NEFilterPacketProvider, NEFilterManager, and permission denied

As I mentioned elsewhere, I am trying to add a packet filter to our app. I can load the extension, but I am getting permission denied when I try to save the preferences with it.

I am building for release, using a Developer ID Application certificate (macOS, if that wasn't clear).

I am starting to worry that I can't do this except on an MDM-managed system.

As I mentioned elsewhere, I am trying to add a packet filter to our app. I can load the extension, but I am getting permission denied when I try to save the preferences with it.

Sorry if I am duplicating answers found elsewhere but this can mean a few different things.

  • Your app bundle or your Network System Extension is not correctly entitled and signed.
  • Your Network Extension is not recognized as a macOS bundle and so the System Extension machinery did not recognize it.
  • You are testing or running this app from an unexpected location.

Quinn has an excellent post on how to debug this here.

sigh. It ate my reply. Having horrible success with Apple today :(. Trying to rewrite it from memory:

I can load the extension. I have another network extension in the app -- a transparent proxy provider, while this new one is a content filter provider. I can save the preferences for the TPP, but when I try to save it for the packet filter extension, I get permission denied (error 10). The application is in /Applications (thus allowing both extensions to load). Quinn's debug post does not cover that issue.

I had a test program that worked, but after the issues (described elsewhere today) with my Developer ID Application certificate, I can't build it at all anymore. And Xcode keeps revoking my certificate because the private key isn't in a keychain, which does nothing, so it keeps trying to do that, and I can't get it back to building.

sob

but when I try to save it for the packet filter extension, I get permission denied (error 10).

Another reason you could be getting a permission denied error when installing a content filter provider is that your previous configuration for this provider is still lingering around on the system. Make sure that is not happening and that it is cleared out first before doing a new test run. One easy way to check this is to go to System Settings -> Network and make sure your previous config does not still exist there.

It doesn't appear to be. But! We have two network extensions, and they both show up with the same name, so could that be the problem? If so, how would I ensure that the content filter gets a different configuration name than the transparent proxy provider one?

Weirdly, although it's still giving me that error, it seems to have activated the packet filter. I still have no idea what's going on there!

I tracked this one down too -- and filed a FB for it. After filing a TSI.

The issue seems to be that, for whatever reason, if they are both trying to access the preferences (the VPN manager and the filter manager), it fails. I changed my code to, in addition, listen for notifications about changes to the VPN and filter, and when one completed, try the other one if it hadn't been enabled yet.
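
The workaround described in the last post, sketched as an added example that is not code from the thread or from Apple: only one manager saves at a time, and each configuration-change notification triggers an attempt at the other. The class name, bundle identifiers, descriptions, and server address are placeholders.

```swift
import NetworkExtension

final class ExtensionConfigurator {
    // Assumption: placeholder bundle identifiers, not taken from the thread.
    private let proxyBundleID = "com.example.app.proxy"
    private let filterBundleID = "com.example.app.packetfilter"
    private var observers: [NSObjectProtocol] = []

    func start() {
        let nc = NotificationCenter.default
        // A completed change to one configuration triggers an attempt at the other.
        observers.append(nc.addObserver(forName: .NEVPNConfigurationChange, object: nil,
                                        queue: .main) { [weak self] _ in self?.enableFilter() })
        observers.append(nc.addObserver(forName: .NEFilterConfigurationDidChange, object: nil,
                                        queue: .main) { [weak self] _ in self?.enableProxy() })
        enableProxy()   // Start only one save; the filter follows from the notification.
    }

    private func enableProxy() {
        NETransparentProxyManager.loadAllFromPreferences { [weak self] managers, error in
            guard let self = self, error == nil else { return }
            let manager = managers?.first ?? NETransparentProxyManager()
            // Already enabled: no save (and no notification), so move on to the filter.
            if manager.isEnabled { self.enableFilter(); return }
            let proto = NETunnelProviderProtocol()
            proto.providerBundleIdentifier = self.proxyBundleID
            proto.serverAddress = "localhost"   // Placeholder value.
            manager.protocolConfiguration = proto
            manager.localizedDescription = "Example Transparent Proxy"
            manager.isEnabled = true
            manager.saveToPreferences { if let e = $0 { print("proxy save failed: \(e)") } }
        }
    }

    private func enableFilter() {
        let manager = NEFilterManager.shared()
        manager.loadFromPreferences { [weak self] error in
            // Stop here if the filter is already enabled, which also ends the chain.
            guard let self = self, error == nil, !manager.isEnabled else { return }
            let config = NEFilterProviderConfiguration()
            config.filterSockets = false
            config.filterPackets = true
            config.filterPacketProviderBundleIdentifier = self.filterBundleID
            manager.providerConfiguration = config
            manager.localizedDescription = "Example Packet Filter"
            manager.isEnabled = true
            manager.saveToPreferences { if let e = $0 { print("filter save failed: \(e)") } }
        }
    }
}
```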
