macOS VPN apps outside of the App Store

Apple is encouraging VPN apps on macOS to transition to Network Extension APIs, if they haven't done so yet, see:

Using Network Extension is fine for VPN apps that are distributed via the Mac App Store. Users get one pop-up requesting permission to add VPN configurations and that's it.

However, VPN apps that are distributed outside of the App Store (using Developer ID) cannot use Network Extension in the same way; such apps need to install a System Extension first (see TN3134: Network Extension provider deployment).

Installing a System Extension is a very poor user experience. There is a pop-up informing about a system extension, which the user has to manually enable. The main button is "OK", which only dismisses the pop-up, and in that case there is little chance that the user will be able to find the correct place to enable the extension. The other button in that pop-up navigates to the correct screen in System Settings, where the user has to enable a toggle. Then there is a password prompt. Then the user has to close System Settings and return to the app.

This whole dance is not necessary for VPN apps on the Mac App Store, because they work with "app extensions" rather than "system extensions".

As a developer of a VPN app that is distributed outside of the App Store, my options are:

  • Implement VPN functionality in an alternative way, without Network Extension. This is discouraged by Apple.
  • Use a System Extension with Network Extension. This is going to discourage my users.

I have submitted feedback to Apple: FB19631390.

But I wonder, why did Apple create this difference in the first place? Is there a chance that they will either improve the System Extension installation process or even allow "app extensions" outside of the Mac App Store?
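As an added illustration (not code from this post or from Apple), this is the Developer ID activation flow the post describes, written against the SystemExtensions framework: the request is submitted, and the `requestNeedsUserApproval` callback is exactly the point where the user is sent to System Settings. The bundle identifier and the user-facing guidance are assumptions.

```swift
import Foundation
import SystemExtensions

// Assumed bundle identifier of the network system extension embedded in the app
// (it lives in Contents/Library/SystemExtensions of the Developer ID app).
let extensionBundleID = "com.example.vpnapp.network-extension"

final class ExtensionActivator: NSObject, OSSystemExtensionRequestDelegate {
    var onFinished: ((Result<Void, Error>) -> Void)?

    // Submit the activation request; results arrive through the delegate methods below.
    func activate() {
        let request = OSSystemExtensionRequest.activationRequest(
            forExtensionWithIdentifier: extensionBundleID, queue: .main)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    // A different build of the extension is already installed: replace it with ours.
    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
        -> OSSystemExtensionRequest.ReplacementAction {
        return .replace
    }

    // The system has shown its pop-up and will not proceed until the user enables
    // the extension in System Settings. Nothing else fires until they do, so the
    // app must explain the next step itself rather than rely on the pop-up's "OK".
    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        print("Approval pending: enable the extension in System Settings, then return here.")
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        switch result {
        case .completed:
            onFinished?(.success(()))
        case .willCompleteAfterReboot:
            // Activation is accepted but only takes effect after a restart.
            onFinished?(.success(()))
        @unknown default:
            onFinished?(.success(()))
        }
    }

    // Covers the user denying the prompt as well as policy or signing failures.
    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        onFinished?(.failure(error))
    }
}
```

On MDM-managed Macs a SystemExtensions configuration profile payload can pre-approve the extension, in which case the approval detour above does not appear. `systemextensionsctl list` in Terminal shows whether the extension ended up in the activated state.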

Answered by DTS Engineer in 854085022
why did Apple create this difference in the first place?

I can’t answer why questions. See Quinn’s Top Ten DevForums Tips for more about that.

As mentioned there, my recommended path forward in cases like this is for you to file an enhancement request for the features you need. It seems like you’ve already done that (FB19631390). Thanks!

Is there a chance that they will … allow "app extensions" outside of the Mac App Store?

Keep in mind that appex-based VPN isn’t well aligned with macOS’s execution model. macOS supports multiple users simultaneously, which is a concern because VPN configurations affect the networking stack as a whole. macOS also supports running third-party code when no user is logged in, which also doesn’t gel well with the appex model.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks Quinn! So it seems to me that app extensions are unlikely to be supported outside of the Mac App Store. And system extensions are more wide-reaching, so they require the user's understanding of that. I suppose the best bet is to hope Apple will consider the feedback and improve the system extension installation UX.

I just had an idea, maybe the system extension installation could be part of the .pkg installer, because it can already install some other system level components. I will add this idea as a comment in that enhancement request. Or should I file a separate one?

Or should I file a separate one?

It’s probably better to do this. Assuming that I’ve understood you properly (-:

It sounds like you want installer packages to be able to install and activate system extensions. If so, that’s a question for the installer team, as opposed to the NE team, and so a separate bug report makes sense.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I already received a response to the original request (FB19631390), they are not planning to make improvements on that side.

So I created a new request: FB19761610 (Package Installer: Ability to install and activate System Extensions)

I couldn't find a category specific to the Installer, so I selected the System Extensions Framework category.

Keep in mind that appex-based VPN isn’t well aligned with macOS’s execution model. macOS supports multiple users simultaneously, which is a concern because VPN configurations affect the networking stack as a whole.

So how does that explain network app extensions in App Store apps? What is there to stop a user logged in on the same system (possibly a standard user) from accessing a VPN tunnel started by another higher privileged user via a Mac App Store app with a network app extension and gaining unauthorized access to resources via that tunnel?

I would think most people assume App Store apps to be running in a far more restricted environment than apps distributed outside the App Store, but in the case of app extensions the opposite appears to be the case. By forcing Developer ID apps to use system extensions it forces admin privileges in order to install the extension and the explicit granting of Privacy and Security permissions, which is not needed with app extensions in App Store apps. This seems to introduce a false sense of security when using App Store apps. Should users be warned not to download App Store apps with extensions because doing so may compromise their system's security?

I know this may sound like a "why" question but it's actually a "what" question. What is the rationale for these policy decisions regarding app and system extensions? Are there documents, tech notes or WWDC sessions describing these policy rationales, or do they only exist in the minds of certain select Apple employees?
