Mac can't find or register NE App Extension without App Sandbox entitlement

Recently, while developing a network extension on macOS, I encountered a very interesting issue. When the App Sandbox entitlement is included, the NE (Network Extension) can be called and run normally. However, when the App Sandbox is removed, with everything else remaining unchanged, an error occurs. The logs are as follows:


Failed to find an app extension with identifier app.acmeVpnM.extension and extension point com.apple.networkextension.packet-tunnel: (null)

Found 0 registrations for app.acmeVpnM.extension (com.apple.networkextension.packet-tunnel)

If you add app sandbox, it will run normally.

This is my container app entitlement

This is my NE extension (without App Sandbox)

I want to know the reason for this. App sandbox shouldn't be mandatory. How can I make my NE run in an environment without app sandbox?

Answered by DTS Engineer in 840103022
I already solved this issue

Care to share your solution?

How can I make my NE run in an environment without app sandbox?

On macOS, App Sandbox is mandatory:

  • For all Network Extension app extensions

  • For virtually all [1] Network Extension system extensions

In many cases this isn’t a serious limitation because, if you’re distributing outside the Mac App Store, you can use temporary exception entitlements to disable most sandbox protections. I talk about this more in The Case for Sandboxing a Directly Distributed App.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] There’s one exception to this rule: If you have a system extension that includes both an NE provider and an Endpoint Security client, you don’t need to enable App Sandbox. That’s because ES is incompatible with sandboxing.
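
A pre-build check for the rule in the answer above, added here as an example (it is not code from the thread or from Apple). It reads an entitlements plist, for instance one dumped with `codesign -d --entitlements - --xml`, and reports whether a Network Extension provider is missing App Sandbox, allowing the NE plus Endpoint Security system extension exception from footnote [1]. The function name, the `kind` parameter and the sample plists are assumptions constructed for illustration.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
NE = "com.apple.developer.networking.networkextension"
ES = "com.apple.developer.endpoint-security.client"
TEMP_EXC = "com.apple.security.temporary-exception."


def check_ne_entitlements(plist_bytes, kind):
    """Apply the rule from the answer to one code-signing entitlements plist.

    kind: "appex" (app extension) or "sysex" (system extension).
    Returns (ok, reason, temporary_exception_keys).
    """
    ent = plistlib.loads(plist_bytes)
    # Temporary exception entitlements relax the sandbox; list them for review.
    exceptions = sorted(k for k in ent if k.startswith(TEMP_EXC))
    if not ent.get(NE):
        return True, "no Network Extension provider declared", exceptions
    if ent.get(SANDBOX) is True:
        return True, "NE provider is sandboxed", exceptions
    # Footnote [1]: a sysex with both an NE provider and an ES client is exempt.
    if kind == "sysex" and ent.get(ES) is True:
        return True, "sysex with NE provider and ES client", exceptions
    return False, "NE provider without App Sandbox", exceptions


# Constructed sample entitlements (not taken from the thread).
APPEX_NO_SANDBOX = plistlib.dumps({NE: ["packet-tunnel-provider"]})
APPEX_SANDBOXED = plistlib.dumps({
    NE: ["packet-tunnel-provider"],
    SANDBOX: True,
    TEMP_EXC + "files.absolute-path.read-write": ["/"],
})
SYSEX_WITH_ES = plistlib.dumps({NE: ["content-filter-provider"], ES: True})

if __name__ == "__main__":
    for name, data, kind in [
        ("appex, no sandbox", APPEX_NO_SANDBOX, "appex"),
        ("appex, sandboxed", APPEX_SANDBOXED, "appex"),
        ("sysex, NE + ES", SYSEX_WITH_ES, "sysex"),
    ]:
        print(name, "->", check_ne_entitlements(data, kind))
```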

Accepted Answer

Guys, I already solved this issue
