why nesessionmanager can't load my extension under OS X

Nov 23 17:25:13 --- last message repeated 1 time ---
Nov 23 17:25:13 rMBP nesessionmanager[68673]: NESMVPNSession[Demo VPN:3232C53B-E6D8-4425-9B85-ADB15904CFBC]: Received a start command from app[70009]
Nov 23 17:25:13 rMBP nesessionmanager[68673]: NESMVPNSession[Demo VPN:3232C53B-E6D8-4425-9B85-ADB15904CFBC]: status changed to connecting
Nov 23 17:25:13 rMBP app[70009]: __58-[NEVPNConnection updateSessionInfoWithCompletionHandler:]_block_invoke: Failed to retrieve connectTime
Nov 23 17:25:13 rMBP app[70009]: ViewController.swift.reloadManagers()[54]:2
Nov 23 17:25:13 rMBP nesessionmanager[68673]: Failed to find the VPN app for plugin type com.yarshuremac.app
Nov 23 17:25:13 --- last message repeated 1 time ---
Nov 23 17:25:13 rMBP nesessionmanager[68673]: Failed to find the primary plugin (type = com.yarshuremac.app)
Nov 23 17:25:13 rMBP nesessionmanager[68673]: NESMVPNSession[Demo VPN:3232C53B-E6D8-4425-9B85-ADB15904CFBC]: status changed to disconnecting
Nov 23 17:25:13 rMBP nesessionmanager[68673]: NESMVPNSession[Demo VPN:3232C53B-E6D8-4425-9B85-ADB15904CFBC]: status changed to disconnected, last stop reason Plugin failed
Nov 23 17:25:13 rMBP nesessionmanager[68673]: Failed to find the primary plugin (type = com.yarshuremac.app)
Nov 23 17:25:13 rMBP app[70009]: __58-[NEVPNConnection updateSessionInfoWithCompletionHandler:]_block_invoke: Failed to retrieve connectTime
Nov 23 17:25:13 rMBP app[70009]: ViewController.swift.reloadManagers()[54]:1



I have check my.app PlugIns dir have PacketTunnel.appex, why nesessionmanager can't load it ?

Replies

The most common cause for problems like this is that you haven’t get your entitlements set correctly. I recommend you start by double checking your entitlements using the steps I outlined in Debugging Entitlement Issues.

IMPORTANT The requirement for special entitlements means that Network Extension framework providers are only supported within Mac App Store apps.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

1 Xcode build and run, console show this message , need hange Xcode/DerivedData directory setting?


Nov 25 09:20:18 yarshuredeMac-Pro appleeventsd[52]: <rdar://problem/11489077> A sandboxed application with pid 1193, "Surf" checked in with appleeventsd, but its code signature could not be read and validated by appleeventsd, and so it cannot receive AppleEvents targeted by name, bundle id, or signature. Install the application in /Applications/ or some other world readable location to resolve this issue. Error=ERROR: #100013  { "NSDescription"="SecCodeCopySigningInformation() returned 100013, -." }  (handleMessage()/appleEventsD.cp #2098) com.apple.root.default-qos


2 run app don't whith Xcode debuger,console message show INSTALLED extension ,but add vpn config fail, How to debug this?


Nov 25 09:22:17 yarshuredeMac-Pro ***[345]: LaunchServices: Could not store ***-identifiers file at /private/var/db/***/com.apple.lsdschemes.plist
Nov 25 09:22:17 yarshuredeMac-Pro pkd[393]: INSTALLED:com.yarshuremac.Surf.PacketTunnel com.yarshuremac.Surf.PacketTunnel(1.0) <__NSConcreteUUID 0x7fe2d1e49390> C09E340F-ADF3-4BF6-9B54-B76F62830B07 /Users/yarshure/Library/Developer/Xcode/DerivedData/Surf-fvtrwbgjkgwrwgcnitnxgkstgzim/Build/Products/Debug/Surf.app/Contents/PlugIns/PacketTunnel.appex


ov 25 09:22:17 yarshuredeMac-Pro taskgated-helper[1111]: validated embedded provisioning profile: file:///Users/yarshure/Library/Developer/Xcode/DerivedData/Surf-fvtrwbgjkgwrwgcnitnxgkstgzim/Build/Products/Debug/Surf.app/Contents/embedded.provisionprofile
Nov 25 09:22:17 yarshuredeMac-Pro taskgated-helper[1111]: Found 3 provisioning profiles
Nov 25 09:22:17 yarshuredeMac-Pro taskgated-helper[1111]: allowing entitlement(s) for pid=1205 due to provisioning profile




