What is the officially supported method to automatically start a NETransparentProxyProvider after user login?
We are developing a DLP agent that uses a NETransparentProxyProvider to perform traffic inspection and modification.

Our architecture currently includes:
- LaunchAgent, which monitors user session activity (login/logout, session activation)
- Container App, which:
  - installs and activates a System Extension
  - creates and saves the NETransparentProxyManager configuration
  - starts the transparent proxy via startVPNTunnel.

We would like to automate the startup of the Transparent Proxy for all users, including newly created users, in a way that is fully supported by macOS. We are looking for official guidance on the correct and supported mechanism for starting a user‑level Network Extension (specifically NETransparentProxyProvider) automatically at user login.

Questions:
1. What is the recommended and supported way to automatically start a NETransparentProxyProvider at user login?
2. Are there any constraints or best practices we should follow when designing an automatic startup flow for a Network Extension such as NETransparentProxyProvider?

We would appreciate official clarification on the supported deployment patterns for starting a user‑level Transparent Proxy Network Extension automatically in multi‑user enterprise environments.
Replies: 2, Boosts: 0, Views: 366, Activity: May ’26
Programmatically installing a Root CA with "Always Trust" via LaunchDaemon for DLP agent
Hello, I am working on a DLP (Data Leak Prevention) agent which must programmatically install our custom Root CA certificate into the System Keychain with the "Always Trust" policy. This is required for our network inspection module. The installation process is currently handled by a LaunchDaemon. I am using the following command:

    security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain

The certificate is successfully added to the System Keychain, but the "Always Trust" policy is completely ignored. The certificate remains untrusted until the user manually opens System Settings and explicitly changes the trust settings. Our DLP agent is specifically designed for environments where MDM is not present and we cannot rely on MDM to push profiles. Is it officially possible to set "Always Trust" for a certificate programmatically from a LaunchDaemon? Thank you in advance!
Replies: 6, Boosts: 0, Views: 492, Activity: May ’26
Best practices for blocking traffic: Transparent Proxy vs Content Filter, and Multiple Network Extensions
Hello, I am working on a DLP system for macOS. The application must analyze and potentially block network traffic. Currently, I am using NETransparentProxyProvider for traffic analysis and looking for the best solution to block network traffic. I believe the blocking can be implemented by capturing the flow and choosing not to proxy/forward it further (dropping it). However, I am unsure how the OS and other applications will react to this approach. As far as I know, macOS provides a dedicated NEFilterDataProvider (Content Filter) specifically designed for traffic filtering and blocking.

I have two questions regarding the architecture:
1. Is it safe to block flows directly using a Transparent Proxy? Will dropping/ignoring the flow without forwarding it cause any unexpected system behavior, socket hangups, or performance issues? Or is it highly recommended to strictly use a Content Filter (NEFilterDataProvider) for the blocking aspect?
2. Can a single container app install and manage more than one Network Extension in the system? For example, if the best practice dictates separating the logic, can my single DLP macOS application bundle and install both a Transparent Proxy (for analysis/routing) and a Content Filter (for blocking) simultaneously?

Thank you in advance!
Replies: 2, Boosts: 0, Views: 335, Activity: May ’26
Best practices for bypassing critical system daemons in NETransparentProxyProvider
Hello, I am working on a network security and DLP (Data Loss Prevention) solution. A core requirement of our architecture is the ability to modify network traffic payloads in-flight (e.g., stripping sensitive data or altering packets). So, the only way to implement this is via the NETransparentProxyProvider which allows us to handle, evaluate, and modify network flows (NEAppProxyFlow). However, because this is such a powerful mechanism, my primary goal is to ensure the absolute stability of the operating system. I want to minimize the risk of interfering with core Apple services. When evaluating a flow, I have access to NEFlowMetaData, specifically properties like sourceAppUniqueIdentifier and sourceAppAuditToken.

