Reply to DNS Proxy network extension doesn't start even after saving preferences successfully
> Also, this is on the Mac, right?

Yes, forgot to mention, macOS Sonoma 14.7.

> TN3134 makes it clear that DNS proxies must be packaged as a system extension on the Mac. However, you don’t mention activating your sysex. Are you doing that?

I followed the instructions here to set "Allow user management of kernel extensions from identified developers" on my Mac, also disabled SIP just in case, and successfully ran sudo systemextensionsctl developer on, without luck. I never saw the alert for allowing the system extension in the Security section of Privacy & Security.

> I have a post, Debugging a Network Extension Provider, that explains my general advice for this.

I followed the instructions here to set the "First Light" log, which I never see in the console log. I still see the log:

    Found 0 registrations for com.myteam.dns-proxy-tests.ne (com.apple.networkextension.dns-proxy)

I also made sure to follow the instructions for Xcode to copy and run the application package from the Applications directory.
Mar ’25
Reply to DNS Proxy network extension doesn't start even after saving preferences successfully
> After you activate your sysex by passing an activation request to the submitRequest(_:) method, do you see the request(_:didFinishWithResult:) delegate get called? If so, what was the result?

I have:

    func activate() {
        let request = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: "com.bowtie.dns-proxy-tests.ne", queue: DispatchQueue.main)
        request.delegate = self
        let extensionManager = OSSystemExtensionManager.shared
        print("Submitting request to activate system extension...")
        extensionManager.submitRequest(request)
    }

I do see "Submitting request to activate system extension..." but after that I don't see any of the delegates being called if I kill and start the application again. But if I run it again by "replacing" (in Xcode) the already running one, I see the error delegate being called:

    Request failed with error: The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 1.)

But that only happens when I run it again when it's already running; otherwise none of the delegates are called.
Mar ’25
Reply to DNS Proxy network extension doesn't start even after saving preferences successfully
> System Extensions framework is meant to be called from a GUI application. Is that the case here? I see a lot of folks try to use the framework from a command-line tool (or daemon or whatever) that’s pretending to be a GUI app, and that often ends badly.

I'm using a GUI container app. It's just the default App macOS template from Xcode with the init for the App class changed to start the system extension.

> Check that your container app has a reasonable structure and that the sysex is embedded within that:

Seems almost identical:

    tree Applications/dns-proxy-tests.app
    Applications/dns-proxy-tests.app
    └── Contents
        ├── Info.plist
        ├── Library
        │   └── SystemExtensions
        │       └── com.myteam.dns-proxy-tests.ne.systemextension
        │           └── Contents
        │               ├── Info.plist
        │               ├── MacOS
        │               │   └── com.myteam.dns-proxy-tests.ne
        │               ├── _CodeSignature
        │               │   └── CodeResources
        │               └── embedded.provisionprofile
        ├── MacOS
        │   ├── __preview.dylib
        │   ├── dns-proxy-tests
        │   └── dns-proxy-tests.debug.dylib
        ├── PkgInfo
        ├── Resources
        ├── _CodeSignature
        │   └── CodeResources
        └── embedded.provisionprofile

> Check that the app is signed with at least the following entitlements:

Seems to have them:

    Executable=/Applications/dns-proxy-tests.app/Contents/MacOS/dns-proxy-tests
    [Dict]
        [Key] com.apple.application-identifier
        [Value]
            [String] <...>.com.myteam.dns-proxy-tests
        [Key] com.apple.developer.networking.networkextension
        [Value]
            [Array]
                [String] dns-proxy
        [Key] com.apple.developer.system-extension.install
        [Value]
            [Bool] true
        [Key] com.apple.developer.team-identifier
        [Value]
            [String] <...>
        [Key] com.apple.security.app-sandbox
        [Value]
            [Bool] true
        [Key] com.apple.security.application-groups
        [Value]
            [Array]
                [String] group.com.myteam.dns-proxy-test
        [Key] com.apple.security.files.user-selected.read-only
        [Value]
            [Bool] true
        [Key] com.apple.security.get-task-allow
        [Value]
            [Bool] true

Same for sysex:

    codesign -d --ent - Applications/dns-proxy-tests.app/Contents/Library/SystemExtensions/com.myteam.dns-proxy-tests.ne.systemextension
    Executable=/Applications/dns-proxy-tests.app/Contents/Library/SystemExtensions/com.myteam.dns-proxy-tests.ne.systemextension/Contents/MacOS/com.myteam.dns-proxy-tests.ne
    [Dict]
        [Key] com.apple.application-identifier
        [Value]
            [String] <...>.com.myteam.dns-proxy-tests.ne
        [Key] com.apple.developer.networking.networkextension
        [Value]
            [Array]
                [String] dns-proxy
        [Key] com.apple.developer.team-identifier
        [Value]
            [String] <...>
        [Key] com.apple.security.app-sandbox
        [Value]
            [Bool] true
        [Key] com.apple.security.application-groups
        [Value]
            [Array]
                [String] group.com.myteam.dns-proxy-test
        [Key] com.apple.security.get-task-allow
        [Value]
            [Bool] true
Mar ’25
Reply to DNS Proxy network extension doesn't start even after saving preferences successfully
> OK. So in a SwiftUI app the type that conforms to App isn’t a class, it’s a struct. But the OSSystemExtensionRequest delegate must be an object. That suggests you’ve created some sort of manager object for this process. I’ve seen problems like this where the app wasn’t doing anything to hold the delegate in memory, and thus it got released while the request was still in flight (OSSystemExtensionRequest itself only maintains a weak reference). Are you sure that’s not happening here?

I'm using a static variable in the App class trying to prevent that from happening:

    import SwiftUI

    @main
    struct dns_proxy_testsApp: App {
        // Static, so the delegate object lives for the lifetime of the process.
        static let systemExtensionManager = SystemExtensionManager()

        var body: some Scene {
            WindowGroup {
                ContentView()
            }
        }

        init() {
            Self.systemExtensionManager.activate()
            configureDNSProxy()
        }
    }

I also added the deinit to investigate, and it's never called. This is the full class implementation of the delegate:

    import Foundation
    import SystemExtensions

    class SystemExtensionManager: NSObject, OSSystemExtensionRequestDelegate {
        func activate() {
            let request = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: "com.myteam.dns-proxy-tests.ne", queue: DispatchQueue.main)
            request.delegate = self
            let extensionManager = OSSystemExtensionManager.shared
            print("Submitting request to activate system extension...")
            extensionManager.submitRequest(request)
        }

        func request(_ request: OSSystemExtensionRequest, actionForReplacingExtension existing: OSSystemExtensionProperties, withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
            print("Replacing extension: \(existing.bundleIdentifier) with \(ext.bundleIdentifier)")
            return .replace
        }

        func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
            print("Request \(request) needs user approval.")
        }

        func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) {
            print("Request finished with result: \(result)")
        }

        func request(_ request: OSSystemExtensionRequest, didFailWithError error: any Error) {
            print("Request failed with error: \(error.localizedDescription)")
        }

        deinit {
            print("Deinitializing SystemExtensionManager")
        }
    }

I also tried defining it as a global variable instead of static but I don't see any change.
Mar ’25
Reply to DNS Proxy network extension doesn't start even after saving preferences successfully
> As to what that is, it’s hard to say. If you monitor the logging done by sysextd when you try to activate your sysex, what do you see? Specifically, look for log entries with a subsystem of com.apple.sx.

Regardless of whether I'm trying to install my system extension, I see periodically, every ~30s/1min:

    default 18:05:02.264132-0300 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted
    default 18:05:02.264318-0300 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted
    default 18:05:02.309334-0300 sysextd dispatchRequest(cmd: list)

But this is a full log capture when trying to install the system extension:

    default 18:05:02.015902-0300 sysextd dispatchRequest(cmd: nsxpc)
    default 18:05:02.194894-0300 sysextd client activation request for com.myteam.dns-proxy-tests.ne
    default 18:05:02.215024-0300 sysextd extension <...> com.myteam.dns-proxy-tests.ne (1.0/1) advancing state from realizing to staging
    default 18:05:02.216109-0300 sysextd Importing content from application to staging area originPath: /Applications/dns-proxy-tests.app/Contents/Library/SystemExtensions/com.myteam.dns-proxy-tests.ne.systemextension, uniqueIdentifier: 5A113AA1-2BD0-4275-8AFB-B0704280958F
    default 18:05:02.216144-0300 sysextd Container path: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F
    default 18:05:02.216240-0300 sysextd Bundle path: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension
    default 18:05:02.216445-0300 sysextd Making directory for container
    default 18:05:02.216717-0300 sysextd Importing bundle from origin into container
    default 18:05:02.217789-0300 sysextd Copied and processing: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/_CodeSignature/CodeResources
    default 18:05:02.217885-0300 sysextd Imported: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/_CodeSignature/CodeResources
    default 18:05:02.218183-0300 sysextd Copied and processing: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/_CodeSignature
    default 18:05:02.218267-0300 sysextd Imported: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/_CodeSignature
    default 18:05:02.218858-0300 sysextd Copied and processing: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/MacOS/com.myteam.dns-proxy-tests.ne
    default 18:05:02.218890-0300 sysextd Changing permissions to: 0o100644
    default 18:05:02.218982-0300 sysextd Imported: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/MacOS/com.myteam.dns-proxy-tests.ne
    default 18:05:02.219276-0300 sysextd Copied and processing: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/MacOS
    default 18:05:02.219353-0300 sysextd Imported: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/MacOS
    default 18:05:02.219665-0300 sysextd Copied and processing: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/embedded.provisionprofile
    default 18:05:02.219708-0300 sysextd Imported: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/embedded.provisionprofile
    default 18:05:02.219887-0300 sysextd Copied and processing: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/Info.plist
    default 18:05:02.219927-0300 sysextd Imported: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents/Info.plist
    default 18:05:02.220057-0300 sysextd Copied and processing: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents
    default 18:05:02.220091-0300 sysextd Imported: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension/Contents
    default 18:05:02.220201-0300 sysextd Copied and processing: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension
    default 18:05:02.220237-0300 sysextd Imported: /Library/SystemExtensions/.staging/5A113AA1-2BD0-4275-8AFB-B0704280958F/com.myteam.dns-proxy-tests.ne.systemextension
    default 18:05:02.220264-0300 sysextd extension <...> com.myteam.dns-proxy-tests.ne (1.0/1) advancing state from staging to validating
    default 18:05:02.225301-0300 sysextd validating <private>
    default 18:05:02.248883-0300 sysextd extension <...> com.myteam.dns-proxy-tests.ne (1.0/1) advancing state from validating to validating_by_category
    default 18:05:02.250022-0300 sysextd validate: category: com.apple.system_extension.network_extension, extension: com.myteam.dns-proxy-tests.ne
    default 18:05:02.264132-0300 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted
    default 18:05:02.264318-0300 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted
    default 18:05:02.309334-0300 sysextd dispatchRequest(cmd: list)
    default 18:05:02.329559-0300 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted
    default 18:05:02.329750-0300 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted
    default 18:05:09.074187-0300 sysextd dispatchRequest(cmd: list)
    default 18:05:12.396544-0300 sysextd dispatchRequest(cmd: list)
    default 18:05:12.421911-0300 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted
    default 18:05:12.422239-0300 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted
    default 18:06:12.966849-0300 sysextd dispatchRequest(cmd: list)
    default 18:06:13.001513-0300 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted
    default 18:06:13.001811-0300 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted
    default 18:06:13.437459-0300 sysextd client connection (pid 68309) invalidated

The only thing that stands out for me is:

    default 18:05:02.248883-0300 sysextd extension <...> com.myteam.dns-proxy-tests.ne (1.0/1) advancing state from validating to validating_by_category
    default 18:05:02.250022-0300 sysextd validate: category: com.apple.system_extension.network_extension, extension: com.myteam.dns-proxy-tests.ne

But IDK if that has any more info than the validating by category that we already saw.
Mar ’25
Reply to DNS Proxy network extension doesn't start even after saving preferences successfully
Interestingly, when I get the error delegate:

    Submitting request to activate system extension...
    Request failed with error: The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 1.)

I do see a correlated crash from sysextd:

    Process: sysextd [88810]
    Path: /System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd
    Identifier: sysextd
    Version: ???
    Code Type: ARM-64 (Native)
    Parent Process: launchd [1]
    User ID: 0

    Date/Time: 2025-03-25 20:41:37.0472 -0300
    OS Version: macOS 14.7 (23H124)
    Report Version: 12
    Anonymous UUID: 603FADAE-E494-E147-DCDB-B19084A67DC1

    Sleep/Wake UUID: E39090CA-174C-4227-8E0F-10F5584128BB

    Time Awake Since Boot: 80000 seconds
    Time Since Wake: 284 seconds

    System Integrity Protection: enabled

    Crashed Thread: 2 Dispatch queue: sysextd.extension_manager

    Exception Type: EXC_BREAKPOINT (SIGTRAP)
    Exception Codes: 0x0000000000000001, 0x0000000104c789e4

    Termination Reason: Namespace SIGNAL, Code 5 Trace/BPT trap: 5
    Terminating Process: exc handler [88810]

And while I can't trigger the crash, I see a bunch of nesessionmanager crashes from yesterday.

    -------------------------------------
    Translated Report (Full Report Below)
    -------------------------------------

    Process: nesessionmanager [76320]
    Path: /usr/libexec/nesessionmanager
    Identifier: nesessionmanager
    Version: ???
    Code Type: ARM-64 (Native)
    Parent Process: launchd [1]
    User ID: 0

    Date/Time: 2025-03-24 23:46:30.0376 -0300
    OS Version: macOS 14.7 (23H124)
    Report Version: 12
    Anonymous UUID: 603FADAE-E494-E147-DCDB-B19084A67DC1

    Sleep/Wake UUID: 9C34E4FD-CF1D-4E4F-93B8-4BEFC9D11D41

    Time Awake Since Boot: 56000 seconds
    Time Since Wake: 9789 seconds

    System Integrity Protection: enabled

    Crashed Thread: 1 Dispatch queue: NESMProviderManager queue

    Exception Type: EXC_BAD_ACCESS (SIGKILL)
    Exception Codes: UNKNOWN_0x105 at 0x00000000dac11a30
    Exception Codes: 0x0000000000000105, 0x00000000dac11a30

    Termination Reason: Namespace PAC_EXCEPTION, Code 261

Attached the full crashes in case it's useful:

    sysextd-2025-03-25-204137.txt
    nesessionmanager-2025-03-24-234630.txt
Mar ’25
Reply to DNS Proxy network extension doesn't start even after saving preferences successfully
I just left the app trying to enable the network extension running for a while and then I saw the nesessionmanager crash.

Some additional notes:

When the sysextd crashes happen there are some logs from the process; these 2 are warnings:

    error 22:02:22.479413-0300 sysextd cannot open file at line 49295 of [1b37c146ee]
    error 22:02:22.479437-0300 sysextd os_unix.c:49295: (2) open(/private/var/db/DetachedSignatures) - No such file or directory

Also, this is a log that I just coincidentally saw while browsing the logs from nesessionmanager:

    Bundle: <private>, key: SYSEXT_INVALID_MACH_SERVICE_NAME, value: SYSEXT_INVALID_MACH_SERVICE_NAME, table: Localizable, localizationNames: [en], result: System extension %@ has an invalid %@ key in its Info.plist: The value of the %@ key must be prefixed with one of the App Groups in the %@ entitlement.
Mar ’25
Reply to DNS Proxy network extension doesn't start even after saving preferences successfully
> However, frame 7 in the NE crash suggests that you have an app group mismatch. NE wants your Mach service name to be ‘inside’ an app group. For example, in my test project I have this:
>
> My app group, SKMME9E2Y8.com.example.apple-samplecode.QNE2DNSProxyMac, is a prefix of the Mach service name, SKMME9E2Y8.com.example.apple-samplecode.QNE2DNSProxyMac.service, and that’s what NE is checking for.

Ah! Very nice, that was it! :D I'll report this bug
Mar ’25
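
The prefix rule behind the SYSEXT_INVALID_MACH_SERVICE_NAME message above can be checked before activation. The following is an added example, not code from the thread or from Apple: it reads a system extension's Info.plist and its entitlements and reports whether the Mach service name is prefixed by one of the app groups. It assumes the name is stored under NetworkExtension > NEMachServiceName and that the entitlements are supplied as an XML plist; the sample plists are constructed.

```python
import plistlib

APP_GROUPS_KEY = "com.apple.security.application-groups"


def check_mach_service_name(info_plist: bytes, entitlements: bytes):
    """Return (ok, detail) for the app-group prefix rule applied to a sysex.

    info_plist:   bytes of the sysex's Contents/Info.plist
    entitlements: XML plist of the sysex's entitlements (assumed to come
                  from `codesign -d --entitlements - --xml <sysex>`)
    """
    info = plistlib.loads(info_plist)
    ents = plistlib.loads(entitlements)

    ne = info.get("NetworkExtension")
    name = ne.get("NEMachServiceName") if isinstance(ne, dict) else None
    groups = ents.get(APP_GROUPS_KEY) or []
    if isinstance(groups, str):  # tolerate a single string instead of an array
        groups = [groups]

    if not isinstance(name, str) or not name:
        return False, "Info.plist has no NetworkExtension > NEMachServiceName"
    if not groups:
        return False, f"no {APP_GROUPS_KEY} entitlement on the sysex"
    for group in groups:
        if name.startswith(group):
            return True, f"{name!r} is inside app group {group!r}"
    return False, f"{name!r} is not prefixed by any of {groups}"


def make_plist(obj) -> bytes:
    """Serialize a dict as an XML plist (used only to build the samples)."""
    return plistlib.dumps(obj)


# Constructed samples. GOOD uses the app group / service name pair quoted in
# the thread; BAD is a made-up mismatch (service name lacks the group prefix).
GOOD_INFO = make_plist({"NetworkExtension": {"NEMachServiceName":
    "SKMME9E2Y8.com.example.apple-samplecode.QNE2DNSProxyMac.service"}})
GOOD_ENTS = make_plist({APP_GROUPS_KEY:
    ["SKMME9E2Y8.com.example.apple-samplecode.QNE2DNSProxyMac"]})
BAD_INFO = make_plist({"NetworkExtension": {"NEMachServiceName":
    "com.example.dns-proxy.ne"}})
BAD_ENTS = make_plist({APP_GROUPS_KEY: ["group.com.example.dns-proxy"]})

if __name__ == "__main__":
    for label, info, ents in [("good", GOOD_INFO, GOOD_ENTS),
                              ("bad", BAD_INFO, BAD_ENTS),
                              ("no key", make_plist({}), GOOD_ENTS)]:
        print(label, check_mach_service_name(info, ents))
```

Running this against the built sysex in a CI step surfaces the mismatch as a readable failure rather than as a silent activation hang.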