I'm developing a macOS security tool using NEFilterDataProvider as a system extension. On macOS 26 beta (25E241), sysextd consistently rejects my extension with:
sysextd: no policy, cannot allow apps outside /Applications
Configuration:
- App installed in /Applications/
- Signed with Developer ID Application (693DSH8GN5)
- Entitlement:
  com.apple.developer.networking.networkextension = content-filter-provider
  com.apple.developer.system-extension.install = true
- Developer Mode enabled on test machine
Comparison with Little Snitch:
Little Snitch runs correctly on the same machine. Key differences I found:
- Little Snitch uses content-filter-provider-systemextension instead of content-filter-provider
- Little Snitch has com.apple.security.app-sandbox = false
- Both signed with Developer ID Application
When I switch to content-filter-provider-systemextension, Xcode rejects every provisioning profile because none match that entitlement value, and the Developer Portal doesn't expose fine-grained control over the Network Extensions array values.
Questions
- Is content-filter-provider-systemextension the correct entitlement for system extensions on macOS 26?
- How should the provisioning profile be configured to support it?
- Is there a known sysextd issue on macOS 26 beta causing this regardless of configuration?
- Is there - somewhere! - a guide on how to build such an extension?
Thanks in advance for your help.