System Network Extension deactivated

I've developed a system-extension custom VPN app for macOS, which is in use by some internal testers. The app works fine, except for one user, who can't connect to the VPN. I saw that on his machine, the system extension is getting terminated very shortly after he approves it. Sometimes it happens while he's trying to connect, but sometimes it happens even without a connection attempt; he just approves the sysExt and waits.

I saw the following lines in the logs:

sysextd: [com.apple.sx:StateChange] **** advancing state from activated_enabling to activated_enabled
sysextd: observer for **** reached success: activated_enabled
sysextd: [com.apple.sx:XPC] client connection (pid 667) invalidated
2022-01-12 21:45:50.844914+0200 0x26fa     Activity    0xf149               496    0    sysextd: (Security) SecTrustEvaluateIfNecessary
2022-01-12 21:45:50.926046+0200 0x26fa     Default     0x0                  496    0    sysextd: request contains no authorizationref
2022-01-12 21:45:50.926390+0200 0x26fa     Default     0x0                  496    0    sysextd: returning cdhash for arbitrary arch x86_64 of extension ****
sysextd: [com.apple.sx:XPC] client connection (pid 1103) invalidated
nesessionmanager: [com.apple.networkextension:] Adding event subscription 775 for provider *** with extension point com.apple.networkextension.packet-tunnel
...
...
sysextd: received request to remove MDM payload with UUID ****
sysextd: removed MDM payload with UUID ****
sysextd: MDM payload change results in changed decision for Extension **** from Allow to UserOption
sysextd: deactivateExtension called for **** in state "activated_enabled"
 sysextd: [com.apple.sx:StateChange] extension **** advancing state from activated_enabled to terminating_for_uninstall

Is this issue related somehow to MDM profiles? Is it related to "client connection invalidated"? And what is this thing?

How can I debug it / understand where the problem is?

Well, this log for:

sysextd: [com.apple.sx:StateChange] extension **** advancing state from activated_enabled to terminating_for_uninstall

Typically means that the user uninstalled the System Extension. It can also mean that the System Extension is running or active, but the user is wanting to uninstall it so the Extension was terminated. Is your app or MDM config falling into a case where the Extension is being uninstalled somehow?

This can happen when dragging the container app into the Trash from the Finder.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

 Is your app or MDM config falling into a case where the Extension is being uninstalled somehow?

This is basically what I asked - I know that the user didn't terminate/uninstall the extension (nor the app). What I want to check is if it was uninstalled (mistakenly) by the MDM, so this is why I'm wondering about those 2 lines:

sysextd: received request to remove MDM payload with UUID ****
sysextd: removed MDM payload with UUID ****

Any clue on how to debug if it was uninstalled by the MDM?

Any clue on how to debug if it was uninstalled by the MDM?

I do not know the exact logs, but if you install the MDM for macOS debugging profile, do you see any logs that pertain to the MDM client initiating the uninstall before the sysextd logs that mention:

advancing state from activated_enabled to terminating_for_uninstall
Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
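
The correlation discussed in this thread, as an added example that is not part of the original posts or of Apple's tooling: it scans sysextd log text and, for every `terminating_for_uninstall` transition, reports whether an MDM decision change for that extension came first. The message shapes are the ones quoted above; the extension ids, the payload UUID and the rule that pairs a decision change with the most recently removed payload are assumptions.

```python
import re

# Constructed sample: message shapes follow the sysextd lines quoted in the
# thread; extension ids and the payload UUID are placeholders.
LINES = [
    ("21:45:50.926390", "[com.apple.sx:StateChange] com.example.vpn.ext advancing state from activated_enabling to activated_enabled"),
    ("21:46:02.000000", "received request to remove MDM payload with UUID 00000000-0000-0000-0000-00000000000A"),
    ("21:46:02.050000", "removed MDM payload with UUID 00000000-0000-0000-0000-00000000000A"),
    ("21:46:02.100000", "MDM payload change results in changed decision for Extension com.example.vpn.ext from Allow to UserOption"),
    ("21:46:02.150000", 'deactivateExtension called for com.example.vpn.ext in state "activated_enabled"'),
    ("21:46:02.200000", "[com.apple.sx:StateChange] extension com.example.vpn.ext advancing state from activated_enabled to terminating_for_uninstall"),
    ("21:50:00.000000", "[com.apple.sx:StateChange] extension com.example.other.ext advancing state from activated_enabled to terminating_for_uninstall"),
]
SAMPLE_LOG = "\n".join(
    f"2022-01-12 {t}+0200 0x26fa Default 0x0 496 0 sysextd: {m}" for t, m in LINES)

TS = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+[+-]\d{4}")
PAYLOAD_REMOVED = re.compile(r"sysextd: removed MDM payload with UUID (\S+)")
DECISION = re.compile(r"sysextd: MDM payload change results in changed decision "
                      r"for Extension (\S+) from (\w+) to (\w+)")
UNINSTALL = re.compile(r"(\S+) advancing state from \w+ to terminating_for_uninstall")

def explain_terminations(log_text):
    """Return one finding per terminating_for_uninstall transition."""
    last_payload = None   # most recently removed MDM payload (pairing is a heuristic)
    changes = {}          # extension id -> (timestamp, payload UUID, new decision)
    findings = []
    for line in log_text.splitlines():
        ts_match = TS.match(line)
        ts = ts_match.group(0) if ts_match else None
        if m := PAYLOAD_REMOVED.search(line):
            last_payload = m.group(1)
        elif m := DECISION.search(line):
            ext, old, new = m.groups()
            if old == "Allow" and new != "Allow":   # approval was withdrawn
                changes[ext] = (ts, last_payload, new)
        elif m := UNINSTALL.search(line):
            change = changes.pop(m.group(1), None)
            findings.append({
                "extension": m.group(1),
                "terminated_at": ts,
                "preceded_by": "mdm_decision_change" if change else "none",
                "payload_uuid": change[1] if change else None,
                "decision_changed_at": change[0] if change else None,
            })
    return findings

if __name__ == "__main__":
    for finding in explain_terminations(SAMPLE_LOG):
        print(finding)
```

Real input can be captured with `log show --predicate 'process == "sysextd"' --last 1h` (a command that does not appear in the thread) and passed to `explain_terminations` as text.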