Network system extensions locations

Under macOS (and especially when using MDM), is it the case that a system extension (in particular, a Transparent Proxy Provider or Endpoint Security extension) must be embedded in an application bundle in /Applications? Or can they be located in some other location, or even directly installed into /Library/SystemExtensions and then activated via a LaunchDaemon? Does it matter whether it's distributed via the App Store or part of enterprise distribution? (Yes, my next step is to look into MDM, about which I know very little. 😄)

This is a case of me being confused by the documentation, and looking at some existing products.

Under macOS (and especially when using MDM), is it the case that a system extension (in particular, a Transparent Proxy Provider or Endpoint Security extension) must be embedded in an application bundle in /Applications?

Yes [1].

Does it matter whether it's distributed via the App Store or part of enterprise distribution independently using Developer ID?

No, it works fine for both.

Note I’ve reworked your question because macOS does not have “enterprise distribution”. Most enterprises use Developer ID signing for internal distribution, so the question makes most sense as I’ve rewritten it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] On production systems. You can use systemextensionsctl to relax this restriction on development systems.

I keep getting terminology wrong -- downside to talking to myself a lot. 😄

So everything should be in, say, /Applications/Mediocre.app but we can (using MDM) have things pre-installed, including a LaunchDaemon or LaunchAgent or whatnot, right?

Thank you again. 😄

So everything should be in, say, /Applications/Mediocre.app

Yes.

but we can (using MDM) have things pre-installed, including a LaunchDaemon or LaunchAgent or whatnot, right?

No. A system extension acts much like a launchd daemon, and it’s implemented as one under the bonnet, but it is not a vanilla launchd daemon. You can use MDM to install an app containing a sysex and then activate that sysex, and you get a similar effect, but that’s not the same as installing a launchd daemon.

And on the agent front, the NE sysex model does not support anything like a launchd agent. Your app could install an agent (most commonly that’d be a Service Management login item, installed using SMLoginItemSetEnabled) but that’s unrelated to its sysex functionality.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
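The activation step referred to above ("install an app containing a sysex and then activate that sysex") is performed by the host app itself through the SystemExtensions framework. The following Swift class is an added illustration, not code from this thread or from Apple: it submits an activation request for the extension embedded in the app bundle, handles the delegate callbacks (replacement policy, user approval, completion, failure), and first checks the /Applications placement that the answer describes. The extension bundle identifier, the class name and the completion callback are hypothetical.

```swift
import Foundation
import SystemExtensions

/// Activates the system extension shipped inside this app at
/// <App>.app/Contents/Library/SystemExtensions/<identifier>.systemextension.
/// Added example; names and identifiers are hypothetical.
final class SysexActivator: NSObject, OSSystemExtensionRequestDelegate {
    private let extensionIdentifier: String   // hypothetical, e.g. "com.example.mediocre.proxy"
    private let queue = DispatchQueue(label: "sysex-activation")
    private let completion: (Result<OSSystemExtensionRequest.Result, Error>) -> Void

    init(extensionIdentifier: String,
         completion: @escaping (Result<OSSystemExtensionRequest.Result, Error>) -> Void) {
        self.extensionIdentifier = extensionIdentifier
        self.completion = completion
    }

    /// Production systems only activate extensions embedded in an app under /Applications;
    /// on a development machine `systemextensionsctl developer on` relaxes this.
    static func isInApplicationsFolder() -> Bool {
        return Bundle.main.bundleURL.standardizedFileURL.path.hasPrefix("/Applications/")
    }

    func activate() {
        if !SysexActivator.isInApplicationsFolder() {
            NSLog("Warning: app is not in /Applications; activation will fail on production systems")
        }
        let request = OSSystemExtensionRequest.activationRequest(
            forExtensionWithIdentifier: extensionIdentifier, queue: queue)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    // MARK: - OSSystemExtensionRequestDelegate

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
        // Replace only when the embedded build is not older than the installed one,
        // so a stale app copy cannot downgrade a running extension.
        let order = existing.bundleVersion.compare(ext.bundleVersion, options: .numeric)
        return order == .orderedDescending ? .cancel : .replace
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        // Reached when no MDM system-extension policy pre-approves this extension;
        // the user must allow it in System Settings > Privacy & Security.
        NSLog("System extension %@ awaiting user approval", extensionIdentifier)
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        // .completed, or .willCompleteAfterReboot when a reboot is still required.
        completion(.success(result))
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        completion(.failure(error))
    }
}

// Usage from the app (for example at launch), with a hypothetical identifier:
let activator = SysexActivator(extensionIdentifier: "com.example.mediocre.proxy") { outcome in
    switch outcome {
    case .success(let result): NSLog("Activation finished: %d", result.rawValue)
    case .failure(let error):  NSLog("Activation failed: %@", error.localizedDescription)
    }
}
activator.activate()
```

Because the request is always submitted by the app, an MDM deployment still needs the app to run once (or to be launched by something else) for activation to happen; what MDM adds is the ability to pre-approve the extension via the system-extension policy payload so that `requestNeedsUserApproval` is never hit.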

Ha ha, sorry, I was not clear: I can have a LaunchDaemon, that would normally be installed as part of the app, installed via MDM stuff, and, completely separately, the app could be installed via the same mechanism to /Applications and would not need to be run a first time to install the daemon. The answer to that sounds like a confident yes, which pleases me.
