A dumb question about NEVPNStatusDidChangeNotification

this notification only gets sent to the application that loads & starts the VPN?

Correct.

If I want some other process to be aware of it, I have to use the SC* APIs?

That’s a more complex question. To start, System Configuration framework is only available on macOS. Beyond that, it kinda depends on what specific state transitions the other processes care about:

• For basic stuff it may be better for the other processes to use Network framework.

• For highly detailed stuff, you could have your NE sysex vend information via its XPC service.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Surprisingly, the basic stuff seems to be surprisingly hard: what I was looking for was the equivalent of NEVPNStatusDidChangeNotification -- or basically, just a notification that a network change had happened. The behaviour causing this desire is if the sysex is disabled by the user, or if it dies, I want to be able to recover. Not too difficult, right? But polling is really a bad idea, and there isn't (that I can see?) a blocking "connect to XPC service" call.

"Have everyone try to connect to their counterparts over xpc" is a fallback option, but I have a nagging but incomplete memory of a system-wide way to be notified if there are any network changes. (Reachability isn't it, since you need to give it an address to be able to reach, n'est-ce pas?)

Alas, no, NWPathMonitor does not get notified when the transparent app proxy is enabled or disabled. :(