Anand thanks a lot!

The extension is running now after doing:

1. Change entitlement content-filter-provider to content-filter-provider-systemextension manually

However Gatekeeper and AMFI are less than happy with it. I don't know how it works after they both explicitly say the extension is incorrect. Maybe Apple can give some input on this.

Thanks.

195 error 23:25:16.399045+0300 cfprefsd rejecting read of { kCFPreferencesAnyApplication, kCFPreferencesAnyUser, kCFPreferencesCurrentHost, no container, managed: 0 } from process 6233 (taskgated-helper) because accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
6233 fault 23:25:16.399271+0300 taskgated-helper Couldn't read values in CFPrefsPlistSource<0x7f926a008250> (Domain: kCFPreferencesAnyApplication, User: kCFPreferencesAnyUser, ByHost: Yes, Container: (null), Contents Need Refresh: No): accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
6233 default 23:25:16.405208+0300 taskgated-helper Checking against 1 eligible provisioning profiles
6233 default 23:25:16.405311+0300 taskgated-helper Checking profile: SimpleFireApp
6233 default 23:25:16.405338+0300 taskgated-helper allowing entitlement(s) for com.jon.SimpleFirewall due to provisioning profile (isUPP: 1)
6233 default 23:25:16.409375+0300 taskgated-helper Checking against 1 eligible provisioning profiles
6233 default 23:25:16.409461+0300 taskgated-helper Checking profile: SimpleFireApp
6233 error 23:25:16.409482+0300 taskgated-helper com.jon.SimpleFirewall: Unsatisfied entitlements: com.apple.security.application-groups
6233 error 23:25:16.409497+0300 taskgated-helper Disallowing: com.jon.SimpleFirewall
6233 default 23:26:08.907228+0300 taskgated-helper Checking against 1 eligible provisioning profiles
6233 default 23:26:08.907412+0300 taskgated-helper Checking profile: SimpleFireExt
6233 default 23:26:08.907597+0300 taskgated-helper allowing entitlement(s) for com.jon.SimpleFirewall.SimpleFirewallExtension due to provisioning profile (isUPP: 1)
6233 default 23:26:08.913929+0300 taskgated-helper Checking against 1 eligible provisioning profiles
6233 default 23:26:08.914019+0300 taskgated-helper Checking profile: SimpleFireExt
6233 error 23:26:08.914041+0300 taskgated-helper com.jon.SimpleFirewall.SimpleFirewallExtension: Unsatisfied entitlements: com.apple.security.application-groups
6233 error 23:26:08.914062+0300 taskgated-helper Disallowing: com.jon.SimpleFirewall.SimpleFirewallExtension
Thanks Matt!

I see that Chrome is trying to reach port 53 (DNS):
0x232948 20:07:18.106075+0300 com.xxxx (2436633849): New flow: NEFlow type = datagram, app = com.google.Chrome, name = , address = 192.168.68.1, port = 53, filter_id = , interface = en0
0x232948 20:07:18.106439+0300 com.*** (2746240844): New flow: NEFlow type = datagram, app = com.google.Chrome, name = , address = 192.168.68.1, port = 53, filter_id = , interface = en0
0x232948 20:07:18.106847+0300 com.*** (1652494299): New flow: NEFlow type = datagram, app = com.google.Chrome, name = , address = 10.0.0.10, port = 53, filter_id = , interface = en0
I return "flow not accepted". I do the same for 443 (in App Proxy, not Per-App Proxy) and it falls back to TCP. But it seems it is not doing it for the 53 case (in Per-App).

I do have a NENetworkRule that accepts 443 to then reject it to force a TCP fallback.

I'm not sure why I get the 53 flow. I don't have any rule for it, and it seems it can be set in any rule.

According to the .h, include/exclude rules do not accept 53 (below), so I can't really enforce anything on 53.

In App Proxy I do get only 443 UDP via a rule (includedNetworkRules). Do you think it is possible to do the same in Per-App Proxy? Could it be that Per-App sends everything to the NE and does not really use the NENetworkRules?
/*!
 * @property includedNetworkRules
 * @discussion An array of NENetworkRule objects that collectively specify the traffic that will be routed through the transparent proxy. The following restrictions
 *    apply to each NENetworkRule in this list:
 *    Restrictions for rules with an address endpoint:
 *        If the port string of the endpoint is "0" or is the empty string, then the address of the endpoint must be a non-wildcard address (i.e. "0.0.0.0" or "::").
 *        If the address is a wildcard address (i.e. "0.0.0.0" or "::"), then the port string of the endpoint must be non-empty and must not be "0".
 *        A port string of "53" is not allowed. Destination Domain-based rules must be used to match DNS traffic.
 *        The matchLocalNetwork property must be nil.
 *        The matchDirection property must be NETrafficDirectionOutbound.
 */
@property (copy, nullable) NSArray<NENetworkRule *> *includedNetworkRules API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos) __WATCHOS_PROHIBITED;

/*!
 * @property excludedNetworkRules
 * @discussion An array of NENetworkRule objects that collectively specify the traffic that will not be routed through the transparent proxy. The following restrictions
 *    apply to each NENetworkRule in this list:
 *    Restrictions for rules with an address endpoint:
 *        If the port string of the endpoint is "0" or is the empty string, then the address of the endpoint must be a non-wildcard address (i.e. "0.0.0.0" or "::").
 *        If the address is a wildcard address (i.e. "0.0.0.0" or "::"), then the port string of the endpoint must be non-empty and must not be "0".
 *        A port string of "53" is not allowed. Destination Domain-based rules must be used to match DNS traffic.
 *        The matchLocalNetwork property must be nil.
 *        The matchDirection property must be NETrafficDirectionOutbound.
 */
@property (copy, nullable) NSArray<NENetworkRule *> *excludedNetworkRules API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos) __WATCHOS_PROHIBITED;
Sorry, I set it as resolved by mistake; I don't know how to undo it.
What I'm after is that the UDP 53 will not be redirected to the NE, or some way to tell the system to get the 53 requests directly out without sending them to the NE.
Getting the 53 traffic and rejecting it causes Chrome to drop the connection, it seems.
Is there any way to set network rules at the mobileconfig level, where we set the AppLayerVPNMapping?
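To make the includedNetworkRules restrictions quoted from the header concrete, and to show the "decline the UDP flow so the app falls back to TCP" approach described earlier in the thread, here is an added Swift example. It is not code from the poster's project or from Apple's samples. It builds a transparent-proxy settings object whose rules use a wildcard address with an explicit port (allowed) and a destination domain-based rule in place of the disallowed port "53" rule, then declines every UDP flow from handleNewFlow. The class name, the "dns.example.net" resolver name and the loopback tunnelRemoteAddress are assumptions; the rule semantics are those stated in the quoted header and in the NENetworkRule initializer documentation.

```swift
import NetworkExtension

// Hypothetical transparent proxy provider written to illustrate the
// NETransparentProxyNetworkSettings.h restrictions quoted in this thread.
// Not the poster's code; all identifiers below are invented for the example.
final class ExampleTransparentProxyProvider: NETransparentProxyProvider {

    // Build the settings handed to setTunnelNetworkSettings(_:completionHandler:).
    static func makeNetworkSettings() -> NETransparentProxyNetworkSettings {
        // tunnelRemoteAddress is required by the API but carries no meaning for a
        // transparent proxy; a loopback placeholder is used here (assumption).
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")

        // Wildcard address + explicit port: permitted because the port string is
        // non-empty and not "0". Prefix 0 makes "0.0.0.0" match every IPv4 destination.
        // Both TCP and UDP 443 are routed to the provider; handleNewFlow below then
        // declines the UDP (QUIC) flows so the app retries over TCP.
        let https443 = NENetworkRule(
            destinationNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"),
            prefix: 0,
            protocol: .any)

        // A rule whose port string is "53" is rejected when the settings are applied.
        // The header says DNS must be matched with destination domain-based rules, so
        // the resolver is named by hostname and the port is left as "0" (any port).
        // "dns.example.net" is a constructed placeholder, not a real resolver.
        let dnsByDomain = NENetworkRule(
            destinationHost: NWHostEndpoint(hostname: "dns.example.net", port: "0"),
            protocol: .UDP)

        // Both convenience initializers produce outbound rules with matchLocalNetwork
        // unset, which satisfies the remaining two restrictions in the header.
        settings.includedNetworkRules = [https443, dnsByDomain]
        return settings
    }

    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        setTunnelNetworkSettings(Self.makeNetworkSettings()) { error in
            completionHandler(error)
        }
    }

    // For a transparent proxy, returning false tells the system the provider is not
    // taking the flow, and the flow proceeds through the normal network stack.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        return Self.shouldProxy(flow)
    }

    // Policy: proxy TCP flows, decline UDP flows. With the rules above the only UDP
    // reaching the provider is 443, so declining it forces the TCP 443 fallback the
    // thread describes. UDP flows expose no remote endpoint at this point, so the
    // decision has to be made on flow type, not on the destination port.
    static func shouldProxy(_ flow: NEAppProxyFlow) -> Bool {
        if flow is NEAppProxyUDPFlow {
            return false
        }
        return flow is NEAppProxyTCPFlow
    }
}
```

The settings object is validated when setTunnelNetworkSettings is called, so a rule that violates one of the header restrictions (for example a port "53" address rule) surfaces as an error in the completion handler rather than at construction time; checking that error is the quickest way to confirm a rule set is acceptable before looking at which flows arrive.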