@Matt, thanks for the reply. I saw that thread and my initial query has been solved. However, can you help with some additional questions?
As per my understanding, when you deploy a network extension via a container app, you get two prompts of notification.
One is to "Install" the system extensions and the second is to allow the user to run the "Network Capability" contained in the extension.
This is by design to let the user know that some system extension has been installed. I read somewhere that during an install by MDM, you can bypass the second segment I mentioned above. Correct me if I'm wrong, but the first part (i.e. the install) cannot be bypassed by any means. A user has to select allow as a prompt.
My second question is, is it possible to deploy a system extension contained in a .pkg file, instead of an .app? Let's say I have a system extension and a command line tool app enclosed in a .pkg file. Is it possible to totally forgo the requirement of an .app to deploy this?
Thirdly, can the Network Extensions API collect bytes sent/bytes received per process? My understanding of this API is rusty at best atm, but if I was to try, I would imagine an application layer proxy could capture this information and instead of blocking/allowing, like in the SimpleFirewall example, we would simply allow but keep track of all the bytes sent/received. My end goal is something similar to the Network tab in Activity Monitor.