Add network extension docs (#895)

mlw · web-flow · commit cf57c466351b · 2026-04-04T13:37:32.000-04:00
This adds information about required profiles changes as well as installation/upgrade/verification instructions for the network extension. **New Page: Profiles: Network Extension:** <img width="3114" height="5902" alt="localhost_3000_deployment_profile-network-extension_" src="https://github.com/user-attachments/assets/04011018-e4ec-4338-9a23-d9d39abc117a" /> **New Page: Network Extension:** <img width="3114" height="3570" alt="localhost_3000_deployment_network-extension_" src="https://github.com/user-attachments/assets/ce07ab7e-e612-4295-8c3d-eecd12d60900" /> **Updated Page: Profiles: System Extension** <img width="3114" height="5994" alt="localhost_3000_deployment_profile-system-extension_" src="https://github.com/user-attachments/assets/27fdb7dc-9ab3-430b-824f-017eee13fc89" />
diff --git a/.gitignore b/.gitignore
@@ -17,3 +17,4 @@ compile_commands.json
 .cache/
 .vscode/*
 .zed**
+docs/superpowers/
diff --git a/docs/docs/deployment/install-package.md b/docs/docs/deployment/install-package.md
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 7
+sidebar_position: 8
 ---
 
 # Install Santa Package
diff --git a/docs/docs/deployment/migration.md b/docs/docs/deployment/migration.md
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 8
+sidebar_position: 10
 ---
 
 # Migration
diff --git a/docs/docs/deployment/network-extension.md b/docs/docs/deployment/network-extension.md
@@ -0,0 +1,86 @@
+---
+sidebar_position: 9
+---
+
+# Network Extension
+
+Santa includes an optional network [system
+extension](https://developer.apple.com/documentation/systemextensions) that can
+monitor and control network traffic. It provides two capabilities: a content
+filter for monitoring network flows and a DNS proxy for intercepting DNS queries.
+
+:::info
+
+The network extension requires a [Workshop](https://northpole.dev/) subscription
+and will not activate without one.
+
+:::
+
+## Installation
+
+### Enabling the feature
+
+Workshop customers must enable the network extension on a
+[tag](https://docs.workshop.cloud/tags). Navigate to the tag's sync
+settings and enable the **Network Extension** setting. The network extension
+will only be installed on hosts that are members of a tag with this setting
+enabled.
+
+### Automatic installation
+
+The network extension is lazily installed by default. Activating a network
+extension tears down all existing network connections, which can disrupt users.
+To minimize impact, Santa will automatically install or upgrade the network
+extension when:
+
+- The system reboots
+- The system wakes from sleep (e.g. when the laptop lid opens)
+
+The network extension [profiles](profile-network-extension.md) must be installed
+for automatic installation to succeed silently. If the profiles are not installed
+and a user is logged in, macOS will display its standard prompt asking the user
+to approve the extension.
+
+### Manual installation
+
+If you need to install the network extension immediately, you can trigger it
+manually:
+
+```text
+sudo santactl install --network-extension
+```
+
+:::caution
+
+This will tear down existing network connections and can interrupt active
+network operations. Use with care.
+
+:::
+
+## Verification
+
+You can check the status of the network extension using `santactl status`. The
+output includes a Network Extension section:
+
+```text title="santactl status"
+>>> Network Extension
+  Enabled                   | Yes
+  Loaded                    | Yes
+```
+
+- **Enabled** means the appropriate Workshop settings have been configured to
+  allow the network extension to run on the system.
+- **Loaded** means the network extension has been installed and activated via the
+  network extension provider configuration.
+
+You can also run `santactl version` to view version information:
+
+```text title="santactl version"
+santad               | 2026.3 (build 187, commit 47a21b0d)
+santactl             | 2026.3 (build 187, commit 47a21b0d)
+SantaGUI             | 2026.3 (build 187, commit 47a21b0d)
+santanetd (BETA)     | 2026.3 (build 187, commit 2149a1ce)
+```
+
+If a newer version of the network extension is available, it will be noted in the
+output and installed on the next reboot or sleep/wake cycle.
diff --git a/docs/docs/deployment/profile-background.md b/docs/docs/deployment/profile-background.md
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 4
+sidebar_position: 5
 ---
 
 # Profiles: Background Apps
diff --git a/docs/docs/deployment/profile-configuration.md b/docs/docs/deployment/profile-configuration.md
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 6
+sidebar_position: 7
 ---
 
