We are developing a DLP agent that uses a NETransparentProxyProvider to perform traffic inspection and modification. Our architecture currently includes:
- LaunchAgent, which monitors user session activity (login/logout, session activation)
- Container App, which:
  - installs and activates a System Extension
  - creates and saves the NETransparentProxyManager configuration
  - starts the transparent proxy via startVPNTunnel.
We would like to automate the startup of the Transparent Proxy for all users, including newly created users, in a way that is fully supported by macOS. We are looking for official guidance on the correct and supported mechanism for starting a user‑level Network Extension (specifically NETransparentProxyProvider) automatically at user login.
Questions:
- What is the recommended and supported way to automatically start a NETransparentProxyProvider at user login?
- Are there any constraints or best practices we should follow when designing an automatic startup flow for a Network Extension such as NETransparentProxyProvider?
We would appreciate official clarification on the supported deployment patterns for starting a user‑level Transparent Proxy Network Extension automatically in multi‑user enterprise environments.
> mechanism for starting a user‑level Network Extension
I want to start by clarifying this “user level” concept.
A transparent proxy is not really a user-level thing. On macOS there’s a single networking stack and all users, and the system, use that stack. Your transparent proxy exists, at least conceptually, within the networking stack, and thus it sees network traffic from all users.
Additionally, if you use sysex packaging then your NE provider is loaded by what is effectively a launchd daemon, which is completely disconnected from any user login state.
Finally, macOS supports zero or more user login sessions, with an arbitrary mix of GUI and non-GUI sessions. Your proxy needs to account for that flexibility. Having a launchd agent is a good start, because that will be instantiated in each login session (the exact behaviour depends on how you set LimitLoadToSessionType).
Given all of the above, I don’t think it makes sense to start and stop the proxy as users log in and out. Rather, I’d have the proxy running all the time and then have your launchd agent inform the proxy about login sessions coming and going. The proxy can then take that into account when it decides whether to proxy a flow in its handle-new-flow method.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
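The design sketched in the reply above, as an added example that is not part of the original thread and not Apple's or the original poster's code: the proxy provider runs all the time, a per-session LaunchAgent reports session begin/end over XPC, and `handleNewFlow` consults that state before deciding whether to proxy a flow. The XPC protocol name, the Mach service name, the `SessionRegistry` type and the `ownerUID` helper are all assumptions made for this example; `audit_token_to_ruid` comes from `<bsm/libbsm.h>` and is assumed to be exposed through a bridging header, and the Mach service name is assumed to match the `NEMachServiceName` entry in the system extension's Info.plist.

```swift
import Foundation
import NetworkExtension

// XPC protocol the LaunchAgent uses to report its login session (assumed name).
// The agent is instantiated once per session (see LimitLoadToSessionType), so
// each instance reports the uid it runs as when it starts and when it exits.
@objc protocol SessionReporting {
    func sessionDidBegin(uid: uid_t, reply: @escaping () -> Void)
    func sessionDidEnd(uid: uid_t, reply: @escaping () -> Void)
}

// Thread-safe record of which uids currently have an active login session.
final class SessionRegistry {
    private let queue = DispatchQueue(label: "example.session-registry")
    private var activeUIDs = Set<uid_t>()
    func begin(_ uid: uid_t) { queue.sync { _ = activeUIDs.insert(uid) } }
    func end(_ uid: uid_t) { queue.sync { _ = activeUIDs.remove(uid) } }
    func isActive(_ uid: uid_t) -> Bool { queue.sync { activeUIDs.contains(uid) } }
}

// Recover the real uid of the flow's source app from its audit token.
// Assumes audit_token_to_ruid is visible via a bridging header importing <bsm/libbsm.h>.
func ownerUID(from token: Data) -> uid_t? {
    guard token.count == MemoryLayout<audit_token_t>.size else { return nil }
    var auditToken = audit_token_t()
    withUnsafeMutableBytes(of: &auditToken) { $0.copyBytes(from: token) }
    return audit_token_to_ruid(auditToken)
}

final class TransparentProxyProvider: NETransparentProxyProvider, NSXPCListenerDelegate, SessionReporting {
    private let registry = SessionRegistry()
    // Assumed Mach service name; must equal NEMachServiceName in the sysex Info.plist.
    private lazy var listener = NSXPCListener(machServiceName: "com.example.dlp.sessions")

    override func startProxy(options: [String: Any]?, completionHandler: @escaping (Error?) -> Void) {
        listener.delegate = self
        listener.resume()
        // Ask the system to hand us every outbound flow; handleNewFlow filters per user.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        settings.includedNetworkRules = [
            NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                          localNetwork: nil, localPrefix: 0,
                          protocol: .any, direction: .outbound)
        ]
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    override func stopProxy(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        listener.invalidate()
        completionHandler()
    }

    // Accept connections from the per-session agents; the client is expected to be
    // code-signature checked in production, which this example omits.
    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        newConnection.exportedInterface = NSXPCInterface(with: SessionReporting.self)
        newConnection.exportedObject = self
        newConnection.resume()
        return true
    }

    func sessionDidBegin(uid: uid_t, reply: @escaping () -> Void) { registry.begin(uid); reply() }
    func sessionDidEnd(uid: uid_t, reply: @escaping () -> Void) { registry.end(uid); reply() }

    // The proxy is always running; session state decides per flow whether to claim it.
    // Returning false leaves the flow to the normal networking stack.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let token = flow.metaData.sourceAppAuditToken,
              let uid = ownerUID(from: token),
              registry.isActive(uid) else {
            return false
        }
        // Inspection and modification of the claimed flow would go here.
        return true
    }
}
```

On the agent side, an `NSXPCConnection(machServiceName:)` to the same name calls `sessionDidBegin(uid: getuid())` at launch and `sessionDidEnd` on termination; because the agent is tied to a session through `LimitLoadToSessionType`, the proxy learns about sessions coming and going without ever being started or stopped itself.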