Strange Entitlement about System Extensions.

I have two System extensions in my application.

  1. App proxy provider ( app-proxy-provider-systemextension)
  2. Endpoint Security (com.apple.developer.endpoint-security.client)

But now, on one of my customer's computers, when it launched the app proxy provider, the sysextd process said: /Applications/XXXXXX.app/Contents/Library/SystemExtensions/com.***.AppProxy.systemextension: entitlement com.apple.developer.endpoint-security.client not present or not true. As a network system extension, my app proxy provider was asking for an Endpoint Security entitlement, which is very strange. I don't know how to debug it. Any ideas and help?

codesign -d --entitlements :- /path/to/appproxy

Warning: Specifying ':' in the path is deprecated and will not work in a future release

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.application-identifier</key>
	<string>{TEAMID}.com.***.AppProxy</string>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>app-proxy-provider-systemextension</string>
	</array>
	<key>com.apple.developer.team-identifier</key>
	<string>{TEAMID}</string>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>{TEAMID}.group.com.***</string>
	</array>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>
</dict>
</plist>
```

security cms -D -i /path/to/profile

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppIDName</key>
	<string>*** AppProxy</string>
	<key>ApplicationIdentifierPrefix</key>
	<array>
		<string>{TEAMID}</string>
	</array>
	<key>CreationDate</key>
	<date>2023-08-02T01:55:16Z</date>
	<key>Platform</key>
	<array>
		<string>OSX</string>
	</array>
	<key>IsXcodeManaged</key>
	<false/>
	<key>DeveloperCertificates</key>
	<array>
		<data>***</data>
	</array>
	<key>DER-Encoded-Profile</key>
	<data>***</data>
	<key>PPQCheck</key>
	<false/>
	<key>Entitlements</key>
	<dict>
		<key>com.apple.developer.system-extension.install</key>
		<true/>
		<key>com.apple.developer.networking.networkextension</key>
		<array>
			<string>packet-tunnel-provider-systemextension</string>
			<string>app-proxy-provider-systemextension</string>
			<string>content-filter-provider-systemextension</string>
			<string>dns-proxy-systemextension</string>
			<string>dns-settings</string>
			<string>relay</string>
		</array>
		<key>com.apple.developer.networking.vpn.api</key>
		<array>
			<string>allow-vpn</string>
		</array>
		<key>com.apple.application-identifier</key>
		<string>{TEAMID}com.***.AppProxy</string>
		<key>keychain-access-groups</key>
		<array>
			<string>{TEAMID}.*</string>
		</array>
		<key>com.apple.developer.team-identifier</key>
		<string>{TEAMID}</string>
	</dict>
	<key>ExpirationDate</key>
	<date>2041-07-28T01:55:16Z</date>
	<key>Name</key>
	<string>*** DeveloperID AppProxy</string>
	<key>ProvisionsAllDevices</key>
	<true/>
	<key>TeamIdentifier</key>
	<array>
		<string>{TEAMID}</string>
	</array>
	<key>TeamName</key>
	<string>***</string>
	<key>TimeToLive</key>
	<integer>6570</integer>
	<key>UUID</key>
	<string>xxxx</string>
	<key>Version</key>
	<integer>1</integer>
</dict>
</plist>
```
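The two dumps above are what a practitioner compares by hand: every entitlement signed into the system extension has to be granted by the embedded profile, or the loader rejects it with exactly this kind of "entitlement ... not present or not true" message. The following added script (not from the original post or from Apple) automates that comparison offline with plistlib. It uses constructed sample XML shaped like the `codesign -d --entitlements` and `security cms -D` output, with placeholder identifiers `TEAMID` and `com.example.AppProxy`, and assumes that `com.apple.security.*` sandbox entitlements are unrestricted and so never appear in a profile.

```python
import plistlib

# Constructed sample, not the poster's real data: entitlements signed into the
# system extension (as codesign prints them), with an Endpoint Security
# entitlement that the profile below does not grant.
SYSEXT_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.application-identifier</key><string>TEAMID.com.example.AppProxy</string>
<key>com.apple.developer.networking.networkextension</key>
<array><string>app-proxy-provider-systemextension</string></array>
<key>com.apple.developer.endpoint-security.client</key><true/>
<key>com.apple.developer.team-identifier</key><string>TEAMID</string>
<key>com.apple.security.app-sandbox</key><true/>
</dict></plist>"""

# Constructed sample: the decoded embedded.provisionprofile, certificate and
# DER blobs omitted.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Example DeveloperID AppProxy</string>
<key>Entitlements</key><dict>
<key>com.apple.developer.system-extension.install</key><true/>
<key>com.apple.developer.networking.networkextension</key>
<array><string>packet-tunnel-provider-systemextension</string><string>app-proxy-provider-systemextension</string></array>
<key>com.apple.application-identifier</key><string>TEAMID.com.example.AppProxy</string>
<key>com.apple.developer.team-identifier</key><string>TEAMID</string>
</dict></dict></plist>"""

# Assumption: sandbox (com.apple.security.*) entitlements are not
# profile-restricted on macOS, so they are skipped; all other keys must match.
UNRESTRICTED_PREFIXES = ("com.apple.security.",)


def check_entitlements(entitlements_xml: bytes, profile_xml: bytes) -> list:
    """Return one message per signed entitlement the profile does not grant:
    a missing key, a differing scalar value, or array members the profile lacks."""
    claimed = plistlib.loads(entitlements_xml)
    granted = plistlib.loads(profile_xml)["Entitlements"]
    problems = []
    for key, value in claimed.items():
        if key.startswith(UNRESTRICTED_PREFIXES):
            continue
        if key not in granted:
            problems.append(f"{key}: not granted by profile")
        elif isinstance(value, list):
            extra = sorted(set(value) - set(granted[key]))
            if extra:
                problems.append(f"{key}: values not in profile: {extra}")
        elif granted[key] != value:
            problems.append(f"{key}: signed {value!r}, profile grants {granted[key]!r}")
    return problems


if __name__ == "__main__":
    print("\n".join(check_entitlements(SYSEXT_ENTITLEMENTS, PROFILE) or ["OK"]))
```

Run it against real output by replacing the two byte strings with the files produced by `codesign -d --entitlements - --xml <sysext>` and `security cms -D -i <sysext>/Contents/embedded.provisionprofile`; on a machine where the binary and profile agree but loading still fails, the problem is elsewhere on that machine, which is the direction the replies below take.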

But now, on one of my customer's computer, when it launched app proxy provider, the sysextd process said …

Can you reproduce this? Specifically, if you set up a fresh machine, one that’s never seen your product before [1], running the same OS release as your customer, do you see the same failure?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] I usually use a VM for this sort of testing.

On a brand new virtual machine running 13.5.2 (my customer's is 13.5; the same problem still exists after the computer was upgraded to 14.0), the problem cannot be reproduced. It runs normally, as it does on the other computers.

OK. That suggests that something is borked on this specific user’s machine. I don’t have any great suggestions for fixing that. I recommend that you encourage your user to reproduce the problem and then immediately trigger a sysdiagnose log. They can then either file a bug about it or pass the sysdiagnose log on for you to file a bug. After that, things kinda fall onto the customer support path.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
