Something very simple, like a content filter which denies all network connections when it’s active.
Back in the day, building a NetworkExtension (NE) provider was tricky because the OS was so far in front of the tools. That’s no longer the case, and Xcode makes this process reasonably straightforward [1]. To get started:
Create a new app from the template of your choice.
In that app, create two new targets from the Network Extension template. In the first, choose Filter Control from the Provider Type. In the second, choose Filter Data.
In all three targets, make sure there is a Network Extensions slice in the Signing & Capabilities tab of the target editor, and make sure the Content Filter checkbox is set.
Note: The default NE templates configure an app group. This isn’t always necessary, so it’s a good idea to delete it when you start off and then add it back in if and when you need it.
In the data provider, change the return statement in the handleNewFlow(_:) method to return .drop().
The project should now build and run. Some things to note:
Make sure you test on a device. NE providers are not supported in the simulator.
You can configure your content filter using a configuration profile. See the (somewhat misnamed) WebContentFilter payload.
For debugging purposes only, you can configure your content filter programmatically using NEFilterManager.
IMPORTANT: This only works for Development builds of your app, that is, if it has the get-task-allow entitlement. In production a content filter is only supported on supervised devices and must be configured using a profile.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
[1] Nowadays it’s the folks who are building SystemExtension-based providers for macOS 10.15 that have to live on the bleeding edge (-:
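
The deny-all data provider and the debug-only NEFilterManager setup described in the post above, as an added example that is not part of the original post. The class name, function name and description string are assumptions; the first part belongs in the Filter Data extension target and the second in the container app.

```swift
import NetworkExtension
import os.log

// --- Filter Data extension target ---
// Class name is an assumption; use the class the Xcode template generated.
final class FilterDataProvider: NEFilterDataProvider {

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        completionHandler(nil)   // a deny-all filter has nothing to set up
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // Called once for each new flow; returning .drop() denies it outright,
    // so no connection gets through while the filter is active.
    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        return .drop()
    }
}

// --- Container app target, Development builds only ---
// Hypothetical helper name. Production devices take this configuration
// from a profile instead.
func enableFilterForDebugging() {
    let manager = NEFilterManager.shared()
    manager.loadFromPreferences { error in
        if let error = error {
            os_log("filter load failed: %{public}@", error.localizedDescription)
            return
        }
        let config = NEFilterProviderConfiguration()
        config.filterSockets = true    // hand socket flows to the data provider
        config.filterBrowsers = true   // hand WebKit browser flows to it as well
        manager.providerConfiguration = config
        manager.localizedDescription = "Deny-all test filter" // constructed label
        manager.isEnabled = true
        manager.saveToPreferences { error in
            if let error = error {
                os_log("filter save failed: %{public}@", error.localizedDescription)
            }
        }
    }
}
```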