User Profile

For anyone looking, any access to resources that need FDA approval from the app does not seem to pre-populate the list. You can create an embedded helper inside the app and launch it as a launchd service and it will populate the list.

I've opened a TSI case, thanks for your help Quinn!

OK. My next step here would be to check whether launchd knows that the sysex is allowed to publish that service. You can do that with launchctl: Under a section with my bundle ID, I see: $(TEAMID).$(BUNDLEID) = { 				active count = 3         copy count = 0         one shot = 0         path = (submitted by smd.290)         state = running         program = /Library/SystemExtensions/063E252D-C01E-4EBE-96F5-1C5FA0650106/$(BUNDLEID).systemextension/Contents/MacOS/$(BUNDLEID)         arguments = {                 $(BUNDLEID)         }         default environment = {                 PATH => /usr/bin:/bin:/usr/sbin:/sbin         }         environment = {                 XPC_SERVICE_NAME => $(TEAMID).$(BUNDLEID)         }         endpoints = {                  "group.$(APP_BUNDLEID).content-filter-service" = {                          port = 0xb0ba7                         active = 1                          managed = 1                          reset = 0                          hide = 0                  }            } ... } So I see the Mach service for the content filter only. The service I had defined for the plist key NSEndpointSecurityMachServiceName is not available. It also follows a different naming convention though, $(TEAMID).$(BUNDLEID).xpc. Not sure if that matters.

Is this on 10.15.x? Or 11 beta? This was on 10.15.4. Have not tried in 11 beta or later versions of 10.15.

I figured this out early on. It can find the extension it will always fail verification with:System extension request failed: The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 9.)Unlike network extensions on iOS, the macOS Network Extension System Extension will create a NEMachServiceName and the Network Extension validation makes it "mandatory" that a matching App Group must be defined for the Mach service or it will fail validation.Solution: Create a matching App Group (if you deleted it like I did) or... delete App Group and NEMachServiceName (didn't try the latter)