System Extension deactivationRequest fails with error "The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 13.)"

We have a main app that handles UI and interaction with the user, and we also have a daemon contained inside of it. The daemon has all the business logic and FDA and root permissions. Now we want to add a network extension. First we added the Network Extension to the main app and it was working fine (to test the waters). But then we decided to move it to the daemon, since it has all the business logic and the NE mostly contains business logic and no UI. It needs to be there. Now NE activationRequest(forExtensionWithIdentifier:) is working fine, but deactivationRequest(forExtensionWithIdentifier:) during uninstall always fails with this error:

System Extension deactivationRequest fails with error "The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 13.)"

OSSystemExtensionError Code 13 says "An error code that indicates the system was unable to obtain the proper authorization."

What does this actually mean? Also, if there is an error, why is it throwing it during uninstall rather than install?

To make it more clear, this is our app structure:

Main.app -> Contents -> Mac OS -> Daemon.app -> Contents -> Library -> SystemExtensions -> System Extension Bundle

Apple doc says

 @discussion This method creates a new request to activate/deactivate a System Extension.
 Extensions are discovered from the `Contents/Library/SystemExtensions`
 directory of the main application bundle.

Our System Extension is present on the main app bundle and has the Contents/Library/SystemExtensions structure, but one extra layer deep. Is this a supported app structure? If not, is there any way to successfully uninstall the NE from code? Right now systemextensionsctl uninstall won't work without System Integrity Protection disabled. Keeping the NE on the main app will break our project structure and require a major rewrite of the app.

Also whenever I run systemextensionsctl with SIP on I get this message

At this time, this tool cannot be used if System Integrity Protection is enabled. This limitation will be removed in the near future. Please remember to re-enable System Integrity Protection!

Apple introduced System Extensions in 2019. It is still not there yet. Does anybody have any idea when Apple will make it work, if at all?

Replies

To make it more clear, this is our app structure:

This is not a structure we support, and I very much doubt you’ll be able to make this work. Your sysex needs to be directly embedded in its container app.

Is your daemon an ES client?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo Yes. My daemon is an ES Client.

Are there any other ways to make the deactivationRequest work if we place it anywhere other than the container app?
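
An added example, not part of the thread and not Apple's code: a shell check for the layout rule stated in the reply above, that a sysex sits directly in the container app's Contents/Library/SystemExtensions. It assumes the path passed in is the outermost app bundle; the function names and the bundle names in the demo tree are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits where *.systemextension bundles
# sit inside an app bundle. Assumption: APP is the outermost (main) app bundle.

# classify_sysex APP
# Prints "OK <path>" for a sysex directly in APP/Contents/Library/SystemExtensions
# and "NESTED <path>" for one found anywhere else under APP.
# Returns 0 if all are OK, 1 if any is NESTED, 2 if no sysex was found.
classify_sysex() {
    app=${1%/}
    expected="$app/Contents/Library/SystemExtensions"
    found=0
    nested=0
    # -prune: report the sysex bundle itself, do not descend into it.
    list=$(find "$app" -type d -name '*.systemextension' -prune -print)
    while IFS= read -r sysex; do
        [ -n "$sysex" ] || continue
        found=$((found + 1))
        if [ "$(dirname "$sysex")" = "$expected" ]; then
            echo "OK $sysex"
        else
            nested=$((nested + 1))
            echo "NESTED $sysex"
        fi
    done <<EOF
$list
EOF
    [ "$found" -gt 0 ] || return 2
    [ "$nested" -eq 0 ] || return 1
    return 0
}

# Demo on a constructed tree mirroring the layout in the question
# (bundle names are made up for illustration).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/Main.app/Contents/MacOS/Daemon.app/Contents/Library/SystemExtensions/com.example.ne.systemextension"
    classify_sysex "$root/Main.app"
    rc=$?
    rm -rf "$root"
    return "$rc"
}

# With a path argument, audit that bundle; with none, run the demo.
if [ $# -gt 0 ]; then classify_sysex "$1"; else demo || echo "demo status: $?"; fi
```

Run against a built product before packaging, a non-zero status flags a sysex that is not in the outermost bundle's own SystemExtensions directory.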