Avoiding user input on a Network Extension on macOS

So I have implemented the NEDNSProxyManager in my application. This version of the application is replacing an older version which used unbound as a local server to redirect DNS. The application tries to monitor and block some pages when running. All is working ok so far.

However the addition of the network extension means that the user has to allow the extension in the privacy settings, and then accept that the DNS traffic is intercepted, and they can turn all this off in Network preferences in the interfaces sidebar. This bypasses our security. There are some workarounds I can put into the app but in the meantime I have a question.

I know that on iOS there is a requirement to install all of this via an MDM. Is that also possible and/or recommended on macOS? Would the MDM config file remove the necessity of the popups? Does it stop the removal of the

(By the way the user even as an admin seems to have a lot of freedom. It looks like I can delete the wifi interface without any password).

Would the MDM config file remove the necessity of the popups?

If you are working with a Network System Extension for your application, then there is the System Extension Payload specific profile.

Regarding:

Does it stop the removal of the (By the way the user even as an admin seems to have a lot of freedom. It looks like I can delete the wifi interface without any password)

If you mean, does it stop the allow dialog for Network Configurations, then no it does not. This would be an enhancement request.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hmm, I seem to have deleted a paragraph there. I wasn't just asking about the allow dialog but stopping the user from deleting the extension from the network preferences.
