We are developing a DLP agent that uses a NETransparentProxyProvider to perform traffic inspection and modification. Our architecture currently includes:
- LaunchAgent, which monitors user session activity (login/logout, session activation)
- Container App, which:
  - installs and activates a System Extension
  - creates and saves the NETransparentProxyManager configuration
  - starts the transparent proxy via startVPNTunnel.
We would like to automate the startup of the Transparent Proxy for all users, including newly created users, in a way that is fully supported by macOS. We are looking for official guidance on the correct and supported mechanism for starting a user‑level Network Extension (specifically NETransparentProxyProvider) automatically at user login.
Questions:
- What is the recommended and supported way to automatically start a NETransparentProxyProvider at user login?
- Are there any constraints or best practices we should follow when designing an automatic startup flow for a Network Extension such as NETransparentProxyProvider?
We would appreciate official clarification on the supported deployment patterns for starting a user‑level Transparent Proxy Network Extension automatically in multi‑user enterprise environments.
Sorry it’s taken a while to get back to you here. I had to go back’n’forth with NE engineering about this, and WWDC didn’t exactly speed things up.
On the plus side, I learnt something new. I was originally under the impression that only the container app could get the manager object (NEAppProxyProviderManager in this case), get the connection object from that (via the connection property, of type NEVPNConnection), and thus start and stop the proxy. However, it seems I missed a critical memo. Once you’ve created the configuration — from the container app or using MDM — then any app that shares an app group with the container app can get the manager object, get the connection property from that, and use that to start and stop the VPN.
Neat-o!
This means that you can return to your login approach, and create a launchd agent that starts the proxy on login.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
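As an added illustration of the approach described in the answer (this is example code written for this page, not code from the original poster, from DTS, or from Apple), the following is the core of a launchd agent executable that loads the transparent proxy configuration saved by the container app and starts it if it is not already running. The bundle identifiers `com.example.dlp.app` and `com.example.dlp.proxy` are placeholders; the example assumes the agent binary is signed with the same `com.apple.security.application-groups` entitlement as the container app, since that shared app group is what lets a second process see the manager object at all.

```swift
import Foundation
import NetworkExtension

// Placeholder: bundle identifier of the system extension hosting the
// NETransparentProxyProvider. Used to pick our configuration out of the list
// that loadAllFromPreferences returns.
let proxyExtensionBundleID = "com.example.dlp.proxy"

/// Loads the saved transparent proxy configurations visible to this process
/// (the agent must share an app group with the container app that created
/// them) and starts ours via the manager's connection object.
final class ProxyStarter {
    private var manager: NETransparentProxyManager?
    private var statusObserver: NSObjectProtocol?
    private let retryInterval: TimeInterval = 30

    func start() {
        NETransparentProxyManager.loadAllFromPreferences { managers, error in
            if let error = error {
                NSLog("loadAllFromPreferences failed: \(error)")
                self.retryLater()
                return
            }
            // An empty list means the container app (or MDM) has not yet
            // created and saved the configuration, e.g. a freshly created user
            // account before the app's first launch. Poll rather than exit so
            // the proxy still comes up once the configuration appears.
            guard let manager = (managers ?? []).first(where: { m in
                (m.protocolConfiguration as? NETunnelProviderProtocol)?
                    .providerBundleIdentifier == proxyExtensionBundleID
            }) else {
                NSLog("No transparent proxy configuration found yet; retrying")
                self.retryLater()
                return
            }
            self.manager = manager
            self.observeStatus(of: manager.connection)
            self.startIfNeeded(manager)
        }
    }

    private func startIfNeeded(_ manager: NETransparentProxyManager) {
        // A disabled configuration cannot be started; only the owner of the
        // configuration (container app or MDM) should change that flag, so
        // the agent just reports it.
        guard manager.isEnabled else {
            NSLog("Configuration is disabled; not starting")
            return
        }
        switch manager.connection.status {
        case .connected, .connecting, .reasserting:
            NSLog("Proxy already running (status \(manager.connection.status.rawValue))")
        default:
            do {
                try manager.connection.startVPNTunnel()
                NSLog("startVPNTunnel issued")
            } catch {
                NSLog("startVPNTunnel failed: \(error)")
                self.retryLater()
            }
        }
    }

    /// Logs status transitions and restarts the proxy if it drops to
    /// disconnected (the extension crashed or was stopped by another client).
    private func observeStatus(of connection: NEVPNConnection) {
        if statusObserver != nil { return }
        statusObserver = NotificationCenter.default.addObserver(
            forName: .NEVPNStatusDidChange, object: connection, queue: .main
        ) { [weak self] _ in
            NSLog("Proxy status changed: \(connection.status.rawValue)")
            if connection.status == .disconnected, let manager = self?.manager {
                self?.startIfNeeded(manager)
            }
        }
    }

    private func retryLater() {
        DispatchQueue.main.asyncAfter(deadline: .now() + retryInterval) {
            self.start()
        }
    }
}

// The agent is launched by launchd at login (RunAtLoad) and stays resident so
// it can react to status changes; the run loop keeps the process alive.
let starter = ProxyStarter()
starter.start()
RunLoop.main.run()
```

The agent never saves the configuration itself: creation and policy changes stay with the container app or MDM, as the answer describes, and the agent only exercises the start/stop capability that the shared app group grants it. If `loadAllFromPreferences` keeps returning an empty list on an account where the container app has already saved its configuration, the first things to check are that both binaries carry the identical app group entitlement and that the agent is actually running in that user's session rather than as a LaunchDaemon.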