
Deploying MacOS App with Web Content Filter via MDM without requiring user authorising the Content Filter
We have a MacOS app that includes a system extension with a content filter using both socket and packet providers. Our normal method for deployment will be by an MDM solution, for which we have created a profile intended to pre-approve the system extension and content filter. This works correctly for the system extension but we are unable to get the content filter pre-approval to work. We have scoured this and other forums and docs but there is no clear reason why our web content filter profile doesn't work. Our payload for the web content filter looks like this:

    <dict>
        <key>FilterDataProviderBundleIdentifier</key>
        <string>com.example.ourapp.net</string>
        <key>FilterDataProviderDesignatedRequirement</key>
        <string>identifier "com.example.ourapp.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX</string>
        <key>FilterPacketProviderBundleIdentifier</key>
        <string>com.example.ourapp.net</string>
        <key>FilterPacketProviderDesignatedRequirement</key>
        <string>identifier "com.example.ourapp.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX</string>
        <key>FilterPackets</key>
        <true/>
        <key>FilterSockets</key>
        <true/>
        <key>FilterType</key>
        <string>Plugin</string>
        <key>FilterGrade</key>
        <string>firewall</string>
        <key>PayloadDescription</key>
        <string>Web Content Filter Payload</string>
        <key>PayloadDisplayName</key>
        <string>Web Content Filters</string>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadIdentifier</key>
        <string>com.apple.webcontent-filter.8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
        <key>PayloadType</key>
        <string>com.apple.webcontent-filter</string>
        <key>PayloadUUID</key>
        <string>8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PluginBundleID</key>
        <string>com.example.ourapp</string>
        <key>UserDefinedName</key>
        <string>Example OurApp</string>
    </dict>
For the Filter[Data|Packet]ProviderBundleIdentifier and Filter[Data|Packet]ProviderDesignatedRequirement fields, the values are derived from running codesign -dr - <path to system extension bundle>. For the PluginBundleID the value is the identifier of the enclosing app. This requirement is mentioned in this post - https://developer.apple.com/forums/thread/667016. The rest of the fields are derived from the various examples online. Beyond this, I can't see any reason this should not work. There are reports from some users saying they have got their profiles to work but can't confirm that. Is there something wrong in the payload above? Are we missing some fields? Are there any specific requirements for some of these fields I have missed? I can't find detailed documentation for this payload for content filters. We're testing mainly on Catalina; is pre-approval of content filter actually working for Catalina? Big Sur? Any pointers would be appreciated. Thanks.
Replies: 5, Boosts: 0, Views: 2.3k, Activity: May ’21
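A pre-deployment lint for the payload in the post above, as an added example that is not part of the original thread or of Apple's tooling: it rebuilds the post's com.apple.webcontent-filter payload as a dict (Team ID kept as the post's TEAMIDXXXX placeholder) and checks the cross-field consistency that is easy to get wrong: each enabled provider has its bundle identifier and designated requirement, the requirement names that identifier, PluginBundleID is the enclosing app (assumed here to be the prefix of the extension's bundle id) and the subject.OU clause carries a real Team ID rather than the placeholder.

```python
import re

# Designated requirement template from the post; only the bundle id and Team ID vary.
REQ = ('identifier "{bid}" and anchor apple generic and '
       'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
       'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
       'certificate leaf[subject.OU] = {team}')
TEAM_RE = re.compile(r'leaf\[subject\.OU\] = "?([A-Z0-9]{10})"?')  # Team IDs are 10 alphanumerics
PLACEHOLDER_TEAM = "TEAMIDXXXX"  # the post's redacted value; a real profile carries the real Team ID


def build_payload(team_id=PLACEHOLDER_TEAM):
    """Constructed sample: the post's com.apple.webcontent-filter payload as a dict."""
    ext, app = "com.example.ourapp.net", "com.example.ourapp"  # extension id and enclosing app id
    req = REQ.format(bid=ext, team=team_id)  # what `codesign -d -r -` printed for the extension
    return {
        "PayloadType": "com.apple.webcontent-filter", "FilterType": "Plugin",
        "FilterGrade": "firewall", "FilterSockets": True, "FilterPackets": True,
        "FilterDataProviderBundleIdentifier": ext, "FilterDataProviderDesignatedRequirement": req,
        "FilterPacketProviderBundleIdentifier": ext, "FilterPacketProviderDesignatedRequirement": req,
        "PluginBundleID": app,
    }


def lint_filter_payload(p):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if p.get("PayloadType") != "com.apple.webcontent-filter":
        findings.append("PayloadType must be com.apple.webcontent-filter")
    if p.get("FilterType") != "Plugin":
        findings.append("FilterType must be Plugin for a system-extension content filter")
    app = p.get("PluginBundleID", "")
    for kind, flag in (("Data", "FilterSockets"), ("Packet", "FilterPackets")):
        if not p.get(flag):
            continue  # this provider is not enabled, nothing to check
        bid = p.get(f"Filter{kind}ProviderBundleIdentifier", "")
        req = p.get(f"Filter{kind}ProviderDesignatedRequirement", "")
        if not bid or not req:
            findings.append(f"{flag} is true but the Filter{kind}Provider* keys are missing")
            continue
        if f'identifier "{bid}"' not in req:
            findings.append(f"Filter{kind}ProviderDesignatedRequirement does not name {bid}")
        if not app or not bid.startswith(app + "."):
            # Assumption: the extension's bundle id is prefixed by the enclosing app's id
            findings.append(f"PluginBundleID {app!r} is not the app enclosing {bid}")
        team = TEAM_RE.search(req)
        if team is None or team.group(1) == PLACEHOLDER_TEAM:
            findings.append(f"Filter{kind}ProviderDesignatedRequirement has no real Team ID in subject.OU")
    return findings
```

Run the lint over the PayloadContent entry of the real .mobileconfig (plistlib.load gives the same dict shape) before pushing it through the MDM; a non-empty list is a reason not to ship.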
How to detect invalid flow in FilterDataProvider?
We have a Content Filter implementation that caches NEFilterSocketFlow instances seen from handleNewFlow(); we do this so that we can update the flow verdict at a later time. For example, we allow it to start with but later decide to block it. However, when we do this we often see errors reported in Console like this when we call the update() function: "Failed to find flow 7ABC4FC7-7031-4C5B-BA4B-F198B4DE344D to update its verdict". But the update() method does not return anything, so we can't know that the flow is no longer valid. Is there any way to verify a flow is still valid before trying to update the verdict?
Replies: 5, Boosts: 0, Views: 1.3k, Activity: Jan ’22
Launching Network System Extension from LaunchAgent
In another question on this forum (https://developer.apple.com/forums/thread/124775) eskimo stated that launching a system extension from a daemon is not the right approach and that the OSSystemExtensionRequest.activationRequest API should be called from an App. My question is, does this same restriction apply to a LaunchAgent-started App? If so, to ensure activation as soon as possible, is the only option to use an SMLoginItemSetEnabled helper to start the App on login?
Replies: 5, Boosts: 0, Views: 1.7k, Activity: Mar ’22
Installing and Uninstalling a content filter without user login.
We have a macOS app that contains a system extension content filter as part of the app bundle. The main container app is a relatively simple process to perform activation and deactivation of the content filter. From guidance given on this forum, our container app has a GUI component (AppDelegate) which on launch activates the content filter if needed, e.g. on initial install or update. This works as intended, provided the user is logged in. However, we would normally expect the install/update/removal to be performed by remote management, e.g. pushed by JAMF, which often happens when no user is logged in on the device. Note, we have an MDM profile which provides pre-authorization of the system extension and content filter to negate the requirement for the user to respond to prompts during install. Trying to perform a remote install or removal requires calling the main container app to run without a logged-in user, which fails because the app terminates as there is no GUI context to run in. Trying a container app without a GUI component appears to be unreliable and often hangs during content filter activation. What is the correct way to perform installation or removal, without a user login, via remote management?
Replies: 3, Boosts: 0, Views: 851, Activity: Apr ’22
Parsable Apple security updates release notes?
Is there an "app-friendly" version of the security update notes available? For example, https://support.apple.com/en-gb/HT213256 for macOS 11.6.6 lists the CVE IDs for issues addressed but not in a format that would be easy to parse. We'd like to be able to identify which CVEs a system has already had addressed, by comparing the running OS version against the list published by Apple. Scraping a web page is not wholly reliable, but I assume Apple have this data in a more digestible format. Is this or could this be made available? Thanks, Dave
Replies: 2, Boosts: 0, Views: 1k, Activity: Jun ’22
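The version-against-release-notes comparison the post asks for, as an added example that is not part of the original thread and not an Apple-provided format: it pulls CVE IDs out of the HTML of "security content" pages with a regex, deduplicates IDs that appear under several components, and splits them into those addressed at or below the running version and those only fixed in newer releases. The page bodies and CVE IDs are constructed placeholders, not values from Apple's notes; real pages are fetched by the caller, and a CVE fixed only in another OS line is not accounted for.

```python
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed stand-in for three "About the security content of macOS ..." pages, keyed by the
# macOS version they ship with. CVE-0000-* are placeholders, not real identifiers.
RELEASE_NOTES = {
    "11.6.5": "<h2>Kernel</h2><p>CVE-0000-1001: placeholder</p><p>CVE-0000-1002: placeholder</p>"
              "<h2>WebKit</h2><p>CVE-0000-1001: same ID listed under a second component</p>",
    "11.6.6": "<h2>WebKit</h2><p>CVE-0000-1003</p><h2>AppleScript</h2><p>CVE-0000-1004</p>",
    "11.7": "<h2>Kernel</h2><p>CVE-0000-1005</p>",
}


def extract_cves(html):
    """Unique CVE IDs in page order; the same ID may be listed under several components."""
    return list(dict.fromkeys(CVE_RE.findall(html)))


def parse_version(s):
    """'11.6.6' -> (11, 6, 6). Tuple ordering makes 11.7 newer than 11.6.6 and 11.6 older."""
    return tuple(int(part) for part in s.split("."))


def cve_status(running, notes=RELEASE_NOTES):
    """Return (addressed, outstanding): CVEs fixed at or below `running`, and those fixed
    only in newer releases, keyed by the release version that fixes them."""
    current = parse_version(running)
    addressed, outstanding = set(), {}
    for version, html in sorted(notes.items(), key=lambda kv: parse_version(kv[0])):
        ids = extract_cves(html)
        if parse_version(version) <= current:
            addressed.update(ids)
        else:
            outstanding[version] = ids
    return addressed, outstanding
```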
MDM Authorization of Privileged Helper
Based on the example EvenBetterAuthorizationSample, we are blessing a helper to enable our Sandboxed container app to communicate with another process via XPC. When the helper is installed, it requires the user to authorize the helper by providing admin credentials via a popup. This makes distribution difficult where customers want to push our app to their staff devices but the staff members do not have admin access. Our product also uses a content filter, for which our customers can push an MDM profile to allow the system extension and content filter to be activated without needing user interaction. Is there an equivalent profile that can be provided via MDM to allow the privileged helper install without needing the user to provide credentials?
Replies: 0, Boosts: 0, Views: 545, Activity: Aug ’22