How to install and manage Network Extension in case of GUI-less application?

In the Apple world there is no such thing as a “GUI-less application”. Apps are user-visible things that you launch from the Finder, the Home screen on iOS, and so so.

If you’re building an product that relies on a system extension (sysex) then my general advice is:

• Embed the system extension in a container app that has a GUI that allows the user to install and remote the sysex using System Extensions framework.
• And, in the case of a NE provide, configure it using the Network Extension API.
• If you need some other background processing functionality — like a launchd daemon or agent — embed that in your app and manage it via SMAppService.
• If you want to support customers in a managed environment, explore the various MDM options for installing your app, enabling your sysex, and configure its options.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for the help!

Our cross-platform DLP solution is deployed via a standard .pkg installer and must support macOS 11 and later. The installer sets up a LaunchAgent which is responsibe for system monitoring and launching container app (which bundles NE) when necessary. Once activated, the Network Extension communicates with independently deployed LaunchDaemon via XPC (https://developer.apple.com/forums/thread/820631).

To avoid confusing users with unnecessary UI, this container app must run in the background without a Dock icon.

Is it officially supported to configure the Network Extension's containing .app as a background-only application by setting LSUIElement = YES in its Info.plist? Is it supported for our independently deployed LaunchAgent to programmatically launch this background-only .app?

(Note: I understand that without an MDM profile, the user will still be prompted to manually approve the system extension in System Preferences/Settings)

Thanks!

To avoid confusing users with unnecessary UI, this container app must run in the background without a Dock icon.

This is something I specifically recommend against. Your container app should have some sort of UI. Ideally that UI should allow the user to enable and disable your product (subject to appropriate authorisation).

If you want something that does processing in the background without a UI, do that in:

• Your launchd daemon, if the work doesn’t require a user context
• Or your launchd agent, if it if does

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"