Two or more System Extension activation on Ventura

Hello!

After submitting two OSSystemExtensionRequest (let's say Endpoint and Network extensions), when the user allows only one (endpoint) extension, we receive request: didFinishWithResult callback for both manager delegates. This leads us to falsely believe that both our extensions are allowed.

We tried to prevent this by using propertiesRequestForExtension where our (network) delegate will ask for properties, check if the given extension is enabled and then finish if it's ok. If it's not enabled, however, we receive no second callback when the user allows the other extension.

We thought that we would need to submit another OSSystemExtensionRequest for the extension that wasn't allowed to receive a callback when it finally is. However, the second and all other consecutive requests immediately finish and we receive request: didFinishWithResult even when the user does not allow the second extension.

Example:

  1. Endpoint and Network managers submit OSSystemExtensionRequest
  2. User only allows Endpoint extension
  3. Endpoint manager checks the properties, finds out it's enabled and finishes
  4. Network manager checks the properties, finds out it's disabled
  5. Network manager sends another OSSystemExtensionRequest
  6. Network manager immediately receives request: didFinishWithResult
  7. Network manager checks the properties, finds out it's disabled
  8. ....

This loop ends when the user finally allows the network extension, when the manager finds out that it's enabled. Is there something we are missing? Shouldn't another OSSystemExtensionRequest finish with requestNeedsUserApproval? How should we go about this issue?

Many thanks, Denis

I’ve never actually dug into the mechanics of adding two sysexes to an app before, so I’m going to ignore that part for the moment. Rather, I have a simple question: Why are you using two sysexes rather than bundling both functions into one? Are there circumstances where the user might want to install your ES functionality but not your NE one? Or vice versa?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello, we implement the service oriented architecture, so we have these functionalities separated. We could also consider SOLID principles. As to your question, yes. We allow our customers to "pick" what they want, or rather, disable what they don't want as they might have something other installed in its place (e.g. some network proxy, monitor). This way, if they do not need or want to have one extension or the other, they can opt out of it.

This issue does not occur on Monterey, Big Sur or Catalina. They do not broadcast these request completions to all managers, just call the respective ones that have been completed/finished.

This way … they can opt out of it.

Fair enough.

This issue does not occur on Monterey, Big Sur or Catalina.

That definitely sounds like a bug to me, and I encourage you to file it as such. Please post your bug number, just for the record.

Can you work around this by submitting your requests in sequence? That is, if you plan to submit two requests, submit one first, wait for it to be approved, and then submit the other. That’s kinda clunky but it should work.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
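
The sequential workaround suggested above, combined with the properties check described in the original question, as an added example that is not code from any participant in this thread. The class name `SequentialActivator` is hypothetical, the bundle identifiers are supplied by the caller, and the properties request requires macOS 12 or later.

```swift
import SystemExtensions

// Added example. Activates extensions one at a time and confirms each one is
// really enabled (via a properties request) before submitting the next.
// The caller must keep this object alive: request delegates are not retained.
@available(macOS 12.0, *)
final class SequentialActivator: NSObject, OSSystemExtensionRequestDelegate {
    private var pending: [String]                          // bundle identifiers, in order
    private var enabled: [String] = []
    private var activation: OSSystemExtensionRequest?      // the one outstanding activation
    private let completion: ([String], [String]) -> Void   // (enabled, notEnabled)

    init(identifiers: [String], completion: @escaping ([String], [String]) -> Void) {
        self.pending = identifiers
        self.completion = completion
    }

    func start() {
        guard let id = pending.first else { completion(enabled, []); return }
        let req = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: id, queue: .main)
        req.delegate = self
        activation = req
        OSSystemExtensionManager.shared.submitRequest(req)
    }

    func request(_ request: OSSystemExtensionRequest, actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction { .replace }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {}  // keep waiting for the user

    func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) {
        guard request === activation else { return }       // ignore callbacks for other requests
        // Do not treat completion as approval; ask the system for the real state.
        let props = OSSystemExtensionRequest.propertiesRequest(forExtensionWithIdentifier: request.identifier, queue: .main)
        props.delegate = self
        OSSystemExtensionManager.shared.submitRequest(props)
    }

    func request(_ request: OSSystemExtensionRequest, foundProperties properties: [OSSystemExtensionProperties]) {
        guard pending.first == request.identifier else { return }
        if properties.contains(where: { $0.isEnabled }) {
            enabled.append(pending.removeFirst())
            start()                                        // only now submit the next activation
        } else { completion(enabled, pending) }            // stop: never queue behind an unapproved one
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        completion(enabled, pending)                       // report what is confirmed, treat the rest as off
    }
}
```

Features that depend on an extension should be gated on the `enabled` list passed to the completion handler, not on having received `didFinishWithResult`.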

Sorry for the late response, I submitted the bug but forgot to reply here (number: FB11979161)

As for the workaround, doing this in sequence would be, as you say, clunky. We assume that most of the customers will allow both extensions at the same time, and if they opt out of one, they can turn it off in our settings later.

Thanks for the help :)

Hello,

Does anybody know if there is any news for this bug? Thank you!

Luca Severini

There's actually a more worrying issue around this as I'm managing to start my VPN system extension even if the user doesn't allow it.

Are you sure that the extension is not working for you? It is for me.

When only one App requests permission to install a System Extension, the user only has two choices in System Settings: ignore the request or allow it. This means that if the user ignores the request nothing will be installed.

However when there's more than one request to activate an extension at the same time there seem to be three options: ignore all requests, allow some, or allow all.

The problematic option, at least from what I'm seeing, is "allow some".

Leaving the toggle turned OFF and disallowing some extensions is what seems to not be really disallowing those extensions... I can still start them both with the App I'm working on, and with a third party app named Lulu that I used to test this further.

Is this expected?
