Reference: Client Accelerator Endpoint System Extensions
For endpoint clients with macOS versions 11 and later, you’ll need to allow a system extension from the SteelheadMobile.app to load when installing Client Accelerator software versions 6.3.0 and later. We recommend deploying the Riverbed-signed payload file on your macOS endpoints by using a mobile device management (MDM) tool. Extension installations that are not preapproved through your MDM tool require your endpoint users to manually authorize the extension, which requires administrator privileges on the endpoint.
Pushing the extension in a configuration policy using an MDM server
Allow the system extension in a mass deployment by pushing a device configuration policy using the MDM of your choice. The MDM tool should push a configuration policy with the following payloads to the endpoint clients:
• “com.apple.system-extension-policy” - allows the system extension to load.
The following is a sample payload:
<key>PayloadUUID</key>
<string>A3A74DCA-0360-40BE-9BC9-18B2492F721B</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadOrganization</key>
<string>Riverbed Technology Inc.</string>
<key>PayloadIdentifier</key>
<string>A3A74DCA-0360-40BE-9BC9-18B2492F721B</string>
<key>PayloadDisplayName</key>
<string>System Extensions</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>9F8TH6546M</key>
<array>
<string>com.riverbed.SteelheadMobile.appproxyextension</string>
</array>
</dict>
• “com.apple.webcontent-filter” - allows the filtering and monitoring of traffic.
The following is a sample payload:
<key>FilterDataProviderBundleIdentifier</key>
<string>com.riverbed.SteelheadMobile</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>"com.riverbed.SteelheadMobile" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "9F8TH6546M")</string>
<key>FilterPacketProviderBundleIdentifier</key>
<string>com.riverbed.SteelheadMobile.appproxyextension</string>
<key>FilterPacketProviderDesignatedRequirement</key>
<string>"com.riverbed.SteelheadMobile" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "9F8TH6546M")</string>
<key>FilterPackets</key>
<true/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadDisplayName</key>
<string>Web Content Filter Payload</string>
<key>PayloadIdentifier</key>
<string>C0A15A40-C521-4043-9828-E280208EBC2B</string>
<key>PayloadOrganization</key>
<string>JAMF Software</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadUUID</key>
<string>C0A15A40-C521-4043-9828-E280208EBC2B</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PluginBundleID</key>
<string>com.riverbed.SteelheadMobile</string>
<key>UserDefinedName</key>
<string>com.riverbed.SteelheadMobile.appproxyextension</string>
<key>VendorConfig</key>
Allowing the extension manually on the endpoint client
This section describes how to manually allow the extension to load on the endpoint client during installation of Client Accelerator 6.3.0 and later. These steps require administrator privileges on the endpoint.
1. During installation of Client Accelerator 6.3.0 and later, you will be prompted that a system extension from the SteelheadMobile.app has been blocked. Using your administrator credentials, open the system security settings and allow the extension to load.
2. After you allow the extension to run, you will be prompted to allow Client Accelerator to filter and monitor network activity. Click Allow.
Troubleshooting on Mac client
After a new software installation or upgrade, if the system extension is not allowed to run, then the status of the Client Accelerator will be listed as critical. While the Client Accelerator is in a critical state, traffic is passed through without optimization. Use the following command to see whether the network extension is allowed and active.
• To check whether the system extension has been allowed, run the “systemextensionsctl list” command on the Mac client. This command does not require administrator privileges. If the extension is active, its state is listed as “activated enabled”, as shown below:
% systemextensionsctl list
...
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
...
* * 9F8TH6546M com.riverbed.SteelheadMobile.appproxyextension (100.0.0.0/7.0.0 #0 DEV-BUILD) appproxyextension [activated enabled]
• If the system extension is waiting for user approval then the state will be listed as “activated waiting for user” as seen below:
% systemextensionsctl list
...
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
...
* 9F8TH6546M com.riverbed.SteelheadMobile.appproxyextension (100.0.0.0/7.0.0 #0 DEV-BUILD) appproxyextension [activated waiting for user]
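The check above can be scripted for fleet reporting. The following is an added example, not Riverbed code: it reads “systemextensionsctl list” output on standard input and classifies the row for the team ID and bundle ID shown in this section. The function names and verdict strings are assumptions.

```shell
#!/bin/sh
# Added example (not Riverbed code): classify the Client Accelerator system
# extension from `systemextensionsctl list` output read on stdin.
TEAM_ID="9F8TH6546M"
BUNDLE_ID="com.riverbed.SteelheadMobile.appproxyextension"
# Print the bracketed state of the extension row, or "not listed".
sysext_state() {
    awk -v team="$TEAM_ID" -v bundle="$BUNDLE_ID" '
        index($0, team) && index($0, bundle) {
            line = $0
            sub(/[ \t\r]+$/, "", line)
            n = length(line)
            if (substr(line, n, 1) != "]") next
            # Walk back to the "[" that opens the trailing state field.
            for (i = n; i > 0 && substr(line, i, 1) != "["; i--) ;
            if (i > 0) state = substr(line, i + 1, n - i - 1)
        }
        END { print (state == "" ? "not listed" : state) }
    '
}

# Map the state to a verdict; exit status 0 only when the extension is running.
sysext_check() {
    state=$(sysext_state)
    case "$state" in
        "activated enabled")          echo "OK: extension is active"; return 0 ;;
        "activated waiting for user") echo "PENDING: approval required (MDM policy or local administrator)"; return 1 ;;
        "not listed")                 echo "MISSING: no matching extension row"; return 2 ;;
        *)                            echo "UNEXPECTED: $state"; return 3 ;;
    esac
}

# Rows copied from the two sample outputs in this section.
sample_enabled() {
    cat <<'EOF'
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * 9F8TH6546M com.riverbed.SteelheadMobile.appproxyextension (100.0.0.0/7.0.0 #0 DEV-BUILD) appproxyextension [activated enabled]
EOF
}
sample_waiting() {
    cat <<'EOF'
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* 9F8TH6546M com.riverbed.SteelheadMobile.appproxyextension (100.0.0.0/7.0.0 #0 DEV-BUILD) appproxyextension [activated waiting for user]
EOF
}
# On a Mac client: systemextensionsctl list | sysext_check
```

A nonzero exit status from sysext_check corresponds to the critical state described above, in which traffic is passed through without optimization.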
Troubleshooting using a sysdump
• If the user has not approved the system extension, the following message appears in <sysdump>/var/log/riverbed.log:
System Extension Activation request <request_id> needs user approval
The following is a sample error message:
2022-11-03 07:46:46.383 Df SteelheadMobile[10605:31fb6] [com.riverbed.shm:ui] System Extension Activation request <OSSystemExtensionActivationRequest: 0x600002963450> needs user approval.
• If the system extension is approved by the user, but activation of the system extension fails, the following log message will be seen in <sysdump>/var/log/riverbed.log:
System Extension Activation request <request_id> failed with <error_code>
The following is a sample error message:
2022-11-03 07:39:55.074 E SteelheadMobile[9933:2f452] [com.riverbed.shm:ui] System Extension Activation request <OSSystemExtensionActivationRequest: 0x600001790960> failed with Error Domain=OSSystemExtensionErrorDomain Code=8 "(null)"
• If the optimization service fails to connect to the system extension, the following messages appear in <sysdump>/var/log/riverbed.log:
Could not connect to /example/var/root/Library/Containers/com.riverbed.SteelheadMobile.appproxyextension/Data/PipeService: Connection refused
Could not connect to intercept: Connection refused
The following are sample log messages:
2023-01-31 08:57:10.503323-0800 0x68949 Default 0x0 11043 0 rbtsport: [com.riverbed.shm:log] [intercept/NetworkExtensionConnection.WARN] - {- -} Could not connect to /example/var/root/Library/Containers/com.riverbed.SteelheadMobile.appproxyextension/Data/PipeService: Connection refused
2023-01-31 08:57:10.503862-0800 0x68949 Default 0x0 11043 0 rbtsport: [com.riverbed.shm:log] [MacTproxyMsgChannel.WARN] - {- -} Could not connect to intercept: Connection refused
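The three log conditions above can be checked in one pass over riverbed.log. The following is an added example, not Riverbed code: it counts each documented message and extracts the most recent activation error code. The function names and output keys are assumptions; the sample lines are the ones shown in this section.

```shell
#!/bin/sh
# Added example (not Riverbed code). Reads riverbed.log text on stdin and
# reports which of the documented system-extension conditions appear in it.
triage_sysext_log() {
    awk '
        /System Extension Activation request .* needs user approval/ { approval++ }
        /System Extension Activation request .* failed with / {
            failed++
            # Remember the most recent error code, e.g. Code=8 -> 8.
            if (match($0, /Code=[0-9]+/)) code = substr($0, RSTART + 5, RLENGTH - 5)
        }
        /Could not connect to .*PipeService: Connection refused/ { pipe++ }
        /Could not connect to intercept: Connection refused/     { intercept++ }
        END {
            printf "needs_user_approval=%d\n", approval
            printf "activation_failed=%d\n", failed
            printf "last_error_code=%s\n", (code == "" ? "none" : code)
            printf "extension_unreachable=%d\n", pipe + intercept
        }
    '
}

# Sample log lines copied from this section.
sample_log() {
    cat <<'EOF'
2022-11-03 07:46:46.383 Df SteelheadMobile[10605:31fb6] [com.riverbed.shm:ui] System Extension Activation request <OSSystemExtensionActivationRequest: 0x600002963450> needs user approval.
2022-11-03 07:39:55.074 E SteelheadMobile[9933:2f452] [com.riverbed.shm:ui] System Extension Activation request <OSSystemExtensionActivationRequest: 0x600001790960> failed with Error Domain=OSSystemExtensionErrorDomain Code=8 "(null)"
2023-01-31 08:57:10.503323-0800 0x68949 Default 0x0 11043 0 rbtsport: [com.riverbed.shm:log] [intercept/NetworkExtensionConnection.WARN] - {- -} Could not connect to /example/var/root/Library/Containers/com.riverbed.SteelheadMobile.appproxyextension/Data/PipeService: Connection refused
2023-01-31 08:57:10.503862-0800 0x68949 Default 0x0 11043 0 rbtsport: [com.riverbed.shm:log] [MacTproxyMsgChannel.WARN] - {- -} Could not connect to intercept: Connection refused
EOF
}
# On an unpacked sysdump: triage_sysext_log < <sysdump>/var/log/riverbed.log
```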