How to uninstall a systemextension with SIP on

Hi there,

We are using a systemextension for networking, and now we are trying to turn on SIP and install/uninstall the systemextension.

Current status is that: with SIP on, systemextension can be installed correctly, but cannot be uninstalled.

The install/uninstall code is like below. Calling installSystemExtension() from the entrance of ProxyManger.swift:loadProxyManager returns success: "activation request succeeded". And the systemextension list command shows the newly installed sysExt.

But calling uninstallSystemExtension() from the entrance of ProxyManger.swift:remove() results in an error: "deactivation request failed authorization: unauthorized". And the systemextension list command shows no difference.

	@available(macOS 11.0, *)
	private func installSystemExtension() {
		log.info("[LogApp] will submit activation request")
		let request = OSSystemExtensionRequest.activationRequest(
			forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy",
			queue: .main
		)
		request.delegate = self
		OSSystemExtensionManager.shared.submitRequest(request)
		log.info("[LogApp] did submit activation request")
	}
	
	// MARK: - Unload System Extension
	
	@available(macOS 11.0, *)
	public func uninstallSystemExtension() {
		log.info("[LogApp] will submit deactivation request")
		let request = OSSystemExtensionRequest.deactivationRequest(
			forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy",
			queue: .main
		)
		request.delegate = self
		OSSystemExtensionManager.shared.submitRequest(request)
		log.info("[LogApp] did submit deactivation request")
	}

Thanks in advance for any suggestion.

There is, alas, no supported way to programmatically uninstall a system extension. See this thread for more, and also this post.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
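The requests in the question set `request.delegate = self`, but the delegate methods are not shown. As an added example (not the poster's code and not Apple's), here is a delegate that records how each request ends, so a failed deactivation is logged with its `OSSystemExtensionError` code rather than only a message string. The class name and the log subsystem are placeholders.

```swift
import Foundation
import SystemExtensions
import os

// Added example: `SysExtRequestDelegate` and "com.example.app" are hypothetical names.
@available(macOS 11.0, *)
final class SysExtRequestDelegate: NSObject, OSSystemExtensionRequestDelegate {
    private let log = Logger(subsystem: "com.example.app", category: "sysext")

    // Called when an extension with the same identifier is already installed.
    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
        -> OSSystemExtensionRequest.ReplacementAction {
        log.info("replacing \(existing.bundleShortVersion, privacy: .public) with \(ext.bundleShortVersion, privacy: .public)")
        return .replace
    }

    // The system is waiting for the user to approve the request.
    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        log.info("\(request.identifier, privacy: .public): waiting for user approval")
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        switch result {
        case .completed:
            log.info("\(request.identifier, privacy: .public): request completed")
        case .willCompleteAfterReboot:
            log.info("\(request.identifier, privacy: .public): completes after reboot")
        @unknown default:
            log.error("\(request.identifier, privacy: .public): unknown result \(result.rawValue)")
        }
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        let nsError = error as NSError
        // Errors from other domains are logged as-is.
        guard nsError.domain == OSSystemExtensionErrorDomain,
              let code = OSSystemExtensionError.Code(rawValue: nsError.code) else {
            log.error("request failed: \(nsError, privacy: .public)")
            return
        }
        switch code {
        case .authorizationRequired:
            log.error("request was not authorized; no retry is attempted")
        case .forbiddenBySystemPolicy:
            log.error("request forbidden by system policy")
        case .extensionNotFound:
            log.error("no extension with identifier \(request.identifier, privacy: .public)")
        default:
            log.error("request failed, code \(code.rawValue): \(nsError.localizedDescription, privacy: .public)")
        }
    }
}
```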

Thanks for sharing. Do you have any update on the status of r. 70246597, r. 66312716 or r. 67923914? I cannot find any result from https://openradar.appspot.com/

When (beginning from which macOS version) can this uninstall sysExt issue be resolved?

I tried Monterey, and it has the same issue.

I see questions like this a lot so I want to clarify one thing: The SystemExtensions framework is intended to be used by a GUI app to load and unload system extensions in response to user actions. It’s not meant to be called from a command-line tool, regardless of how that command-line tool is packaged. Calling it from a command-line tool is unsupported and may yield weird results.

I recently filed a bug to get this clarified in the framework’s documentation (r. 70246597). We also have a bug on file to add more options for installing and uninstalling system extensions (r. 66312716), although if you have specific requirements in that space it wouldn’t hurt to file your own bug describing those requirements.

Finally, a lot of folks who ask about this are primarily focused on deploying to managed environments, and such environments can do more with system extensions using MDM.

Share and Enjoy

— Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Uninstall is a major hole in the sysex story right now )-: For example, you can currently install a sysex on a managed Mac but not uninstall it. The sysex team is aware of these problems (r. 67923914) but I’ve no info to share as to when they might be resolved.

Share and Enjoy

— Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Do you have any update on the status of r. 70246597, r. 66312716 or r. 67923914?

As far as I know there’s been no progress on the system extension uninstall issue.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

In this earlier comment, there's this note:

Finally, a lot of folks who ask about this are primarily focused on deploying to managed environments, and such environments can do more with system extensions using MDM.

Do you have any more details on what more things an MDM can do to uninstall system extensions? I've been doing a lot of Googling but it seems like most options will still show the end user a confirmation dialog.

I know Quinn says in the top comment that there's no programmatic way to uninstall a system extension, but I was wondering if there's an MDM way that I might be missing.

Do you have any more details on what more things an MDM can do to uninstall system extensions?

This post links to a bug (r. 67923914), and the status of that bug hasn’t changed since I posted about it here last month.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo you say that the only way to uninstall is to drag to the trash. Is the use of an AppleScript in a script recommended? I can see that work to ask the user to remove the extension?
