@meaton Thanks for the reply! I tried what you said, but I'm still getting the 'Library not loaded: @loader_path/3rdParty.dylib' error. What I've tried so far: Drag the dylib files into the sysExt target (so they will be included at the 'Link Binary With Libraries' Add the dylib files into the 'Embed Frameworks' (build Settings) Then I tried to add the dylib files both to 'Link Binary With Libraries' and to 'Embed Frameworks' As I wrote before, I also set 'Dynamic Library Install Name', 'Dynamic Library Install Name Base', and 'Library Search Path' to the relevant lib folder. $(PROJECT_DIR)/libs But the extension still fails to find the dylib More details: I didn't create those dylibs, they are from a 3rd party I have also the headers, and I'm calling some of 'their' functions ('I'm using the API') - is it even possible to embed the dylib in such case? In case it relevant - I'm running the my app from Xcode, not from the Application folder (for development purpose) What else can I try here? Is there any way to 'debug' this / get more useful information?

4 years later.. disconnectOnSleep is set: disconnectOnSleep = true And I have the following on-demand rule (to always connect when there's traffic): tunnelProviderManager.isOnDemandEnabled = true let onDemandRuleConnect = NEOnDemandRuleConnect() tunnelProviderManager.onDemandRules = [onDemandRuleConnect] This causes a problem on sleep - When the Mac is about to enter sleep stopTunnelWithReason is called (by OS) and VPN stops some other app has outgoing traffic the on-demand rule is matched, and the OS calls to startTunnel() //BUG here Mac enter sleeps, but the VPN is still 'enabled' There's no reason for the OS to restart the VPN if it's going to enter sleep mode. It should ignore on-demand rules in such cases. Any way to workaround this problem (and keep the 'disconnectOnSleep = true')?

@dispatchMain - This behavior is documented: If the local system has System Extension developer mode enabled, the manager always calls this method when it finds an existing installation, even if the version identifiers match.

Thanks @meaton! Regarding so if your provider has not crashed or a new instance has not been created the previous state should be help in memory too If the user presses the 'connect' button, startTunnelWithOptions is called, then user disconnects, completion handler is called from the provider, and after a few minutes, the user reconnects again. I saw that it's still using the same provider, and not creating a new instance. Is this expected? Will it behave differently if the new connection will be started via on-demand rules (and not manually by the user)?

Does this traffic also match the proxy rules? Yes, the proxy should handle all traffic. However, it seems like an inconsistent behavior - on a full tunnel, traffic won't reach the proxy (and the traffic matches the proxy rules), and on split-tunnel, all traffic will reach the proxy, even the "claimed" traffic. Isn't it a bug? Anyway to bypass this without changing the proxy settings?

The proxy is set at the system level via System Preferences. Why does traffic that claimed by the tunnel is getting sent to this proxy? (On a 'full tunnel', the traffic won't reach this proxy)

Thanks for the advice :) I did try to check the behavior, and when the user upgraded the app, he needed to allow system extensions again. This was unexpected (for me) so this is the reason I asked this. However, the user got the first version of the app via an MDM service, and then (few days later), the app inform the user that a new version is available, and the user chose to install it. Here the installation wasn't don't via MDM. So to summarize, I'm not sure if the 'please allow system extension' popup at the second time is expected/ a bug / or if it's related to who/what installed the new version.

No, this is the only difference. If I'm setting newSettings.ipv4Settings?.includedRoutes =  [NEIPv4Route.default()] The traffic won't reach to the Ethernet proxies. Setting includedRoutes to some specific routes will behave differently - all routes (+ the routes included at the tunnel) will be sent to Ethernet proxies.

Is your app or MDM config falling into a case where the Extension is being uninstalled somehow? This is basically what I asked - I know that the user didn't terminate/uninstall the extension (nor the app). What I want to check is if it was uninstalled (mistakenly) by the MDM, so this is why I'm wondering about those 2 lines: sysextd: received request to remove MDM payload with UUID **** sysextd: removed MDM payload with UUID **** Any clue on how to debug if it was uninstalled by the MDM?

Thanks eskimo! Two more questions: Should I submit a bug report? I guess I have nothing to do with "The process generates code, like with a JIT, and has problems with that.", but if it's the first reason - "Something invalidate a page of existing code" - is this 'something' can be my application? Or again, it's a case where I can't do anything like the first option?

Update: I just read that login items installed via Service Management framework won't appear at the system preferences, so no problem on this area.

I just changed the bundle id of the helper app, to be the same as the containing app's bundle id + a postfix. So if the containing app bundle id is com.mycompany.myapp, the bundle id of the helper app would be com.mycompany.myapp.helper Is this is what you meant by superset? Anyway, after this change I still don't see any Login Item (not in Users & Groups, and not in Security and Privacy), but, the app is now active after a Mac restart, so it's already a big improvement.

Edit: I'm using the same Developer ID certificate as my main app, but for the embedded app I'm not using any provisioning profile (I set it to 'None'), is it ok?

Edit: I'm talking about system-extension, distributed outside the App Sore, with a custom installer.

First - thank you for your time answering those questions! Regarding the SecKey - the key was stored at the Keychain via a profile created at Apple Configurator - I filled the VPN and the Certificate payloads, and installed the profile. I can get the SecKey at the containing app, but when trying to call SecKeyCopyExternalRepresentation, it returns nil. It's not tied to a smart card..Any idea why SecKeyCopyExternalRepresentation returns nil?