Post

Replies

Boosts

Views

Activity

Does the MDM payload "SystemExtensions" eliminate all user approvals
We are deploying a network extension. We want to have as little user interaction during the initial extension loading. It seems like the SystemExtensions MDM payload documented here could be used to this end but I have only been able to bypass the Security & Privacy System Preferences step. I still see the "xxxx would like to Filter Network Content" alert. Is there a way to bypass this final step and have the extension allowed without user approval?
1
0
721
Dec ’21
NEFilterFlow does not contain sourceAppAuditToken
I'm working on a FilterDataProvider network extension that works in conjunction with our global proxy app. Traffic that is bound for the proxy does not pass through the extension but outbound traffic from the proxy does. This outbound traffic needs to be identified so that we don't attempt to filter it. I have code that will convert the sourceAppAuditToken into a bundle ID but the call to SecCodeCopyGuestWithAttributes fails because the sourceAppAuditToken does not contain a value. Here's an excerpt from the logs: 09:27:01.972400 (0): Flow 687496262 is connecting com.apple.networkextension 09:27:01.972655 (687496262): New flow: NEFlow type = stream, app = proxyApp, name = , 192.168.1.170:0 <-> 13.107.136.9:443, filter_id = D89B5B5D-793C-4940-77D4-60DF35207800, interface = en0 com.apple.networkextension 09:27:01.973080 [Extension com.sophos.endpoint.network]: Calling handleNewFlow with TCP proxyApp[{length = 20, bytes = 0x4bf6e2f6f76b530341761afce6c7d0c01330af54}] remote: 13.107.136.9:443 interface en0 com.apple.networkextension 09:27:01.973873 [Extension com.sophos.endpoint.network]: provider rejected new flow TCP proxyApp[{length = 20, bytes = 0x4bf6e2f6f76b530341761afce6c7d0c01330af54}] remote: 13.107.136.9:443 interface en0 com.apple.networkextension 09:27:01.974305 (687496262): Destroying, client tx 0, client rx 0, kernel rx 0, kernel tx 0 com.apple.networkextension 09:27:01.978701 UUID cache generation changed from 18791 to 18792 com.apple.networkextension 09:27:01.979738 Failed to find proxyApp in LaunchServices com.apple.networkextension 09:27:01.980046 Failed to find proxyApp using neagent com.apple.networkextension 09:27:01.980610 +[NEProcessInfo copyUUIDsForFatBinary:]: failed to get uuid for offset 16384 com.apple.networkextension 09:27:01.980664 +[NEProcessInfo copyUUIDsForExecutable:]_block_invoke: failed to get UUIDs for /usr/local/bin/proxyApp com.apple.networkextension 09:27:01.983949 Setting UUID cache generation to 18793 com.apple.networkextension 09:27:01.986451 Could not find app info, return the original flow without filling in app info com.apple.networkextension 09:27:01.988775 UUID cache generation changed from 18792 to 18793 com.apple.networkextension 09:27:01.989725 Failed to find proxyApp in LaunchServices com.apple.networkextension 09:27:01.989808 Failed to find proxyApp using neagent com.apple.networkextension 09:27:01.990073 +[NEProcessInfo copyUUIDsForFatBinary:]: failed to get uuid for offset 16384 com.apple.networkextension 09:27:01.990113 +[NEProcessInfo copyUUIDsForExecutable:]_block_invoke: failed to get UUIDs for /usr/local/bin/proxyApp com.apple.networkextension 09:27:01.991891 Setting UUID cache generation to 18794 com.apple.networkextension 09:27:01.992283 Could not find app info, return the original flow without filling in app info com.apple.networkextension 09:27:01.992567 D89B5B5D-793C-4940-77D4-60DF35207800 identifier = D89B5B5D-793C-4940-77D4-60DF35207800 procPID = 97466 eprocPID = 97466 direction = outbound inBytes = 0 outBytes = 0 signature = 32:{length = 32, bytes = 0xdb48e494 a3048ed1 b5a3d7e7 86425239 ... 2e0bb61f 66820ed3 } socketID = 782035df60d477 localEndpoint = 0.0.0.0:0 remoteEndpoint = 13.107.136.9:443 protocol = 6 family = 2 type = 1 procUUID = 00000000-0000-0000-0000-000000000000 eprocUUID = 00000000-0000-0000-0000-000000000000 (no token) I'm running on Apple Silicon. My extension is built for arm64 and x86_64. My proxy app is a unix executable with no bundle and is also built for both architectures and signed. I realize that I'm probably not going to be able to get a bundle ID from it but I don't even have an audit token to start. Is there another way to identify flows from specific processes?
1
0
698
Dec ’21
Writing files to a shared location from a managed application
I'm writing an MDM managed application that will be used to write files to a location that is accessible by other applications. I've attempted to write to /Library/Application Support and /usr/local/etc. Both locations fail because my application doesn't have permission. I tried using a launchd plist to launch the application as a daemon (where it is running as root) and I converted the application to background-only but neither of those made a difference. I also granted the application Full Disk Access to no avail. Is there a better location I can write a file that other apps will be able to read? Is there a step I am missing in getting a managed application permission to write to any of these locations?
1
0
605
Apr ’21
Debugging system extensions for macOS
This article - https://developer.apple.com/documentation/driverkit/debugging_and_testing_system_extensions?language=objc describes several processes for debugging and testing System Extensions. I'm having difficulty turning on developer mode using systemextensionsctl. When I attempt it I get an error telling me to disable SIP. Disabling SIP requires booting into Recovery Mode and running csrutil disable from Terminal. On my machine running Big Sur, attempting this results in an error telling me that I can't do it with "full security" enabled. Further down in the aforementioned article, it mentions setting security level to medium. What is the process for setting security level?
2
0
1.1k
Oct ’20