Various apps are failing to connect with LuLu enabled

[jguerin]

Spotify shows up as offline if I have LuLu enabled (though everything else seems to work fine):

I've tried uninstalling and reinstalling:

systemextensionsctl list
5 extension(s)
--- com.apple.system_extension.network_extension
enabled active  teamID  bundleID (version)  name    [state]
*   *   UBF8T346G9  com.microsoft.wdav.netext (101.21.50/101.21.50)Microsoft Defender ATP Network Extension [activated enabled]
        VBG97UB4TA  com.objective-see.lulu.extension (2.3.0/2.3.0)  Extension   [terminated waiting to uninstall on reboot]
*   *   VBG97UB4TA  com.objective-see.lulu.extension (2.3.0/2.3.0)  Extension   [activated enabled]
        VBG97UB4TA  com.objective-see.lulu.extension (2.3.0/2.3.0)  Extension   [terminated waiting to uninstall on reboot]
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
*   *   UBF8T346G9  com.microsoft.wdav.epsext (101.21.50/101.21.50)Microsoft Defender ATP Endpoint Security Extension   [activated enabled]

I've attached the log output when toggling LuLu then trying to load Spotify, but the snippet that I see seems to suggest that Spotify should be connecting fine: lulu_log.txt

2021-02-22 11:06:45.843337+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] found process object in cache: /Applications/Spotify.app (pid: 15168)
2021-02-22 11:06:45.843591+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] looking for rule for com.spotify.client:Developer ID Application: Spotify (2FNC3A47ZF) -> /Applications/Spotify.app
2021-02-22 11:06:45.843645+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] rule match: 'any'
2021-02-22 11:06:45.843771+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] found matching rule for 15168/Spotify: RULE: pid: all, path: /Applications/Spotify.app, name: Spotify, code signing info: {
    signatureAuthorities =     (
        "Developer ID Application: Spotify (2FNC3A47ZF)",
        "Developer ID Certification Authority",
        "Apple Root CA"
    );
    signatureIdentifier = "com.spotify.client";
    signatureSigner = 3;
    signatureStatus = 0;
}, endpoint addr: *, endpoint port: *, action: 1, type: 2
2021-02-22 11:06:45.843805+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] rule says: ALLOW
2021-02-22 11:06:45.843865+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] verdict: 
    drop = NO
    remediate = NO
    needRules = NO
    shouldReport = NO
    pause = NO
    urlAppendString = NO
    filterInbound = NO
    peekInboundBytes = 0
    filterOutbound = NO
    peekOutboundBytes = 0
    statisticsReportFrequency = none
2021-02-22 11:06:46.080756+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] method '-[FilterDataProvider handleNewFlow:]' invoked
2021-02-22 11:06:46.080908+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] flow: 
        identifier = D89B5B5D-793C-4940-CF1B-D9146C180200
        sourceAppIdentifier = 2FNC3A47ZF.com.spotify.client
        sourceAppVersion = 1.1.53.608.g7ed9c03a
        sourceAppUniqueIdentifier = 20:{length = 20, bytes = 0x8a1843e99e33a8d7cc50db62e0518cd897cad682}
        procPID = 490
        eprocPID = 15168
        direction = outbound
        inBytes = 0
        outBytes = 0
        signature = 32:{length = 32, bytes = 0xf76037c6 a9dba709 f6ab5843 998e44ee ... eae212fc 80a800e1 }
        socketID = 2186c14d91bcf
        localEndpoint = 0.0.0.0:0
        remoteEndpoint = 207.46.217.20:53
        protocol = 17
        family = 2
        type = 2
        procUUID = 9302B976-8377-3DA2-AAEE-F40B8CE365CC
        eprocUUID = A1229D44-7A2B-3E3A-991A-A218F62DF9DF
2021-02-22 11:06:46.080944+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] remote endpoint: 207.46.217.20:53 / url: (null)
2021-02-22 11:06:46.081239+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] found process object in cache: /Applications/Spotify.app (pid: 15168)
2021-02-22 11:06:46.081426+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] looking for rule for com.spotify.client:Developer ID Application: Spotify (2FNC3A47ZF) -> /Applications/Spotify.app
2021-02-22 11:06:46.081465+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] rule match: 'any'
2021-02-22 11:06:46.081567+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] found matching rule for 15168/Spotify: RULE: pid: all, path: /Applications/Spotify.app, name: Spotify, code signing info: {
    signatureAuthorities =     (
        "Developer ID Application: Spotify (2FNC3A47ZF)",
        "Developer ID Certification Authority",
        "Apple Root CA"
    );
    signatureIdentifier = "com.spotify.client";
    signatureSigner = 3;
    signatureStatus = 0;
}, endpoint addr: *, endpoint port: *, action: 1, type: 2
2021-02-22 11:06:46.081592+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] rule says: ALLOW
2021-02-22 11:06:46.081663+1000 0x1c622    Debug       0x0                  15096  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] verdict: 
    drop = NO
    remediate = NO
    needRules = NO
    shouldReport = NO
    pause = NO
    urlAppendString = NO
    filterInbound = NO
    peekInboundBytes = 0
    filterOutbound = NO
    peekOutboundBytes = 0
    statisticsReportFrequency = none