Could you please assist me with the following questions:
1. Is there a recommended list of Apple system Application IDs (Bundle IDs) or executable names that should be strictly bypassed (ignored) by the Network Extension to maintain system integrity?
2. Since system daemons can change between OS releases, are there any programmatic best practices or specific rules to dynamically identify core OS traffic that must not be intercepted?
3. Are there any specific network ports or protocols that Apple strongly recommends excluding from NENetworkRule matches at the proxy provider configuration level to ensure daemons like apsd or mDNSResponder function correctly?

Thank you in advance.
Replies: 2, Boosts: 0, Views: 333, Activity: May ’26
How to install and manage Network Extension in case of GUI-less application?
Hello, I am working on a DLP solution for macOS that relies on the Network Extension (NETransparentProxyProvider) for network traffic analysis. Could you please clarify: is it technically possible and officially supported to use a LaunchAgent as the container app to install and manage the Network Extension? If not, what is the recommended approach in the case of a GUI-less application? Thank you in advance.
Replies: 6, Boosts: 0, Views: 578, Activity: Apr ’26
How to debug a Launch Daemon that requires an App Group provisioning profile for XPC communication
Hello, I am developing a macOS Launch Daemon (packaged as a bundle) that acts as an XPC server. For debugging purposes, I am trying to run the daemon's executable directly from the terminal via sudo ./mydaemon.app/Contents/MacOS/myexecutable. Initially, I added the com.apple.security.application-groups entitlement to the daemon. However, when starting the process, it failed to create the XPC service with the following errors:

    Unsatisfied entitlements: com.apple.security.application-groups
    Soft-restriction provisioning profile validation failure: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=, unsatisfiedEntitlements=, NSLocalizedDescription=No matching profile found}
    listener failed to activate: xpc_error=[1: Operation not permitted]

To resolve the profile validation failure, I registered a new App Group in the Apple Developer Portal, generated a new provisioning profile for the daemon that includes this group, and embedded it into the bundle (Contents/embedded.provisionprofile). Now, the previous profile error is gone, but I am getting a new identity conflict error, and the XPC listener still fails:

    Two equal instances have unequal identities. <anon<myproc_name>(501) pid=2818 AUID=501> and <anon<myproc_name>(501)(262) pid=2818 AUID=262>
    listener failed to activate: xpc_error=[1: Operation not permitted]

My questions are:
1. What exactly causes the Two equal instances have unequal identities error? I noticed the Audit UID difference (AUID=501 vs AUID=262).
2. Why does NSXPCListener still fail with Operation not permitted?
3. What is the recommended workflow for debugging a Launch Daemon that requires an App Group provisioning profile for XPC communication?

Thank you in advance!
Replies: 2, Boosts: 0, Views: 494, Activity: Apr ’26
Interoperability and traffic flow when multiple Transparent Proxy providers coexist
Hello, How does macOS handle coexistence between multiple Transparent Proxy providers from different vendors if their network rules overlap and one provider modifies the traffic? Thank you in advance!
Replies: 4, Boosts: 0, Views: 265, Activity: Apr ’26
XPC communication between a sandboxed Network Extension and a privileged MachService
Hello, Is it possible for a Network Extension (running in its sandbox) to act as a client for an XPC service hosted by a Launch Daemon (e.g., to offload data processing)? Are there any specific sandbox restrictions or entitlement requirements for this type of XPC communication? Thank you in advance!
Replies: 6, Boosts: 0, Views: 610, Activity: Apr ’26
Unix Domain Socket path for IPC between LaunchDaemon and LaunchAgent
Hello, I am working on a cross-platform application where IPC between a LaunchDaemon and a LaunchAgent is implemented via Unix domain sockets. On macOS, the socket path length is restricted to 104 characters. What is the Apple-recommended directory for these sockets to ensure the path remains under the limit while allowing a non-sandboxed agent to communicate with a root daemon? Standard paths like $TMPDIR are often too long for this purpose. Thank you in advance!
Replies: 4, Boosts: 0, Views: 520, Activity: Mar ’26
Issue with XPC communication between Network Extension and host application
Hello, I need to develop a Network Extension (Transparent Proxy) that sends data to the host application for analysis.

