Hello there.
We have an endpoint security service that consists of a command-line tool and a client app that bundles a network extension (the command-line tool runs as a daemon via Launch Services and communicates with the extension via XPC). It works when installed manually under all OS versions, and under macOS 12.x (Monterey) and earlier when provisioned via MDM.
However, beginning with some version of 13.x (Ventura), MDM provisioning is insufficient. The daemon is unable to connect to the extension via XPC.
Under "Full Disk Access" in System Pref^H^H^H^HSettings, an entry for our component appears but the switch is off. Turning the switch on manually at this point does not change the situation; the daemon apparently remains unable to talk to the extension.
It seems as though some additional entitlement or declaration is now needed in the MDM mobileconfig to make things work under 13.x and above, but after trying a multitude of combinations, I'm at a loss. Any hints?
When attempting to configure a network extension on iOS in the absence of user authorization or MDM provisioning, the call to saveToPreferences() on NEDNSProxyManager fails with an error of code 10 in domain "NEConfigurationErrorDomain". I want to test for this condition in order to present a more helpful message to the user.
However, it appears that NEConfigurationErrorDomain is not declared in any system header. Why not? How do I test for this? Must I resort to a comparison against a string literal "NEConfigurationErrorDomain"?
What other error codes exist in this error domain?
As of macOS 13 beta 2 (22A5286j), es_new_client() fails with ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED despite having Full Disk Access granted.
(The same code works correctly on Monterey and earlier OS versions.)
Is this a known regression? Have the API or prerequisites changed? I could find no germane mention in the Ventura release notes.
thanks,
-ben
Attempts to install the iPadOS 16 beta all fail on my “iPad Pro (11-Inch)” (FTXN2C/A), with about 20 GB free storage.
Methods I've tried:
Over the air, after installing the profile from the Apple Developer web site. Result: the 5.6 GB image downloads; "verifying update"; device reboots; progress bar briefly shows a sliver of progress for half a minute or so; device reboots again; presents the regular 15.5 lock screen, and behaves as though I'd never downloaded the update at all.
Connected by USB, via Finder, option-clicking "Check for Updates" and choosing the .ipsw image. Result: “A software update is required to update your iPad”, followed by “Can’t install the software because it is not currently available from the Software Update server”.
Connected by USB, via Apple Configurator. Result: “The operation couldn’t be completed. (AMRestoreErrorDomain error 10 - Failed to handle message type StatusMsg (Protocol error)) [AMRestoreErrorDomain – 0xA (10)]”; iPad is bricked; forced to reinstall a fresh 15.5 image and restore from backup.
For what it's worth, for the past few years no beta version of iPadOS has installed properly over the air (although the RC versions do, and tethered .ipsw-based installations have also worked).
Anybody clue me in here?
thanks,
I'm implementing an NEFilterDataProvider subclass on iOS, and am trying to make outbound network connections from it. Is this supposed to work?
URLSession doesn't do it (the connection is never established); perhaps that's by design, considering NEProvider offers createTCPConnection(to:enableTLS:tlsParameters:delegate:), which seems to be designed for the job. However, calling this method doesn't work either; the connection never completes, and alternates between the connecting and waiting states while logging things like this:
nw_endpoint_handler_start [C8 Hostname#2169586f:443 initial path ((null))]
nw_endpoint_handler_reset_mode [C8 Hostname#2169586f:443 waiting path (unsatisfied (Path was denied by NECP policy), interface: en0, ipv4, dns)] reset
nw_connection_report_state_with_handler_on_nw_queue [C8] reporting state waiting
And on the first waiting state, the NWTCPConnection's error shows:
The operation couldn’t be completed. (kNWErrorDomainDNS error -65563 - DNS Error: ServiceNotRunning)
which seems a bit strange because I'm connecting to an IP address (no DNS lookup required).
Am I overlooking something? Or is an NEFilterProvider prohibited from actually making its own outbound connections?
thanks,
-ben
Hi there.
In short: I've been unsuccessful at getting the Endpoint Security sample app https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security to operate properly.
When run, taskgated-helper logs com.example.apple-samplecode.SampleEndpointAppXXXXXXXXXXX.Extension: Unsatisfied entitlements: com.apple.developer.endpoint-security.client repeatedly (where XXXXXXXXXX is the team ID).
I have SIP disabled and systemextensionsctl developer on. Despite this I've also dragged the built product into /Applications before launching, yet it makes no difference.
(Note: there also appears to be an oversight in the setup instructions; it proved necessary to manually insert my team ID into the [OSSystemExtensionRequest activationRequestForExtension:queue:] call in ViewController.m:28. Unlike the NetworkExtension sample project, this one doesn't try to determine the bundle ID programmatically.)
The video at https://developer.apple.com/videos/play/wwdc2020/10159/ (around 8:30) implies that a specific provisioning profile must be generated by Apple on request. Is that accurate? The “request an entitlement” form at https://developer.apple.com/contact/request/system-extension/ doesn't ask for a bundle identifier or anything like that, so it's not clear how the granting of this entitlement is supposed to manifest.
Furthermore, the text at https://developer.apple.com/system-extensions/ implies that turning off SIP should be sufficient for development testing—that certainly proves true for a NetworkExtension content filter, for example. Is it also supposed to be true for Endpoint Security, or are the entitlement and bespoke provisioning required in advance of being able to even test locally?
thanks,
b