Enabling content filter on macOS through MDM

Hi, I'm adding a Content Filtering (FilterDataProvider) on macOS to an existing app and using MDM to avoid user interaction. I start by pushing the following payloads to my machine:

com.apple.system-extension-policy
com.apple.webcontent-filter

And then installing a notarized pkg containing my app and the NE.

Inspecting the system logs shows the following error:

neagent Failed to find a com.apple.networkextension.filter-data extension inside of app com.company_name.app_name.daemon

And calling submit(request: .activationRequest(forExtensionWithIdentifier: bundleId, queue: queue))

results in:

Missing entitlement com.apple.developer.system-extension.install

Installing from Xcode on a SIP-disabled machine works fine and both NE and CF are working as expected.

I followed the steps mentioned here https://developer.apple.com/forums/thread/737894 however, the embedded entitlements already contained the -systemextension suffix, so I'm not sure if re-signing and the subsequent steps are needed.

I also double checked that com.apple.developer.system-extension.install is present, certificates are not expired and that get-task-allow is not present in the embedded profile.

Here is what my release entitlement file looks like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>content-filter-provider-systemextension</string>
	</array>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>com.company_name.app_name.network-extension.content-filter</string>
	</array>
</dict>
</plist>

and my release app entitlement:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.endpoint-security.client</key>
	<true/>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>content-filter-provider-systemextension</string>
	</array>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
</dict>
</plist>

default	19:15:21.408646+0000	sysextd	retrieved bundle code signing info: SecStaticCodeSigningInfo(entitlements: ["com.apple.developer.team-identifier": redacted_team_id "com.apple.application-identifier": redacted_team_id
content-filter-provider-systemextension
)
, "com.apple.developer.system-extension.install": 1], teamID: sysextd.TeamIDType.teamID("redacted_team_id3), "6f5fe9d921c048d3a006898ea87000b2c9cec9b0": sysextd.ArchInfo(name: "arm64", cputype: 16777228, cpusubtype: 0)], signingIdentifier: "com.company_name.app_name.daemon")
default	19:15:21.978818+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Handling installed apps change
default	19:15:21.978826+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Handling installed apps change
default	19:15:21.978899+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Check Filter Plugin installation for com.apple.ALF.ApplicationFirewall (isIP 1)
default	19:15:21.978899+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Check Filter Plugin installation for com.company_name.app_name.daemon (isIP 1)
default	19:15:21.978912+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Configuration is not enabled
default	19:15:21.979728+0000	nesessionmanager	Found 0 registrations for com.company_name.app_name.network-extension.content-filter (com.apple.networkextension.filter-data)
default	19:15:21.980755+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: System Extension - Content filter provider is not installed
default	19:15:21.981215+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Check Filter Plugin installation for com.apple.ALF.ApplicationFirewall (isIP 1)
default	19:15:21.981884+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Configuration is not enabled
default	19:15:21.982389+0000	nesessionmanager	Filter removing perApp Drop policies
default	19:15:21.983407+0000	nesessionmanager	Filter setting IP Drop-All to 0 (Persistent)
default	19:15:21.983793+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Check Filter Plugin installation for com.apple.ALF.ApplicationFirewall (isIP 0)
default	19:15:21.984199+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Configuration is not enabled
default	19:15:21.984616+0000	nesessionmanager	Filter setting Layer-2 Drop-All to 0
default	19:15:21.985070+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Received a restart command from nesessionmanager[388]
default	19:15:21.985472+0000	nesessionmanager	Registering session NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]
default	19:15:21.982249+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Check Filter Plugin installation for com.company_name.app_name.daemon (isIP 1)
default	19:15:21.986886+0000	nesessionmanager	Found 0 registrations for com.company_name.app_name.network-extension.content-filter (com.apple.networkextension.filter-data)
default	19:15:21.987515+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: System Extension - Content filter provider is not installed
default	19:15:21.987837+0000	nesessionmanager	Filter removing perApp Drop policies
default	19:15:21.988156+0000	nesessionmanager	Filter setting IP Drop-All to 0 (Persistent)
default	19:15:21.988537+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Check Filter Plugin installation for com.company_name.app_name.daemon (isIP 0)
default	19:15:21.988959+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: filterPackets is not enabled
default	19:15:21.989135+0000	nesessionmanager	Filter setting Layer-2 Drop-All to 0
default	19:15:21.989428+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Received a restart command from nesessionmanager[388]
default	19:15:21.989834+0000	nesessionmanager	Registering session NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]
default	19:15:21.994568+0000	nesessionmanager	Failed to register session: NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830] type: 4 grade: 3 vpn enabled: 0
default	19:15:21.994764+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Rejected start command from nesessionmanager[388]
default	19:15:21.995117+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Removing all clients
default	19:15:21.995343+0000	nesessionmanager	:  Register Filter Session: NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]
default	19:15:21.995861+0000	nesessionmanager	NESMFilterSessionApp App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Successfully registered
default	19:15:21.997457+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Removing a connection for client VPN[1074]
default	19:15:21.998024+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Removing a connection for client Network[1088]
default	19:15:21.998300+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: status changed to connecting
default	19:15:21.998552+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Removing a connection for client VPN[1090]
default	19:15:21.999321+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Starting with control unit 1073741825
default	19:15:22.999691+0000	nesessionmanager	Found 0 registrations for com.company_name.app_name.network-extension.content-filter (com.apple.networkextension.filter-data)
default	19:15:22.999919+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: System Extension com.company_name.app_name.network-extension.content-filter is not currently registered
default	19:15:22.000139+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Creating a filter plugin with class 4
default	19:15:22.000785+0000	nesessionmanager	NEFilterPlugin(com.company_name.app_name.daemon[inactive]): Sending start command
error	19:15:22.076805+0000	neagent	Failed to find a com.apple.networkextension.filter-data extension inside of app com.company_name.app_name.daemon
default	19:15:22.077378+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Failed to start with error: Error Domain=NEAgentErrorDomain Code=2 "(null)"
default	19:15:22.077598+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9] in state NESMFilterSessionStateStarting: plugin NEFilterPlugin(com.company_name.app_name.daemon[inactive]) status changed to idle with error: 0
default	19:15:22.077733+0000	nesessionmanager	: Request to uninstall session: NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]
default	19:15:22.077918+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: status changed to disconnecting
default	19:15:22.078088+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Updated network agent (inactive, compulsory, not-user-activiated, not-kernel-activated)
default	19:15:22.269344+0000	mdmclient	[504:MDMAgent] Number of  profiles found: 3 (Filtered: 0)
default	19:15:22.410172+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9] in state NESMFilterSessionStateStopping: plugin NEFilterPlugin(com.company_name.app_name.daemon[inactive]) disposed
default	19:15:22.413100+0000	nesessionmanager	Filter removing perApp Drop policies
default	19:15:22.413388+0000	nesessionmanager	Filter setting IP Drop-All to 0 (Persistent)
default	19:15:22.413731+0000	nesessionmanager	Filter setting Layer-2 Drop-All to 0
default	19:15:22.414108+0000	nesessionmanager	: Deregister Filter Session: NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]
default	19:15:22.416409+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: status changed to disconnected, last stop reason Plugin was disabled
default	19:15:22.482307+0000	mdmclient	[504:MDMAgent:<0x2d7b>] Number of  profiles found: 9 (Filtered: 0)
default	19:15:22.503897+0000	mdmclient	[504:MDMAgent] Number of  profiles found: 9 (Filtered: 0)
default	19:15:22.511609+0000	mdmclient	[0:MDMDaemon] Number of  profiles found: 9 (Filtered: 0)
default	19:15:24.778171+0000	sysextd	getPropertiesWithIdentifier: com.company_name.app_name.network-extension.content-filter
default	19:15:24.778419+0000	sysextd	getProperties: com.company_name.app_name.network-extension.content-filter
default	19:15:24.807943+0000	sysextd	retrieving properties for com.company_name.app_name.network-extension.content-filter on behalf of an activation client (like a containing application) with a Team ID of redacted_team_id
default	19:15:24.902693+0000	usernoted	[com.apple.usernotifications.pipeline:7CE526F9-D6C4-426C-9BD7-13D1FAFAB637] Resolving behavior for event, details=
default	19:15:24.909154+0000	donotdisturbd	Intelligent Resolver behavior: unused for clientEventDetails: 
default	19:15:24.909878+0000	usernoted	[com.apple.usernotifications.pipeline:7CE526F9-D6C4-426C-9BD7-13D1FAFAB637] Resolved event, details= behavior=; interruptionSuppression: delay delivery; intelligentBehavior: unused; resolutionReason: mode configuration type; activeModeUUID: 5C19
default	19:15:24.909360+0000	donotdisturbd	Breakthrough is NOT allowed for global settings with event details: .
default	19:15:24.909502+0000	donotdisturbd	Event was resolved: resolution=; interruptionSuppression: delay delivery; intelligentBehavior: unused; resolutionReason: mode configuration type; activeModeUUID: 5C197250-97A0-4EDE-A02A-92489D054DD3>; clientIdentifier: 'com.apple.usernotifications.pipeline'; outcome: suppressed; reason: mode configuration type>
default	19:15:25.000581+0000	sysextd	retrieving properties for com.company_name.app_name.network-extension.content-filter on behalf of an activation client (like a containing application) with a Team ID of redacted_team_id
default	19:15:25.135544+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Handling installed apps change
default	19:15:25.135557+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Handling installed apps change
default	19:15:25.135587+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Check Filter Plugin installation for com.company_name.app_name.daemon (isIP 1)
default	19:15:25.135606+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Check Filter Plugin installation for com.apple.ALF.ApplicationFirewall (isIP 1)
default	19:15:25.135634+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Configuration is not enabled
default	19:15:25.135685+0000	nesessionmanager	Found 0 registrations for com.company_name.app_name.network-extension.content-filter (com.apple.networkextension.filter-data)
default	19:15:25.135816+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: System Extension - Content filter provider is not installed
default	19:15:25.135749+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Check Filter Plugin installation for com.apple.ALF.ApplicationFirewall (isIP 1)
default	19:15:25.136131+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Check Filter Plugin installation for com.company_name.app_name.daemon (isIP 1)
default	19:15:25.142445+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: System Extension com.company_name.app_name.network-extension.content-filter is not currently registered
default	19:15:25.142457+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Creating a filter plugin with class 4
default	19:15:25.142565+0000	nesessionmanager	NEFilterPlugin(com.company_name.app_name.daemon[inactive]): Sending start command
error	19:15:25.155904+0000	neagent	Failed to find a com.apple.networkextension.filter-data extension inside of app com.company_name.app_name.daemon
default	19:15:25.683706+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Handling installed apps change
default	19:15:25.683737+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Check Filter Plugin installation for com.company_name.app_name.daemon (isIP 1)
default	19:15:25.683789+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Handling installed apps change
default	19:15:25.683820+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Check Filter Plugin installation for com.apple.ALF.ApplicationFirewall (isIP 1)
default	19:15:25.683933+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Configuration is not enabled
default	19:15:25.683828+0000	nesessionmanager	Found 0 registrations for com.company_name.app_name.network-extension.content-filter (com.apple.networkextension.filter-data)
default	19:15:25.684525+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: System Extension - Content filter provider is not installed
default	19:15:25.684644+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Check Filter Plugin installation for com.apple.ALF.ApplicationFirewall (isIP 1)
default	19:15:25.687315+0000	nesessionmanager	Registering session NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]
default	19:15:25.707319+0000	nesessionmanager	:  Register Filter Session: NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]
default	19:15:25.707443+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Successfully registered
default	19:15:25.707509+0000	nesessionmanager	Failed to register session: NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830] type: 4 grade: 3 vpn enabled: 0
default	19:15:25.707894+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Rejected start command from nesessionmanager[388]
default	19:15:25.707962+0000	nesessionmanager	NESMFilterSession[com.apple.preferences.application-firewall:164721AE-9A89-4AFB-97B0-CACE0849E830]: Removing all clients
default	19:15:25.710702+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: System Extension com.company_name.app_name.network-extension.content-filter is not currently registered
default	19:15:25.710758+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Creating a filter plugin with class 4
default	19:15:25.711123+0000	nesessionmanager	NEFilterPlugin(com.company_name.app_name.daemon[inactive]): Sending start command
error	19:15:25.720036+0000	neagent	Failed to find a com.apple.networkextension.filter-data extension inside of app com.company_name.app_name.daemon
default	19:15:25.720431+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9]: Failed to start with error: Error Domain=NEAgentErrorDomain Code=2 "(null)"
default	19:15:25.720819+0000	nesessionmanager	NESMFilterSession[App Name:7FFB3558-C3F7-4AE2-9D11-384459849CB9] in state NESMFilterSessionStateStarting: plugin NEFilterPlugin(com.company_name.app_name.daemon[inactive]) status changed to idle with error: 0

@eskimo may I ask for your help here!
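
The checks described in the question (the -systemextension suffix, presence of com.apple.developer.system-extension.install on the container, absence of get-task-allow) can be scripted against an XML entitlements plist. This is an added example, not code from the thread: the function names, the 'app'/'sysex' role labels and the failing DEV_APP sample are constructed for illustration, while the APP and SYSEX samples copy the entitlements posted above.

```python
import plistlib

NE_KEY = "com.apple.developer.networking.networkextension"
INSTALL_KEY = "com.apple.developer.system-extension.install"


def _plist(body: str) -> bytes:
    """Wrap a <dict> body in a minimal XML plist envelope."""
    head = '<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
    return (head + body + "</dict></plist>").encode()


def _ne(value: str) -> str:
    """Build the Network Extension entitlement with a single provider value."""
    return f"<key>{NE_KEY}</key><array><string>{value}</string></array>"


# Samples copied from the entitlements posted in the thread.
APP = _plist("<key>com.apple.developer.endpoint-security.client</key><true/>"
             + _ne("content-filter-provider-systemextension")
             + f"<key>{INSTALL_KEY}</key><true/>")
SYSEX = _plist(_ne("content-filter-provider-systemextension")
               + "<key>com.apple.security.application-groups</key><array>"
               "<string>com.company_name.app_name.network-extension.content-filter"
               "</string></array>")
# Constructed failing sample (not from the thread).
DEV_APP = _plist(_ne("content-filter-provider")
                 + "<key>com.apple.security.get-task-allow</key><true/>")


def audit(raw: bytes, role: str) -> list[str]:
    """Return findings for one entitlements plist.

    role is 'app' (the container that submits the activation request)
    or 'sysex' (the system extension itself); both labels are hypothetical.
    """
    ent = plistlib.loads(raw)
    findings = []
    if role == "sysex" and NE_KEY not in ent:
        findings.append(f"{NE_KEY} is missing from the extension")
    for value in ent.get(NE_KEY, []):
        if not value.endswith("-systemextension"):
            findings.append(f"{NE_KEY}: '{value}' lacks the -systemextension suffix")
    if role == "app" and ent.get(INSTALL_KEY) is not True:
        findings.append(f"{INSTALL_KEY} is missing or not true")
    for key, value in ent.items():
        # Matches both 'get-task-allow' and 'com.apple.security.get-task-allow'.
        if key.endswith("get-task-allow") and value:
            findings.append(f"{key} is set, which indicates development signing")
    return findings


if __name__ == "__main__":
    samples = [("APP", APP, "app"), ("SYSEX", SYSEX, "sysex"),
               ("DEV_APP", DEV_APP, "app")]
    for name, raw, role in samples:
        print(name, audit(raw, role) or "ok")
```

Run it against the entitlements of every signed binary in the package, including whichever one actually calls submit(request:), since the check only speaks for the plist it is given.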

You’re some distance away from anything that I have direct experience with. Lemme ask about this first:

Written by mmosbah in 769199021
and my release app entitlement … com.apple.developer.endpoint-security.client

So you’re trying to put an ES client and NE content filter in the same sysex? That should work, but it certainly complicates things.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

No, our main app is an ES sysex and we are trying to install a second sysex from within the same bundle containing the NE content filter if the customer has the feature needing the CF enabled.

We have a workaround in place where we install the NE on the pkg postinstall and only activate the CF if the customer config needs it; the drawback here is the added complexity and that the NE is installed for everyone.

Any recommendations?

OK. So which bundle has the ID com.company_name.app_name.daemon that’s mentioned in the error message?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
