Enabling content filter on macOS through MDM

Hi, I'm adding a Content Filtering (FilterDataProvider) on macOS to an existing app and using MDM to avoid user interaction. I start by pushing the following payloads to my machine:

com.apple.system-extension-policy
com.apple.webcontent-filter

And then installing notarized pkg containing my app and the NE.

Inspecting the system logs shows the following error:

neagent Failed to find a com.apple.networkextension.filter-data extension inside of app com.company_name.app_name.daemon

And calling submit(request: .activationRequest(forExtensionWithIdentifier: bundleId, queue: queue))

results in:

Missing entitlement com.apple.developer.system-extension.install

Installing from Xcode on a SIP disabled machine works fine and both NE and CF are working as expected.

I followed the steps mentioned here https://developer.apple.com/forums/thread/737894 however the embedded entitlements already contained -systemextension suffix so I'm not sure if re signing and the subsequent steps are needed.

I also double checked that com.apple.developer.system-extension.install is present, certificates are not expired and that get-task-allow is not present in the embedded profile.

Here is what my release entitlement file looks like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>content-filter-provider-systemextension</string>
	</array>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>com.company_name.app_name.network-extension.content-filter</string>
	</array>
</dict>
</plist>

and my release app entitlement:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.endpoint-security.client</key>
	<true/>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>content-filter-provider-systemextension</string>
	</array>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
</dict>
</plist>

@eskimo may I ask for your help here!
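Before reaching for MDM logs, it helps to verify mechanically that the built artifacts carry exactly what the two errors above complain about: the container app's signed entitlements must hold com.apple.developer.system-extension.install (otherwise the activation request is refused), both binaries must list content-filter-provider-systemextension, get-task-allow must be absent from a distributable build, and the sysex Info.plist must register a provider for the com.apple.networkextension.filter-data extension point that neagent reports it cannot find. The script below is an added example, not code from this thread or from Apple. It assumes the usual NetworkExtension Info.plist layout (a NetworkExtension dictionary with NEProviderClasses and NEMachServiceName) and that codesign supports the --xml flag (macOS 12 or later); the sample plists are constructed from the entitlements posted above.

```python
import plistlib
import subprocess
from pathlib import Path

NE_KEY = "com.apple.developer.networking.networkextension"
NE_CAP = "content-filter-provider-systemextension"
INSTALL_KEY = "com.apple.developer.system-extension.install"
TASK_ALLOW_KEY = "com.apple.security.get-task-allow"
FILTER_DATA_POINT = "com.apple.networkextension.filter-data"


def check_entitlements(plist_bytes: bytes, role: str) -> list[str]:
    """Return the problems found in a signed entitlements plist.

    role is "app" (the container app that submits the activation request)
    or "sysex" (the Network Extension system extension itself).
    """
    ent = plistlib.loads(plist_bytes)
    problems = []
    caps = ent.get(NE_KEY, [])
    if NE_CAP not in caps:
        problems.append(f"{NE_KEY} must list {NE_CAP} (found {caps!r})")
    # Only the app that calls OSSystemExtensionRequest needs the install entitlement.
    if role == "app" and ent.get(INSTALL_KEY) is not True:
        problems.append(f"{INSTALL_KEY} missing or not <true/>; activationRequest will be refused")
    if ent.get(TASK_ALLOW_KEY):
        problems.append(f"{TASK_ALLOW_KEY} is set: this is a debug build, not a distributable one")
    return problems


def check_sysex_info_plist(plist_bytes: bytes) -> list[str]:
    """Return the problems found in the sysex Info.plist (assumed NetworkExtension layout)."""
    info = plistlib.loads(plist_bytes)
    problems = []
    ne = info.get("NetworkExtension", {})
    if FILTER_DATA_POINT not in ne.get("NEProviderClasses", {}):
        problems.append(f"NetworkExtension/NEProviderClasses has no {FILTER_DATA_POINT} entry; "
                        "neagent cannot find a filter-data provider in the sysex")
    if not ne.get("NEMachServiceName"):
        problems.append("NetworkExtension/NEMachServiceName is missing")
    return problems


def embedded_entitlements(binary: Path) -> bytes:
    """Dump the signed entitlements of a built binary as XML (runs codesign, macOS only)."""
    return subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", str(binary)],
        check=True, capture_output=True).stdout


# Constructed samples, copied from the entitlements posted in the question.
APP_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.endpoint-security.client</key><true/>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>content-filter-provider-systemextension</string></array>
  <key>com.apple.developer.system-extension.install</key><true/>
</dict></plist>"""

SYSEX_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>content-filter-provider-systemextension</string></array>
  <key>com.apple.security.application-groups</key>
  <array><string>com.company_name.app_name.network-extension.content-filter</string></array>
</dict></plist>"""

# Constructed sysex Info.plist that registers a mach service but no filter-data provider.
SYSEX_INFO_MISSING_PROVIDER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NetworkExtension</key>
  <dict><key>NEMachServiceName</key><string>com.company_name.app_name.network-extension</string></dict>
</dict></plist>"""


if __name__ == "__main__":
    import sys
    # Usage: python check_ne.py /path/to/App.app /path/to/App.app/Contents/Library/SystemExtensions/X.systemextension
    app, sysex = Path(sys.argv[1]), Path(sys.argv[2])
    for label, findings in (
        ("app entitlements", check_entitlements(embedded_entitlements(app), "app")),
        ("sysex entitlements", check_entitlements(embedded_entitlements(sysex), "sysex")),
        ("sysex Info.plist", check_sysex_info_plist((sysex / "Contents" / "Info.plist").read_bytes())),
    ):
        print(label, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run it against the notarized pkg's installed payload, not against the Xcode build products: the entitlements that matter are the ones inside the signature of the bits MDM delivers, which is why the same app can work from Xcode on a SIP-disabled machine and still fail under MDM.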

You’re some distance away from anything that I have direct experience with. Lemme ask about this first:

and my release app entitlement … com.apple.developer.endpoint-security.client

So you’re trying to put an ES client and NE content filter in the same sysex? That should work, but it certainly complicates things.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

No, our main app is an ES sysex and we are trying to install a second sysex from within the same bundle containing the NE content filter if the customer has the feature needing the CF enabled.

We have a workaround in place where we install the NE on the pkg postinstall and only activate the CF if the customer config needs it; the drawback here is the added complexity and that the NE is installed for everyone.

Any recommendations?
