If this is possible, I plan on deploying it in a business environment with around 10k macOS users. The ultimate goal is to be able to detect if the system queries a malicious domain.
Yes, I need to do this on device. I have a System Extension (NE Content Filter) running on these devices, so I would like to do this from the system extension.
Quinn, thanks for the reply. I'm not planning on making security decisions based on this info; I just would like to obtain this information for logging purposes. Also, I'm targeting macOS, and this is an enterprise app.
I would like to know about those better ways to do this that you mentioned.
Quinn, again thanks for the help. I submitted an enhancement request as you suggested, FB9149624. I am not sure I selected the correct category but I could not find one appropriate for this case.
Well, that's even better. Thanks, Quinn.
What are my options for doing this on device from a system extension?
Thanks, Matt. Would a NEDNSTransparentProxyProvider be something you guys would consider adding in the future, or is that impossible?
I think using a different delegate for each request is appropriate for my use case. I don't think serializing will work for me because my container app does not have a GUI and is only used via the command line; therefore it is only run when I want to activate or deactivate the extension. Thanks to both btw :)
My app runs on macOS. I am currently deploying it to the users via a pkg that is installed through the MDM. I can't use a GUI. I understand what you are saying, but I really see no other way to do this.
Thanks for the reply, Matt. I do receive that callback and the system extension is replaced, but as I explained before, the new extension does not start.
I know there is a workaround for this because I have seen apps that use system extensions that don't have this problem and they do this using a command line app.
Unfortunately, using a GUI is not an option for me. I can't just tell the 10k users in my organization to open a GUI and do the installation process themselves.
Also, how does using a GUI make sense in the case of an update to my system extension? The update should require no user interaction.
Lastly: when I say command line app, I mean I execute my .app main executable from the command line. I don't have a separate binary; it's just the container app.
Hi, could you elaborate more on how you update your system extension? What is the whole process like?
This is happening on handleNewFlow. Given that the direction is inbound, I assume the source of the traffic is the remoteEndpoint. Correct?
My system extension downloads a pkg installer and executes it with the command shown above. I do this so the app can update itself with no user interaction. The installer copies the app to /Applications and executes the container app.
If I were to run the installer from the container app instead of from the system extension, would it work? I'm asking because I saw an implementation where the system extension downloaded the pkg installer and then called the helper app to run that installer.
Yes, when I download the installer and execute it I do go through the replace action.