Reply to NETransparentProxyProvider doesn't invoke handleNewFlow
Thanks for the useful article, eskimo. My extension works with Safari, but not with other applications. I have configured my extension to intercept traffic to example.com:443:

```swift
let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
let rule = NENetworkRule(destinationHost: NWHostEndpoint(hostname: "example.com", port: "443"), protocol: .TCP)
settings.includedNetworkRules = [rule]
self.setTunnelNetworkSettings(settings) { error in
    completionHandler(error)
}
```

If I make the request with Safari then the handleNewFlow method is called. But if I test with curl, the request hangs and the handleNewFlow method is not called (requests to other domains work with curl, so I suppose the interception rule is correct):

```
curl --http2 https://example.com -v
*   Trying 93.184.216.34:443...
* Connected to example.com (93.184.216.34) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
```

Do I need some special settings in Info.plist or some other place to enable capturing from all apps? Do I need a .mobileconfig for Mac OS (currently I do not have any)? Is the NENetworkRule that I configured sufficient to intercept network requests? I should also mention that the tunnelRemoteAddress that I specified (127.0.0.1) is fictional for the moment; once I get the handleNewFlow method triggered, I will implement the actual proxying part.
Apr ’23
Reply to NETransparentProxyProvider doesn't invoke handleNewFlow
I managed to make it work by tweaking the NENetworkRule passed to the settings and using a destination network. Still wondering why NEAppProxyProvider with NETunnelNetworkSettings is throwing an NEAgentErrorDomain error, though. If I want to target Mac OS 10.5, I cannot use NETransparentProxyProvider:

```swift
class AppProxyProvider: NEAppProxyProvider {
    override func startProxy(options: [String : Any]?, completionHandler: @escaping (Error?) -> Void) {
        let settings = NETunnelNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        self.setTunnelNetworkSettings(settings) { error in
            completionHandler(error)
        }
    }
    ...
}
```
Apr ’23
Reply to Network Extension doesn't work with com.apple.security.cs.disable-library-validation entitlement
@meaton, the reason I need the disable-library-validation entitlement is because my app is hosting a .NET Core utility (bundled in the Resources folder and called as a sub-process). This utility depends on some dynamic libraries (libcoreclr.dylib, libclrgc.dylib, libclrjit.dylib, ...) shipped by Microsoft which are ad-hoc signed. If I re-sign them with codesign (with timestamp and hardened runtime), my .NET Core app no longer starts, as its dependencies do not have the expected signatures.
May ’23
Reply to Unable to communicate with Network Extension using IPC
> Just out of curiosity, what type of AppProxyProvider are you using? Is it an AppProxyProvider System Extension or is it an App Extension?

@meaton, it is a system extension. It is also worth mentioning that the IPC works while debugging in Xcode (using an Xcode-managed profile and Apple Development signing certificate for both the app and the sysext). So I guess there might be some issue with my Developer ID signing profile and/or entitlements.
Jun ’23
Reply to Unable to communicate with Network Extension using IPC
My current workaround is to stop and start the extension again from the container app, since the start method allows me to pass some options. This is quite ugly and I would really like to find out why sendProviderMessage is failing to communicate with my sysext. Is this a supported scenario (container app sendProviderMessage -> Mac OS system extension handleAppMessage) or should I use XPC instead?
Jun ’23
Reply to Unable to communicate with Network Extension using IPC
I think I have found the problem. When I was building my application in Release mode I was using manual signing with codesign, and the following entitlements were not added to my app:

```xml
<key>com.apple.application-identifier</key>
<string>CXXXXXXXX.com.myorg.myapp</string>
<key>com.apple.developer.team-identifier</key>
<string>CXXXXXXXX</string>
```

After manually adding them to the entitlements file, the IPC started working as expected.
Jun ’23
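A check for the Release-signing problem found above, added here as an example that is not the poster's code: it parses entitlements XML for the two keys and confirms the application-identifier carries the team prefix, so a manually signed build can be validated before shipping. It assumes codesign's `--xml` output (macOS 11 or later) for the live dump; the parser itself is exercised on a constructed sample.

```shell
#!/bin/sh
# Added example, not the poster's code: verify a manually signed container app
# carries the two entitlements whose absence broke sendProviderMessage IPC.
# The awk parser runs anywhere; the live dump needs macOS codesign (11+).

# Print the <string> value that follows <key>$1</key> in plist XML on stdin.
plist_string() {
    awk -v key="$1" '
        $0 ~ "<key>" key "</key>" { found = 1 }
        found && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }'
}

# Validate entitlements XML passed as $1: both keys present and the
# application-identifier prefixed by the team identifier. Returns 0 on success.
check_entitlements() {
    app_id=$(printf '%s\n' "$1" | plist_string com.apple.application-identifier)
    team_id=$(printf '%s\n' "$1" | plist_string com.apple.developer.team-identifier)
    [ -n "$app_id" ] || { echo "missing com.apple.application-identifier" >&2; return 1; }
    [ -n "$team_id" ] || { echo "missing com.apple.developer.team-identifier" >&2; return 1; }
    case "$app_id" in
        "$team_id".*) return 0 ;;
    esac
    echo "application-identifier '$app_id' does not start with team '$team_id'" >&2
    return 1
}

# Dump a signed bundle's entitlements with codesign and validate them.
check_bundle() {
    xml=$(codesign -d --entitlements - --xml "$1" 2>/dev/null) || return 1
    check_entitlements "$xml"
}

# Constructed sample mirroring the keys quoted in the post (placeholder team id).
GOOD_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>com.apple.application-identifier</key>
    <string>CXXXXXXXX.com.myorg.myapp</string>
    <key>com.apple.developer.team-identifier</key>
    <string>CXXXXXXXX</string>
</dict></plist>'

# Constructed broken variant: team identifier missing, as in a bad Release build.
BAD_PLIST='<plist version="1.0"><dict>
    <key>com.apple.application-identifier</key>
    <string>CXXXXXXXX.com.myorg.myapp</string>
</dict></plist>'

if [ $# -gt 0 ]; then
    check_bundle "$1" && echo "$1: entitlements OK"
fi
```

Run it as `sh check_entitlements.sh /path/to/MyApp.app` on the signed Release bundle; a non-zero exit with the printed reason means the IPC prerequisites from the post are not met.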
Reply to Capturing ipv6 traffic with AppProxyProvider on MacOS
@eskimo, here's what I tried in order to intercept this particular address:

```swift
NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "2a03:2880:f128:181:face:b00c:0:25de", port: "443"), remotePrefix: 128, localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)
```

I also tried a catch-all rule:

```swift
NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "::0", port: "0"), remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)
```

What would be the proper way to add a rule that can intercept IPv6 traffic?
Nov ’23