I have an app with System Extension, which I've notarized.
I've tried 2 cases:
With Hardened runtime on System Extension.
Without Hardened runtime on System Extension.
Once I've notarized the App Bundle, I notarize the app package, both of which succeeded successfully, and stapled correctly.
When I try to run the App with SIP enabled, I get the following error:
Hardened Runtime relaxation entitlements disallowed on System Extensions
I have 2 different App Bundles:
Main App Bundle.
Uninstaller App Bundle.
The Uninstaller App Bundle is not inside the Main App bundle.
I am creating a packet tunneling system extension from the Main App Bundle. Is there a way I could use NEVPNManager's loadAllFromPreferences to access the VPN created from the main app bundle and remove that VPN?
I can think of using IPC to communicate from Uninstaller App Bundle to the main App Bundle to let the Main App Bundle know when to delete the VPN, but is there a way to do it directly from the Uninstaller App Bundle, so that in case the main process from the Main App bundle isn't running I could still remove the VPN?
Also, embedded inside the Main App Bundle is another executable file which runs as a LaunchDaemon. Could I use the LaunchDaemon process to remove the VPN profile as well?
I am working on a Packet Tunnel System Extension on macOS. There are times when it appears that certain actions like opening and closing the socket are taking too long. The only thing I see in the logs are these messages corresponding to those actions and they don't happen often as well:
default 14:08:09.148452-0400 symptomsd defusing ticker tickerFatal having seen progress by flow for ***_PROCESS, rxbytes 4980 duration 301.752 seconds started at time: Mon Oct 19 14:03:07 2020
What does this log basically imply? What are its effects on the System? Any specific way to figure out what exactly is causing it?
I am using the DTK Mac mini with Big Sur version 11.0 Beta (20A5299w).
I went to the Recovery mode and tried to change the Security Policy to Reduced Security mode but that mode isn't getting applied for some reason and it doesn't give an error as to why that's happening. Is changing the SIP disabled on a DTK?
Any idea as to how I can disable SIP?
I am trying to debug some executables and can't do it without disabling SIP.
I am using the DTK Mac mini with Big Sur version 11.0 Beta (20A5299w).
I get the following error in Software Update while trying to update Big Sur to 11.0.1:
An error occurred while downloading the selected updates. Please check your internet connection and try again.
When I look at the console I see the following :
[PreflightPrerequisite] Informing client that the preflight prerequisite phase failed with error: Error Domain=SUMacControllerError Code=7722 "[SUMacControllerErrorPreflightPrerequisiteCheckFailed=7722] Failed to perform PreflightPrerequisite operation: com.apple.BuildInfo.preflight.error:12 | The base build is not compatible for this install method.: [com.apple.BuildInfo.preflight.error:12]" UserInfo={NSUnderlyingError=0x134f0cbb0 {Error Domain=com.apple.BuildInfo.preflight.error Code=12 "The base build is not compatible for this install method." UserInfo={BIPreflightAlternateInstallerRecommended=true, NSLocalizedFailureReason=The base build is not compatible for this install method., NSLocalizedDescription=The base build is not compatible for this install method.}}, SUMacControllerErrorIndicationsMask=0, NSDebugDescription=[SUMacControllerErrorPreflightPrerequisiteCheckFailed=7722] Failed to perform PreflightPrerequisite operation: com.apple.BuildInfo.preflight.error:12 | The base build is not compatible for this install method.: [com.apple.BuildInfo.preflight.error:12], NSLocalizedDescription=Current device configuration and target is invalid for install in the current state. Please try again.}
Is the DTK not allowed to be updated?
I get the following error while trying to load save the configuration for NEFilter :
Failed to save configuration Error Domain=NEFilterErrorDomain Code=3 "(null)"
This is how I am trying to create the configuration :
let config = NEFilterProviderConfiguration()
config.username = "Test User"
config.organization = "Test Organization"
config.filterBrowsers = true
config.filterSockets = true
config.serverAddress = "localhost"
NEFilterManager.shared().providerConfiguration = config
NEFilterManager.shared().isEnabled = true
NEFilterManager.shared().saveToPreferences { (error) in
    if let saveError = error {
        print("Failed to save configuration \(saveError)")
        return
    }
}
I checked the following things :
The Team ID is consistent across the App, Control Extension and Data Extension.
The App ID prefix matches the Team ID.
The Bundle IDs for the Control Extension and Data Extension are child IDs of the App's Bundle ID.
The deployment target is set to 11.0 for the App, and the extensions.
The App and the extensions do have the content-filter-provider and get-task-allow entitlement. Moreover the device is supervised.
The NSExtensionPrincipal Class is the ModuleName.CustomClassName
I also tried to manually create an unsigned profile consisting of the Content Filter Payload, which has the plugin Bundle Id which is the same as the App's Bundle ID.
How can I further debug this issue?
My understanding is that for development purposes having the get-task-allow entitlement should be enough to test the filter, and the device may not be supervised unless I am testing this on a Distribution build and in that case it would require an MDM profile. Is that correct?
I get the following error while trying to copy a file from Filter Bundle to the Documents Directory :
sandbox deny(1) file-write-create
Is any file write permission completely restricted in the FilterDataProvider?
The reason I need to copy the file to the Documents Directory is to make modifications to the file, which in my understanding I can't do directly to the file by accessing it from the Bundle.
How can I make modifications to a file from FilterDataProvider if the FilterDataProvider doesn't have any write permissions?
Is using the FilterControlProvider the only option to make any changes to a file?
I am building prototypes which use the ScreenTime API.
I noticed a couple of things :
After getting the authorization on the child device, if I were to use another app that needs authorization then it returns "Authorization conflict" error. Is that the correct behavior? Would only one single app get the Family control Authorization? For the second app to get authorization, I had to revoke authorization from the first app.
