Enabling content filter on macOS through MDM

App & System Services Networking
mmosbah OP
Created 21h
Replies 0
Boosts 2
Views 62
Participants 1

Hi, I'm adding a Content Filtering (FilterDataProvider) on macOS to an existing app and using MDM to avoid user interaction. I start by pushing the following payloads to my machine: com.apple.system-extension-policy com.apple.webcontent-filter

And then installing notarized pkg containing my app and the NE.

Inspecting the system logs shows the following error:

neagent Failed to find a com.apple.networkextension.filter-data extension inside of app com.company_name.app_name.daemon

And calling submit(request: .activationRequest(forExtensionWithIdentifier: bundleId, queue: queue))

results in:

Missing entitlement com.apple.developer.system-extension.install

Installing from Xcode on a SIP disabled machine works fine and both NE and CF are working as expected.

I followed the steps mentioned here https://developer.apple.com/forums/thread/737894 however the embedded entitlements already contained -systemextension suffix so I'm not sure if re signing and the subsequent steps are needed.

I also double checked that com.apple.developer.system-extension.install is present, certificates are not expired and that get-task-allow is not present in the embedded profile.

Here is what my release entitlement file looks like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>content-filter-provider-systemextension</string>
	</array>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>com.company_name.app_name.network-extension.content-filter</string>
	</array>
</dict>

and my release app entitlement:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.endpoint-security.client</key>
	<true/>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>content-filter-provider-systemextension</string>
	</array>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
</dict>
</plist>

redacted logs

@eskimo may I ask for your help here!

Replies  0
Boosts  2
Views  62
Participants  1
Enabling content filter on macOS through MDM
First post date Last post date
 
 
Q