NetworkExtension: Unsatisfied entitlements: com.apple.security.application-groups

Setup Details:

  • ProductName: macOS
  • ProductVersion: 11.5.1
  • BuildVersion: 20G80
  • Platform: arm64
  • Rosetta2 emulator is installed.

My Network Extension app, which has the entitlements below, is not working on many M1 MacBooks. The behavior is very random: on some M1 systems it works without any issue, and on a few systems it never works:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/private/var/db/mds/</string>
        <string>/usr/local/myorg/Mcp/bin/</string>
        <string>/usr/local/myorg/StatefulFirewall/bin/</string>
    </array>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider-systemextension</string>
        <string>content-filter-provider-systemextension</string>
    </array>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.myorg.endpoint</string>
    </array>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>

Error in system extension:

2021-09-30 12:41:53.049345-0400 0x361f5b   Error       0x0                  60247  0    taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] com.myorg.CMF.networkextension: Unsatisfied entitlements: com.apple.security.application-groups

More logs are attached:

In one instance, the package that works on many M1 machines crashed with an 'EXC_CRASH (Code Signature Invalid)' exception:

Process:               com.myorg.CMF.networkextension [503]
Path:                  /Library/SystemExtensions/*/com.myorg.CMF.networkextension
Identifier:            com.myorg.CMF.networkextension
Version:               ???
Code Type:             X86-64 (Translated)
Parent Process:        launchd [1]
Responsible:           com.myorg.CMF.networkextension [503]
User ID:               0

Date/Time:             2021-09-30 12:55:27.365 -0400
OS Version:            macOS 11.5.1 (20G80)
Report Version:        12
Anonymous UUID:        BBAF0CEC-BDE6-1239-9E5D-9099403D7616


Time Awake Since Boot: 63 seconds

System Integrity Protection: enabled

Crashed Thread:        Unknown

Exception Type:        EXC_CRASH (Code Signature Invalid)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace CODESIGNING, Code 0x1

kernel messages:

VM Regions Near 0 (cr2):
--> 
    mapped file                 102b7f000-102baf000    [  192K] r-x/r-x SM=COW  Object_id=2f6c9e1b

Backtrace not available

Unknown thread crashed with ARM Thread State (64-bit):
..................

  • Could you please help me understand why the same package, which works fine on Intel Mac machines and also on some M1 Mac machines, fails on other M1 Mac machines?
  • What could we be doing wrong here?

App groups work very differently on the Mac than on iOS. See this post for the background to this.

It looks like you’re building a system extension rather than an NE app extension. Furthermore, it looks like your sysex includes both an NE provider and an ES client. Is that right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the response, Quinn. Yes, you are right, this is a System Extension app; we also build two extensions, for the NE providers (Content Filter and App/Transparent Proxy Provider) and for Endpoint Security.

My App entitlement looks like:

$ codesign -d --entitlements :- /Applications/MyorgSystemExtensions.app
Executable=/Applications/MyorgSystemExtensions.app/Contents/MacOS/MyorgSystemExtensions
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>REPLACEDID.com.Myorg.containerapp</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider-systemextension</string>
        <string>content-filter-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>REPLACEDID</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.Myorg.endpoint</string>
    </array>
</dict>
</plist>

SystemExtension entitlement looks like:

$ codesign -d --entitlements :- /Applications/MyorgSystemExtensions.app/Contents/MacOS/MyorgSystemExtensions
Executable=/Applications/MyorgSystemExtensions.app/Contents/MacOS/MyorgSystemExtensions
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>REPLACEDID.com.Myorg.containerapp</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider-systemextension</string>
        <string>content-filter-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>REPLACEDID</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.Myorg.endpoint</string>
    </array>
</dict>
</plist>


Provisioning file looks like:

$ security cms -D -i /Applications/MyorgSystemExtensions.app/Contents/embedded.provisionprofile

....
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.endpoint-security.client</key>
        <true/>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
            <string>dns-settings</string>
        </array>
        <key>com.apple.application-identifier</key>
        <string>REPLACEDID.com.Myorg.containerapp</string>
        <key>keychain-access-groups</key>
        <array>
            <string>REPLACEDID.*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>REPLACEDID</string>
    </dict>
....

I am trying to compare the entitlements, but I may be missing an error as I am not an expert with this. Quinn, I would really appreciate it if you could point out any error.

Thanks

Yes, you are right, this is a System Extension app; we also build two extensions, for the NE providers (Content Filter and App/Transparent Proxy Provider) and for Endpoint Security.

To be clear, that’s a single sysex with multiple extension points within the sysex, right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Capturing more details about the extensions. Also, we are not installing and enabling ES on the machines where the issues are reported. The provisioning profile for NE looks like:

% security cms -D -i  /Applications/MyorgSystemExtensions.app/Contents/Library/SystemExtensions/com.Myorg.CMF.networkextension.systemextension/Contents/embedded.provisionprofile
...
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.endpoint-security.client</key>
        <true/>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
            <string>dns-settings</string>
        </array>
        <key>com.apple.application-identifier</key>
        <string>REPLACEDID.com.Myorg.CMF.networkextension</string>
        <key>keychain-access-groups</key>
        <array>
            <string>REPLACEDID.*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>REPLACEDID</string>
    </dict>
...

The provisioning profile for ES looks like:

% security cms -D -i  /Applications/MyorgSystemExtensions.app/Contents/Library/SystemExtensions/com.Myorg.CMF.endpointsecurity.systemextension/Contents/embedded.provisionprofile
...
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.endpoint-security.client</key>
        <true/>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.application-identifier</key>
        <string>REPLACEDID.com.Myorg.CMF.endpointsecurity</string>
        <key>keychain-access-groups</key>
        <array>
            <string>REPLACEDID.*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>REPLACEDID</string>
    </dict>
...

But for ES we have a separate extension.
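The comparison that this post and the earlier one are doing by eye (signed entitlements on one side, the entitlements granted by the embedded provisioning profile on the other) can be scripted. The following is an added example, not code from this thread or from Apple. It takes the text printed by `codesign -d --entitlements :-` and by `security cms -D -i embedded.provisionprofile`, and reports every signed entitlement the profile does not cover. The sandbox keys listed in `UNRESTRICTED_PREFIXES` are assumed not to need profile backing; that list is an assumption for the example and should be adjusted to your own signing setup. The sample plists are constructed to mirror the ones quoted in the thread (`REPLACEDID` stands in for the team ID, as in the original post).

```python
"""Diff a binary's signed entitlements against the entitlements its embedded
provisioning profile grants. Added example for this thread (not Apple's or the
poster's code); feed it the text of `codesign -d --entitlements :- <path>` and
`security cms -D -i embedded.provisionprofile`."""
import plistlib
from fnmatch import fnmatchcase

# Assumption for this example: sandbox keys such as these are not backed by the
# provisioning profile, so their absence from it is not a mismatch.
UNRESTRICTED_PREFIXES = (
    "com.apple.security.app-sandbox",
    "com.apple.security.network.",
    "com.apple.security.files.",
    "com.apple.security.automation.",
    "com.apple.security.temporary-exception.",
)


def parse_codesign_entitlements(text):
    """codesign prints an 'Executable=...' line before the plist; skip to <?xml."""
    start = text.find("<?xml")
    if start < 0:
        raise ValueError("no entitlements plist found in codesign output")
    return plistlib.loads(text[start:].encode("utf-8"))


def parse_profile_entitlements(text):
    """`security cms -D` prints the whole profile plist; return its Entitlements dict."""
    return plistlib.loads(text.encode("utf-8")).get("Entitlements", {})


def _covered(wanted, granted):
    """True if one requested value is granted; profile strings may be wildcard
    patterns such as 'TEAMID.*' (as seen in keychain-access-groups)."""
    if isinstance(granted, list):
        return any(_covered(wanted, g) for g in granted)
    if isinstance(wanted, str) and isinstance(granted, str):
        return fnmatchcase(wanted, granted)
    return wanted == granted


def unsatisfied_entitlements(binary_ents, profile_ents):
    """Return {entitlement: reason} for every signed entitlement that the
    profile does not satisfy, ignoring keys assumed to be unrestricted."""
    problems = {}
    for key, value in binary_ents.items():
        if key.startswith(UNRESTRICTED_PREFIXES):
            continue
        if key not in profile_ents:
            problems[key] = "not present in profile"
            continue
        wanted = value if isinstance(value, list) else [value]
        missing = [v for v in wanted if not _covered(v, profile_ents[key])]
        if missing:
            problems[key] = "profile does not grant %r" % (missing,)
    return problems


# Constructed sample input modelled on the thread's plists; not real captured
# output. The binary claims an app group the profile never mentions.
SAMPLE_CODESIGN_OUTPUT = """Executable=/path/to/com.Myorg.CMF.networkextension
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>com.apple.application-identifier</key><string>REPLACEDID.com.Myorg.CMF.networkextension</string>
<key>com.apple.developer.endpoint-security.client</key><true/>
<key>com.apple.developer.networking.networkextension</key>
<array><string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string></array>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.application-groups</key>
<array><string>group.com.Myorg.endpoint</string></array>
<key>com.apple.security.network.client</key><true/>
<key>keychain-access-groups</key><array><string>REPLACEDID.com.Myorg.shared</string></array>
</dict></plist>
"""

SAMPLE_PROFILE_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>constructed sample profile</string>
<key>Entitlements</key><dict>
<key>com.apple.developer.endpoint-security.client</key><true/>
<key>com.apple.developer.system-extension.install</key><true/>
<key>com.apple.developer.networking.networkextension</key>
<array><string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string></array>
<key>com.apple.application-identifier</key><string>REPLACEDID.com.Myorg.CMF.networkextension</string>
<key>keychain-access-groups</key><array><string>REPLACEDID.*</string></array>
<key>com.apple.developer.team-identifier</key><string>REPLACEDID</string>
</dict></dict></plist>
"""


def check_sample():
    """Run the comparison on the constructed sample; the only finding should be
    the app group entitlement, matching the taskgated-helper log in the thread."""
    return unsatisfied_entitlements(parse_codesign_entitlements(SAMPLE_CODESIGN_OUTPUT),
                                    parse_profile_entitlements(SAMPLE_PROFILE_PLIST))


if __name__ == "__main__":
    for key, reason in sorted(check_sample().items()):
        print("%s: %s" % (key, reason))
```

Run it against the real outputs by passing the two command results to `parse_codesign_entitlements` and `parse_profile_entitlements`; array entitlements such as `com.apple.developer.networking.networkextension` are checked value by value, so a provider type the profile does not list is reported even when the key itself is present.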

OK.

Next question: What are you hoping to gain by using an App Group? Which processes are you sharing content between? And what sort of content?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Next question: What are you hoping to gain by using an App Group? Which processes are you sharing content between? And what sort of content?

We have an app and a library which do IPC communication with the System Extension to install and configure it, in a similar way to how it was done in Apple's 'SimpleFirewall' sample project. I could see 'com.apple.security.application-group' used there as well.

But this 'app-group' entitlement has been working fine on Catalina (10.15) and Big Sur for Intel Mac machines. Why could it start failing on M1 MacBooks? Also, on some M1 machines it is working fine.

We have an app and a library which do IPC communication with the System Extension to install and configure it

OK. At this point I’m going to recommend that you open a DTS tech support incident so that I (or more likely Matt :-) can allocate the time to investigate this properly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

 I’m going to recommend that you open a DTS tech support incident

Thanks, Quinn. I already created a TSI for the same issue this morning (IST). I also gave it the reference for this discussion so that I may not need to explain again the things we discussed here. Let me know if you need to know the follow-up/TSI number.
