Installing and Uninstalling a content filter without user login.

We have a macOS app that contains a system extension content filter as part of the app bundle. The main container app is a relatively simple process to perform activation and deactivation of the content filter.

From guidance given on this forum, our container app has a GUI component (AppDelegate) which on launch activates the content filter if needed, e.g. on initial install or update. This works as intended, provided the user is logged in.

However, we would normally expect the install/update/removal to be performed by remote management, e.g. pushed by JAMF, which often happens when no user is logged in on the device. Note, we have an MDM profile which provides pre-authorization of the system extension and content filter to negate the requirement for the user to respond to prompts during install.

Trying to perform a remote install or removal requires calling the main container app to run without a logged-in user, which fails because the app terminates as there is no GUI context to run in.

Trying a container app without a GUI component appears to be unreliable and often hangs during content filter activation.

What is the correct way to perform installation or removal, without a user login, via remote management?

What is the correct way to perform installation or removal, without a user login, via remote management?

As you are pointing out, there will be issues if you are trying to install, update, or remove a System Extension from a machine without a complete user session. This means that the user has logged in and has an active user interface that they can interact with, i.e., Finder, etc. Installing, removing, or updating a System Extension in this user session is the recommended path because if the user needs to approve or allow something, then they are present to do so and it does not fail in the way you are pointing out.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

Thanks for the clarification.

Our and our customers' IT departments typically want to be able to deploy or remove macOS apps via an MDM (JAMF in our case). We distribute an MDM profile to pre-authorize system extension and content filter installation (and removable system extensions on Monterey). The requirement/recommendation to need a logged-in user does hamper management of apps via MDM.

Is there any intention or roadmap to support deployment or removal of system extensions with suitable MDM profile but without requiring a user logged in?

Regards, David

Is there any intention or roadmap to support deployment or removal of system extensions with suitable MDM profile but without requiring a user logged in?

First, I want to say that I do not know. Now, my opinion on this matter is that I suspect the answer to this is no because for most of the providers the user needs to be present to accept the network configuration prompt, and this has to be done from a user session. From a privacy and workflow standpoint this makes sense also.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com