We are also facing this issue; it is happening when we are using a Proxy client service which uses SystemExtension: AppProxyProvider for proxying traffic. If there is no proxy client in the data path, YouTube streaming is working fine.
My mistake, in the new Forum layout I was not able to locate the questions I asked. I mean, 'Edit Profile' doesn't seem to be the place to find your asked questions.
No need to follow this page for this particular question; we can close this discussion here.
Thanks for the response Quinn. Yes, you are right, this is a System Extension app; we also build two extensions for NE providers (Content Filter and App/Transparent Proxy Provider) and for Endpoint Security.
My App entitlement looks like:
$ codesign -d --entitlements :- /Applications/MyorgSystemExtensions.app
Executable=/Applications/MyorgSystemExtensions.app/Contents/MacOS/MyorgSystemExtensions
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>REPLACEDID.com.Myorg.containerapp</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>REPLACEDID</string>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.Myorg.endpoint</string>
</array>
</dict>
</plist>
SystemExtension entitlement looks like:
$ codesign -d --entitlements :- /Applications/MyorgSystemExtensions.app/Contents/MacOS/MyorgSystemExtensions
Executable=/Applications/MyorgSystemExtensions.app/Contents/MacOS/MyorgSystemExtensions
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>REPLACEDID.com.Myorg.containerapp</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>REPLACEDID</string>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.Myorg.endpoint</string>
</array>
</dict>
</plist>
Provisioning file looks like:
$ security cms -D -i /Applications/MyorgSystemExtensions.app/Contents/embedded.provisionprofile
....
<key>Entitlements</key>
<dict>
<key>com.apple.developer.endpoint-security.client</key>
<true/>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
<string>dns-settings</string>
</array>
<key>com.apple.application-identifier</key>
<string>REPLACEDID.com.Myorg.containerapp</string>
<key>keychain-access-groups</key>
<array>
<string>REPLACEDID.*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>REPLACEDID</string>
</dict>
....
I am trying to compare the entitlements but I may miss an error as I am not an expert with this. Quinn, I would really appreciate it if you can point out any error.
Thanks
Capturing more details about the extensions. Also, we are not installing and enabling ES on the machines where the issues are reported.
The provisioning profile for NE looks like:
% security cms -D -i /Applications/MyorgSystemExtensions.app/Contents/Library/SystemExtensions/com.Myorg.CMF.networkextension.systemextension/Contents/embedded.provisionprofile
...
<key>Entitlements</key>
<dict>
<key>com.apple.developer.endpoint-security.client</key>
<true/>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
<string>dns-settings</string>
</array>
<key>com.apple.application-identifier</key>
<string>REPLACEDID.com.Myorg.CMF.networkextension</string>
<key>keychain-access-groups</key>
<array>
<string>REPLACEDID.*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>REPLACEDID</string>
</dict>
...
The provisioning profile for ES looks like:
% security cms -D -i /Applications/MyorgSystemExtensions.app/Contents/Library/SystemExtensions/com.Myorg.CMF.endpointsecurity.systemextension/Contents/embedded.provisionprofile
...
<key>Entitlements</key>
<dict>
<key>com.apple.developer.endpoint-security.client</key>
<true/>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.application-identifier</key>
<string>REPLACEDID.com.Myorg.CMF.endpointsecurity</string>
<key>keychain-access-groups</key>
<array>
<string>REPLACEDID.*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>REPLACEDID</string>
</dict>
...
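As an added illustration (not code from the thread), here is a small Python check that does the comparison the posts above attempt by eye: it parses the codesign entitlements and compares them against the provisioning profile's Entitlements dict, flagging anything the binary claims that the profile does not grant. The embedded samples are condensed from the output quoted above (IDs are the same placeholders); on them the only claimed entitlement the profile's Entitlements dict does not carry is com.apple.security.application-groups.

```python
import plistlib

# Constructed sample, condensed from the `codesign -d --entitlements :-`
# output quoted above (team/app IDs are the thread's placeholders).
CODESIGN_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.application-identifier</key><string>REPLACEDID.com.Myorg.containerapp</string>
<key>com.apple.developer.networking.networkextension</key>
<array><string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string></array>
<key>com.apple.developer.system-extension.install</key><true/>
<key>com.apple.developer.team-identifier</key><string>REPLACEDID</string>
<key>com.apple.security.application-groups</key>
<array><string>group.com.Myorg.endpoint</string></array>
</dict></plist>"""

# Constructed sample: the <key>Entitlements</key> dict of the app's profile,
# as shown by `security cms -D -i .../embedded.provisionprofile` above.
PROFILE_ENTITLEMENTS = {
    "com.apple.developer.endpoint-security.client": True,
    "com.apple.developer.system-extension.install": True,
    "com.apple.developer.networking.networkextension": [
        "packet-tunnel-provider-systemextension", "app-proxy-provider-systemextension",
        "content-filter-provider-systemextension", "dns-proxy-systemextension", "dns-settings"],
    "com.apple.application-identifier": "REPLACEDID.com.Myorg.containerapp",
    "keychain-access-groups": ["REPLACEDID.*"],
    "com.apple.developer.team-identifier": "REPLACEDID",
}

def unauthorized_entitlements(signed, profile):
    """Return {key: reason} for entitlements the binary claims that the profile
    does not grant. Scalars must match exactly; for array-valued entitlements
    every claimed element must appear in the profile's array."""
    problems = {}
    for key, claimed in signed.items():
        if key not in profile:
            problems[key] = "not present in profile Entitlements"
            continue
        granted = profile[key]
        if isinstance(claimed, list):
            missing = [v for v in claimed if v not in granted]
            if missing:
                problems[key] = "values not granted: " + ", ".join(missing)
        elif claimed != granted:
            problems[key] = f"claimed {claimed!r}, profile grants {granted!r}"
    return problems

def check_sample():
    """Run the comparison on the constructed samples above."""
    return unauthorized_entitlements(plistlib.loads(CODESIGN_ENTITLEMENTS), PROFILE_ENTITLEMENTS)

if __name__ == "__main__":
    for key, why in check_sample().items():
        print(f"{key}: {why}")
```

To run it against a real bundle, feed `check_sample` the bytes of the codesign output and the `Entitlements` dict from `plistlib.loads` of the decoded profile instead of the embedded samples.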
Next question: What are you hoping to gain by using an App Group? Which processes are you sharing content between? And what sort of content?
We have an app and a library which do IPC communication with the System Extension to install and configure it, in a similar way to how it was done in the Apple sample project 'SimpleFirewall'. I could see 'com.apple.security.application-group' used there as well.
But this 'app-group' entitlement has been working fine on Catalina (10.15) and Big Sur for Intel Mac machines. Why could it start failing on M1 MacBooks? Also, on some M1 machines it is working fine.
I’m going to recommend that you open a DTS tech support incident
Thanks Quinn. I already created a TSI for the same this morning (IST). I have also given the reference for this discussion so that I may not need to explain again the things which we discussed here. Let me know if you need to know the follow-up/TSI number.
Thanks Matt and Quinn for your response.
Is this other service signed by the same team as your sysex?
Yes, both the system extension and the service are signed by the same team.
And what context is it running in? As a daemon? Or in a GUI login context? Or something else?
It is a daemon, but built outside the system extension container. I have a limitation that I cannot keep this daemon in the same container.
I have a related question: is there a way I could block/disable the 'Disconnect' button for the VPN in Network settings? Currently this can be disabled even without opening the lock (bottom).
Or can we somehow disable the effect of the disconnect action, i.e. the user cannot stop the VPN from this place?
Thanks Quinn, both approaches will work for me. But the 2nd approach is more suitable as it will be independent of the App (SysEx) which is doing 'addObserver' for VPN status.
I was trying to find a small example of code for:
SCNetworkConnection vpnConn = <?>
SCNetworkConnectionStatus status = SCNetworkConnectionGetStatus(vpnConn)
Could you please help me with the API and argument which I can use to get an 'SCNetworkConnection' in my C++ project?
is your service visible to SCNetworkConnection?
I don't see my service where you suggested:
% networksetup -listallnetworkservices
An asterisk (*) denotes that a network service is disabled.
USB 10/100/1000 LAN
Thunderbolt Bridge
Wi-Fi
Bluetooth PAN
To get this working you need to start with a service ID. I’m not sure whether the system allocates a service ID for a transparent proxy.
Do I need to do anything special while configuring my TransparentProxyProvider in my App, which will let the system allocate a serviceID to my VPN?
Thanks Quinn, I will probably raise feedback for the development team to see if they can add some provision for an outside process (container app) to be able to monitor the VPN status.
Meanwhile I will go with the 1st approach which you and Matt suggested.
Thanks
Thanks for the response Quinn.
This is a serious security concern as a user can disable the Proxy client by using this option, thus exposing Mac machines and company resources to malicious access on the internet.
I will raise the feedback/enhancement request for the same but will request that it be taken on priority.
Thanks Owara for sharing the info. I will pass this information on accordingly.
Feedback generated for this request:
https://feedbackassistant.apple.com/feedback/9779236
Thanks for the response @meaton, I wanted to understand further how the manual route of creating a utun interface and doing read/write can limit any functionalities.
I was going through the openvpn code and it seems they also have used the manual method to create a utun interface for read/write operations for tunneling L3 packets.
For me also it seems an easier way to use the utun method, as it is easy to maintain the code while avoiding the sandboxing and app groups and managing the inbound and outbound connections.