In this article:

    Applicable to

    • Twingate Component: App Store Client, Standalone Client
    • Platform: macOS

    Overview

    After starting the Twingate client, it appears to login instantly without prompting authentication and there are no resources listed within the dropdown menu. Users are also unable to access protected resources.

    Cause

    The described behaviour is a symptom of installing / upgrading to the App Store version of the Twingate client over a previously installed standalone version of the Twingate client.

    The standalone client requires the installation of a system extension which conflicts with the App Store version. In some rare cases the system extension becomes orphaned after an uninstall of the standalone client or when the App Store version is installed over the top of the standalone client.

     

    Checking for an orphaned extension

    If you have uninstalled the standalone client but are still experiencing this issue, confirm if the system extension is still active and/or enabled by running the following command in terminal:

    systemextensionsctl list

    Example output with system extension present:

    --- com.apple.system_extension.network_extension
    enabled	active	teamID	bundleID (version)	name	[state]
    *	*	6GX8KVTR9H	com.twingate.macos.tunnelprovider (2023.250/1)	TunnelProvider.macos	[activated enabled]

     

    Further more, if you wish to confirm that the App Store version of the client has been installed over the standalone version you can run the following command on the device in question:

    plutil -p /Library/Receipts/InstallHistory.plist | grep -B5 -A3 "com.twingate.macos"

    Example output, displaying consecutive App Store updates, followed by a standalone update and then another App Store update leading to an orphaned system extension which presents this issue.

      810 => {
        "date" => 2024-12-18 16:01:27 +0000
        "displayName" => "Twingate"
        "displayVersion" => "2024.347"
        "packageIdentifiers" => [
          0 => "com.twingate.macos"
        ]
        "processName" => "appstored" <--- APP STORE CLIENT
      }
    --
      873 => {
        "date" => 2025-01-13 17:35:48 +0000
        "displayName" => "Twingate"
        "displayVersion" => ""
        "packageIdentifiers" => [
          0 => "com.twingate.macos"
        ]
        "processName" => "Installer". < -- STAND ALONE CLIENT
      }
    --
      882 => {
        "date" => 2025-02-12 21:31:42 +0000
        "displayName" => "Twingate"
        "displayVersion" => "2025.28"
        "packageIdentifiers" => [
          0 => "com.twingate.macos"
        ]
        "processName" => "appstored". < ---- APP STORE VERSION

     

    Resolution

    The simplest resolution is to remove the Appstore version and install the standalone version, taking advantage of a fuller feature set client at the same time.

    If you wish to continue using the App Store version and have an orphaned system extension then the easiest way to remove it is by installing the standalone client again. This will terminate the orphaned system extension when it installs a new one. Afterwards you can remove stand alone client again which should remove the new system extension along with it. We recommend using the drag/drop to trash method versus using rm -f in terminal.  You can use the systemextensionsctl list command throughout the process to verify that both system extensions were terminated/removed. A restart may be required.

    Should this not remove the extension, please refer to our more detailed documentation on uninstalling the client here.

    If you have never had the stand alone client installed and confirmed that the system extension is not present then you are most likely facing a different issue and the solution here is not applicable.

     

    Proactive Remediation

    The most significant impact occurs when individual users have local permissions to install updates and new apps. This is especially true if you distribute and update the App store Twingate client via MDM, but users have the permission to install the standalone version over the top and then the latest App Store version is pushed via MDM when it is available, installing over the standalone version and orphaning the system extension.

     

    In this scenario, you may wish to proactively extract device details from Twingate to see if any devices have the standalone version of the client installed. Below are two methods available to Twingate admins to extract the relevant data.

     

    Method 1:

    In the Admin Console, navigate to your Device page (under the Devices tab), select any applicable filters then scroll all the way to the bottom of the list.

    Once the list appears in its entirety, simply select the table content and copy & paste it into Excel or equivalent, the structure will remain intact.

    Method 2:

    Alternatively, you can use the API to list all devices in your environment, including associated emails, Client version and more.

    The GraphQL query to use is called “Devices”, more details can be found in our API documentation here: https://www.twingate.com/docs/api#group-Operations-Queries