- Network Extension - XPC client
- Host application - XPC service

I am trying to implement it with XPC. However, when attempting to connect, I see the following error in the system logs on the client side:

    [0x1015a2050] failed to do a bootstrap look-up: xpc_error=[3: No such process]

I assume the problem occurs because the Network Extension cannot find the registered XPC service. On the service side, I see the following message in the logs:

    2026-02-24 13:15:36.419345+0300 localhost fgstnehost[58884]: (libxpc.dylib) [com.apple.xpc:connection] [0x100bdee70] activating connection: mach=true listener=true peer=false name=TEAM_ID.group.app_id.netfilter.xpc

Entitlements Network Extension:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>app-proxy-provider-systemextension</string>
        </array>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>TEAM_ID.group.app_id.netfilter</string>
        </array>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.xpc.mach-lookup.global-name</key>
        <array>
            <string>TEAM_ID.group.app_id.netfilter.xpc</string>
        </array>
    </dict>
    </plist>

Entitlements host application:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>app-proxy-provider-systemextension</string>
        </array>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>TEAM_ID.group.app_id.netfilter</string>
        </array>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.xpc.mach-service.name</key>
        <array>
            <string>TEAM_ID.group.app_id.netfilter.xpc</string>
        </array>
    </dict>
    </plist>

Server.m

    @interface XPCServer ()
    @property (nonatomic, strong) NSXPCListener *listener;
    @end

    @implementation XPCServer

    - (instancetype) init
    {
        self = [super init];
        if (self != nil) {
            _listener = [[NSXPCListener alloc] initWithMachServiceName: XPC_SERVICE_ID];
            _listener.delegate = self;
        }
        return self;
    }

    - (void) start
    {
        [self.listener resume];
    }

    - (BOOL) listener:(NSXPCListener *) listener shouldAcceptNewConnection:(NSXPCConnection *) newConnection
    {
        return YES;
    }

    @end

Client.m

    @interface XPCClient ()
    @property (nonatomic, strong) NSXPCConnection *connection;
    @end

    @implementation XPCClient

    - (void) connect
    {
        self.connection = [[NSXPCConnection alloc] initWithMachServiceName: XPC_SERVICE_ID options: NSXPCConnectionPrivileged];
        self.connection.invalidationHandler = ^{
            [[OSLogger sharedInstance] error: "XPCClient: connection can not be formed or the connection has terminated and may not be re-established"];
        };
        self.connection.interruptionHandler = ^{
            [[OSLogger sharedInstance] error: "XPCClient: the remote process exits or crashes"];
        };
        [self.connection resume];
    }

    @end

What could be the root cause of this issue? Are there any recommendations for implementing IPC between a Network Extension and a Host Application? Thank you in advance.
Replies: 2, Boosts: 0, Views: 451, Activity: Feb ’26
issue with iconv() on macOS using "WCHAR_T//TRANSLIT"
Hello, I am working on a cross‑platform application that uses libiconv to convert strings to/from Unicode. I need to modify the existing code for compatibility with macOS. However, the call to iconv() fails with an unclear errno value (92) when using "WCHAR_T":

    std::wstring ConvertToWchar(const std::string& iconvCodeSet, const std::string_view str)
    {
        iconv_t conv = iconv_open("WCHAR_T//TRANSLIT", iconvCodeSet.c_str());
        if (conv == (iconv_t)-1) {
            std::cerr << "iconv_open() failed" << std::endl;
            return {};
        }

        std::wstring out(str.size(), L'\0');
        auto inPtr = (char*)str.data();
        size_t inSize = str.size();
        auto outPtr = (char*)out.data();
        size_t outSize = out.size() * sizeof(wchar_t);

        if (iconv(conv, &inPtr, &inSize, &outPtr, &outSize) == (size_t)-1) {
            std::cerr << "iconv() failed. errno = " << errno << std::endl;
            return {};
        }
        if (iconv(conv, nullptr, &inSize, &outPtr, &outSize) == (size_t)-1) {
            std::cerr << "iconv() failed. errno = " << errno << std::endl;
            return {};
        }

        iconv_close(conv);
        return out;
    }

    int main()
    {
        std::string str1((const char*)u8"ΟΔΥΣΣΕΥΣ");
        std::wstring str2 = ConvertToWchar("UTF-8", str1);
        if (str2.empty())
            return 1;
        std::cout << "converted" << std::endl;
        return 0;
    }

