Reply to Cannot access shared keychain from NE System Extension
Thanks for the answer Matt! I already have the key at the Containing app, I got it with SecIdentityCopyPrivateKey() (I have the SecIdentity so I can use this func). My question was about the 'next step' - I want to send this key to the System-Extension. How can I do it? (OR how can I get this key directly via the sys-ext, instead of getting it at the containing app and sending it, but I guess this is not possible because the app runs under user, and sys-ext runs by root).
Topic: App & System Services SubTopic: Drivers Tags:
Nov ’21
Reply to Cannot access shared keychain from NE System Extension
Bumping this old thread - I have the same scenario, I created a VPN + Certificate payload, installed it, and now I have a VPN conf which I can access only from the containing app, but I need to access it from the system-extension. As I read above it's not possible, I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as a Data to the extension (using SecCertificateCopyData() and sendProviderMessage functions). The problem is that at the extension I need also the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ("This coder only encodes objects that adopt NSSecureCoding"). Is there any way to pass SecKey to the Extension, or to access it directly from there?
Topic: App & System Services SubTopic: Drivers Tags:
Nov ’21
Reply to Sleep + on demand rules
Thanks for the reply! It's happening also on Big Sur.

"Possibly the VPN transport is going down and it's not properly reconnected on the wake cycle"

I think this is the case, the question is how to solve it? One option I thought of is to unset disconnectOnSleep: This way when the Mac will enter sleep, the OS won't kill (and won't restart) the VPN, and I'll do it manually. Then I'll start it only on awake, and not before that. Does it seem like a good approach? Any other solution to this problem? And lastly - should I open a bug for this behavior?
Aug ’21
Reply to VPN not starting
"Are you grabbing something out of the Keychain to perform authentication with and this is failing?"

No. The scenario where it usually reproduces:

- I'm trying to connect with some invalid code, so connection fails
- Upon this failure I'm updating the VPN configuration (removing on-demand), and save it
- After the saving completed, I'm waiting a few seconds, entering a correct code and saving the VPN configuration again (and set on-demand).
- After the saving is completed, I'm trying to start the VPN.

Nothing from keychain here, and I did see the above MacOS error: -25304 error, but even with this error it was able to save the conf, and it did try to trigger the VPN (but then I got the log 'session in state connecting', see Console).
Mar ’21
Reply to NEExtension - From App Extension to System Extension
Thanks Matt! Regarding "Therefore when you access an App Group or Keychain Group in this context you are accessing a different container than the container app or app extension is." So that means I can't save something at the userDefaults and read it at the App Extension. Is there any way that some info can be saved at the containing app, and the system extension will have access to this information? (not a message between the app and the sys extension, but a write at the app, and read at a later stage at the extension)
Topic: App & System Services SubTopic: Drivers Tags:
Jan ’21