Activating System Extension fails with OSSystemExtensionErrorValidationFailed

When trying to activate my System Extension of type Network Extension, the delegate receives OSSystemExtensionErrorValidationFailed as error. However, when I remove the NEMachServiceName entry that Xcode created in the Info.plist file (and where I replaced the ID with the real ID of the System Extension), the activation succeeds.


Without that key I can even create a connection and start it, yet nothing seems to happen when I do so. System Preferences shows the created connection and that it is in state connecting but I see no process getting spawned and it doesn't seem as if the class set for the key com.apple.networkextension.packet-tunnel is ever created either. There's no error reported anywhere and nothing seems to happen until I stop the connection again.


I wonder if there is a general problem with the validity of that System Extension and removing the NEMachServiceName doesn't really solve that problem, it just prevents that problem from being detected. Or is the key NEMachServiceName even a requirement for a System Network Extension and it is expected behavior that I cannot be launched if that key isn't present? Signing and profile are managed by Xcode and Xcode says everything is okay and entitlements should be okay as well.


When installing without that key, I can also see that the extension has been installed using "systemextensionsctl list". However, everytime I activate the same system extension again from my app, it seems as if the installed one is uninstalled and the same version is then reinstalled. Not sure if that is an indicator of a problem or just because I start my app from Xcode and the system extension gets a new build ID on every run.

Or is the key

NEMachServiceName
even a requirement for a System Network Extension and it is expected behavior that I cannot be launched if that key isn't present?

My experience is that

NEMachServiceName
is a hard requirement.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

So you are basically saying:

Without a NEMachServiceName entry in the Info.plist, a System Network Extension cannot work at all?


This is all a bit confusing, as a normal Network Extension didn't require such a key and a System Extension that is not a Network Extension apparently neither. There is no documentation on the differences between a Network Extension and a System Network Extension, so it's currently even unclear which entitlements or capabilities a System Network Extension or its hosting app really require or which Info.plist keys must be set.


It turns out our validation problem was related to the App Group missing in the entitlements of the System Extension, despite the fact that Xcode itself manages these entitlements and in the UI everything looked correct. Making Xcode re-create everything solved the problem so far.

Without a

NEMachServiceName
entry in the
Info.plist
, a System Network Extension cannot work at all?

That was my experience. I left it out (because I wasn’t planning to do any IPC in my trivial test project) and the NE sysex failed to load with a nice log message telling me that

NEMachServiceName
was required.

Actually, I take that back. Looking at this again, it seems that the requirement is that the

NEMachServiceName
, if present, must be prefixed by one of the app groups. It should allow you to leave it out entirely.

Alas, I don’t have time to test this tonight.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
Activating System Extension fails with OSSystemExtensionErrorValidationFailed
 
 
Q