We're looking at taking a Network Extension VPN implemented as an App Extension, and porting it to a System Extension. We still intend to distribute through the App Store as well, but have requests for out-of-store distribution.
I remember seeing a thread about this some time back, but I haven't been able to locate it. If someone has a link to that thread please point me that way :-)
We have some questions about bundle IDs, APIs, and entitlements, because we're looking to minimize customer disruption.
Can we just add the SystemExtension entitlement to the current App ID for the network extension, update the profile, and continue with the same ID, or will we need to define a new ID?
What will happen if someone installs the application from a package outside the App Store, and then goes to the App Store page for the application? Will the App Store recognize that the app is already installed? What about version differences?
It looks like our management app can still use sendProviderMessage to communicate with the extension, and that we don't need XPC unless we want to give other applications the ability to talk with the extension. Is this correct?
Can a System Extension use the NSWorkspace openURL API?
It looks like a System Extension doesn't have the option of writing to a file, because it's not running as a logged-in user and doesn't have access to a user's file systems. Is this correct?
For certificate-based authentication the SystemExtension needs to be able to access and use a client certificate. Is there a recommended way for the extension to access the client certificate, e.g., if the extension starts without the GUI because of an on-demand VPN configuration? In that case it doesn't seem like it would have keychain access.
We're seeing nesessionmanager problems caused by having a configuration present on the system which:
- Has includeAllNetworks set in the protocol
- Was previously connected & then disconnected
After VPN disconnection we sometimes see that DNS and other things are not working. The VPN extension is no longer running, so I'd expect that settings would have been cleaned up, but they aren't in some cases.
The system won't recover on its own, and when we delete the VPN configuration we see a set of messages from VPN session manager. There are two I've seen, on different systems. One shows the utun interface being cleaned up, and various network settings being removed.
The other refers to deregistering an Enterprise VPN Session, [NESMVPNSession unsetDefaultDropAll], and IP Drop-All disabled.
In both of these cases the cleanup is being done hours after the session was disconnected and the extension unloaded from memory.
Does anyone know what exactly is happening there, and why the OS isn't cleaning up on disconnect?