Network Extension installation and multiple users

The System Extensions API is intended to be used by a GUI app in response to user actions (see this post). Folks who try to automate this inevitably run into problem. My recommendation is that:

• For normal user scenarios, you use the System Extensions API as it was intended to be used.

• If you need to support managed scenarios, you lean into the configuration profile sys and NE configuration options.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It is a (faceless, but with menubar icon/menu) GUI app. It just happens to be automatically launched as an agent, both to ensure it's there for everyone, and to keep it running. It isn't automated, more than any other program is, and it's there to interact with (included activating and deactivating) the extension, as is required by Apple's design. And all that is done in a GUI context, which causes user interaction if necessary. (The only weird thing we're doing is, as part of the postinstall script, using launchctl bootstrap to get it running for all currently-logged in users. As is documented.)

And none of that answers my question, which was whether or not SysPrefs being launched on a resigned console was expected behaviour or not.

(Also, it reproduces when not run as a launch agent, so that's not the issue. It seems to be that the system will, when one user clicks "Open security prefs", open it on all sessions where the containing app is running. I'll try to make a small test case for a feedback, but that will take a fair amount of time when I don't particularly have a lot right now.)

I filed FB11653435, and attached a very simple project to it which demonstrates the issue.