I'm hitting a kernel-side rejection on IOServiceOpen from a host app against my DEXT's IOUserService, before any code in my DEXT's NewUserClient runs. DEXT activation and USB matching succeed; only the user-client connection fails. What works DEXT activates and shows as [activated enabled] in systemextensionsctl list. DEXT matches IOUSBHostInterface for the target device and Start() runs to completion. Inside Start(), CopyInterface() returns successfully and CopyPipe() for the expected endpoints all succeed. Host app receives the matching notification for the DEXT's IOUserService and calls IOServiceOpen(service, mach_task_self(), 0, &connect). What fails IOServiceOpen returns kIOReturnError (0xE00002BC). My DEXT's NewUserClient override is never reached — verified by the absence of any breadcrumb log and by stepping through under lldb (no entry on the DEXT side). This reproduces both with: The original com.apple.developer.driverkit.userclient-access entitlement listing the host bundle ID. The dev fallback com.apple.developer.driverkit.allow-any-userclient-access = true on host + DEXT. (Background: the App ID portal has the bundle-ID list for userclient-access stored as a single newline-joined string instead of separate array entries — see Support Thread 822652 — so I've been using allow-any-userclient-access = true for now. The IOServiceOpen failure persists either way.) Diagnostics I can't get I'd like to confirm the kernel-side rejection reason, but DEXT os_log output is suppressed in Console and: sudo log config --process <dext-pid> --mode "level:debug" log: Unable to set mode for pid <dext-pid> I've tried by PID and by subsystem; both refuse. SIP is in its default state. Any pointer to the correct invocation (or a Configuration Profile to enable DriverKit verbose logging) would unblock me. Environment macOS 26.3.1 (build 25D2128) Xcode 26.3 (build 17C529) Host app: AppKit, sandboxed, Mac App Store distribution DEXT: matches IOUSBHostInterface on idVendor: 0x1452 (DNP) and (pending capability approval) 0x1343 (Citizen) Entitlements on host: com.apple.developer.driverkit, com.apple.developer.driverkit.userclient-access (or allow-any-userclient-access = true for dev) Entitlements on DEXT: com.apple.developer.driverkit, com.apple.developer.driverkit.transport.usb, com.apple.developer.driverkit.allow-any-userclient-access for dev Questions Is IOServiceOpen → kIOReturnError before NewUserClient always an entitlement/sandbox check failure, or are there other kernel-side reasons (matching score, IOService class hierarchy mismatch) that produce the same generic code? What's the correct way to enable DEXT os_log capture so I can see the rejection reason? Is there a known interaction between a malformed userclient-access array on the App ID (Forums Thread 822652) and the kernel's user-client authorization path that would persist even after switching to allow-any-userclient-access = true? Sample profiles, codesign output, and the exact matching dictionary available on request. Thanks.