SystemExtension activation status without popup
I have a system extension; it's not meant to be activated by the user, i.e. this should be done by MDM. I'd like to verify whether the extension is already active, but I don't want to cause a system popup, because this is an error condition, i.e. something went wrong with MDM and we really don't want to confuse users with weird system popups coming out of nowhere. In short: not active, fine, give me an error, but please don't pop. Is there a way to do this? Something like what the systemextensionsctl list command does.
3 replies, 0 boosts, 720 views, Sep ’21
Multiple providers within same network extension
Is this kind of setup supported in macOS?

    <key>NEProviderClasses</key>
    <dict>
        <key>com.apple.networkextension.dns-proxy</key>
        <string>DNSProxyProvider</string>
        <key>com.apple.networkextension.app-proxy</key>
        <string>TrProxyProvider</string>
    </dict>

I'd like to have one extension that handles both providers, NEDNSProxy and NETransparentProxy, but the request to activate it always fails:

    2021-03-05 08:54:41.881438-0800 ZCC SysExt[2171:37682] [] -[AppDelegate request:didFailWithError:] OSSystemExtensionActivationRequest: 0x600000477300 Error Domain=OSSystemExtensionErrorDomain Code=4 "Extension not found in App bundle" UserInfo={NSLocalizedDescription=Extension not found in App bundle}

The extension is in the app bundle.
1 reply, 0 boosts, 576 views, Mar ’21
NEDNSProxy flood flow
While working on an NEDNSProxy* network extension I've noticed that during certain network change events the DNS system gets flooded with DNS requests from all kinds of applications. I guess that's normal and expected; however, the API apparently doesn't attempt to control the rate, and the whole situation quickly leads to "too many" open connections and a blockage of the whole thing, in addition to bloated memory and so on. Since we have UDP here, there is always a certain amount of time involved while waiting for a response (1-2 sec at least), and you may or may not get it after all. More specifically, this call seems to be the place where I should try to control the situation:

    - (BOOL)handleNewUDPFlow:(NEAppProxyUDPFlow *)flow
       initialRemoteEndpoint:(NWHostEndpoint *)remoteEndpoint

Is there a recommended way to handle such situations? Should I start dropping those flows, add a delay before processing them, or both? What are the thresholds? Does this API have a capacity after which we know that it can't handle flows anymore? This all applies to the regular AppProxy APIs too, I think.
1 reply, 0 boosts, 603 views, Feb ’21
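The post above describes the failure mode (a burst of new UDP flows after a network change exhausting sockets and memory) but not a policy for it. The following is an added example, not code from the post, from Apple's NetworkExtension framework or from any product: a plain-C admission policy that a handleNewUDPFlow: implementation could consult before opening a socket for the flow. It caps the number of flows in flight, rate-limits new admissions with a token bucket, and degrades to "defer" and then "drop" rather than growing without bound. The function names (flow_limiter_*) and the thresholds used in the comments are assumptions for illustration; the caller passes a monotonic clock in nanoseconds so the policy is deterministic.

```c
/* Added example: flow admission control for a UDP app-proxy / DNS-proxy
 * provider. Not from the post and not an Apple API; names and thresholds
 * are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>

enum flow_decision { FLOW_ADMIT, FLOW_DEFER, FLOW_DROP };

struct flow_limiter {
    size_t   max_in_flight;   /* hard cap on flows with an open socket */
    size_t   in_flight;
    double   rate_per_sec;    /* sustained admission rate (token refill) */
    double   burst;           /* bucket capacity: size of burst we absorb at once */
    double   tokens;
    uint64_t last_ns;         /* monotonic clock at last refill */
    size_t   pending;         /* flows the caller was told to defer */
    size_t   max_pending;     /* beyond this, drop instead of defer */
};

void flow_limiter_init(struct flow_limiter *l, size_t max_in_flight,
                       double rate_per_sec, double burst,
                       size_t max_pending, uint64_t now_ns)
{
    l->max_in_flight = max_in_flight;
    l->in_flight = 0;
    l->rate_per_sec = rate_per_sec;
    l->burst = burst;
    l->tokens = burst;          /* start full so a small burst is admitted */
    l->last_ns = now_ns;
    l->pending = 0;
    l->max_pending = max_pending;
}

/* Add tokens for the time elapsed since the last call, capped at burst. */
static void refill(struct flow_limiter *l, uint64_t now_ns)
{
    if (now_ns > l->last_ns) {
        double elapsed = (double)(now_ns - l->last_ns) / 1e9;
        l->tokens += elapsed * l->rate_per_sec;
        if (l->tokens > l->burst) l->tokens = l->burst;
        l->last_ns = now_ns;
    }
}

/* Called once per new flow (e.g. from handleNewUDPFlow:). ADMIT means open
 * the socket now; DEFER means queue it and retry later; DROP means reject
 * it (the client will time out and retry on its own). */
enum flow_decision flow_limiter_on_new_flow(struct flow_limiter *l, uint64_t now_ns)
{
    refill(l, now_ns);
    if (l->in_flight >= l->max_in_flight || l->tokens < 1.0) {
        /* Defer while there is room in the pending set; past that point
         * drop, so the pending set cannot grow without bound either. */
        if (l->pending < l->max_pending) { l->pending++; return FLOW_DEFER; }
        return FLOW_DROP;
    }
    l->tokens -= 1.0;
    l->in_flight++;
    return FLOW_ADMIT;
}

/* Retry one deferred flow; the same rules apply, so it may be deferred again. */
enum flow_decision flow_limiter_retry(struct flow_limiter *l, uint64_t now_ns)
{
    if (l->pending > 0) l->pending--;
    return flow_limiter_on_new_flow(l, now_ns);
}

/* Called when a flow finishes: reply forwarded, or the UDP wait timed out.
 * Without this the in-flight count never drains, which is exactly the
 * "too many open connections" state the post describes. */
void flow_limiter_on_flow_closed(struct flow_limiter *l)
{
    if (l->in_flight > 0) l->in_flight--;
}
```

The important property is that every flow that leaves the in-flight set, including those that never get a UDP reply, must call flow_limiter_on_flow_closed, so the socket timeout (the 1-2 seconds mentioned above) is what ultimately bounds memory and descriptor use.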
nw_path_enumerate_gateways gives me no love
This doesn't enumerate even though I do have a gateway. Did anybody have any luck with this function? Its neighbor nw_path_enumerate_interfaces() works fine, and the connection is also fine.

    auto path = nw_connection_copy_current_path(connection);
    // The block is invoked once per gateway; returning true continues enumeration.
    nw_path_enumerate_gateways(path, ^bool(nw_endpoint_t gateway) {
        os_log_info(oslog, "Gateway!");
        return true;
    });
3 replies, 0 boosts, 626 views, Feb ’21
UDP port unreachable and nw_connection_receive*
I'm trying to use the Network framework for a UDP connection. It works, I get traffic flowing both ways when the UDP server is responding; however, when the server is down and the box sends ICMP port unreachable, the completion blocks from nw_connection_receive_message() / nw_connection_receive() are not getting called. The state and viability change handlers are also not getting called. In my app console, though, I see the message:

    [connection] nw_socket_get_input_frames [C1:1] recvmsg(fd 4, 9216 bytes) [61: Connection refused]

So somewhere inside the API it actually gets the ICMP and knows that the connection is refused, but how exactly do I get notified about this? This surely beats waiting on the connection and timing out if the host is nice enough to tell you right away that the port is closed.
12 replies, 0 boosts, 2.4k views, Feb ’21
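The "[61: Connection refused]" in the log line above is errno ECONNREFUSED surfacing from recvmsg() on the socket underneath the connection. The following is an added example, not code from the post and not using Network.framework, that shows the mechanism at the BSD socket layer: on a connected UDP socket the kernel attaches the ICMP port unreachable error to the socket, poll() reports it, and the next recv() fails with ECONNREFUSED (61 on macOS, 111 on Linux). An unconnected socket gets no such report. How Network.framework exposes this to its own callbacks is not shown here. The helper function names and the choice of a loopback port that nothing is bound to (found by binding a throwaway socket and closing it) are assumptions for the demonstration.

```c
/* Added example: how a connected UDP socket reports ICMP port unreachable.
 * Not from the post; plain BSD sockets, no Network.framework. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return a loopback UDP port that was free a moment ago (assumption: nobody
 * binds it between this call and the probe), or -1 on failure. */
static int free_udp_port(void)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                      /* let the kernel pick */
    socklen_t len = sizeof a;
    if (bind(s, (struct sockaddr *)&a, sizeof a) < 0 ||
        getsockname(s, (struct sockaddr *)&a, &len) < 0) {
        close(s);
        return -1;
    }
    close(s);
    return ntohs(a.sin_port);
}

/* Send one datagram to a closed loopback port and report what the socket
 * says afterwards: the errno from recv() (ECONNREFUSED is the expected
 * value), 0 if nothing was reported within timeout_ms, -1 on setup failure. */
int probe_closed_udp_port(int port, int timeout_ms)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    dst.sin_port = htons((uint16_t)port);

    /* connect() is what makes the kernel match incoming ICMP errors to this
     * socket; with sendto() on an unconnected socket they are discarded. */
    if (connect(s, (struct sockaddr *)&dst, sizeof dst) < 0) { close(s); return -1; }
    if (send(s, "probe", 5, 0) < 0) { int e = errno; close(s); return e; }

    /* Wait for the ICMP to come back. poll() reports POLLERR for a pending
     * socket error whether or not it was requested in events. */
    struct pollfd p;
    p.fd = s;
    p.events = POLLIN;
    p.revents = 0;
    int rc = poll(&p, 1, timeout_ms);
    if (rc <= 0) { close(s); return 0; }   /* timeout: no error was delivered */

    char buf[64];
    int result = 0;
    if (recv(s, buf, sizeof buf, 0) < 0) result = errno;   /* ECONNREFUSED here */
    close(s);
    return result;
}

/* One complete probe against a port nothing listens on. */
int probe_once(void)
{
    int port = free_udp_port();
    return port < 0 ? -1 : probe_closed_udp_port(port, 1000);
}
```

The practical point is the one the post makes: a host that answers with ICMP port unreachable lets a client fail immediately instead of waiting out a timeout, but only a connected socket (or an API that tracks the error queue on the caller's behalf) ever sees that signal.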
Multiple macOS NEDNSProxyProvider extensions
We are working on an NEDNSProxyProvider based feature and trying to understand how to handle cases where there are multiple NEDNSProxyProvider extensions installed on macOS (from different vendors). It seems like the first extension loaded should prevent others from loading. Is that so? Controlling priority in such cases is not obvious to me from either the user's or the developer's side. Same question for other system extension APIs: are they supposed to co-exist with others? Thanks!
3 replies, 0 boosts, 619 views, Feb ’21
Dynamic DNS registers wrong IP from VPN
We are observing a strange case when our VPN client activates on macOS. It configures a utun interface through the DynamicStore API with a fixed non-routable local IP, 100.64.0.1. The problem is that this IP gets registered with the DNS server for this host name together with another, real local IP. So a DNS query returns two addresses, one good and one bad. This obviously creates a lot of problems. We captured traffic with tcpdump and it shows that the nsupdate tool is indeed registering both IPs. This seems to be part of the OpenDirectory/Active Directory integration. Is there a way to prevent this from happening? VPNs with local-only non-routable IPs are very common and I don't understand the logic of why such an IP would be picked for a Dynamic DNS update.
1 reply, 0 boosts, 1.2k views, Jul ’20
Staple notarization ticket to a daemon
We have a launchd service; it's installed by our product and can be updated by the product directly. The updated service binary is delivered as a .zip file. We do notarize this zip with the service inside, and it works. Now, we cannot staple the ticket to the binary, since Mach-O stapling is not supported. My understanding is that we don't need to do anything about this and Gatekeeper will take care of everything (i.e. it will check the notarization status with Apple). Is this a correct assumption? Is there anything else we can do to make this work better?
2 replies, 0 boosts, 1.2k views, Jun ’20