Start NetworkExtension automatically at system boot

I am trying to find ways to start my macOS application (a network extension to filter traffic) automatically for all users, and preferably at system start even before a user logs in.
I can find a lot of references to SMLoginItemSetEnabled, which adds the application to the user's LoginItems so that it is started for the specific user after they log in, but nothing that holds system-wide.
As far as I can see, applications that start up automatically for all users place their .plist in either the LaunchAgents or the LaunchDaemons folders in /Library/ or /System/Library/.

What is the correct/recommended way to start a network extension automatically and as early as possible for all users? Is this permissible for an application in the Mac App Store (assuming explicit user consent)?

Thank you

Accepted Reply

As far as I understand, once loaded and user approved, your network extension will be started automatically on the next restart (which was not the case with kernel extensions loaded manually).

The issue is actually more with the companion app/process if this is a Mac App Store solution. For the companion app/process to be started at boot time, you would need to use a launchd daemon.

And launchd daemons are persona non grata in the MAS AFAIK.

Replies

What is the correct/recommended way to start a network extension automatically and as early as possible for all users? Is this permissible for an application in the mac App Store (assuming explicit user consent)?

You should look at creating your NEFilterDataProvider as a Network System Extension. This should allow you to run independent of a user session. When you add a new target to your Xcode project in macOS, the Network System Extensions are at the bottom of the list of targets.

Network System Extensions are not a target you can submit for the App Store. They can be distributed through Developer ID.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thank you both, tartempion and meaton.

I was indeed planning to use a network extension (likely NEDNSProxyProvider to only filter dns traffic), but I didn't realize that once enabled and activated it will already be started automatically as you describe - I will experiment with this.
Consequently I don't need the companion app offering a UI to start before the user has logged in, since it isn't necessary to start the extension or configure it with the NEDNSProxyManager on every restart (as I previously thought).

Just a quick clarification @meaton:

Network System Extensions are not a target you can submit for the App Store.

I assume you are talking about a System Extension target without accompanying app? If the System Extension is packaged together with a UI app, like the example SimpleFirewall app, then it is presumably fit for the App Store? (I remember this being mentioned in the WWDC2019 talk about system extensions)

I assume you are talking about a System Extension target without accompanying app? If the System Extension is packaged together with a UI app, like the example SimpleFirewall app, then it is presumably fit for the App Store? (I remember this being mentioned in the WWDC2019 talk about system extensions)

This is a good point. I just double-checked this internally and submitting a Network System Extension to the App Store is apparently an approved path. So my previous response that "Network System Extensions are not a target you can submit for the App Store" was not correct. Thank you for bringing this up.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
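The two pieces the thread describes, activating the Network System Extension from the container app (meaton's answer) and configuring it once with NEDNSProxyManager so that it comes back on its own after a reboot (the asker's follow-up), as one added example. This is not code from the thread or from Apple's SimpleFirewall sample; the bundle identifier com.example.dnsfilter.extension, the localized description, and the print-based logging are assumptions made for the example. It assumes the container app carries the com.apple.developer.system-extension.install entitlement and both targets carry com.apple.developer.networking.networkextension with the dns-proxy capability, and that the app is launched from /Applications, which sysextd requires before it will install an embedded extension.

```swift
import Foundation
import NetworkExtension
import SystemExtensions

/// Bundle identifier of the DNS proxy system extension embedded in the container
/// app at Contents/Library/SystemExtensions. Assumed name for this example.
let extensionBundleID = "com.example.dnsfilter.extension"

/// Drives the one-time activation of the system extension and the one-time
/// NEDNSProxyManager configuration. Once both have succeeded and the user has
/// approved the extension, the system loads the proxy at boot without this
/// app running or any user being logged in, so neither step is repeated.
final class ExtensionInstaller: NSObject, OSSystemExtensionRequestDelegate {

    /// Ask sysextd to install (or upgrade) the embedded extension.
    func activate() {
        let request = OSSystemExtensionRequest.activationRequest(
            forExtensionWithIdentifier: extensionBundleID,
            queue: .main)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    // MARK: OSSystemExtensionRequestDelegate

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
        -> OSSystemExtensionRequest.ReplacementAction {
        // A newer build of the same extension replaces the installed copy.
        return .replace
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        // The extension stays installed but unloaded until the user allows it
        // in System Preferences > Security & Privacy. Approval is remembered.
        print("Waiting for user approval of \(request.identifier)")
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        switch result {
        case .completed:
            configureDNSProxyIfNeeded()
        case .willCompleteAfterReboot:
            print("Activation completes after the next reboot")
        @unknown default:
            print("Unexpected activation result")
        }
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        // Typical causes: app not in /Applications, missing entitlement,
        // or a code-signing mismatch between app and extension.
        print("Activation failed: \(error)")
    }

    // MARK: NEDNSProxyManager

    /// Saves a DNS proxy configuration only when no enabled configuration for
    /// our extension exists yet. The saved configuration persists across reboots,
    /// so re-saving on every launch is unnecessary and would restart the proxy.
    func configureDNSProxyIfNeeded() {
        let manager = NEDNSProxyManager.shared()
        manager.loadFromPreferences { loadError in
            if let loadError = loadError {
                print("Could not load DNS proxy preferences: \(loadError)")
                return
            }
            if manager.isEnabled,
               manager.providerProtocol?.providerBundleIdentifier == extensionBundleID {
                print("DNS proxy already configured and enabled; nothing to do")
                return
            }
            let proto = NEDNSProxyProviderProtocol()
            proto.providerBundleIdentifier = extensionBundleID
            manager.providerProtocol = proto
            manager.localizedDescription = "Example DNS Filter"  // assumed label
            manager.isEnabled = true
            manager.saveToPreferences { saveError in
                if let saveError = saveError {
                    print("Could not save DNS proxy preferences: \(saveError)")
                } else {
                    print("DNS proxy configuration saved; it survives reboots")
                }
            }
        }
    }
}

// Usage from the container app, e.g. in applicationDidFinishLaunching:
// let installer = ExtensionInstaller()   // keep a strong reference
// installer.activate()
```

The extension target itself is a separate NEDNSProxyProvider subclass and is not shown here. The check in configureDNSProxyIfNeeded is the practical point of the thread: the activation request and the saved NEDNSProxyManager preferences are both durable system state, so a launchd daemon for the companion app is not needed for the filter to be running before anyone logs in.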