Nov 25 09:22:28 yarshuredeMac-Pro Surf[1205]: ViewController.swift.reg()[74]:2
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: Registered for dynamic store notifications on keys: (
     "State:/Users/ConsoleUser"
  )
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: Failed to load configuration with ID <__NSConcreteUUID 0x7fd159d06210> 52A0DD7B-71E8-45C7-9B38-B13DE6D7E758
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: Failed to create a session with type 1 and configuration ID <__NSConcreteUUID 0x7fd159d06210> 52A0DD7B-71E8-45C7-9B38-B13DE6D7E758
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: Failed to load configuration with ID <__NSConcreteUUID 0x7fd159d19570> 75FB9849-D4C8-4447-86AB-501BFD3249DE
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: Failed to create a session with type 1 and configuration ID <__NSConcreteUUID 0x7fd159d19570> 75FB9849-D4C8-4447-86AB-501BFD3249DE


Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: NESMVPNSession[Demo VPN:539C333D-CCF5-455A-9440-581C482B65E6]: Received a start command from Surf[1205]
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: NESMVPNSession[Demo VPN:539C333D-CCF5-455A-9440-581C482B65E6]: status changed to connecting
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: Failed to find the VPN app for plugin type com.yarshuremac.Surf
Nov 25 09:22:28 --- last message repeated 1 time ---
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: Failed to find the primary plugin (type = com.yarshuremac.Surf)
Nov 25 09:22:28 --- last message repeated 1 time ---
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: NESMVPNSession[Demo VPN:539C333D-CCF5-455A-9440-581C482B65E6]: status changed to disconnecting
Nov 25 09:22:28 yarshuredeMac-Pro Surf[1205]: ViewController.swift.reg()[87]:Got a nil response from the provider
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: NESMVPNSession[Demo VPN:539C333D-CCF5-455A-9440-581C482B65E6]: status changed to disconnected, last stop reason Plugin failed
Nov 25 09:22:28 yarshuredeMac-Pro Surf[1205]: __58-[NEVPNConnection updateSessionInfoWithCompletionHandler:]_block_invoke: Failed to retrieve connectTime
Nov 25 09:22:28 yarshuredeMac-Pro Surf[1205]: ViewController.swift.reg()[74]:1
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: Failed to find the VPN app for plugin type com.yarshuremac.Surf
Nov 25 09:22:28 yarshuredeMac-Pro nesessionmanager[1208]: Failed to find the primary plugin (type = com.yarshuremac.Surf)


3 trace nesessionmanager process, and found read config file fail,which process write this files?


access("/Library/Preferences/SystemConfiguration/VPN-com.yarshuremac.Surf.plist\0", 0x4, 0x561F) = -1 Err#2
access("/var/db/SystemConfiguration/VPN-com.yarshuremac.Surf.plist\0", 0x4, 0x561F) = -1 Err#2


4 found my app vpn config in /Library/Preferences/com.apple.networkextension.plist, System Preferences/network preference have my vpn config

I have request DTS , Follow-up: 632233650

meet same issue, how it solved at last ? many thanks!

I'm having a similar problem, but only with profiles created by Apple Configurator. I don't think its an entitlements issue because profiles created by my app work fine. Also my Configurator profile works fine on other Macs (all running Sierra 10.12.1).


