True, it probably crashed. But regarding to the log "BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked " - is it coming from the OS, or can happen because of my code?

OK, once I'll have the Crash Report I'll open a bug report and update. Thank you!

Thanks for the answer! But while this explain the issue, any idea why the same scenario works when it's done with an external browser? Https server, which opens my custom URL scheme, and everything works as expected.

"Do you mean loading the exact same HTTP content in Safari does open the custom URL scheme?" - Yes, that's what I meant. Thanks for the explanation!

Thanks for the reply! It's happening also on Big Sur. "Possibly the VPN transport is going down and it's not properly reconnected on the wake cycle" I think this is the case, the question is how to solve it? One option I thought of is to unset disconnectOnSleep: This way when the Mac will enter sleep, the OS won't kill (and won't restart) the VPN, and I'll do it manually. Then I'll start it only on awake, and not before that. Does it seem like a good approach? Any other solution to this problem? And lastly - should I open a bug for this behavior?

Bumping this old thread - I have the same scenario, I created a VPN + Certificate payload, installed it, and now I have a VPN conf which I can access to only from the containing app, but I need to access it from the system-extension. As I read above it's not possible, I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as a Data to the extension (using SecCertificateCopyData() and sendProviderMessage functions). The problem is that at the extension I need also the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ( "This coder only encodes objects that adopt NSSecureCoding"). Is there any way to pass SecKey to the Extension, or to access it directly from there?

Thanks for the answer Matt! I already have the key at the Containing app, I got it with SecIdentityCopyPrivateKey() (I have the SecIdentity so I can use this func). My question was about the 'next step' - I want to send this key to the System-Extension. I can I do it? (OR how can I get this key directly via the sys-ext, instead of getting it at the containing app and sending it, but I guess this is not possible because the app runs under user, and sys-ext runs by root).

Thanks again for the answer! One question though - "so you can use sendProviderMessage to communicate back and forth" - this is exactly what I want to do, but AFAIK, I can send only NSData via this function, and I have no idea how to convert SecKey to a Data object. Can you please advise on how to do it?

First - thank you for your time answering those questions! Regarding the SecKey - the key was stored at the Keychain via a profile created at Apple Configurator - I filled the VPN and the Certificate payloads, and installed the profile. I can get the SecKey at the containing app, but when trying to call SecKeyCopyExternalRepresentation, it returns nil. It's not tied to a smart card..Any idea why SecKeyCopyExternalRepresentation returns nil?

Edit: I'm talking about system-extension, distributed outside the App Sore, with a custom installer.

Edit: I'm using the same Developer ID certificate as my main app, but for the embedded app I'm not using any provisioning profile (I set it to 'None'), is it ok?

I just changed the bundle id of the helper app, to be the same as the containing app's bundle id + a postfix. So if the containing app bundle id is com.mycompany.myapp, the bundle id of the helper app would be com.mycompany.myapp.helper Is this is what you meant by superset? Anyway, after this change I still don't see any Login Item (not in Users & Groups, and not in Security and Privacy), but, the app is now active after a Mac restart, so it's already a big improvement.

Update: I just read that login items installed via Service Management framework won't appear at the system preferences, so no problem on this area.

Thanks eskimo! Two more questions: Should I submit a bug report? I guess I have nothing to do with "The process generates code, like with a JIT, and has problems with that.", but if it's the first reason - "Something invalidate a page of existing code" - is this 'something' can be my application? Or again, it's a case where I can't do anything like the first option?

Is your app or MDM config falling into a case where the Extension is being uninstalled somehow? This is basically what I asked - I know that the user didn't terminate/uninstall the extension (nor the app). What I want to check is if it was uninstalled (mistakenly) by the MDM, so this is why I'm wondering about those 2 lines: sysextd: received request to remove MDM payload with UUID **** sysextd: removed MDM payload with UUID **** Any clue on how to debug if it was uninstalled by the MDM?