 # Profiles: Santa Configuration
diff --git a/docs/docs/deployment/profile-network-extension.md b/docs/docs/deployment/profile-network-extension.md
@@ -0,0 +1,131 @@
+---
+sidebar_position: 3
+---
+
+# Profiles: Network Extension
+
+Santa includes an optional network [system
+extension](https://developer.apple.com/documentation/systemextensions) that can
+monitor and control network traffic. It provides two capabilities: a content
+filter for monitoring network flows and a DNS proxy for intercepting DNS queries.
+:::info
+
+The network extension requires a [Workshop](https://northpole.dev/) subscription
+and will not activate without one.
+
+:::
+
+Like the endpoint security system extension, loading the network extension
+requires approval. For organizations deploying Santa, this step can be automated
+by sending an appropriate profile via an MDM.
+
+Enabling the network extension requires two separate payloads: a
+[Web Content Filter](https://developer.apple.com/documentation/devicemanagement/webcontentfilter)
+payload for the content filter provider and a
+[DNS Proxy](https://developer.apple.com/documentation/devicemanagement/dnsproxy)
+payload for the DNS proxy provider.
+
+:::warning
+
+You must also update your [system extension profile](profile-system-extension.md)
+to allow the network extension. Without this, macOS will not permit the extension
+to load without manual user intervention.
+
+:::
+
+For installation and verification steps, see the
+[Network Extension](network-extension.md) page.
+
+## Generating the profile
+
+The process for adding these payloads to your machines will differ depending on
+which MDM you are using. Many MDMs have specific support for these kinds of
+profiles. In that case, you will need the following information:
+
+### Content Filter
+
+- Filter Type: `Plugin`
+- Plugin Bundle ID: `com.northpolesec.santa`
+- Filter Data Provider Bundle Identifier: `com.northpolesec.santa.netd`
+- Filter Data Provider Designated Requirement: `identifier "com.northpolesec.santa.netd" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "ZMCG7MLDV9"`
+- Filter Sockets: `true`
+- Filter Packets: `false`
+
+### DNS Proxy
+
+- App Bundle Identifier: `com.northpolesec.santa`
+- Provider Bundle Identifier: `com.northpolesec.santa.netd`
+
+## Example Profile
+
+If your MDM doesn't have an option to add Content Filter or DNS Proxy profiles
+but does have the option for deploying custom profiles, you can use the following
+example as a template.
+
+```xml showLineNumbers
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadType</key>
+			<string>com.apple.webcontent-filter</string>
+			<key>PayloadIdentifier</key>
+			<string>com.northpolesec.santa.content-filter</string>
+			<key>PayloadUUID</key>
+			<string>A1B2C3D4-5555-6666-7777-888899990000</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+			<key>PayloadDisplayName</key>
+			<string>Santa Content Filter</string>
+			<key>UserDefinedName</key>
+			<string>Santa Content Filter</string>
+			<key>FilterType</key>
+			<string>Plugin</string>
+			<key>PluginBundleID</key>
+			<string>com.northpolesec.santa</string>
+			<key>FilterDataProviderBundleIdentifier</key>
+			<string>com.northpolesec.santa.netd</string>
+			<key>FilterDataProviderDesignatedRequirement</key>
+			<string>identifier "com.northpolesec.santa.netd" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "ZMCG7MLDV9"</string>
+			<key>FilterSockets</key>
+			<true/>
+			<key>FilterPackets</key>
+			<false/>
+		</dict>
+		<dict>
+			<key>PayloadType</key>
+			<string>com.apple.dnsProxy.managed</string>
+			<key>PayloadIdentifier</key>
+			<string>com.northpolesec.santa.dns-proxy</string>
+			<key>PayloadUUID</key>
+			<string>A1B2C3D4-1111-2222-3333-444455556666</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+			<key>PayloadDisplayName</key>
+			<string>Santa DNS Proxy</string>
+			<key>AppBundleIdentifier</key>
+			<string>com.northpolesec.santa</string>
+			<key>ProviderBundleIdentifier</key>
+			<string>com.northpolesec.santa.netd</string>
+		</dict>
+	</array>
+	<key>PayloadDisplayName</key>
+	<string>Santa Network Extension</string>
+	<key>PayloadIdentifier</key>
+	<string>com.northpolesec.santa.netd.profile</string>
+	<key>PayloadUUID</key>
+	<string>A1B2C3D4-AAAA-BBBB-CCCC-DDDDEEEEFFFF</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadDescription</key>
+	<string>Enables the Santa network content filter and DNS proxy extensions.</string>
+</dict>
+</plist>
+```
diff --git a/docs/docs/deployment/profile-notifications.md b/docs/docs/deployment/profile-notifications.md
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 5
+sidebar_position: 6
 ---
 
 # Profiles: Notifications
diff --git a/docs/docs/deployment/profile-system-extension.md b/docs/docs/deployment/profile-system-extension.md
@@ -41,6 +41,18 @@ and malicious scripts from bypassing Santa. If you decide at some later point to
 uninstall Santa, you will need to remove the system extension profile before
 attempting to uninstall.
 
+:::info Network Extension
+Enterprise deployments that include Santa's [network
+extension](profile-network-extension.md) should also allow the following in this
+profile:
+
+- Allowed extension types: `NetworkExtension`
+- Allowed extensions: `com.northpolesec.santa.netd`
+
+The highlighted lines in the example below include the network extension. These
+lines can be safely removed if you are not deploying the network extension.
+:::
+
 ## Example Profile
 
 If your MDM doesn't have an option to add a System Extension profile but does
@@ -97,20 +109,26 @@ example as a template.
 				<key>ZMCG7MLDV9</key>
 				<array>
 					<string>com.northpolesec.santa.daemon</string>
+<!-- highlight-next-line -->
+					<string>com.northpolesec.santa.netd</string>
 				</array>
 			</dict>
 			<key>AllowedSystemExtensionTypes</key>
 			<dict>
 				<key>ZMCG7MLDV9</key>
 				<array>
 					<string>EndpointSecurityExtension</string>
+<!-- highlight-next-line -->
+					<string>NetworkExtension</string>
 				</array>
 			</dict>
 			<key>NonRemovableSystemExtensions</key>
 			<dict>
 				<key>ZMCG7MLDV9</key>
 				<array>
 					<string>com.northpolesec.santa.daemon</string>
+<!-- highlight-next-line -->
+					<string>com.northpolesec.santa.netd</string>
 				</array>
 			</dict>
 		</dict>
diff --git a/docs/docs/deployment/profile-tcc.md b/docs/docs/deployment/profile-tcc.md
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 3
+sidebar_position: 4
 ---
 
 # Profiles: TCC
diff --git a/docs/docs/deployment/troubleshooting.md b/docs/docs/deployment/troubleshooting.md
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 9
+sidebar_position: 11
 ---
 
 # Troubleshooting