default 14:03:08.473626 -0800 nesessionmanager NESMVPNSession[Configurator:AB1EFED1-930F-4756-9B06-67CE036022A3]: Received a start command from com.apple.preference.network.re[892]

default 14:03:08.474057 -0800 nesessionmanager NESMVPNSession[Configurator:AB1EFED1-930F-4756-9B06-67CE036022A3]: status changed to connecting

default 14:03:08.474506 -0800 nesessionmanager not switching as we're not in ~/Library/Keychains/: /Library/Keychains/System.keychain (0)

default 14:03:08.474576 -0800 nesessionmanager not switching as we're not in ~/Library/Keychains/: /Library/Keychains/System.keychain (0)

error 14:03:08.476766 -0800 nesessionmanager Failed to find the VPN app for plugin type com.example.AppBundleID

error 14:03:08.477555 -0800 nesessionmanager Failed to find the primary plugin (type = com.example.AppBundleID)

default 14:03:08.477902 -0800 nesessionmanager NESMVPNSession[Configurator:AB1EFED1-930F-4756-9B06-67CE036022A3]: status changed to disconnecting

default 14:03:08.479134 -0800 nesessionmanager NESMVPNSession[Configurator:AB1EFED1-930F-4756-9B06-67CE036022A3]: status changed to disconnected, last stop reason Plugin failed

It looks to me like the OS can't locate my extension in the app. In the past I've seen similar problems with PluginKit where I had to register the path to my extension, but I've tried that here and don't see PluginKit compaining about anything.

This used to work on this machine. Can't remember when I last tested this - I'm pretty sure it was since upgrading to Sierra.

Is there a way to inform nesessionmanager as to where to find my extension?

I’ve helped a bunch of developers with problems like this. One day I’ll get to write this up as a coherent whole but, until that happens, here’s a bunch of random suggestions.

Confirm the problem on a fresh computer. Network Extension depends on Foundation’s NSExtensions which depends on PlugInKit which depends on Launch Services. Launch Services can get confused, which undermines the whole process. That happens occasionally in the field but it’s much more common on development machines, where you’re building and rebuilding your app many times.

So, before heading down the debugging rabbit hole, you should test if this problem is showing up on just your machine. A good way to do that is to install the app on a fresh machine. I use a virtual machine (VM) for this. I take a snapshot just after setting up the VM and then I restore that snapshot and test.

Make sure your deployment targets are set consistently. It’s easy to set up your project such the

.appex
fails to inherit the deployment target from the project as a whole. You should check this by looking at the built binary, and specifically the
LSMinimumSystemVersion
property in the
Info.plist
of both the
.app
and nested
.appex
.

Check the entitlements. Again, do this in the built binary of both the

.app
and the
.appex
nested within that. For more info, see Debugging Entitlement Issues.

Check that the plug-in is known to PlugInKit. Run

pluginkit -m
to see that it’s included in the list. If not, run
pluginkit -a
to add it.

If you’re creating configurations programmatically, check that you’ve set

providerBundleIdentifier
correctly.

Likewise, if you’re installing configuration profiles, check that the

VPNSubType
property is set correctly.

If you’re working with per-app VPN via a configuration profile, be aware that this supports both app proxy and packet tunnel flavours. Make sure you set the

ProviderType
key in the right place. See this post for an import gotcha.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

There’s one more gotcha to odd to this list.

If you’re installing a configuration profile on macOS, you must set the

ProviderBundleIdentifier
property. It’s not optional on that platform.

Also, the documentation for this property is currently wrong (r. 30672175). It states that it should be at the top level of the

com.apple.vpn.managed
payload, that is, as a peer of
VPNType
,
VPNSubType
, and friends. This is not correct. In reality,
ProviderBundleIdentifier
should be inside the nested
VPN
dictionary, that is, as a peer of
RemoteAddress
.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I was helping another developer with this issue today and came across a few other tidbits.

Network Extension providers on the Mac must opt in to the App Sandbox (this is in contrast to iOS, where everything is sandboxed all the time). You should check that your app and provider have the

com.apple.security.app-sandbox
entitlement. Also, if your provider wants to access the network (which seems likely :-) it will also need the
com.apple.security.network.client
entitlement.

If you don’t have the App Sandbox entitlement, your provider will fail to register.

You can fix this problem using the App Sandbox slice of the Capabilities editor in Xcode.

If you’re having plug-in registration problems, you can investigate by looking at PlugInKit log messages:

  1. Run the Console utility.

  2. Enter “com.apple.PlugInKit” into the search field and hit return.

  3. Pull down the menu associated with the token and select Subsystem.

  4. Enable info and debug messages (Action > Include Info Messages, Action > Include Debug Messages).

  5. Repeat your

    pluginkit
    operation and marvel at all the information you see in Console.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"