Entitlement Request Support

Target platforms: macOS 14 & 15 (distributed outside the Mac App Store …)

The key reference you need here is TN3134 Network Extension provider deployment. It explains how, when distributing your app directly on the Mac, using Developer ID signing, you must package your NE providers as a sysex. You can only use appex packaging when distributing on the App Store.

And directly distributing a sysex requires the -systemextension suffix, which is why the Developer website is setting up your profile that way.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@DTS Engineer

Thank you for the clarification.

Just to confirm: our current app is built using the legacy NetworkExtension framework and uses NEPacketTunnelProvider inside an .appex. We're distributing the app outside the Mac App Store via a .pkg installer and signing with Developer ID.

We understand that the provisioning portal automatically adds the -systemextension suffix to entitlements, and your reply referenced TN3134, which appears to mandate System Extensions for direct distribution.

Could you please confirm definitively:

Is there any way to continue using the legacy Network Extension framework (i.e., .appex-based NE providers) outside the Mac App Store on macOS 14+?

Or are we required to fully migrate our app to use System Extensions (SystemExtensions.framework) instead of legacy .appex NE providers when distributing via .pkg?

If there's no workaround, we’ll proceed with migrating to System Extensions—but given the scope of such a change, we wanted to confirm directly.

@DTS Engineer In this attached file, do we need to change anything, are any API's changed?