We are deploying a network extension. We want to have as little user interaction as possible during the initial extension loading. It seems like the SystemExtensions MDM payload documented here could be used to this end, but I have only been able to bypass the Security & Privacy System Preferences step. I still see the "xxxx would like to Filter Network Content" alert.
Is there a way to bypass this final step and have the extension allowed without user approval?
I'm working on a FilterDataProvider network extension that works in conjunction with our global proxy app. Traffic that is bound for the proxy does not pass through the extension but outbound traffic from the proxy does.
This outbound traffic needs to be identified so that we don't attempt to filter it. I have code that will convert the sourceAppAuditToken into a bundle ID but the call to SecCodeCopyGuestWithAttributes fails because the sourceAppAuditToken does not contain a value. Here's an excerpt from the logs:
09:27:01.972400 (0): Flow 687496262 is connecting com.apple.networkextension
09:27:01.972655 (687496262): New flow: NEFlow type = stream, app = proxyApp, name = , 192.168.1.170:0 <-> 13.107.136.9:443, filter_id = D89B5B5D-793C-4940-77D4-60DF35207800, interface = en0 com.apple.networkextension
09:27:01.973080 [Extension com.sophos.endpoint.network]: Calling handleNewFlow with TCP proxyApp[{length = 20, bytes = 0x4bf6e2f6f76b530341761afce6c7d0c01330af54}] remote: 13.107.136.9:443 interface en0 com.apple.networkextension
09:27:01.973873 [Extension com.sophos.endpoint.network]: provider rejected new flow TCP proxyApp[{length = 20, bytes = 0x4bf6e2f6f76b530341761afce6c7d0c01330af54}] remote: 13.107.136.9:443 interface en0 com.apple.networkextension
09:27:01.974305 (687496262): Destroying, client tx 0, client rx 0, kernel rx 0, kernel tx 0 com.apple.networkextension
09:27:01.978701 UUID cache generation changed from 18791 to 18792 com.apple.networkextension
09:27:01.979738 Failed to find proxyApp in LaunchServices com.apple.networkextension
09:27:01.980046 Failed to find proxyApp using neagent com.apple.networkextension
09:27:01.980610 +[NEProcessInfo copyUUIDsForFatBinary:]: failed to get uuid for offset 16384 com.apple.networkextension
09:27:01.980664 +[NEProcessInfo copyUUIDsForExecutable:]_block_invoke: failed to get UUIDs for /usr/local/bin/proxyApp com.apple.networkextension
09:27:01.983949 Setting UUID cache generation to 18793 com.apple.networkextension
09:27:01.986451 Could not find app info, return the original flow without filling in app info com.apple.networkextension
09:27:01.988775 UUID cache generation changed from 18792 to 18793 com.apple.networkextension
09:27:01.989725 Failed to find proxyApp in LaunchServices com.apple.networkextension
09:27:01.989808 Failed to find proxyApp using neagent com.apple.networkextension
09:27:01.990073 +[NEProcessInfo copyUUIDsForFatBinary:]: failed to get uuid for offset 16384 com.apple.networkextension
09:27:01.990113 +[NEProcessInfo copyUUIDsForExecutable:]_block_invoke: failed to get UUIDs for /usr/local/bin/proxyApp com.apple.networkextension
09:27:01.991891 Setting UUID cache generation to 18794 com.apple.networkextension
09:27:01.992283 Could not find app info, return the original flow without filling in app info com.apple.networkextension
09:27:01.992567 D89B5B5D-793C-4940-77D4-60DF35207800
identifier = D89B5B5D-793C-4940-77D4-60DF35207800
procPID = 97466
eprocPID = 97466
direction = outbound
inBytes = 0
outBytes = 0
signature = 32:{length = 32, bytes = 0xdb48e494 a3048ed1 b5a3d7e7 86425239 ... 2e0bb61f 66820ed3 }
socketID = 782035df60d477
localEndpoint = 0.0.0.0:0
remoteEndpoint = 13.107.136.9:443
protocol = 6
family = 2
type = 1
procUUID = 00000000-0000-0000-0000-000000000000
eprocUUID = 00000000-0000-0000-0000-000000000000 (no token)
I'm running on Apple Silicon. My extension is built for arm64 and x86_64. My proxy app is a unix executable with no bundle and is also built for both architectures and signed. I realize that I'm probably not going to be able to get a bundle ID from it but I don't even have an audit token to start.
Is there another way to identify flows from specific processes?
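As an added illustration (not the poster's code), the following Swift sketch shows one way to attribute a flow in a FilterDataProvider: prefer the signing identifier the framework supplies on the flow, fall back to resolving the audit token through the Security framework, and, if neither yields an identity, keep filtering rather than allowing. The proxy's signing identifier and the exact verdict returned for filtered flows are assumptions.

```swift
import Foundation
import NetworkExtension
import Security

/// Signing identity recovered for the process behind a flow.
struct FlowOrigin {
    let signingIdentifier: String?
    let teamIdentifier: String?
}

/// Resolve the signing identity behind an audit token via the Security framework.
/// Returns nil when the token is absent (as in the logs above) or the guest cannot be found.
func origin(fromAuditToken token: Data?) -> FlowOrigin? {
    guard let token = token, !token.isEmpty else { return nil }
    let attrs: [CFString: Any] = [kSecGuestAttributeAudit: token]
    var code: SecCode?
    guard SecCodeCopyGuestWithAttributes(nil, attrs as CFDictionary, [], &code) == errSecSuccess,
          let dynamicCode = code else { return nil }
    var staticCode: SecStaticCode?
    guard SecCodeCopyStaticCode(dynamicCode, [], &staticCode) == errSecSuccess,
          let sc = staticCode else { return nil }
    var info: CFDictionary?
    let flags = SecCSFlags(rawValue: kSecCSSigningInformation)
    guard SecCodeCopySigningInformation(sc, flags, &info) == errSecSuccess,
          let dict = info as? [String: Any] else { return nil }
    return FlowOrigin(signingIdentifier: dict[kSecCodeInfoIdentifier as String] as? String,
                      teamIdentifier: dict[kSecCodeInfoTeamIdentifier as String] as? String)
}

/// Placeholder (assumption): the code-signing identifier of the proxy executable.
let proxySigningIdentifier = "com.example.proxyApp"

/// True only when the flow is positively attributed to the proxy; an unidentified
/// flow is never treated as the proxy's, so missing identity fails closed.
func isFromProxy(_ flow: NEFilterFlow) -> Bool {
    if let id = flow.sourceAppSigningIdentifier, id == proxySigningIdentifier { return true }
    if let o = origin(fromAuditToken: flow.sourceAppAuditToken),
       o.signingIdentifier == proxySigningIdentifier { return true }
    return false
}

final class ProxyAwareFilter: NEFilterDataProvider {
    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Proxy-originated traffic is passed through; everything else stays in the filter path.
        return isFromProxy(flow) ? .allow()
                                 : .filterDataVerdict(withFilterInbound: true, peekInboundBytes: Int.max,
                                                      filterOutbound: true, peekOutboundBytes: Int.max)
    }
}
```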
I'm writing an MDM managed application that will be used to write files to a location that is accessible by other applications. I've attempted to write to /Library/Application Support and /usr/local/etc. Both locations fail because my application doesn't have permission.
I tried using a launchd plist to launch the application as a daemon (where it is running as root) and I converted the application to background-only but neither of those made a difference.
I also granted the application Full Disk Access to no avail.
Is there a better location I can write a file that other apps will be able to read? Is there a step I am missing in getting a managed application permission to write to any of these locations?
This article - https://developer.apple.com/documentation/driverkit/debugging_and_testing_system_extensions?language=objc describes several processes for debugging and testing System Extensions. I'm having difficulty turning on developer mode using systemextensionsctl. When I attempt it I get an error telling me to disable SIP.
Disabling SIP requires booting into Recovery Mode and running csrutil disable from Terminal. On my machine running Big Sur, attempting this results in an error telling me that I can't do it with "full security" enabled.
Further down in the aforementioned article, it mentions setting security level to medium.
What is the process for setting security level?