Reply to Network Extension Unsatisfied entitlements: com.apple.security.application-groups
Hi, doing 1. Change entitlement content-filter-provider to content-filter-provider-systemextension manually: the NE now runs. That is great. But still the gatekeeper and the amfi say the NE is not OK. What should we make of those messages ...

195 error 20:38:20.940263+0300 cfprefsd rejecting read of { kCFPreferencesAnyApplication, kCFPreferencesAnyUser, kCFPreferencesCurrentHost, no container, managed: 0 } from process 10864 (taskgated-helper) because accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
10864 fault 20:38:20.940504+0300 taskgated-helper Couldn't read values in CFPrefsPlistSource<0x7fdf6552ca90> (Domain: kCFPreferencesAnyApplication, User: kCFPreferencesAnyUser, ByHost: Yes, Container: (null), Contents Need Refresh: No): accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
10864 default 20:38:20.948316+0300 taskgated-helper Checking against 1 eligible provisioning profiles
10864 default 20:38:20.948424+0300 taskgated-helper Checking profile: SimpleFireExt
10864 default 20:38:20.948455+0300 taskgated-helper allowing entitlement(s) for com.jon.SimpleFirewall.SimpleFirewallExtension due to provisioning profile (isUPP: 1)
10864 default 20:38:20.954018+0300 taskgated-helper Checking against 1 eligible provisioning profiles
10864 default 20:38:20.954112+0300 taskgated-helper Checking profile: SimpleFireExt
10864 error 20:38:20.954148+0300 taskgated-helper com.jon.SimpleFirewall.SimpleFirewallExtension: Unsatisfied entitlements: com.apple.security.application-groups
10864 error 20:38:20.954164+0300 taskgated-helper Disallowing: com.jon.SimpleFirewall.SimpleFirewallExtension

Thanks!
May ’20
Reply to Network Extension Unsatisfied entitlements: com.apple.security.application-groups
Hi, my NE Sysex is notarized and runs correctly, the group IDs are correct. But the amfi and taskgate print errors. The "Disallowing:" log message doesn't really seem to affect the run of the extension. Are these log warnings misleading?

I have the Group ID capability in the Identifier on the Dev Site disabled. I thought that might be a problem. I added the Group ID to the Identifier, which by the way requires the "group." prefix. It did not help. The warning logs continue.

Thanks.
Jun ’20
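The two replies above both come down to whether the application-groups values the extension's entitlements request are covered by the embedded provisioning profile. As an added illustration (not code from the thread or from Apple), the script below parses a constructed entitlements plist and compares it against a constructed profile "Entitlements" dictionary, reporting keys the profile does not grant; the group identifiers and team ID are placeholders, and the comparison is an approximation of a profile check, not taskgated-helper's actual logic.

```python
# Added example: approximate "unsatisfied entitlements" check (not Apple's implementation).
import plistlib

# Constructed entitlements plist, in the shape `codesign -d --entitlements :- <path>` prints.
EXT_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>content-filter-provider-systemextension</string></array>
  <key>com.apple.security.application-groups</key>
  <array><string>group.com.example.simplefirewall</string></array>
  <key>com.apple.security.app-sandbox</key><true/>
</dict></plist>"""

# Constructed "Entitlements" dict from a provisioning profile
# (`security cms -D -i embedded.provisionprofile` dumps the profile plist).
# EXAMPLETEAMID is a placeholder; the group prefix deliberately differs from the request.
PROFILE_ENTITLEMENTS = {
    "com.apple.developer.networking.networkextension": ["content-filter-provider-systemextension"],
    "com.apple.security.application-groups": ["EXAMPLETEAMID.com.example.simplefirewall"],
    "com.apple.security.app-sandbox": True,
}


def unsatisfied_entitlements(entitlements_plist: bytes, profile_entitlements: dict) -> list:
    """Return the requested entitlement keys the profile does not grant.

    Array-valued entitlements are treated as allow-lists: every requested value
    must appear in the profile's array. Scalar entitlements must be present and equal.
    """
    requested = plistlib.loads(entitlements_plist)
    problems = []
    for key, value in requested.items():
        allowed = profile_entitlements.get(key)
        if allowed is None:
            problems.append(key)  # profile does not carry this entitlement at all
        elif isinstance(value, list):
            allowed_values = allowed if isinstance(allowed, list) else [allowed]
            if not set(value) <= set(allowed_values):
                problems.append(key)  # at least one requested value is not granted
        elif value != allowed:
            problems.append(key)
    return sorted(problems)


if __name__ == "__main__":
    for key in unsatisfied_entitlements(EXT_ENTITLEMENTS, PROFILE_ENTITLEMENTS):
        print("Unsatisfied entitlement:", key)
```

With the constructed inputs the only mismatch is com.apple.security.application-groups, the same key taskgated-helper reports in the log above.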
Reply to Network Extension and Restrictive Sandbox
I confirm that the sandboxed NE sysex does create the Group Container in /private/var/root/Library/Group Containers, therefore it is different from the container app, which is in /Users/me.user/Library/Group\ Containers.

I can access files in /private/var/root/Library/Group Containers. I have been able to connect to a UNIX socket in /private/var/root/Library/Group Containers.

Does this mean that for a NE Sysex on Mac: it DOES NOT run in a very restrictive sandbox. The sandbox DOES NOT prevent the Filter Data Provider extension from moving network content outside of its address space by blocking all network access, IPC, and disk write operations. (?)

Thanks!
Jun ’20