Using "UTF-32" works fine, but "WCHAR_T//TRANSLIT" fails. What is the recommended way to convert wchar_t strings using libiconv? Why does the conversion fail with "WCHAR_T//TRANSLIT"? Thank you in advance!
Replies: 2, Boosts: 0, Views: 352, Activity: Jan ’26
How to safely terminate hanging threads in launched agent context
Hello, In a launched agent, I need to call into a third‑party library that may occasionally hang. At present, these calls are made from a separate thread, but if the thread hangs it cannot be terminated (pthread_cancel/pthread_kill are ineffective). Would Apple recommend isolating this functionality in a separate process that can be force‑terminated if it becomes unresponsive, or is there a preferred approach for handling such cases in launched agents? Can I use the system call fork() in a launched agent? Thank you in advance!
Replies: 2, Boosts: 0, Views: 274, Activity: Oct ’25
transparent data encryption on external storage
Hello, The customer requires transparent data encryption within their DLP system. All data on external storage must be encrypted and decrypted transparently. How can the data stream (read/write) be controlled? Is there any recommended way? Thank you in advance!
Replies: 3, Boosts: 0, Views: 241, Activity: Sep ’25
block microphone and speakers due to security reason
Hello, As part of developing a DLP system, the microphone and speakers should be blocked. My solution involves muting devices by changing the property kAudioDevicePropertyMute. However, this solution allows the user to unmute the device, and the app must implement a property listener to mute the device again. The problem is that muting takes some time and the device is temporarily unmuted. Admittedly, it takes less than a second, but nevertheless, it appears insecure. Is there an Apple-recommended approach to implement such blocking more securely? Maybe some solution which is based on IOKit. Thank you in advance, Pavel
Replies: 2, Boosts: 0, Views: 695, Activity: Aug ’25
CoreGraphics reports two displays connections during system wakeup
Hello, The application I'm working on must report new hardware connections. To retrieve connected displays information and monitor new connections, I'm using the "Core Graphics" framework (see recommendation https://developer.apple.com/forums/thread/779945). The monitoring logic relies on a callback function which is invoked when the local display configuration changes (kCGDisplayAddFlag/kCGDisplayRemoveFlag).

    #import <Cocoa/Cocoa.h>

    static void displayChanged(CGDirectDisplayID displayID, CGDisplayChangeSummaryFlags flags, void *userInfo)
    {
        uint32_t vendor = CGDisplayVendorNumber(displayID);
        if (flags & kCGDisplayAddFlag) {
            if (vendor == kDisplayVendorIDUnknown) {
                NSLog(@"I/O Kit cannot identify the monitor. kDisplayVendorIDUnknown. displayId = %u", displayID);
                return;
            }
            NSLog(@"%u connected. vendor(%u)", displayID, vendor);
        }
        if (flags & kCGDisplayRemoveFlag) {
            NSLog(@"%u disconnected", displayID);
        }
    }

    int main(int argc, const char * argv[])
    {
        @autoreleasepool {
            CGDisplayRegisterReconfigurationCallback(displayChanged, NULL);
            NSApplicationLoad();
            CFRunLoopRun();
        }
        return 0;
    }

The test environment is a Mac mini with an external display connected via HDMI. Everything works correctly until the system enters sleep mode. Upon wakeup, the app reports two displays: the first with vendor ID kDisplayVendorIDUnknown and the second with the expected vendor ID. Why does Core Graphics report two connections during wakeup? Is there any way to avoid this? Thank you in advance.
Replies: 2, Boosts: 0, Views: 623, Activity: Jul ’25