Network Extension Providers and the Mac App Store

I want to make sure I understand the implications of some of the answers in the Network Entitlement FAQ post -> https://forums.developer.apple.com/thread/67613


My current commercial enterprise-focused app uses the NKE APIs to protect the user from network threats. It is installed, updated and controlled by a management system built for the administration of the product. If we use the newly provided APIs from the Network Extensions, then it must be distributed by the Mac App Store? If we use these APIs we no longer control the installation/update of (at least) that portion of the product?


Is this correct?

Replies

"If we use the newly provided APIs from the Network Extensions, then it must be distributed by the Mac App Store?"

Until very recently this was not possible. This changed as of last month, assuming that:

  • You’re creating a NE system extension, not an app extension

  • You’re targeting 10.15 or later

See this thread, specifically my 14 Jan post.

And now I’m off to fix the Network Extension Framework Entitlements FAQ; thanks for the reminder!

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Not related to the original question, but can I ask what's the difference between system extension and app extension?

"Your NetworkExtension provider must be packaged as a system extension, not an app extension."

Note: System extensions are not supported on iOS, so all of the following applies to the Mac only.

A system extension runs system wide. An app extension, conceptually at least, runs on behalf of one user.

The logic behind this is very clear in other contexts. For example, it makes sense that an EndpointSecurity system extension run system wide and a share extension run on behalf of a specific user. This is less clear for NE providers. Some NE provider types are only supported as system extensions. In contrast, NE tunnel providers are supported as both app extensions and system extensions.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the quick answer!