I had SIP disabled, because I was developing system extensions and signing the app with development prov.profile. I also tried to enable SIP in hope kernel might pinpoint potentially offending kernel extension.My machine is unable to boot up with SIP disabled and enabled, it makes no difference.I also deleted app in Debug folder and another copy in /Applications to remove system extension. I actually did that while the machine was still in normal mode only with broken network, before reboot (before hitting "Critical update required" popup).It looks like System Extensions can render mac totally unusable just like kernel extensions.Yes, we do have virtual machines on VPN, these can be restored quicker than our machines, but that's not optimal either as you can easily cut off the network when filtering traffic, especially in early stages of development. Believe me, I wouldn't develop system extensions as an indie developer, trying to sell security apps on my own.Sometimes you just want to test something small on your machine. In my case I was trying to figure out minimal set of entitlements (for example if system extension and app need App Group entitlement in order to communicate) and I also tried to create framework, which would be used by the app and system extension (to use common classes in both targets, like IPC commiunication, filter rules, etc).System Extensions are supposed to run in user space and should be safe without the ability to break kernel (definitely not to the point of total recovery required).It's also not clear to me if that framework needs to be integrate with "Do not embed", "Embed without signing" or "Embed and sign". At the time of the failure I was using "Do not embed" in both app and system extension. I'm thinking that perhaps extension trying to use the common framework was prevented by OS security and that's what may have caused total network block. No network connection could then pass through. I thought that simply deleting app with extension should automatically disable system extension and any configuration setup by extension using NEFilterConfiguration.At least I have learned how to write a virus that can disable mac :-)Anyway, I'm restoring the machine now, there does not appear to be a fix for this.