Developer ID signed app, system extension, mono with JIT
I'm trying to build a network extension distributed outside the app store, so I'm creating a system extension. The parent app is written in C# on the mono runtime and requires com.apple.security.cs.allow-jit to get past the hardened runtime requirements. The system extension itself is Objective-C.

When I sign and notarize with the hardened runtime and com.apple.security.cs.allow-jit I get the error:

    Hardened Runtime relaxation entitlements disallowed on System Extensions

This is true even if com.apple.security.cs.allow-jit is only on the parent app, not the extension itself. If I don't use the exemption on the parent app my app fails with:

    curprot cannot be write+execute

I take this to mean that the mono runtime can't do whatever JIT magic it needs. How do I combine system extensions with curprot cannot be write+execute on the parent app?
Replies: 5, Boosts: 0, Views: 1.4k, Activity: Sep ’20
XPC IPC between sandboxed network extension and launch agent
I want to establish an XPC connection between a network extension and a launch agent. Right now that launch agent is a "sample" app as a stand-in for an existing non-app-store app that is going to be gaining some functionality. My intent is that the NE starts a connection to the launch agent and exposes an interface so that the launch agent can invoke a method on an instance in the network extension. The launch agent is going to keep track of any connections established by the NE and invoke methods as needed on any live NE.

My symptom is that my sample launch agent app is not launched automatically like I expected. If I launch the sample app manually I can see my logging that it has created the NSXPCListener instance, but no logging in the [listener:shouldAcceptNewConnection:] method. On the network extension side, I see my invalidation handler called immediately after resume is invoked.

I figure I've done at least one of two things wrong:
- set up the launch agent wrong, so that the OS doesn't know how to launch it
- set up the connection in the NE wrong so that it is being rejected without even trying to connect

My launch agent plist looks like:

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>TEAMID.group.my.stuff</string>
        <key>Program</key>
        <string>/Users/me/.../build/Debug/Sample.app/Contents/MacOS/Sample</string>
        <key>MachServices</key>
        <dict>
            <key>TEAMID.group.my.stuff</key>
            <true/>
        </dict>
    </dict>
    </plist>

I'm installing that with a command like:

    launchctl load path/to/com.me.Sample.plist

In the network extension I make a connection with code like:

    NSXPCConnection* xpcConnection = [[NSXPCConnection alloc] initWithMachServiceName:@"TEAMID.group.my.stuff" options:0];
    xpcConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(XPCIPC)];
    xpcConnection.exportedObject = self;
    xpcConnection.invalidationHandler = ^() {
        // ... some logging
    };
    xpcConnection.interruptionHandler = ^() {
        // ... some logging
    };
    [xpcConnection resume];

In the sample app that is intended to be the launch agent I have code like:

    xpcListener = [[NSXPCListener alloc] initWithMachServiceName:@"TEAMID.group.my.stuff"];
    xpcListener.delegate = self;
    [xpcListener resume];

and then later on in the sample app I have the listener:

    - (BOOL)listener:(NSXPCListener*)listener shouldAcceptNewConnection:(NSXPCConnection*)connection {
        connection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(XPCIPC)];
        connection.invalidationHandler = ^() {
            // ... some logging
        };
        connection.interruptionHandler = ^() {
            // ... some logging
        };
        [connection resume];
        [connection remoteObjectProxyWithErrorHandler:^(NSError* error) {
            // ... some logging
        }];
        return YES;
    }
Replies: 0, Boosts: 0, Views: 463, Activity: Nov ’20
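A hardened form of the launch agent's listener delegate from the post above, as an added example that is not part of the original post: instead of returning YES for any process that can reach the Mach service, it pins the connection to the network extension's code signature (macOS 13 and later) before exposing the XPCIPC proxy. The bundle identifier com.example.ne, the ping: method and the requirement string are assumed placeholders; TEAMID and the XPCIPC protocol name come from the post.

```objectivec
// Added example, not code from the original post.
#import <Foundation/Foundation.h>

// Assumed shape of the post's XPCIPC protocol; only one placeholder method.
@protocol XPCIPC <NSObject>
- (void)ping:(void (^)(NSString *reply))completion;
@end

@interface AgentListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation AgentListenerDelegate

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)connection {
    // Assumed: the NE is signed by team TEAMID with bundle id com.example.ne.
    // Both values are placeholders to replace with the real extension's.
    NSString *requirement =
        @"anchor apple generic and identifier \"com.example.ne\" and "
        @"certificate leaf[subject.OU] = \"TEAMID\"";

    if (@available(macOS 13.0, *)) {
        // The connection is invalidated unless the peer satisfies the
        // requirement, so only the matching NE ever reaches the proxy below.
        [connection setCodeSigningRequirement:requirement];
    } else {
        // No requirement API on older systems: refuse rather than accept an
        // unverified peer on a Mach service any local process could look up.
        return NO;
    }

    connection.remoteObjectInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(XPCIPC)];
    connection.invalidationHandler = ^{
        NSLog(@"NE connection invalidated (peer rejected or exited)");
    };
    connection.interruptionHandler = ^{
        NSLog(@"NE connection interrupted");
    };
    [connection resume];

    // The proxy is only handed out after the requirement has been applied.
    id<XPCIPC> ne = [connection remoteObjectProxyWithErrorHandler:^(NSError *e) {
        NSLog(@"XPC call to NE failed: %@", e);
    }];
    [ne ping:^(NSString *reply) { NSLog(@"NE replied: %@", reply); }];
    return YES;
}

@end
```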