Hello,
We have a Network Extension that implements NETransparentProxyProvider and filters TCP traffic on ports 80 and 443.
On macOS Monterey (21A5248p) with Private Relay enabled no connection from Safari is seen by our Network Extension (connections from other browsers are seen by our extension, so it's not a problem with the rules).
According to this forum post and App Proxy Provider documentation the connections should use the VPN. We also tested this with our Network Extension by inheriting from NEAppProxyProvider instead of NETransparentProxyProvider and the connections are seen by the extension.
My question is whether this is the intended behaviour for NETransparentProxyProvider or a bug. And if it is intended, is there a way to filter those connections while still using a Transparent Proxy?
Thank you!
Hello,
We have a network extension that until now was loaded using an app that has the same Team ID and everything loaded and worked fine.
We now want to make it possible for an application with a different Team ID to load it. As stated here - https://developer.apple.com/documentation/systemextensions?language=objc we manually added the com.apple.developer.system-extension.redistributable - https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_system-extension_redistributable?language=objc entitlement in the .entitlements file of the network extension (it does not appear in Xcode's Capabilities list). The extension was built, signed and notarised with success. When we tried to run it with exactly the same test application that we use all the time (that has the same Team ID), after allowing it from Security & Privacy and allowing the Add Proxy Configuration pop-up, it remains in the Connecting... state.
In system.log, every ~10 seconds these error messages appear: "Code has restricted entitlements, but the validation of its code signature failed." and "Binary is improperly signed."
The only difference between what we already have and works and this version is that we added the redistributable entitlement.
Full log:
(NetworkExtension.com.my-network-extension): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Library/SystemExtensions/{GUID}/com.my-network-extension.systemextension/Contents/MacOS/com.my-network-extension:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
(NetworkExtension.com.my-network-extension): Binary is improperly signed.
The output of codesign -d --entitlements :- com.my-network-extension.systemextension is:
Executable=/Users/myuser/path/com.my-network-extension.systemextension/Contents/MacOS/com.my-network-extension
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>MyTeamID.com.my-network-extension</string>
    <key>com.apple.developer.networking.custom-protocol</key>
    <true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.redistributable</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>MyTeamID</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>MyTeamID.com.application.group1</string>
        <string>MyTeamID.com.application.group2</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
    <array>
        <string>/path1/</string>
        <string>/path2/</string>
    </array>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/path/path3/</string>
    </array>
</dict>
</plist>
The output of security cms -D -i com.my-network-extension.systemextension/Contents/embedded.provisionprofile is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key>
    <string>My Network Extension</string>
    <key>ApplicationIdentifierPrefix</key>
    <array>
        <string>MyTeamID</string>
    </array>
    <key>CreationDate</key>
    <date>2020-08-12T09:40:28Z</date>
    <key>Platform</key>
    <array>
        <string>OSX</string>
    </array>
    <key>IsXcodeManaged</key>
    <false/>
    <key>DeveloperCertificates</key>
    <array>
        <data>***</data>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
            <string>dns-settings</string>
        </array>
        <key>com.apple.application-identifier</key>
        <string>MyTeamID.com.my-network-extension</string>
        <key>keychain-access-groups</key>
        <array>
            <string>MyTeamID.*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>MyTeamID</string>
        <key>com.apple.developer.networking.vpn.api</key>
        <array>
            <string>allow-vpn</string>
        </array>
        <key>com.apple.developer.networking.custom-protocol</key>
        <true/>
    </dict>
    <key>ExpirationDate</key>
    <date>2038-08-08T09:40:28Z</date>
    <key>Name</key>
    <string>My Network Extension Developer ID Profile</string>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>TeamIdentifier</key>
    <array>
        <string>MyTeamID</string>
    </array>
    <key>TeamName</key>
    <string>My Company Name</string>
    <key>TimeToLive</key>
    <integer>6570</integer>
    <key>UUID</key>
    <string>***</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>
Nothing related to the redistributable entitlement appears here.
On the App ID Configuration (on the apple developer site) there is no System Extension Redistributable Capability. Also, the Redistributable Entitlement Documentation - https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_system-extension_redistributable?language=objc does not mention that we need to request this entitlement from Apple as is stated for other entitlements (for example for Endpoint Security - https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_endpoint-security_client?language=objc).
We also tried to make a test application with a different Team ID, to exclude the unlikely case that, with this entitlement, it is mandatory for the application to have a different Team ID. As expected, it had exactly the same behaviour: it does not work.
A strange / unexpected behaviour is that we tried adding the entitlement with false instead of true, and it behaves in exactly the same way (same error). This made me think that maybe I made a mistake when I added it (a typo or wrong format), but the XML looks fine.
    <key>com.apple.developer.system-extension.redistributable</key>
    <false/>
We tested this on Big Sur 11.3.1. We tried with the extension's Developer ID signature and also with a Development signature (it happens in both cases, and without the redistributable entitlement it works).
Is the System Extension Redistributable Capability supposed to be on the App ID Configuration page, or do we have to make a request for it? (This seems unlikely since the documentation does not mention it.)
Is there something extra we were supposed to do and we missed it? Or is there something we did wrong?
Thank you!
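A quick way to see the mismatch the "Code has restricted entitlements" log line is complaining about is to diff the entitlements the binary claims against the Entitlements dict of its embedded provisioning profile. The script below is an added diagnostic example, not Apple tooling or the poster's code; the two plists are constructed inline from the trimmed outputs in the post above (on a Mac you would feed it the real output of codesign -d --entitlements :- and security cms -D -i), and it assumes, for this example only, that com.apple.security.* keys are enforced by the sandbox rather than the profile and so are skipped.

```python
import fnmatch
import plistlib

# Constructed from the thread's trimmed codesign output; not a real bundle.
SIGNED_ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.application-identifier</key><string>MyTeamID.com.my-network-extension</string>
<key>com.apple.developer.networking.custom-protocol</key><true/>
<key>com.apple.developer.networking.networkextension</key>
<array><string>app-proxy-provider-systemextension</string></array>
<key>com.apple.developer.system-extension.redistributable</key><true/>
<key>com.apple.developer.team-identifier</key><string>MyTeamID</string>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.network.client</key><true/>
</dict></plist>"""

# Constructed from the thread's trimmed `security cms -D` output (Entitlements dict only).
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Entitlements</key><dict>
<key>com.apple.developer.system-extension.install</key><true/>
<key>com.apple.developer.networking.networkextension</key>
<array><string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string></array>
<key>com.apple.application-identifier</key><string>MyTeamID.com.my-network-extension</string>
<key>keychain-access-groups</key><array><string>MyTeamID.*</string></array>
<key>com.apple.developer.team-identifier</key><string>MyTeamID</string>
<key>com.apple.developer.networking.custom-protocol</key><true/>
</dict></dict></plist>"""

# Assumption for this example: sandbox-family keys are not granted by the profile
# (they are absent from the profile above yet the build works without redistributable).
UNRESTRICTED_PREFIXES = ("com.apple.security.",)

def _granted(claimed, allowed):
    """True if the profile value covers the claimed value; string values may use '*' globs."""
    if isinstance(claimed, list) and isinstance(allowed, list):
        return all(any(fnmatch.fnmatchcase(item, pat) for pat in allowed) for item in claimed)
    if isinstance(claimed, str) and isinstance(allowed, str):
        return fnmatch.fnmatchcase(claimed, allowed)
    return claimed == allowed

def unsatisfied_entitlements(signed_xml, profile_xml):
    """Return the sorted keys the binary claims that its embedded profile does not grant."""
    signed = plistlib.loads(signed_xml)
    granted = plistlib.loads(profile_xml).get("Entitlements", {})
    return sorted(key for key, value in signed.items()
                  if not key.startswith(UNRESTRICTED_PREFIXES)
                  and (key not in granted or not _granted(value, granted[key])))

if __name__ == "__main__":
    for key in unsatisfied_entitlements(SIGNED_ENTITLEMENTS_XML, PROFILE_XML):
        print("claimed by binary but not granted by profile:", key)
```

On the post's data the only key reported is com.apple.developer.system-extension.redistributable, which matches the "Unsatisfied Entitlements" log entry: the profile, not the .entitlements file, is what has to carry it.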