I am looking at the requirements to develop a network extension.
Does a network extension have to be contained within an application? Or could it be contained within a plugin bundle and run from a daemon that loads this plugin?
Thanks, Don
Does a network extension have to be contained within an application?
Yes.
Well, that was easy (-:
Be aware that macOS supports two different flavours of NE provider, app extension and system extensions. Some provider types are supported by both but some are only available as a sysex.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Thanks Quinn. I have a project that has a need to install/start a network extension from a daemon process. Our architecture uses plugins for different features. The idea is to create a plugin bundle which would be able to download the app bundle with the network extension and install it. Can the daemon/plugin run the app to install the network extension?
Also once the NE is installed, can a root process uninstall the NE? AFAIK this cannot be done.
Thanks, Don
I have a project that has a need to install/start a network extension from a daemon process.
There’s no supported way to do this, at least not directly. See this post.
Most folks who try to do this are doing it in support of deployment to managed environments. If that’s the case here, look at the various configuration profile payloads that let you manage system extensions and NE configurations (VPN, content filter, and so on).
If you’re not targeting a managed environment my advice is that you let the user do this from your container app.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Hi Quinn,
Ideally when a URL is determined to be blocked, we want to show a custom blocked page.
Is there a way to inject a "blocked" page to the browser that initiated the network connection? Maybe from the network extension in the NEFilterDataProvider subclass?
Thanks, Don
Is it supported that a network extension is able to communicate with a daemon through an IPC mechanism?
Yes.
The only thing to watch out for here is the App Sandbox. All NEs, both appex and sysex, must be sandboxed. The sandbox prevents you from reaching out to arbitrary XPC services. However, you can allow this using a temporary exception entitlement. If you’re shipping outside the Mac App Store, which it sounds like you are, using a temporary exception entitlement for this is fine.
Is there a way to inject a "blocked" page to the browser that initiated the network connection?
On iOS you can do this by blocking the flow with a remediation verdict. However, that seems to be unavailable on macOS. I’m not sure what macOS filters are expected to do for this.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
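An added example, not code from this thread or from Apple, of the sandboxed-extension-to-daemon XPC path Quinn describes. The extension target's entitlements carry `com.apple.security.app-sandbox` set to true plus the temporary exception `com.apple.security.temporary-exception.mach-lookup.global-name` listing the daemon's Mach service name; the daemon is a launchd system daemon whose plist registers that name under `MachServices`. The service name `com.example.blockd`, the `BlockListService` protocol, the Team ID `ABCDE12345`, the bundle ID `com.example.app.filter` and the sample block list are all assumptions for this illustration. Because the daemon is reachable by anything root can run, it pins the peer with a code-signing requirement (macOS 13 and later) before exporting its object.

```swift
import Foundation
import NetworkExtension

// Protocol shared by the daemon and the extension (hypothetical name and method).
@objc protocol BlockListService {
    func verdict(forHost host: String, reply: @escaping (Bool) -> Void)
}

// ---- Daemon side: launchd system daemon with MachServices = com.example.blockd ----
final class BlockListServer: NSObject, BlockListService, NSXPCListenerDelegate {
    // Constructed sample data; a real daemon would load and refresh this.
    private let blocked: Set<String> = ["ads.example.net", "tracker.example.org"]

    func verdict(forHost host: String, reply: @escaping (Bool) -> Void) {
        reply(blocked.contains(host.lowercased()))
    }

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection conn: NSXPCConnection) -> Bool {
        // Accept only our own signed extension. Team ID and bundle ID are placeholders;
        // use the requirement that codesign prints for the shipping extension.
        guard #available(macOS 13.0, *) else { return false }
        conn.setCodeSigningRequirement(
            "identifier \"com.example.app.filter\" and anchor apple generic " +
            "and certificate leaf[subject.OU] = \"ABCDE12345\"")
        conn.exportedInterface = NSXPCInterface(with: BlockListService.self)
        conn.exportedObject = self
        conn.resume()
        return true
    }

    func run() -> Never {
        let listener = NSXPCListener(machServiceName: "com.example.blockd")
        listener.delegate = self
        listener.resume()
        RunLoop.main.run()
        exit(0)
    }
}

// ---- Extension side: sandboxed NEFilterDataProvider (runs as root in a sysex) ----
// Needs the temporary-exception.mach-lookup.global-name entitlement for com.example.blockd.
final class BlockListClient {
    private let connection: NSXPCConnection

    init() {
        // .privileged: look the service up in the global (launchd system) bootstrap.
        connection = NSXPCConnection(machServiceName: "com.example.blockd",
                                     options: .privileged)
        connection.remoteObjectInterface = NSXPCInterface(with: BlockListService.self)
        connection.resume()
    }

    func shouldBlock(host: String, completion: @escaping (Bool) -> Void) {
        let proxy = connection.remoteObjectProxyWithErrorHandler { _ in
            // Daemon unreachable: fail closed so a crashed daemon cannot bypass the filter.
            completion(true)
        } as! BlockListService
        proxy.verdict(forHost: host, reply: completion)
    }
}

final class FilterProvider: NEFilterDataProvider {
    private let client = BlockListClient()

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Hand every outbound flow to handleNewFlow; narrow this in a real product.
        let rule = NEFilterRule(
            networkRule: NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                       localNetwork: nil, localPrefix: 0,
                                       protocol: .any, direction: .outbound),
            action: .filterData)
        apply(NEFilterSettings(rules: [rule], defaultAction: .allow), completionHandler: completionHandler)
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let host = (flow as? NEFilterSocketFlow)?.remoteHostname else { return .allow() }
        // The XPC round trip is asynchronous, so pause the flow and resume it with the verdict.
        client.shouldBlock(host: host) { block in
            self.resumeFlow(flow, with: block ? .drop() : .allow())
        }
        return .pause()
    }
}
```

The fail-closed choice in the error handler is deliberate for a filtering product: the alternative, returning `false` when the daemon is down, means anyone who can stop or crash the daemon disables the filter. Note also that `remoteHostname` is only populated when the system has a hostname for the flow; flows to a bare IP address will reach `handleNewFlow` with `nil` and are allowed by the guard above, which you may or may not want.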
I will look at your suggestion for the temporary exception entitlement.
Thanks, Don