I'm following up on a couple of forum threads from 2020 to get more clarity on the current guidance for supporting multiple XPC services in system extensions. For context, I'm trying to create a system extension that contains both an Endpoint Security client and a Network Extension filter, and I'm seeing indications that the system may not expect this and doesn't handle it smoothly.
First: Previous guidance indicated that the system would automatically provide a Mach service named <TeamID>.<BundleID>.xpc to use for communicating with the system extension. However, the SystemExtension man page currently documents an Info.plist key called NSEndpointSecurityMachServiceName and suggests that the default service name is deprecated; and in fact if this key is not set, I find a message in the Console:
The extension from <app-name> (<bundle-id>) is using the deprecated default mach service name. Please update the extension to set the NSEndpointSecurityMachServiceName key in the Info.plist file.
I have accordingly set this key, but I wanted to confirm that this is the current best practice.
Second, and more interesting: Another user was trying to do something similar and observed that the Mach service for the endpoint security client wasn't available but the NE filter was. Quinn did some research and replied that this was intended behavior, quoting the EndpointSecurity man page:
"If ES extension is combined with a Network Extension, set the NEMachServiceName key in the Info.plist"
(which I have also done), and concluding from this:
... if you have a combined ES and NE system extension then the Mach service provided by the NE side takes precedence.
However, the current man page does not include this quoted text and says nothing about a combined ES and NE system extension.
So I'm wondering about current best practice. If I do combine the ES and NE clients in a single system extension, should they each declare the Mach service name under their respective Info.plist keys? And could there be a single XPC listener for both, using the same service name under each key, or would it be better to have separate XPC listeners?
Alternatively, would it be preferable to have each component in a separate system extension? (This would entail some rearchitecting of the current design.)
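For the single-listener option asked about above, here is an added Swift example (not from the original post or from Apple's sample code) of what the extension side could look like: it reads both Info.plist keys, insists that they agree, and serves both the ES and NE sides from one NSXPCListener whose peers must satisfy the host app's code-signing requirement. The ExtensionControl protocol, the HOST_BUNDLE_ID and HOST_TEAM_ID placeholders, and the assumption that one shared listener is acceptable to both frameworks are mine; the page does not confirm that configuration.

```swift
import Foundation

// Hypothetical interface the extension exposes to its host app.
@objc protocol ExtensionControl {
    func status(reply: @escaping (String) -> Void)
}

final class ControlService: NSObject, ExtensionControl {
    func status(reply: @escaping (String) -> Void) { reply("running") }
}

// Returns the shared Mach service name only if both Info.plist keys are set
// and agree; otherwise the single-listener configuration is not in effect.
func sharedMachServiceName(from info: [String: Any]) -> String? {
    guard let esName = info["NSEndpointSecurityMachServiceName"] as? String,
          let neName = info["NEMachServiceName"] as? String,
          !esName.isEmpty, esName == neName else { return nil }
    return esName
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Designated requirement of the host app allowed to connect.
    // HOST_BUNDLE_ID and HOST_TEAM_ID are placeholders for your own values.
    private let hostRequirement =
        "anchor apple generic and identifier \"HOST_BUNDLE_ID\" " +
        "and certificate leaf[subject.OU] = \"HOST_TEAM_ID\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        // Reject peers that do not satisfy the host's code-signing requirement
        // (macOS 13+); the check must be installed before the connection resumes.
        if #available(macOS 13.0, *) {
            connection.setCodeSigningRequirement(hostRequirement)
        }
        connection.exportedInterface = NSXPCInterface(with: ExtensionControl.self)
        connection.exportedObject = ControlService()
        connection.resume()
        return true
    }
}

// One listener serving both the ES and NE sides of the extension.
guard let serviceName = sharedMachServiceName(from: Bundle.main.infoDictionary ?? [:]) else {
    fatalError("NSEndpointSecurityMachServiceName and NEMachServiceName must match")
}
let delegate = ListenerDelegate()
let listener = NSXPCListener(machServiceName: serviceName)
listener.delegate = delegate
listener.resume()
dispatchMain()
```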