Please ignore question 2 of my original request. Getting information on failed inbound connections is not necessary.

However, please note that I've also found that all outbound UDP connections have a 0 source address:

```
0.0.0.0:235 -> 192.168.56.105:9000
```

Is this expected? Seems like a bug.
I've been looking into using PacketProvider along with DataProvider with no luck. Is there any way to get pid and exe from `NEFilterPacketContext` in PacketProvider?
I don't believe this answers the question. The original question says `Specifically, I'd like to know things like which applications generated the packet...`. How would you link this to a pid or exe?
Hi everyone, the app & system extension is now working on a SIP-enabled device. Correct entitlements AND notarization were required. May I suggest detailing somewhere in the logs whether the issue is with signature, or entitlements, or notarization? And specifically which entitlement. During the notarization process you get clear instructions on what's missing if it fails. But whilst trying to run the app you just get a generic error on something to do with the many signing requirements. Thank you very much for all your help on this one. BR
The latest details are below.

`codesign -d -vvv --entitlements :- /path/to/APP`:

```
Executable=[PATH_TO_EXE]
Identifier=[PREFIX].[APP_NAME]
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=3213 flags=0x0(none) hashes=92+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=98c28a99a6530599c6f781b5e1f2cce7bd3f8d21
CandidateCDHashFull sha256=98c28a99a6530599c6f781b5e1f2cce7bd3f8d21a680686653f40781d46fbb10
Hash choices=sha256
CMSDigest=98c28a99a6530599c6f781b5e1f2cce7bd3f8d21a680686653f40781d46fbb10
CMSDigestType=2
CDHash=98c28a99a6530599c6f781b5e1f2cce7bd3f8d21
Signature size=4663
Authority=Developer ID Application: [COMPANY_ID]
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=[TIME]
Info.plist entries=26
TeamIdentifier=[TEAM_ID]
Sealed Resources version=2 rules=13 files=10
Internal requirements count=1 size=240
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>[TEAM_ID].[PREFIX].[APP_NAME]</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider-systemextension</string>
        <string>packet-tunnel-provider-systemextension</string>
        <string>app-proxy-provider-systemextension</string>
        <string>dns-proxy-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>[TEAM_ID]</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>[TEAM_ID].[PREFIX]</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
</dict>
</plist>
```

`security cms -D -i path/to/app`:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key>
    <string>Applet required to launch network extensions</string>
    <key>ApplicationIdentifierPrefix</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>CreationDate</key>
    <date>[DATE]</date>
    <key>Platform</key>
    <array>
        <string>OSX</string>
    </array>
    <key>IsXcodeManaged</key>
    <false/>
    <key>DeveloperCertificates</key>
    <array>
        <data>[DATA]</data>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
        </array>
        <key>com.apple.application-identifier</key>
        <string>[TEAM_ID].[PREFIX].[APP_NAME]</string>
        <key>keychain-access-groups</key>
        <array>
            <string>[TEAM_ID].*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>[TEAM_ID]</string>
    </dict>
    <key>ExpirationDate</key>
    <date>[DATE]</date>
    <key>Name</key>
    <string>[APP_NAME] Distribution DevID</string>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>TeamIdentifier</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>TeamName</key>
    <string>[COMPANY_NAME]</string>
    <key>TimeToLive</key>
    <integer>6570</integer>
    <key>UUID</key>
    <string>[UUID]</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>
```

`codesign -d -vvv --entitlements :- /path/to/APP/path/to/embedded_EXTENSION`:

```
Identifier=.[PREFIX].[EXT_NAME]
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=3747 flags=0x0(none) hashes=109+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=f37637fcbeebf8b56802309170d79a80d41b94a3
CandidateCDHashFull sha256=f37637fcbeebf8b56802309170d79a80d41b94a38d2c8cce69dfce9a57ef790d
Hash choices=sha256
CMSDigest=f37637fcbeebf8b56802309170d79a80d41b94a38d2c8cce69dfce9a57ef790d
CMSDigestType=2
CDHash=f37637fcbeebf8b56802309170d79a80d41b94a3
Signature size=4663
Authority=Developer ID Application: [COMPANY_ID]
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Mar 3, 2020 at 10:18:28 AM
Info.plist entries=22
TeamIdentifier=[TEAM_ID]
Sealed Resources version=2 rules=13 files=2
Internal requirements count=1 size=228
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>[TEAM_ID].[PREFIX].[EXT_NAME]</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider-systemextension</string>
        <string>packet-tunnel-provider-systemextension</string>
        <string>app-proxy-provider-systemextension</string>
        <string>dns-proxy-systemextension</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>[TEAM_ID]</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>[TEAM_ID].[PREFIX]</string>
    </array>
</dict>
</plist>
```

`security cms -D -i path/to/app/path/embedded/ext`:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key>
    <string>[description]</string>
    <key>ApplicationIdentifierPrefix</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>CreationDate</key>
    <date>[DATE]</date>
    <key>Platform</key>
    <array>
        <string>OSX</string>
    </array>
    <key>IsXcodeManaged</key>
    <false/>
    <key>DeveloperCertificates</key>
    <array>
        <data>[DATA]</data>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
        </array>
        <key>com.apple.application-identifier</key>
        <string>[TEAM_ID].[PREFIX].[EXT_NAME]</string>
        <key>keychain-access-groups</key>
        <array>
            <string>[TEAM_ID].*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>[TEAM_ID]</string>
    </dict>
    <key>ExpirationDate</key>
    <date>[DATE]</date>
    <key>Name</key>
    <string>[NAME]</string>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>TeamIdentifier</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>TeamName</key>
    <string>[COMPANY_NAME]</string>
    <key>TimeToLive</key>
    <integer>6570</integer>
    <key>UUID</key>
    <string>[UUID]</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>
```
I noticed that I had mixed responses with another question here (https://forums.developer.apple.com/thread/129794) which has now been answered. Continuing information relevant to this thread here.

I indeed got a lot more useful information from sysextd. Below is a redacted list of events:

- staging extension with identifier [APP_ID]
- Making activation decision for extension with teamID teamID("[TEAM_ID]"), identifier [APP_ID]
- Extension with teamID teamID([TEAM_ID]), identifier [APP_ID] is not in the list of allowed extensions.
- Activation decision for extension with teamID teamID("[TEAM_ID]"), identifier [APP_ID] is UserOption
- validating extension with identifier [APP_ID]
- MacOS error: 3
- Error checking with notarization daemon: 3
- bundle code signature is not valid - does not satisfy requirement: -67050 code failed to satisfy specified code requirement(s)
- extension failed to validate! uninstalling...

I don't see the extension appearing in Security & Privacy settings for me to allow it. Is there some other way of explicitly allowing this?
Adding --timestamp=none to the "other code signing flags" options in the build settings causes it to successfully build through xcodebuild, thank you. Still experiencing the unallowed extension error as described in my other comment. BR
Thank you for this! I indeed got a lot more useful information. Below is a redacted list of events:

- staging extension with identifier [APP_ID]
- Making activation decision for extension with teamID teamID("[TEAM_ID]"), identifier [APP_ID]
- Extension with teamID teamID([TEAM_ID]), identifier [APP_ID] is not in the list of allowed extensions.
- Activation decision for extension with teamID teamID("[TEAM_ID]"), identifier [APP_ID] is UserOption
- validating extension with identifier [APP_ID]
- MacOS error: 3
- Error checking with notarization daemon: 3
- bundle code signature is not valid - does not satisfy requirement: -67050 code failed to satisfy specified code requirement(s)
- extension failed to validate! uninstalling...

I don't see the extension appearing in Security & Privacy settings for me to allow it. Is there some other way of explicitly allowing this?
This is useful to know, thank you. Unfortunately I'm still experiencing the same codesigning issue "The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 8.)" Note I've checked that indeed the get-task-allow entitlement had disappeared. com.apple.security.app-sandbox was true. Any other ideas? Best Regards.
One more thing to note is that when I build through the Xcode GUI (not `xcodebuild`) and transfer products to a SIP-enabled machine, I observe some odd behaviour. The endpoint security extension works fine if it's started through `launchd`, as does the app that's used to launch the system extension. But launching the system extension itself fails with a codesigning error `The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 8.)`
Thank you very much for all your help. I've tried explicitly setting get-task-allow > false and adding sandboxing. I get the same error. I think this may be related to a problem I'm having while building. Building the project through Xcode finishes successfully (in debug and release) but automatically adds the "get-task-allow" entitlement, which is required for the Xcode debugger to hook into it. Building a release configuration through the utility `xcodebuild` fails on the `codesign` task with "invalid or unsupported format for signature". Note that my dev machine is offline and I have the correct developer application certificate and key in the keychain.
For both the system extension and its companion app? Why would you want a system extension to be sandboxed? Seems like you'd only ever want these to be run as root.
I wonder if there are some entitlement requirements that are either conflicting or missing. For the sake of completeness, below is a redacted version of the profiles and entitlements I'm using for an app with an embedded content filter system extension. NOTE this is a debug build.

App entitlements, output from `codesign -d --entitlements - [APP_PATH].app`:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>[TEAM_ID].[APP_ID]</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider-systemextension</string>
        <string>packet-tunnel-provider-systemextension</string>
        <string>app-proxy-provider-systemextension</string>
        <string>dns-proxy-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>[TEAM_ID]</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>[TEAM_ID].[APP_PREFIX]</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
```

App provisioning profile, output from `security cms -D -i embedded.provisioningprofile`:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key>
    <string>[NAME]</string>
    <key>ApplicationIdentifierPrefix</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>CreationDate</key>
    <date>[DATE]</date>
    <key>Platform</key>
    <array>
        <string>OSX</string>
    </array>
    <key>IsXcodeManaged</key>
    <false/>
    <key>DeveloperCertificates</key>
    <array>
        <data>[DATA]</data>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
        </array>
        <key>com.apple.application-identifier</key>
        <string>[TEAM_ID].[APP_ID]</string>
        <key>keychain-access-groups</key>
        <array>
            <string>[TEAM_ID].*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>[TEAM_ID]</string>
    </dict>
    <key>ExpirationDate</key>
    <date>[EXPIRE_DATE]</date>
    <key>Name</key>
    <string>[NAME]</string>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>TeamIdentifier</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>TeamName</key>
    <string>[TEAM_NAME]</string>
    <key>TimeToLive</key>
    <integer>6570</integer>
    <key>UUID</key>
    <string>[UUID]</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>
```

Embedded system extension entitlements:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>[TEAM_ID].[APP_ID]</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider-systemextension</string>
        <string>packet-tunnel-provider-systemextension</string>
        <string>app-proxy-provider-systemextension</string>
        <string>dns-proxy-systemextension</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>[TEAM_ID]</string>
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>[TEAM_ID].[APP_PREFIX]</string>
    </array>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
```

Embedded system extension profile:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key>
    <string>[NAME]</string>
    <key>ApplicationIdentifierPrefix</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>CreationDate</key>
    <date>[DATE]</date>
    <key>Platform</key>
    <array>
        <string>OSX</string>
    </array>
    <key>IsXcodeManaged</key>
    <false/>
    <key>DeveloperCertificates</key>
    <array>
        <data>[DATA]</data>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
        </array>
        <key>com.apple.application-identifier</key>
        <string>[TEAM_ID].[APP_ID]</string>
        <key>keychain-access-groups</key>
        <array>
            <string>[TEAM_ID].*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>[TEAM_ID]</string>
    </dict>
    <key>ExpirationDate</key>
    <date>[DATE]</date>
    <key>Name</key>
    <string>[NAME]</string>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>TeamIdentifier</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>TeamName</key>
    <string>[TEAM_NAME]</string>
    <key>TimeToLive</key>
    <integer>6570</integer>
    <key>UUID</key>
    <string>[UUID]</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>
```

I hope this helps to debug this issue.
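The two posts in this thread that paste `codesign -d --entitlements :-` and `security cms -D` output (the one above and the later "latest details" one) are asking the reader to do the same comparison by eye: every restricted entitlement sealed into the signature has to be granted by the `Entitlements` dict of the embedded provisioning profile, and array-valued entitlements such as `com.apple.developer.networking.networkextension` are printed in a different order in the two dumps, which makes eyeballing unreliable. The checker below is an added example (my code, not from the thread or from Apple). Its sample plists are constructed to mirror the redacted debug-build dumps above, so it runs offline; on a Mac you would feed it the real output of the two commands. The rule it uses for "restricted" (anything under `com.apple.developer.` plus `com.apple.application-identifier`) is my own rule of thumb, and the three keys it reports as unrestricted (`app-groups`, `files.user-selected.read-only`, `get-task-allow`) are simply the ones the profiles on this page do not carry. The second profile, with `content-filter-provider-systemextension` removed, is constructed to show what the mismatch asked about in the "additional entitlement" question looks like.

```python
"""Compare the entitlements sealed into a code signature with what the
embedded provisioning profile grants.  Added example, not the thread's code.

On macOS the two inputs come from:
    codesign -d --entitlements :- /path/to/App.app
    security cms -D -i /path/to/App.app/Contents/embedded.provisionprofile
"""
import plistlib
from typing import Dict

# Constructed sample: signed entitlements of the debug app build from the
# thread, placeholders kept as they appear there.
SIGNED_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.application-identifier</key><string>[TEAM_ID].[APP_ID]</string>
  <key>com.apple.developer.networking.networkextension</key>
  <array>
    <string>content-filter-provider-systemextension</string>
    <string>packet-tunnel-provider-systemextension</string>
    <string>app-proxy-provider-systemextension</string>
    <string>dns-proxy-systemextension</string>
  </array>
  <key>com.apple.developer.system-extension.install</key><true/>
  <key>com.apple.developer.team-identifier</key><string>[TEAM_ID]</string>
  <key>com.apple.security.application-groups</key>
  <array><string>[TEAM_ID].[APP_PREFIX]</string></array>
  <key>com.apple.security.files.user-selected.read-only</key><true/>
  <key>com.apple.security.get-task-allow</key><true/>
</dict></plist>"""

# Constructed sample: the matching profile, trimmed to the keys used here.
# Only its "Entitlements" dict is read; note the array order differs.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Name</key><string>[NAME]</string>
  <key>TeamIdentifier</key><array><string>[TEAM_ID]</string></array>
  <key>Entitlements</key>
  <dict>
    <key>com.apple.developer.system-extension.install</key><true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
      <string>packet-tunnel-provider-systemextension</string>
      <string>app-proxy-provider-systemextension</string>
      <string>content-filter-provider-systemextension</string>
      <string>dns-proxy-systemextension</string>
    </array>
    <key>com.apple.application-identifier</key><string>[TEAM_ID].[APP_ID]</string>
    <key>keychain-access-groups</key><array><string>[TEAM_ID].*</string></array>
    <key>com.apple.developer.team-identifier</key><string>[TEAM_ID]</string>
  </dict>
</dict></plist>"""

# Constructed failure case: same profile, but the content-filter provider was
# never added to the App ID, so the profile does not grant it.
PROFILE_WITHOUT_CONTENT_FILTER = PROFILE.replace(
    b"<string>content-filter-provider-systemextension</string>", b"")

# Rule of thumb (assumption): these are the keys a profile must grant.
RESTRICTED_PREFIX = "com.apple.developer."
RESTRICTED_KEYS = {"com.apple.application-identifier"}


def entitlement_gaps(signed_plist: bytes, profile_plist: bytes) -> Dict[str, str]:
    """Return {entitlement: reason} for each signed entitlement the profile
    does not grant.  Arrays are compared as sets and the signed values must
    be a subset of the granted ones; scalars must match exactly."""
    signed = plistlib.loads(signed_plist)
    granted = plistlib.loads(profile_plist).get("Entitlements", {})
    gaps: Dict[str, str] = {}
    for key, value in signed.items():
        if key not in granted:
            gaps[key] = "not granted by profile"
        elif isinstance(value, list) and isinstance(granted[key], list):
            extra = sorted(set(value) - set(granted[key]))
            if extra:
                gaps[key] = "profile lacks: " + ", ".join(extra)
        elif value != granted[key]:
            gaps[key] = f"signed={value!r}, profile={granted[key]!r}"
    return gaps


def restricted_gaps(gaps: Dict[str, str]) -> Dict[str, str]:
    """Keep only the gaps that actually need a profile to grant them."""
    return {k: v for k, v in gaps.items()
            if k.startswith(RESTRICTED_PREFIX) or k in RESTRICTED_KEYS}


def check(signed_plist: bytes, profile_plist: bytes) -> bool:
    """Print one line per gap; True when no restricted entitlement is missing."""
    gaps = entitlement_gaps(signed_plist, profile_plist)
    restricted = restricted_gaps(gaps)
    for key, why in gaps.items():
        tag = "RESTRICTED" if key in restricted else "unrestricted"
        print(f"[{tag}] {key}: {why}")
    return not restricted


if __name__ == "__main__":
    print("debug app vs its profile:", "OK" if check(SIGNED_APP, PROFILE) else "FAIL")
    print("same app vs profile lacking content-filter:",
          "OK" if check(SIGNED_APP, PROFILE_WITHOUT_CONTENT_FILTER) else "FAIL")
```

Against the sample pair the only gaps are the three `com.apple.security.*` keys, which the checker reports but does not treat as fatal; against the trimmed profile it flags `com.apple.developer.networking.networkextension` as lacking `content-filter-provider-systemextension`, which is the kind of mismatch to rule out before chasing the signature or notarization side of a `code failed to satisfy specified code requirement(s)` failure.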
Adding this entitlement, I'm still experiencing issues. When attempting to start the extension, I get "The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 8.)" Is there a way of getting more information from this?
Thanks for the info. I'm using a content filter provider filtering on flows. Are you telling me that I require an additional entitlement of "content-filter-provider-systemextension"? BR