Obviously we ran into the same problem.
To keep the thread posted on what we tried and what seems to work well for us, here's what we did:
We first tried using AppleScript to simulate the behavior of "dragging the app to the Trash". This did work sometimes. macOS did throw the popup saying something about an extension being moved to the Trash and so on. However, other times the container app got removed but the tied extension kept running, putting the system into a weird state and requiring systemextensionsctl reset. After experimenting, we dropped this for our use case.
We exposed a command-line switch in the app. During uninstall/upgrade, we launch the app with this new command-line parameter; on seeing this, the app stops the extension using the framework and then deactivates it. This cleans things up. After this we delete the app. This has been holding well so far for us, but we are still experimenting with this.
If you happen to try this out, let me know if that works out for you as well.
If there's any better strategy, do update the thread please.
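The command-line switch approach described in the post above, as an added example that is not the poster's code and not from any Apple sample project. It assumes a hypothetical flag name (--uninstall-extension) and a hypothetical extension bundle identifier (com.example.vpnapp.networkextension); both are placeholders. The app stops and removes the tunnel configuration with NetworkExtension, then submits an OSSystemExtensionRequest deactivation request, and exits with a status the uninstaller script can check before it deletes the .app bundle.

```swift
import Foundation
import NetworkExtension
import SystemExtensions

// Hypothetical identifiers: substitute your own extension bundle ID and flag name.
let extensionBundleID = "com.example.vpnapp.networkextension"
let uninstallFlag = "--uninstall-extension"

/// Tears down the tunnel configuration and deactivates the system extension.
/// The uninstaller/upgrader launches the app with the flag, waits for the
/// process to exit, checks the exit status, and only then removes the bundle.
final class ExtensionUninstaller: NSObject, OSSystemExtensionRequestDelegate {

    func run() {
        // Step 1: stop any running tunnel and remove the saved configuration.
        // Removing the NETunnelProviderManager disconnects the tunnel and leaves
        // nothing for a relaunched extension process to serve.
        NETunnelProviderManager.loadAllFromPreferences { managers, error in
            if let error = error {
                NSLog("loadAllFromPreferences failed: \(error)")
                exit(2)
            }
            let group = DispatchGroup()
            for manager in managers ?? [] {
                if manager.connection.status != .disconnected {
                    manager.connection.stopVPNTunnel()
                }
                group.enter()
                manager.removeFromPreferences { removeError in
                    if let removeError = removeError {
                        NSLog("removeFromPreferences failed: \(removeError)")
                    }
                    group.leave()
                }
            }
            group.notify(queue: .main) {
                self.deactivate()
            }
        }
    }

    // Step 2: ask the system to deactivate the extension. This is what the
    // framework does when the app is dragged to the Trash, but here it runs
    // to completion while the bundle is still on disk.
    private func deactivate() {
        let request = OSSystemExtensionRequest.deactivationRequest(
            forExtensionWithIdentifier: extensionBundleID, queue: .main)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    // MARK: OSSystemExtensionRequestDelegate

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
        return .replace   // only relevant for activation requests, not reached here
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        // Deactivation normally prompts for an administrator password, so the
        // uninstaller has to run in a GUI session where the user can approve it.
        NSLog("Deactivation is waiting for user approval")
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        // .completed or .willCompleteAfterReboot; either way the extension is
        // no longer going to be relaunched, so the bundle can be deleted.
        NSLog("Extension deactivated: \(result.rawValue)")
        exit(0)
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        NSLog("Deactivation failed: \(error)")
        exit(1)   // non-zero: the uninstaller should not delete the app yet
    }
}

// Entry point: only act when launched with the uninstall flag; otherwise the
// app continues with its normal startup (not shown).
if CommandLine.arguments.contains(uninstallFlag) {
    let uninstaller = ExtensionUninstaller()
    uninstaller.run()
    RunLoop.main.run()   // keep the process alive until a delegate callback calls exit()
}
```

The exit status is the handshake with the uninstaller: a script that does `/Applications/VPNApp.app/Contents/MacOS/VPNApp --uninstall-extension && rm -rf /Applications/VPNApp.app` (paths are placeholders) deletes the bundle only after deactivation has been accepted, which avoids the orphaned-extension state that the AppleScript approach produced.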
Thank you, Matt, for replying on this.
I will keep your opinion in mind.
Hello Matt,
I have a somewhat related question here.
What I am noticing is that if for some reason the system network extension crashes, then it gets relaunched. I can see my system network extension process running in Activity Monitor; however, it doesn't serve traffic, i.e. it requires me to trigger a new startVPNTunnel from the container app again. Is that expected behavior?
Does this mean we need to instruct our application users to always have the container app running, so that we can detect the extension crashing or other problems via some keepalive messaging and re-trigger startVPNTunnel, or do you have something more spontaneous in mind that can help re-init the extension when it gets auto-launched by Apple?
I am seeing the same for the 11.2.3 update, and I am on a 2019 MBP that was just upgraded to 11.2.2.
The download never completes, reporting an error in internet connectivity.
Hello Matt,
If I go with your suggestion, then in the second extension how would I know whether the packet has traversed the first extension?
I see the flow has metadata that can be used to identify the application that originated the packet, to avoid loops; however, I didn't find anything that can tell extensions along the way which extensions the packet has already been through.
I remember reading the Apple doc mentioning that a blanket rule like that isn't permitted; we either need to specify a port and all IPs, or all ports and some IPs. Maybe try adding a port-specific rule and verify whether anything improves.