How to clean useless NetworkExtension

Question 1: After NetworkExtension is installed, when the software receives a pushed uninstall command, it needs to download the entire software but fails to uninstall this NetworkExtension. Are there any solutions?

Question 2: How can residual, uninstalled NetworkExtensions be cleaned up when SIP (System Integrity Protection) is enabled?

Answered by DTS Engineer in 840510022

So, I presume we’re talking about Network Extension providers packaged as system extensions on the Mac. If any of that’s wrong, let me know.

Regarding this:

After NetworkExtension is installed, when the software receives a pushed uninstall command, it needs to download the entire software but fails to uninstall this NetworkExtension.

Just to confirm, this “pushed uninstall command” is being issued by your MDM system, right?

If so, I would expect that using MDM to uninstall an app would also uninstall any system extensions that app has installed. It sounds like you’re seeing that this doesn’t happen, in which case I encourage you to file a bug about that. Please post your bug number, just for the record.

How can residual, uninstalled NetworkExtensions be cleaned up when SIP (System Integrity Protection) is enabled?

In general, I expect that the NE container app should provide a UI to uninstall its system extension, in the same way it provides a UI to install it. If that’s not the case, I recommend that you take that up with the app’s developer.

As to how you might work around this, the system does not provide a mechanism to uninstall a sysex other than with systemextensionsctl, and that requires you to disable SIP.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for your response. I have a general security application called container.app (which monitors traffic and generates alerts). The app is not an MDM but contains a NetworkExtension. container.app communicates with my own server. When it receives an uninstall command from the server, it needs to uninstall itself. However, after the uninstallation is completed, residual NetworkExtension files are found. How can these be cleared when SIP is enabled?

Is the only way for the user to trigger the interaction via the UI, where container.app calls deactivationRequestForExtension to uninstall it? But this requires foreground operation—are there no other methods? Residual NetworkExtension issues are quite common in the community. Are there alternative solutions to clear them? For example, can a Mach-O file with the same signature call deactivationRequestForExtension in the background to perform the cleanup?

When it comes to system extensions, there are three uninstall paths that we support:

  • MDM

  • Deleting the container app in the Finder

  • Calling System Extensions framework from the container app as the result of user interaction, that is, with a GUI container app that the user has launched

None of these will leave ‘orphaned’ sysexes lying around [1].

If you head off on other paths then, yeah, you’ll run into weird problems. I can’t really help you much with that. The supported paths are the supported paths for a reason.

If your product can’t use one of these supported paths, my advice is that you file an enhancement request that describes your specific requirements and explains why these supported paths don’t work for you.

If you do file such an ER, please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Although the sysex might not be deleted until the next restart.
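The third supported path above, a deactivation request submitted from the GUI container app after a user action, looks like this in Swift. This is an added example, not code from the thread or from Apple; the bundle identifier is a hypothetical placeholder, and the class must run inside the user-launched container app, not a background tool.

```swift
import Foundation
import SystemExtensions

/// Drives the supported "container app" uninstall path: a deactivation
/// request handed to the System Extensions framework. Run it from the GUI
/// container app in response to user interaction (e.g. an Uninstall button).
final class ExtensionUninstaller: NSObject, OSSystemExtensionRequestDelegate {
    // Hypothetical identifier; replace with the sysex's real bundle ID.
    let extensionID = "com.example.container.networkextension"
    /// Called once with (succeeded, human-readable status).
    var onDone: ((Bool, String) -> Void)?

    func start() {
        let request = OSSystemExtensionRequest.deactivationRequest(
            forExtensionWithIdentifier: extensionID, queue: .main)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
        -> OSSystemExtensionRequest.ReplacementAction {
        // Only consulted for activation requests; required by the protocol.
        return .replace
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        // macOS may ask the user to approve in System Settings; the request
        // stays pending until they do, so keep the app in the foreground.
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        switch result {
        case .completed:
            onDone?(true, "extension deactivated")
        case .willCompleteAfterReboot:
            // Footnote [1] above: the sysex is only removed at the next restart.
            onDone?(true, "deactivation scheduled; completes after reboot")
        @unknown default:
            onDone?(true, "finished with unknown result \(result.rawValue)")
        }
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        // e.g. OSSystemExtensionError.extensionNotFound when nothing is installed.
        onDone?(false, error.localizedDescription)
    }
}
```

Because the same copy of the sysex survives deleting /Applications/Container.app, this request is what actually retires it; checking systemextensionsctl list afterwards (and again after a reboot) confirms the state change.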

Thanks for your reply. I used the following code to uninstall the app files in a command line tool named XXXCoreService:

#import <Foundation/Foundation.h>

// Removes the container app bundle by shelling out to rm via system().
NSString *targetPath = @"/Applications/Container.app";
NSString *cmdStr = [NSString stringWithFormat:@"rm -rf '%@'", targetPath];
const char *cmd = [cmdStr UTF8String];
int rc = system(cmd);   // rc is the shell's exit status

The execution result shows that Container.app was successfully deleted.

However, the NetworkExtension inside Container.app remains in the system.

When I check with the command systemextensionsctl list, the status of the NetworkExtension is still [activated enabled].

Could you advise on the proper method to silently remove the residual NetworkExtension in the command line tool?

You shouldn’t be using system for anything. It’s a security vulnerability looking for a place to happen.

However, that’s not the main issue here. You would see exactly the same problem if, for example, you deleted the files directly.

When I check with the command systemextensionsctl list, the status of the NetworkExtension is still [activated enabled].

Yep. When you activate a sysex, the system copies it to a secure location and runs it from that location. Deleting the container app from /Applications has no impact on that copy.

Could you advise on the proper method to silently remove the residual NetworkExtension in the command line tool?

There is no “proper method” to achieve that goal. I suggest you explore the three supported approaches I outlined in my previous post.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
