FilterDataProvider fails installation intermittently and device looses internet

We have a network content-filter consisting of a main target/GUI, a FilterDataProvider extension and a FilterControlprovider extension. The app is installed via MDMs and works without issues the vast majority of times, but during testing of TestFlight builds we've found that intermittently the device fails to install the network extensions and blocks internet access. The GUI is working fine though. From the logs we can see that when this happens the device tries to start the network extensions repeatedly. The issue is solved by restarting the device.

Has anyone experienced similar issues or have some ideas of what might cause this behaviour?

These are some of the logs we see in Console:

neagent [u E6D696F2-62FB-4262-A97C-B2006EC528C5:m (null)] [<private>(<private>)] Hub connection error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named <BundleID>.FilterDataProvider" ugDescription=connection to service named <BundleID>.FilterDataProvider}code-block
	Failed to start the data extension <BundleID>.FilterDataProvider: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named <BundleID>.FilterDataProvider" ugDescription=connection to service named <BundleID>.FilterDataProvider}
nehelper Denying connection from nesessionmanager (264) because it is missing the com.apple.private.network.socket-delegate entitlement
nesessionmanager <BundleID>[inactive]: starting
launchd Service could not initialize: posix_spawn(/private/var/containers/Bundle/Application/F84E2325-05A6-4DC2-8DD6-20C97EF43E8D/<AppName>.app/PlugIns/FilterDataProvider.appex/FilterDataProvider) failed, error 0x2 - No such file or directory

nesessionmanager	NEFilterPlugin(<BundleID>[inactive]): Sending start command
nesessionmanager	<BundleID>[inactive]: starting
neagent				Looking for a data extension with identifier <BundleID>.FilterDataProvider
neagent				[d <private>] <PKHost:0x718915550> Query: {
					    NSExtensionIdentifier = "<BundleID>.FilterDataProvider";
					    NSExtensionPointName = "com.apple.networkextension.filter-data";
					}
neagent				Found 1 data extension(s) with identifier <BundleID>.FilterDataProvider
neagent				Looking for a control extension with identifier <BundleID>.FilterControlProvider
neagent				[d <private>] <PKHost:0x718915550> Query: {
					    NSExtensionIdentifier = "<BundleID>.FilterControlProvider";
					    NSExtensionPointName = "com.apple.networkextension.filter-control";
					}
neagent				Found 1 control extension(s) with identifier <BundleID>.FilterControlProvider
neagent				Beginning data extension request with extension <BundleID>.FilterDataProvider
neagent				[u C743CE7B-9E19-4A41-BF46-91AEFB24169D:m (null)] [<private>(<private>)] Failed to start plugin; pkd returned an error: Error Domain=PlugInKit Code=4 .<AppName>.FilterDataProvider(C743CE7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch ErrorDomain Code=2 "No such file or directory" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}" UserInfo={NSLocalizedDescription=RBSLaunchRequest error trying to launch 7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0xdb88df3d0 {Error  UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}}

neagent				Extension request with data extension <BundleID>.FilterDataProvider started with identifier (null)
neagent				Failed to start the data extension <BundleID>.FilterDataProvider: Error Domain=PlugInKit Code=4 "RBSLaunchRequest error trying to launch vider(C743CE7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., SIXErrorDomain Code=2 "No such file or directory" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}" UserInfo={NSLocalizedDescription=RBSLaunchRequest error trying to DataProvider(C743CE7B-9E19-4A41-BF46-91AEFB24169D): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., SIXErrorDomain Code=2 "No such file or directory" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}}
nesessionmanager	NESMFilterSession[FilterDataProvider:0C4C9E40-5005-47A5-8C60-F7C8630F29DF] in state NESMFilterSessionStateStarting: plugin NEFilterPlugin(e with error: 1
nesessionmanager	<BundleID>[266]: disposing

neagent Initializing the delegate
neagent		App <BundleID> is not installed or is not valid
neagent		App <BundleID> is not installed or is not valid
neagent		Failed to find a com.apple.networkextension.filter-data extension inside of app <BundleID>
neagent		NEAgentSession: failed to create the delegate
nesessionmanager	<BundleID>[259]: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)"
nesessionmanager	<BundleID>[259]: XPC connection went away
nesessionmanager	NESMFilterSession[FilterDataProvider:0C4C9E40-5005-47A5-8C60-F7C8630F29DF]: Failed to start with error: Error Domain=NEAgentErrorDomain Code=2 "(null)"
Up vote post of gmattl Down vote post of gmattl
271 views
Posted by
gmattl
Reply
Add a Comment

Replies

It’s hard to say what’s going on here but this:

The issue is solved by restarting the device.

seems like a bug to me. By convention, if you’re installing something then you need to maintain one of two outcomes:

  • The stuff you’re installing works without a restart.

  • Or it doesn’t, in which case you need to either force a restart or tell the user to restart.

It sounds like TestFlight isn’t following that convention, which seems eminently bugworthy to me.

Please file a bug about this. Ideally you’d do this:

  1. Install the TestFlight and VPN (Network Extension) debug profiles. Get these from our Bug Reporting > Profiles and Logs page.

  2. Reproduce the problem.

  3. Immediately after that, trigger your sysdiagnose log.

  4. Include that with your bug report.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

nehelper Denying connection from nesessionmanager (264) because it is missing the com.apple.private.network.socket-delegate entitlement

Something is going wrong here when nehelper is receiving a connection from nesessionmanager, and like Quinn mentioned above, that should be captured in a bug report. When you gather the sysdiagnose above it would also be worth checking to see if the pids are changing for either nehelper or nesessionmanager and noting this on your report.

Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

Thank you for your swift replies. I've filed a bug report: FB13704990.

Posted by
gmattl
Up vote reply of gmattl Down vote reply of gmattl
Add a Comment