Failed to enable the Network Extension

Question

Created Feb ’25

Replies 4

Boosts 1

Participants 3

In my application, there is a Network Extension with the bundle ID com.***.agent.yyy.zzz.ne. There is a user upgraded their system to macOS Sequoia 15.3, they faced an issue where enabling this Network Extension failed. Even after uninstalling the application and the Network Extension, restarting the system, and reinstalling multiple times, the enabling process still failed. it alert: Failed to enable the Network Extension.

When checking the status via "systemextension list", it always shows "activated waiting for user".

This shows the normal enabling process log:

This shows the log when the enabling fails upon clicking. Strangely enough, there is no activation operation log when it fails. What could be the problem?

Boost

Answer 1

GreyLuo OP

Feb ’25

Only this one user is experiencing this strange issue .
When clicking the switch to enable the Network Extension, the window for entering the password doesn't even pop up.

could you please tell me how to troubleshoot it ?

0

Answer 2

GreyLuo OP

Feb ’25

This is error that filter "Extension":

2025-02-08 15:44:18.191 Df authd[197:18d4f] [com.apple.Authorization:authd] Failed to authorize right 'com.apple.system-extensions.admin' by client '/System/Library/ExtensionKit/Extensions/SettingsSystemExtensionController.appex' [3006] for authorization created by '/System/Library/ExtensionKit/Extensions/SettingsSystemExtensionController.appex' [3006] (3,0) (-60005) (engine 86) 2025-02-08 15:44:18.191 E SettingsSystemExtensionController[3006:603e] [com.apple.sx:Controller] Failed to allow changes for <private> : Error Domain=OSSystemExtensionErrorDomain Code=1 "" UserInfo={NSLocalizedDescription=}

0

Answer 3

DTS Engineer OP

Apple

Feb ’25

That -60005 error is errAuthorizationDenied. Is there any chance they’ve changed how com.apple.system-extensions.admin is set up? What does the following show?

% security authorizationdb read com.apple.system-extensions.admin | plutil -p -
…
{
  "class" => "rule"
  "comment" => "Authorize a 3rd party application which wants to manipulate system extensions."
  "created" => 723599790.4667161
  "modified" => 723599790.4667161
  "rule" => [
    0 => "authenticate-admin-nonshared"
  ]
  "version" => 0
}

Also change the rule to which it delegates:

% security authorizationdb read authenticate-admin-nonshared | plutil -p -     
…
{
  "allow-root" => 0
  "authenticate-user" => 1
  "class" => "user"
  "comment" => "Authenticate as an administrator."
  "created" => 723599790.4667161
  "group" => "admin"
  "modified" => 723599790.4667161
  "session-owner" => 0
  "shared" => 0
  "timeout" => 30
  "tries" => 10000
  "version" => 1
}

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

ConradSun OP

2w

Hi, I recently encountered the same issue after updating the macOS system, and I just fixed it. This needs to be credited to Eskimo's response.

Before I fixed the issue:

security authorizationdb read com.apple.system-extensions.admin | plutil -p -
YES (0)
{
  "class" => "rule"
  "created" => 695120029.1478879
  "modified" => 713695351.319139
  "rule" => [
    0 => "is-root"
  ]
  "version" => 0
}

That's strange, because there is no comment mentioned by Eskimo, and the rule is also incorrect.

Then I reset the system extension authorization policy.

sudo security authorizationdb reset com.apple.system-extensions.admin

The authorization policy is now normal, and the system extension can be activated properly.

security authorizationdb read com.apple.system-extensions.admin | plutil -p -
YES (0)
{
  "class" => "rule"
  "comment" => "Authorize a 3rd party application which wants to manipulate system extensions."
  "created" => 772013763.103967
  "modified" => 772013763.103967
  "rule" => [
    0 => "authenticate-admin-nonshared"
  ]
  "version" => 0
}

0