[jguerin]

It's getting worse :( If I have LuLu enabled, Microsoft Teams seems to be in a zombie state where it keeps trying to connect and eventually timing out. If I disable LuLu, Teams works fine.

[gcpmusic]

On which OS you have those issue. Here works like a charm on both Mojave and Big Sur !!

[jguerin]

Oops, I forgot to add that. I'm on MacOS 11.3 Beta

[gcpmusic]

. . well I tried the beta 3 and nothing works there. Even a simple applescript and reverted back to last stable.

[jguerin]

Updated to the latest Beta (11.3 Beta (20E5196f)), and same problem :( Teams and Spotify connect fine if I disable LuLu, but are blocked from connecting if it's enabled.

[jguerin]

Ok weird. I dual-boot MacOS. The primary partition is my personal one and works fine with Spotify and LuLu enabled. The secondary is my work one and is InTune-joined, running Microsoft Defender for Endpoint. That secondary one is the one that is having issues with various apps (Teams and Spotify) connecting when LuLu is enabled. Maybe there's an issue with multiple network filters in 11.3 Beta?

[jguerin]

Updated to 11.3 Beta (20E5210c) and am still seeing issues with Spotify if LuLu is enabled.

[jguerin]

Updated to 20E5217a and I don't seem to be seeing issues with LuLu enabled any more. Will keep an eye out over the next few days.

[jguerin]

Unfortunately, it's still occurring. I'm wondering if it's to do with the order of loading of the network filters. I uninstalled my VPN client, but I still have Microsoft Defender for Endpoint running (I can't disable that filter).

[jguerin]

Confirmed that once I disabled the Defender ATP content filter, LuLu works correctly again. I've submitted a bug report to Apple: FB9055173

[ftp-br]

Hi, the same thing happened to me in 2023 😅 So I managed to find the solution. On LuLu, I've added a custom rule to authorize a custom traffic on Teams, to the following paths:

▪ /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper (GPU).app/Contents/MacOS/Microsoft Teams Helper (GPU) ▪ /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper (Plugin).app/Contents/MacOS/Microsoft Teams Helper (Plugin) ▪ /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper (Renderer).app/Contents/MacOS/Microsoft Teams Helper (Renderer) ▪ /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper.app/Contents/MacOS/Microsoft Teams Helper

After doing this, I've restarted Teams, and everything is working as it should be 👍

[ftp-br]

Hi, the same thing happened to me in 2023 😅 So I managed to find the solution. On LuLu, I've added a custom rule to authorize a custom traffic to the following paths:

▪ /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper (GPU).app/Contents/MacOS/Microsoft Teams Helper (GPU) ▪ /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper (Plugin).app/Contents/MacOS/Microsoft Teams Helper (Plugin) ▪ /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper (Renderer).app/Contents/MacOS/Microsoft Teams Helper (Renderer) ▪ /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper.app/Contents/MacOS/Microsoft Teams Helper

After doing this, I've restarted Teams, and everything is working as it should be 👍

For the Spotify, I've made the same process. Added a custom rule to authorize a custom traffic to the following paths:

▪ /Applications/Spotify.app/Contents/Frameworks/Spotify Helper (Renderer).app/Contents/MacOS/Spotify Helper (Renderer) ▪ /Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper ▪ /Applications/Spotify.app/Contents/MacOS/Spotify ▪ /Applications/Spotify.app

[jguerin]

I've weirdly not been seeing these prompts lately.