Title: Developer ID + DNS Proxy system extension: profile mismatch for `com.apple.developer.networking.networkextension`

If this is a known limitation or bug in how Xcode validates NE entitlements for Developer ID

Indeed, this is a known bug in Xcode’s code-signing support )-:

is there a recommended workaround?

You have to sign your product manually, outside of Xcode.

Exporting a Developer ID Network Extension has all the details here.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

As a follow‑up for anyone hitting the same issue:

Per Quinn’s advice, I switched to manual signing outside Xcode and followed the “Exporting a Developer ID Network Extension” guidance. The code signing / notarization side now looks correct and works locally:

• Host app and DNS Proxy system extension are both signed with Developer ID Application for our team (for example, TEAMID1234).
• com.apple.developer.networking.networkextension in both host and system extension entitlements uses `dns-proxy-systemextension.
• The app bundle identifier is com.myapp.agent.MyProxy.
• The installer pkg is signed with Developer ID Installer: MyApp Inc (TEAMID1234), notarized with notarytool (status: Accepted), stapled, and passes `pkgutil --check-signature.
• On the test Mac (macOS 14.4, Apple Silicon), sudo installer -pkg MyProxy_…pkg -target / succeeds, the app appears in/Applications, and spctl --assess -vvv -t exec reportssource=Notarized Developer ID`. The app launches and the DNS Proxy system extension runs (any remaining issues are now inside our Network Extension code, not related to installation).

The remaining problem is MDM deployment (third‑party MDM):

• The notarized pkg is uploaded as a Custom macOS app (Delivery shows “MDM, Munki”).
• In the relevant group, the Install Method for this app is set to MDM; the device is not in any Munki assignment group and has no Munki client installed.
• Other macOS apps from the same group generate InstallApplication commands and install successfully on this device.
• This particular app (bundle id com.myapp.agent.MyProxy) never gets an InstallApplication / InstallEnterpriseApplication command for this Mac, despite the assignment being present. From the vendor’s description it appears to be evaluated as “NotApplicable” on their backend
• A System Extension Policy profile is present on the device, allowing our Team ID (e.g. TEAMID1234) and system extension bundle ID com.myapp.agent.MyProxy.dnsProxy for the Network extension type.
• Device‑level installation has been tested both enabled and disabled in the app settings; manual installation via installer works in both cases.

So we effectively have:

• A Developer ID–signed, notarized pkg that installs and runs correctly when executed manually on the same Mac.
• A healthy MDM‑managed device that successfully installs other apps via InstallApplication.
• Only this one Developer ID DNS Proxy app being treated as “not applicable” for MDM installation.

My questions for DTS / anyone familiar with the MDM side of Developer ID Network Extensions:

1. Are there any additional constraints (beyond code signing and notarization) that could cause an MDM server to treat a notarized Developer ID pkg containing a dns-proxy-systemextension as NotApplicable on macOS 14.x Apple Silicon, even when the same pkg installs and runs correctly via installer?
2. Are there any recommended pkg‑level metadata or structure requirements (minimum OS version, architecture filters, specific Info.plist keys, etc.) that MDM implementations are expected to enforce for Developer ID Network Extensions when deciding whether to send InstallApplication?
3. Is there any Apple guidance or known limitation around using `InstallApplication with Developer ID DNS Proxy system extensions on macOS 14.x that MDM vendors should be following?

Any pointers on how to verify that a given Developer ID DNS Proxy pkg is “MDM‑deployable” (beyond notarization and spctl) would be greatly appreciated.

Update (MDM‑managed macOS 14.4 device):

After some additional testing with our third‑party MDM, the Custom macOS app now does get installed via MDM (the notarized Developer ID PKG is assigned to a group with Install Method = MDM and Auto Deploy, and /Applications/MyProxy.app appears on the target Mac with the expected bundle id and version). However, on that MDM‑managed macOS 14.4 (Apple Silicon) device the app still cannot be launched. Finder shows a generic “MyProxy can’t be opened” error, and the process is killed immediately on launch.

The key detail from the system log is that the decision is coming from the ConfigurationProfiles / MDM side rather than from Gatekeeper:

taskgated-helper[…]: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles]
Disallowing com.myapp.agent.MyProxy because no eligible provisioning profiles found

At the same time:

• spctl --assess -vvv -t exec /Applications/MyProxy.app reports source=Notarized Developer ID.
• codesign -dvv confirms the app is signed with our Developer ID Application certificate and has com.apple.developer.networking.networkextension = dns-proxy-systemextension, com.apple.developer.system-extension.install, sandbox, and app group entitlements only.
• The PKG is signed with Developer ID Installer, notarized with notarytool (status: Accepted), and passes pkgutil --check-signature.

So on a non‑MDM machine the same notarized Developer ID PKG installs and the app launches and runs its DNS Proxy system extension successfully. On an MDM‑managed machine, the app installs via MDM but taskgated-helper (ConfigurationProfiles) blocks the launch with “no eligible provisioning profiles found”, as if a provisioning profile were required for these entitlements even though this is a Developer ID distribution. This leads to a follow‑up question for DTS:

• Is this behavior (ConfigurationProfiles / taskgated-helper requiring an “eligible provisioning profile” for a Developer ID app that has dns-proxy-systemextension entitlements and was delivered via MDM as a Custom macOS app) expected, or is it a bug in how macOS 14.x applies MDM/ConfigurationProfiles policy to Developer ID Network Extensions?

If this is expected, any clarification on the intended model for deploying Developer ID DNS Proxy system extensions via MDM (in particular, whether MDM delivery is supposed to place additional provisioning‑profile‑like requirements on such apps) would be very helpful.

I can’t really help you with MDM stuff. If you need help in that space, you can try over in Business & Education > Device Management but you might have more luck over in the Apple Support Community, run by Apple Support, and specifically in the Business and Education topic areas.

However, I can help you with this:

on that MDM‑managed macOS 14.4 (Apple Silicon) device the app still cannot be launched.

That sounds less like an MDM issue and more like a Gatekeeper issue.

codesign -dvv confirms the app is signed with our Developer ID Application certificate and has …

I see no mention of the App ID (com.apple.application-identifier) and Team ID (com.apple.developer.team-identifier) entitlements. Any app that uses restricted entitlement should be signed with those entitlements because they tie the app to its provisioning profile. I talk about this, in a very different context, in TestFlight, Provisioning Profiles, and the Mac App Store.

Oh, and in your case this applies to both the app and the appex, which need separate App ID and thus separate profiles.

If that’s not the issue then I recommend that you work through the process in Resolving Trusted Execution Problems to see if that turns up anything.

Oh, and it’d also be good to install macOS 14 in a ‘victim’ VM and install your app there without involving MDM, just in confirm that MDM isn’t a factor.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"