Endpoint Standard: Mac sensor unable to block connections handled by App Proxy Provider (per-app VPN)
search cancel

Endpoint Standard: Mac sensor unable to block connections handled by App Proxy Provider (per-app VPN)


Article ID: 288444


Updated On:


Carbon Black Cloud Endpoint Standard (formerly Cb Defense)


  • An issue has been found where the CBC Sensor is not able to block network connections tunneled by a per-app VPN using Apple’s App Proxy Provider when the endpoint is placed in quarantine. 
  • This is for all internet-accessing apps


  • Endpoint Standard Sensor : All Versions
  • Apple macOS: All Supported Versions


This has been identified as an issue with MacOS System Extension and network filtering framework limitations 


  • VMWare Carbon Black is working with Apple for an in-product solution
  • As a workaround, create a special policy for quarantined endpoints to block the sites from being able to load over the per-app VPN tunnel, whether in Chrome or Safari or any other application configured to use the per-app VPN. This policy should be configured with a "Blocking and Isolation" rule to block any per-app VPN application running on the endpoint. Please refer to the following example for Workspace One Tunnel. Please note that the application path will vary depending on the per-app VPN used:
  1. Navigate to sensor settings of the policy
  2. Under "Prevention" tab > "Blocking and Isolation" section > "Application at path" section, add the following path(this path should be updated based on the per-app VPN used)  :
Applications at path: /Applications/VMware Tunnel.app/Contents/PlugIns/macOSAppProxyProvider.appex/Contents/MacOS/macOSAppProxyProvider
Operation attempt: Runs or is running
Action: Deny operation
  • Applying this policy to a sensor prevents the per-app VPN network traffic from running by blocking the App Proxy Provider responsible for the per-app VPN tunnel.