I think macOS blocks the socket traffic. Maybe somebody has had such an issue and knows how to resolve it. macOS: 11.4
Replies: 3 · Boosts: 0 · Views: 1.8k · Activity: May ’23
Install an Endpoint Security system extension outside an app
Hi, I am currently working on an Endpoint Security system extension. I followed the documentation and embedded the extension in a macOS app that installs it. I wonder if it is possible to install this extension without the macOS application. With a launchd agent/daemon or something else? I can't find any documentation about it, so I don't even know if it is possible. Thanks, Johan
Replies: 3 · Boosts: 0 · Views: 1.3k · Activity: Jun ’21
Differentiate between activationRequest and deactivationRequest
Hi, how could I tell in my OSSystemExtensionRequestDelegate if the request I receive is either an activation request or a deactivation one?
func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) {
    guard result == .completed else {
        return
    }
    // Take different actions depending on activation/deactivation
}
Replies: 2 · Boosts: 0 · Views: 1.1k · Activity: Jul ’21
How to handle System Extension willCompleteAfterReboot
Hi, I want some advice on how to handle the OSSystemExtensionRequest.Result.willCompleteAfterReboot in my app. I have noticed that on some users' Macs, when they update and the new System Extension is loaded, the old one is deactivated and the new one is activated but does not start. It will only start after a reboot. Is there a way to avoid this so I don't have to force dozens of users in my organization to reboot after every update to my system extension? When I execute the command to list the extensions this is what I see. The new one is activated but it does not boot.
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
        1231231231 com.organization.app.MyApp (2.0/1) MyApp [terminated waiting to uninstall on reboot]
*       *      1231231231 com.organization.app.MyApp (2.1/1) MyApp [activated enabled]
Replies: 3 · Boosts: 0 · Views: 1.5k · Activity: Jul ’21
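The request-delegate questions raised in "Differentiate between activationRequest and deactivationRequest" and "How to handle System Extension willCompleteAfterReboot" above, and the replacement callback from "How to update SystemExtensions?" earlier on this page, share one delegate, so here is a single added example covering them. It is not code from any of the posts or from Apple: activation and deactivation requests carry the same identifier, so the manager remembers each submitted request object and tells them apart by identity; the willCompleteAfterReboot result is surfaced instead of being treated as "running"; and the replacement callback refuses downgrades so a staged older build cannot roll the extension back. The identifier com.example.app.extension is an assumed placeholder, and versions are compared using the bundles' CFBundleShortVersionString values.

```swift
import Foundation
import SystemExtensions

// Added example, not code from the posts above. Assumption: this is the bundle
// identifier of the extension embedded in the container app.
let extensionIdentifier = "com.example.app.extension"

enum ExtensionOperation { case activate, deactivate }

final class ExtensionManager: NSObject, OSSystemExtensionRequestDelegate {
    // Both request kinds report the same `identifier`, so the request object is
    // the only thing that distinguishes them: keep it and compare by identity.
    private var inFlight: [ObjectIdentifier: ExtensionOperation] = [:]
    private let queue = DispatchQueue.main

    func activate() {
        submit(.activationRequest(forExtensionWithIdentifier: extensionIdentifier, queue: queue), as: .activate)
    }

    func deactivate() {
        submit(.deactivationRequest(forExtensionWithIdentifier: extensionIdentifier, queue: queue), as: .deactivate)
    }

    private func submit(_ request: OSSystemExtensionRequest, as op: ExtensionOperation) {
        inFlight[ObjectIdentifier(request)] = op
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    // sysextd asks this before swapping bundles. Refusing downgrades means an
    // older, signed but vulnerable build of the extension cannot be put back
    // simply by running the app that carries it.
    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
        let notOlder = ext.bundleShortVersion.compare(existing.bundleShortVersion, options: .numeric) != .orderedAscending
        return notOlder ? .replace : .cancel
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        NSLog("Waiting for the user to approve \(request.identifier) in Security settings")
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        let op = inFlight.removeValue(forKey: ObjectIdentifier(request))
        switch (op, result) {
        case (.activate?, .completed):
            NSLog("Extension activated and running")
        case (.deactivate?, .completed):
            NSLog("Extension deactivated")
        case (_, .willCompleteAfterReboot):
            // The old copy is "terminated waiting to uninstall on reboot" and the
            // new one will not start until then: treat the feature as unavailable
            // and tell the user, rather than reporting it as active.
            NSLog("\(op.map { "\($0)" } ?? "request") for \(request.identifier) completes after reboot")
        default:
            NSLog("Unexpected result \(result.rawValue) for \(request.identifier)")
        }
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        inFlight.removeValue(forKey: ObjectIdentifier(request))
        let nsError = error as NSError
        // OSSystemExtensionErrorDomain code 10 (system policy deny) is the one to
        // pair with sysextd's "not in the list of allowed extensions" log line.
        NSLog("\(request.identifier) failed: \(nsError.domain) \(nsError.code) \(nsError.localizedDescription)")
    }
}
```

Note that nothing in this API lets the app demand that a replacement wait for a reboot; the result is decided by sysextd, and the app's job is to report it honestly. The delegate runs on the queue passed at request creation, so the inFlight dictionary is only ever touched from that queue.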
Is it mandatory to place an appproxy-systemextension app directly under the /Applications folder?
Hi there, I have found that I have to place my application.app, which uses appproxy-systemextension, directly under the /Applications folder so that it can load the system extension properly via the open /Applications/application.app command. If I place it under /Applications/company.app/bin/application.app and launch it with the command open /Applications/company.app/bin/application.app, it always fails with the complaint OSSystemExtensionErrorDomain / 1. So the question is: is it mandatory to have this appproxy-systemextension application directly under the /Applications folder? Thanks in advance for the confirmation. Regards Richard
Replies: 2 · Boosts: 0 · Views: 730 · Activity: Jul ’21
Can we hide all network service configurations for appproxy
Hi there, I am using TransparentProxyProvider at the moment, and would like to hide all the configurations from the network service, like what it looks like with SimpleFirewall. I took a look at the source code of SimpleFirewall but didn't quite get the idea of how to make all the configuration items hidden. Thanks in advance for any suggestion. Regards Richard
Replies: 1 · Boosts: 0 · Views: 655 · Activity: Jul ’21
How to update SystemExtensions?
I am developing EndpointSecurity on macOS 11.0 Beta 6. What I want to do is, when EndpointSecurity is installed and running, replace it with a new version of EndpointSecurity. Implemented in my EndpointSecurity bundle app OSSystemExtensionReplacementActionReplace is returned inside Request:actionForReplacingExtension:withExtension: method. I checked through NSLog that the Request:actionForReplacingExtension:withExtension: method is called normally. However, if you check the console.app at this time, sysextd crashes. And I checked with the systemextensionsctl list command. A crash in sysextd did not replace the new version of EndpointSecurity. I need your help. sysextd crash logs - https://developer.apple.com/forums/content/attachment/dc54cc07-7a09-4645-ae02-b042405757c3 Also, I have posted the relevant content to the Feedback Assistant. FB8622798 Of course, I also forwarded the information to the Technical Support Incident. 745704790
Replies
2
Boosts
0
Views
1.5k
Activity
Jun ’22
Getting error OSSystemExtensionErrorDomain error 1 (OSSystemExtensionErrorUnknown)
Hi, We would like to get to know what are the possible reasons my container app OSSystemExtensionRequestDelegate is generating this error while trying for activation of Endpoint Security extensions and how we can address those cases so that we will solve this. I have verified and found container app along with extensions are code signed and having entitlements. I am using XCode 11.3.1 and macOS Catalina 10.15.3 (SIP disabled). Thanks & Regards, Mohmad Vasim
Replies
2
Boosts
0
Views
2k
Activity
Oct ’22
Cannot communicate with SystemExtension from Application
So I'm having issues communicating with a endpoint security system extension via XPC. Both the application and the extension are signed, notarized, and members of the same group ID. I've confirmed that the extension is running with systemextensionsctl list and launchctl list. I've also confirmed that the xpc end is available with launchctl procinfo <extension_pid>. The mach service name is correct according to this post - https://developer.apple.com/forums/thread/118211?answerId=366391022#366391022 (TEAMID.bundleID.xpc). I also use the NSXPCConnection NSXPCConnection.Options.privileged option when creating the connection. When I use connection.remoteObjectProxyWithErrorHandler , I received an error "Couldn't communicate with a helper application". This error message is very vague and does not help me further troubleshoot. Are there any other logs that I should be looking at in the console app?
Replies
7
Boosts
0
Views
2.5k
Activity
Nov ’21
M1 System Extension Cache Rebuilding Loop
This is on an M1 MacBook Pro running 11.1b1. I installed an Extension from Rogue Amoeba to support their App Suite. Boot into recovery to set system policy to allow user permission of extensions Reboot and install extension Allow Extension in Preferences > Security panel Allow rebuild and restart. It comes up with an endless loop of failure due to an Extension from Apple Inc. ! The Rogue Amoeba extension loads fine. Any ideas?
Replies
26
Boosts
0
Views
14k
Activity
Apr ’22
How to set environment variables for system extension
Hi Experts, I knew there is LSEnvironment for defining environment variables to be set before launching. e.g. <key>LSEnvironment</key> <dict> <key>PATH</key> <string>/Users/flori/.rvm/gems/ruby-1.9.3-p362/bin:/Users/flori/.rvm/gems/ruby-1.9.3-p362@global/bin:/Users/flori/.rvm/rubies/ruby-1.9.3-p326/bin:/Users/flori/.rvm/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:</string> </dict> How about system extension? Thanks a lot.
Replies
2
Boosts
0
Views
1.8k
Activity
Jan ’22
Activate System extension only after reboot
When submitting a request for System extension activation, the delegate receive a OSSystemExtensionRequestResult result code. The enum contains two values: OSSystemExtensionRequestCompleted OSSystemExtensionRequestWillCompleteAfterReboot When I upgrade my system extension, I always receive OSSystemExtensionRequestCompleted. Is there anyway I could specify that I want the new system extension to be activated only after a reboot? Thanks
Replies
2
Boosts
0
Views
1.2k
Activity
Oct ’22
OSSystemExtensionErrorDomain error 10 when loading system extension
We have a customer hitting OSSystemExtensionErrorDomain error 10 when attempting to load our system extension. We have tons of successful installations at this point, and this is the first time we've seen this particular error. The error text makes it sound similar to issues with approving the kexts of old: An error code that indicates the system policy prohibits activating the system extension. And the unified log output further backs this up: 2021-01-04 13:23:59.863 Df sysextd[231:b19c7] Extension with teamID teamID("<redacted>"), identifier <redacted> is not in the list of allowed extensions. 2021-01-04 13:23:59.863 Df sysextd[231:b19c7] Activation decision for extension with teamID teamID("<redacted>"), identifier <redacted> is Deny The customer says that they have never seen a prompt for this system extension and nothing is listed in security preferences for it. Is there anything that will help troubleshoot this or any file that might show if system extensions have been blanket-denied somehow on this system?
Replies
3
Boosts
1
Views
4.3k
Activity
Oct ’21
Failed to find a com.apple.networkextension.filter-data extension inside of app
Hi there. I've been working for quite a while prototyping a Content Filter app. I started with the SimpleFirewall code as a base, slowly making changes to it, as my use case is fairly different from the sample code - an internet safety app for kids, not a firewall. I've spent a long time figuring out some of the intricacies of filtering NEFilterFlow objects, and working out the (fairly difficult) IPC communication between the system extension and the containing app. I have the app in a state now where it is not ready for distribution in the app store, but is ready for validation on a select number of internal test machines. And here I must confess my almost total ignorance of many of the complexities in this realm. I've never built a macOS app before, and I only have one iOS app in the app store, and that was a much simpler use case (built with React Native, no tricky system extension stuff, and I leveraged TestFlight for testing with that app). So, I fully believe I might be making some total noob mistake here. I can say I've poured over these forums for hours trying lots of things, and I'm really stumped, and would greatly appreciate some detailed help here. 🙏 The problem Anyway, the problem I'm having is that when I try to get the app to run on another Mac, I can't successfully get the system extension to install. I'll describe the error (as best I can understand it) directly below, and then further down give more information as to how I'm preparing the test application, since the problem might lie there. When I try to activate the system extension from the containing app on a test machine, the activation requests succeeds far enough to prompt me to grant permission to install the extension, and when granted, it pops up the purple "(Redacted) would like to filter internet content". When I click "allow", however, the system extension shows up orange in the Network pref pane, labeled "not running." 
Pouring over the console logs, these two seem to be the most likely to shed light: (neagent) Failed to find a com.apple.networkextension.filter-data extension inside of app com.acmecorp.product and: (nesessionmanager) com.acmecorp.product[3656]: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)" I've inspected the contents of the app, and the system extension is properly packaged with the app. I built the SimpleFirewall app and compared the packaged app directory, and the file structure seems basically identical -- the system extension executable definitely is there. I put in a bunch of os_logs during the filter activation lifecycle process, logging out the bundle main url of the system extension, and it all seems correct, and seems to be pointing to files on the filesystem that exist. Also, I do get this encouraging log during the failing activation process: (sysext) Realizing target path: file:///Applications/MyApp.app/Contents/Library/SystemExtensions/com.acmecorp.product.systemextension/ Which has the correct file url, and seems to be indicating that the path to the extension was indeed found. But the extension just stays stuck orange, dead, no IPC communication succeeds, and I have to manually remove it from the Network prefs pane. I've never had the problem building and running locally on the development machine from the derived data dir from Xcode. How I'm testing Since the problem might lie here, I'll describe how I'm getting the app over to the target test machine (which is a physical device, not a VM). Nothing super fancy -- I basically am just going to "Product" "Archive" from within Xcode and creating an .xcarchive file. I then "show package contents", zip up the app file, and send it to the target machine, where I install it in the /Applications dir. I did spend a long time figuring out how to add the UUID of the target machine to the provisioning profile before I could even get the container app to load. 
But I got that figured out and (as described above) the container app loads perfectly, it's only the system extension activation request that fails. So... Can anyone lend me a hand? Am I going about trying to test correctly? Should I be creating the test app package some other way? Or is my (admittedly crude) method OK, and is it likely the problem lies in how I'm archiving or how the build is setup? Can anyone shed any light on the error? Am I wrong in thinking that if it builds and runs correctly from Xcode on the dev machine, and I drag the app bundle over to another machine, it should run there too, assuming the test machine is in the provisioning profile, which it is? (Both machines are running Catalina, btw). Thanks in advance!
Replies: 8 · Boosts: 0 · Views: 3.4k · Activity: Jan ’22
Where is SCSIControllerDriverKit now?
Hi there! There was a presentation of the SCSI support in DriverKit at WWDC 2020: https://developer.apple.com/videos/play/wwdc2020/10210/ Currently, Xcode 12.4 (latest) has nothing regarding SCSI in the DriverKit folders. Documentation says it is still in beta: https://developer.apple.com/documentation/scsicontrollerdriverkit So I've downloaded the Xcode 12.5 beta, where DriverKit 20.4 beta resides (according to https://developer.apple.com/support/xcode/). And what do we have there? Just this:

    Kernel.framework/Versions/A/Headers/DriverKit/IOReturn.h:65: #define sub_iokit_scsi err_sub(16)

And nothing more! So, the question is: do we have any way to use SCSI devices now on Big Sur? Could I develop something for it with DriverKit, or should I use the kext approach for now, and wait for SCSI DriverKit support to be released indeed?
Replies: 4 · Boosts: 0 · Views: 2.4k · Activity: Oct ’22
Network Extension is not running
Hi All, I am trying to do a small POC using the network extension's content filter capability. It is just a simple application for listening to all inbound connections on a particular port. I am able to build the application using Xcode. Through the main application I am able to install the network extension as a system extension, and I am able to view the installed extension in systemextensionsctl list. The problem is that I am not able to do anything after that; I don't think the extension is actually running. I am not able to see any logs in system.log. A few logs were present in the device log which indicate that the extension is running. The last logs were:

    Request to activate com.sample.xyz.NetworkExtension succeeded (0).
    Adding event subscription 930 for provider com.sample.xyz.NetworkExtension with extension point com.apple.networkextension.filter-data

I added some debug logs and none of them were printed. I have all entitlements in my provisioning profile, and if there was any code signing issue I guess it would have been present in system.log (at least I assume). Thanks in advance.
Replies: 6 · Boosts: 0 · Views: 2.9k · Activity: Jun ’23
How do I monitor tunnel traffic with a Packet Filter Provider ?
My application contains a Content Filter Network System extension. My VPN creates a null/loopback encapsulated tunnel in order to route the traffic to the VPN. I've noticed that I get FilterSocketFlows through the FilterDataProvider, but I never see any tunnel traffic appearing in the FilterPacketProvider. How can the Packet provider be configured to filter tunnel traffic? Note: I have tried only registering a PacketProvider and still don't see any traffic. Is there any documentation of proper configuration?
Replies: 9 · Boosts: 0 · Views: 2.4k · Activity: Oct ’21
Deploying macOS App with Web Content Filter via MDM without requiring user authorising the Content Filter
We have a macOS app that includes a system extension with a content filter using both socket and packet providers. Our normal method for deployment will be by an MDM solution, for which we have created a profile intended to pre-approve the system extension and content filter. This works correctly for the system extension, but we are unable to get the content filter pre-approval to work. We have scoured this and other forums and docs, but there is no clear reason why our web content filter profile doesn't work. Our payload for the web content filter looks like this:

    <dict>
        <key>FilterDataProviderBundleIdentifier</key>
        <string>com.example.ourapp.net</string>
        <key>FilterDataProviderDesignatedRequirement</key>
        <string>identifier "com.example.ourapp.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX</string>
        <key>FilterPacketProviderBundleIdentifier</key>
        <string>com.example.ourapp.net</string>
        <key>FilterPacketProviderDesignatedRequirement</key>
        <string>identifier "com.example.ourapp.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX</string>
        <key>FilterPackets</key>
        <true/>
        <key>FilterSockets</key>
        <true/>
        <key>FilterType</key>
        <string>Plugin</string>
        <key>FilterGrade</key>
        <string>firewall</string>
        <key>PayloadDescription</key>
        <string>Web Content Filter Payload</string>
        <key>PayloadDisplayName</key>
        <string>Web Content Filters</string>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadIdentifier</key>
        <string>com.apple.webcontent-filter.8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
        <key>PayloadType</key>
        <string>com.apple.webcontent-filter</string>
        <key>PayloadUUID</key>
        <string>8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PluginBundleID</key>
        <string>com.example.ourapp</string>
        <key>UserDefinedName</key>
        <string>Example OurApp</string>
    </dict>

For the Filter[Data|Packet]ProviderBundleIdentifier and Filter[Data|Packet]ProviderDesignatedRequirement fields, the values are derived from running codesign -dr - on the system extension bundle. For PluginBundleID the value is the identifier of the enclosing app. This requirement is mentioned in this post: https://developer.apple.com/forums/thread/667016. The rest of the fields are derived from the various examples online. Beyond this, I can't see any reason this should not work. There are reports from some users saying they have got their profiles to work, but I can't confirm that. Is there something wrong in the payload above? Are we missing some fields? Are there any specific requirements for some of these fields I have missed? I can't find detailed documentation for this payload for content filters. We're testing mainly on Catalina; is pre-approval of content filters actually working for Catalina? Big Sur? Any pointers would be appreciated. Thanks.
Replies: 5 · Boosts: 0 · Views: 2.4k · Activity: Aug ’21
Not able to attach Xcode debugger to System Extension by name on macOS
I am developing an NE-based System Extension on macOS Catalina 10.15.7 using Xcode 12.4. I have everything in place and my extension is running fine. However, I am not able to attach the debugger to my extension from Xcode. I can go to the terminal and, as root, I am able to attach lldb to the running system extension. But I am not able to attach the debugger from Xcode using Debug > Attach to Process by PID or Name, with Debug Process As set to root. Xcode just keeps on "Waiting to Attach". If the extension is already running, then I am able to attach by PID, but never by name. I would like to be able to start the debugger using the process name, launch the extension, and be able to debug from the first line of code in the extension. Also, I really like Xcode's contextual debugging, where I can see most of the variables and information without any extra effort. With the terminal the debugging is comparatively hectic. So, is there any way I can attach to System Extensions by name in Xcode? I have tried using the target name as well as the extension bundle identifier and several other combinations. From the terminal I can attach using the bundle identifier of the extension itself.
Replies: 6 · Boosts: 1 · Views: 6.4k · Activity: Apr ’23
DriverKit - single process with multiple services
I'm working on a custom solution that uses USB device/interface drivers. For correct setup I need the ability to communicate between my own Services, declared in the IOKit Personalities of my DEXT. At the moment I'm seeing one way to do it, via some shared state. But DriverKit by default launches each USB service in a separate process when the device is connected. Documentation says that an "IOUserServerOneProcess" key can be declared in Info.plist. But it seems it does not work: all my USB services run in different processes. Could anybody suggest a way to interact between my own DriverKit services, or run them in the context of a single process?
Replies: 5 · Boosts: 0 · Views: 2.7k · Activity: Aug ’21
NE SystemExtension connects to the VPN server, but traffic is blocked
I am working on an OpenVPN application for macOS. I use OpenVPNAdapter to do this. The version for the Mac App Store with an appex works well. But we need a Developer ID signed version. To do this I created an NE system extension (the appex was removed from the project), changed packet-tunnel-provider to packet-tunnel-provider-systemextension, reused the same PacketTunnelProvider code and the same OpenVPNAdapter (the framework was embedded into the extension), ran the system extension via OSSystemExtensionRequest (copied the logic from Apple's SimpleFirewall example), made a build, and notarized it. When I run the app, I see that the SystemExtension is running (Activity Monitor), the PacketTunnelProvider successfully connects to the VPN server (logs and "connected" status in macOS System Preferences), but traffic is blocked. I can't open any websites. First I thought that the problem was with DNS, but I can't open any sites via IP either. So I think macOS blocks socket traffic. Maybe somebody has had such an issue and knows how to resolve it. macOS: 11.4
Replies: 3 · Boosts: 0 · Views: 1.8k · Activity: May ’23
Install an Endpoint Security system extension outside an app
Hi, I am currently working on an Endpoint Security system extension. I followed the documentation and embedded the extension in a macOS app that installs it. I wonder if it is possible to install this extension without the macOS application. With a launchd agent/daemon or something else? I don't find any documentation about it, so I don't even know if it is possible. Thanks, Johan
Replies: 3 · Boosts: 0 · Views: 1.3k · Activity: Jun ’21
Differentiate between activationRequest and deactivationRequest
Hi, how could I tell in my OSSystemExtensionRequestDelegate if the request I receive is either an activation request or a deactivation one?

    func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) {
        guard result == .completed else {
            return
        }
        // Take different actions depending on activation/deactivation
    }
Replies: 2 · Boosts: 0 · Views: 1.1k · Activity: Jul ’21
How to handle System Extension willCompleteAfterReboot
Hi, I want some advice on how to handle OSSystemExtensionRequest.Result.willCompleteAfterReboot in my app. I have noticed that on some users' Macs, when they update and the new System Extension is loaded, the old one is deactivated and the new one is activated but does not start. It will only start after a reboot. Is there a way to avoid this, so I don't have to force dozens of users in my organization to reboot after every update to my system extension? When I execute the command to list the extensions this is what I see. The new one is activated but it does not boot.

    --- com.apple.system_extension.network_extension
    enabled active  teamID      bundleID (version)                  name   [state]
                    1231231231  com.organization.app.MyApp (2.0/1)  MyApp  [terminated waiting to uninstall on reboot]
    *       *       1231231231  com.organization.app.MyApp (2.1/1)  MyApp  [activated enabled]
Replies: 3 · Boosts: 0 · Views: 1.5k · Activity: Jul ’21
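The two questions above (telling an activation callback from a deactivation callback, and handling willCompleteAfterReboot) are both answered by the same delegate pattern, so here is one added example covering both. It is not code from either post: a request-submitting controller that remembers which OSSystemExtensionRequest object it created for which purpose, so the completion callback can be matched by object identity, and that treats willCompleteAfterReboot as a distinct outcome rather than success. The bundle identifier, log subsystem and queue label are placeholders; the app still needs the system-extension install entitlement and the extension embedded in Contents/Library/SystemExtensions for this to work.

```swift
import Foundation
import SystemExtensions
import os.log

// Added example, not from the posts above. All delegate callbacks arrive on
// `queue`, and `pending` is only touched on that queue, so no extra lock is needed.
final class ExtensionRequestController: NSObject, OSSystemExtensionRequestDelegate {
    enum Kind: String { case activation, deactivation }
    enum Outcome { case active, needsReboot, failed(Error), unexpected }

    private let extensionIdentifier: String
    private let queue = DispatchQueue(label: "com.example.app.sysext-requests") // placeholder
    private let log = OSLog(subsystem: "com.example.app", category: "sysext")  // placeholder
    // One delegate serves every request, so the request object's identity is
    // the only reliable way to know what a completion callback refers to.
    private var pending: [ObjectIdentifier: Kind] = [:]
    var onOutcome: ((Kind, Outcome) -> Void)?

    init(extensionIdentifier: String) {
        self.extensionIdentifier = extensionIdentifier
    }

    func activate()   { submit(.activation) }
    func deactivate() { submit(.deactivation) }

    private func submit(_ kind: Kind) {
        queue.async {
            let request: OSSystemExtensionRequest
            switch kind {
            case .activation:
                request = .activationRequest(forExtensionWithIdentifier: self.extensionIdentifier,
                                             queue: self.queue)
            case .deactivation:
                request = .deactivationRequest(forExtensionWithIdentifier: self.extensionIdentifier,
                                               queue: self.queue)
            }
            request.delegate = self
            self.pending[ObjectIdentifier(request)] = kind
            OSSystemExtensionManager.shared.submitRequest(request)
        }
    }

    // MARK: OSSystemExtensionRequestDelegate

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
        // Replace only when the bundled copy is the same version or newer; refusing
        // downgrades keeps an older build from being reinstated over a fixed one.
        let order = ext.bundleVersion.compare(existing.bundleVersion, options: .numeric)
        return order == .orderedAscending ? .cancel : .replace
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        os_log("%{public}@ needs user approval in Security & Privacy",
               log: log, type: .info, extensionIdentifier)
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        // Look the request up by identity: this is how activation and
        // deactivation are told apart in a shared delegate.
        let kind = pending.removeValue(forKey: ObjectIdentifier(request)) ?? .activation
        switch result {
        case .completed:
            onOutcome?(kind, .active)
        case .willCompleteAfterReboot:
            // The new copy is listed as "activated enabled" but is not running
            // until restart: do not report success or open XPC to it yet.
            os_log("%{public}@ of %{public}@ will complete after reboot",
                   log: log, type: .default, kind.rawValue, extensionIdentifier)
            onOutcome?(kind, .needsReboot)
        @unknown default:
            onOutcome?(kind, .unexpected)
        }
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        let kind = pending.removeValue(forKey: ObjectIdentifier(request)) ?? .activation
        os_log("%{public}@ of %{public}@ failed: %{public}@",
               log: log, type: .error, kind.rawValue, extensionIdentifier, error.localizedDescription)
        onOutcome?(kind, .failed(error))
    }
}

// Usage from the container app (placeholder identifier):
// let controller = ExtensionRequestController(extensionIdentifier: "com.example.app.extension")
// controller.onOutcome = { kind, outcome in /* update UI, gate XPC on .active */ }
// controller.activate()
```

Keeping the request-to-purpose map keyed by ObjectIdentifier avoids guessing from state: a deactivation that completes and an activation that completes deliver the identical `.completed` result to the same method. The `.needsReboot` outcome is the moment to tell the user explicitly, and to keep any XPC client from connecting to an extension that the system lists as enabled but has not launched.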
Is it mandatory to place an appproxy-systemextension app directly under the /Applications folder?
Hi there, I have found that I have to place my application.app using appproxy-systemextension directly under the /Applications folder so that it can load the system extension properly via the open /Applications/application.app command. If I place it under /Applications/company.app/bin/application.app and launch it with the command open /Applications/company.app/bin/application.app, it always fails with the complaint OSSystemExtensionErrorDomain error 1. So the question is: is it mandatory to have this appproxy-systemextension application directly under the /Applications folder? Thanks in advance for the confirmation. Regards, Richard
Replies: 2 · Boosts: 0 · Views: 730 · Activity: Jul ’21
Can we hide all network service configurations for appproxy
Hi there, I am using TransparentProxyProvider at the moment, and would like to hide all the configurations from the network service, like what it looks like with SimpleFirewall. I took a look at the source code of SimpleFirewall, but didn't quite get the idea of how to make all the configuration items hidden. Thanks in advance for any suggestion. Regards, Richard
Replies: 1 · Boosts: 0 · Views: 655 · Activity: Jul ’21