I'm trying to build a network extension distributed outside the app store, so I'm creating a system extension. The parent app is written in C# and the mono runtime and requires com.apple.security.cs.allow-jit to get past the hardened runtime requirements. The system extension itself is objective-c. When I sign and notarize with hardened runtime with the com.apple.security.cs.allow-jit I get the error: Hardened Runtime relaxation entitlements disallowed on System Extensions This is true even if the com.apple.security.cs.allow-jit is only on the parent app, not the extension itself. If I don't use the exemption on the parent app my app fails with: curprot cannot be write+execute I take this to mean that the mono runtime can't do whatever JIT magic it needs. How do I combine system extensions with curprot cannot be write+execute on the parent app?