After getting the Family Control authorization, I was still able to log out from the child iCloud account. My understanding was that, sign out shouldn't be allowed for the child.
After getting the Family Control authorization, I was still able to delete the app that received the Family Control authorization. Once the app received authorization, the child should be blocked from deleting that app right?
Could someone please clarify on these?
I've created a test project in which I can successfully receive the FamilyControl authorization for the child device.
Then on the parent device (where the parent account is logged in as the iCloud account), I basically used the following test code as provided in the documentation for FamilyActivityPicker:
struct ExampleView: View {
    @State var selection = FamilyActivitySelection()
    @State var isPresented = false
    var body: some View {
        Button("Present FamilyActivityPicker") { isPresented = true }
            .sheet(isPresented: $isPresented) {
                FamilyActivityPicker(selection: $selection)
            }
            .onChange(of: selection) { newSelection in
                let applications = selection.applications
                let categories = selection.categories
                let webDomains = selection.webDomains
            }
    }
}
I get the following error on the view :
The operation couldn't be completed. (FamilyControls.ActivityPickerRemoteViewError error 1)
For authorization errors I was able to look into the FamilyControlsError enum in the FamilyControls framework, but I can't find an enum for ActivityPickerRemoteViewError.
Any idea as to why it's failing to load?
I believe I am using the right setup in terms of the account that I am logged in to. I do have the FamilyControl capability, and I was able to successfully provide authorization for the child.
Is there any other prerequisite that needs to be done to load the FamilyActivityPicker?
Also, do you know where I can find the error codes corresponding to ActivityPickerRemoteViewError?
What does error 1 indicate?
I do see the following in the console logs :
2021-06-09 16:42:38.430112-0400 NN Family Control[849:38700] [lifecycle] [u 9F1F2B94-76F6-4D8F-ADE3-6D1C14EE5074:m (null)] [com.apple.FamilyControls.ActivityPickerExtension(1)] Connection to plugin interrupted while in use.
2021-06-09 16:42:38.476929-0400 NN Family Control[849:38704] [lifecycle] [u 9F1F2B94-76F6-4D8F-ADE3-6D1C14EE5074:m (null)] [com.apple.FamilyControls.ActivityPickerExtension(1)] Connection to plugin invalidated while in use.
I was able to start the device activity monitor. I was able to see the Device Activity Monitor Extension as a process, and was able to attach to it via Xcode.
Now I am trying to block a specific 3rd party application, via the Shield.
I am using this piece of code for intervalDidStart :
override func intervalDidStart(for activity: DeviceActivityName) {
    NSLog("Interval started for Device Activity")
    let blockedApps : Set<Application> = [Application(bundleIdentifier: "com.facebook.Facebook")]
    store.application.blockedApplications = blockedApps
    super.intervalDidStart(for: activity)
}
I've declared store in the DeviceActivityMonitor class as follows :
let store = ManagedSettingsStore()
This is the error I see in the Console:
Error Domain=UsageTrackingErrorDomain Code=1 "Something without a application-identifier entitlement tried to manage usage budgets" UserInfo={NSLocalizedDescription=Something without a application-identifier entitlement tried to manage usage budgets}
The above use case should work, right? I should be able to apply the settings inside DeviceActivityMonitorExtension?
What does the application-identifier entitlement look like?
How do I use it?
On the filter Data provider, based on certain conditions I either allow or drop the packets.
I've set the "shouldReport" field to true.
On the filter control provider, I do override the handleReport function.
When I drop the packet in handleInboundComplete, with the following line :
result = NEFilterDataVerdict.drop()
return result
The flow is getting dropped as expected.
I also expect handleReport, inside FilterControlProvider, to get called with the report stating whether the flow was dropped or allowed. But this does not happen.
Any ideas, why?
Is there a better way for Filter Control provider to know about the verdict made by Filter Data Provider, about a flow?
What is the NSExtensionPointIdentifier for ShieldConfigurationProvider, to change the appearance of the shield for Family Controls?
I am able to see the list of Applications using the Family ActivityPicker on the child but not able to see it on the parent device. I can see the list of categories but there aren't any applications on each of the categories. My expectation is to see the applications which are installed on the child device. Please correct me if that is not the expected behavior.
The family sharing is set up correctly, and on requesting authorization, it does fail to get the authorization as expected, because it's the parent account.
I do see the correct behavior on the child device. I did provide authorization and I can see the list of applications inside the picker on Beta 2.
On the parent device I see the following errors in the console :
Connection error from Optional("com.apple.ManagedSettingsAgent"): Couldn’t communicate with a helper application.
Attempts remaining: 1
Failed to fetch effective value for com.apple.ManagedSettings.effective-media-settings.changed: Couldn’t communicate with a helper application.
Failed to open usage store with error: The file “Store.plist” couldn’t be opened because there is no such file.
Any ideas?
Is the com.apple.developer.kernel.increased-memory-limit entitlement working as of iOS 15 Beta 3?
As of right now if I try to add this entitlement on Beta 3 or below, the Automatic Signing fails.
How much extra memory would be provided for an Application or its extension with this entitlement?
With Xcode 12 the following lines of code had been working fine :
CFRunLoopSourceRef runloop = CFMessagePortCreateRunLoopSource(kCFAllocatorDefault, this->m_localPort, 0);
CFRunLoopAddSource(CFRunLoopGetCurrent(), runloop, kCFRunLoopCommonModes);
CFRunLoopRun();
Xcode 13 is basically causing this to crash at CFRunLoopRun with the following error :
[CFData release]: message sent to deallocated instance 0x281013cf0
It looks like something got released earlier than it should have.
This works fine with Xcode 12 though. I am assuming this should be a bug, but is there anything I can do to verify this or pinpoint what exactly is wrong?