I have an app that uses Endpoint security. I have 1 client that registered many AUTH and NOTIFY event types. When I I recive an Endpoint Security message (event) and my handler is called. Which thread does it use? If I have 1 client will it always just use the same 1 thread? If not, can it ever happen that I register 1 client, and he will handle more then 1 event in the same time? regardless of the event type or any thing else

new to Apple, MacOS, SystemExtensions. I don't see anything about my topic in system extensions documentation. should I use XPC? or we have a better way here?

I use sample code from [https://developer.apple.com/documentation/endpointsecurity/client?language=objc] but replace ES_EVENT_TYPE_AUTH_EXEC to ES_EVENT_TYPE_AUTH_OPEN, this is the full code: int main(int argc, const char** argv) { @autoreleasepool { es_client_t *client = NULL; es_new_client_result_t newClientResult = es_new_client(&client, ^(es_client_t * client, const es_message_t * message) { switch (message->event_type) { case ES_EVENT_TYPE_AUTH_OPEN: printf("auth open\n"); es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true); break; default: panic("Found unexpected event type: %i", message->event_type); break; } }); // Handle any errors encountered while creating the client. switch (newClientResult) { case ES_NEW_CLIENT_RESULT_SUCCESS: // Client created successfully; continue. break; case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED: panic("Extension is missing entitlement."); break; case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED: panic ("Extension is not running as root."); break; case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED: // Prompt user to perform Transparency, Consent, // and Control (TCC) approval. // This error is recoverable; the user can try again after // approving the TCC prompt. // return YOUR_NEW_CLIENT_ERROR_CODE_PROMPT_TCC; break; case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT: panic ("Invalid argument to es_new_client(); client or handler was null."); break; case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS: panic ("Exceeded maximum number of simultaneously-connected ES clients."); break; case ES_NEW_CLIENT_RESULT_ERR_INTERNAL: panic ("Failed to connect to the Endpoint Security subsystem."); break; } // Subscribe the client to the ES_EVENT_TYPE_AUTH_EXEC event. // When the client receives a message with this event type, it must authorize // (allow or deny) the event. es_event_type_t eventTypes[1] = { ES_EVENT_TYPE_AUTH_OPEN }; es_return_t subscribeResult = es_subscribe(client, eventTypes, sizeof(eventTypes)); if (subscribeResult != ES_RETURN_SUCCESS) { panic ("Client failed to subscribe to event."); } NSRunLoop *runLoop = [NSRunLoop currentRunLoop]; [runLoop run]; } } I run this code in xcode, then mouse cursor be a colorful circle and rotating, application exited after about 10 seconds, xcode print: Message from debugger: Terminated due to signal 9 Program ended with exit code: 9 if I subscribe ES_EVENT_TYPE_NOTIFY_OPEN ES_EVENT_TYPE_NOTIFY_CLOSE, it works. What can I do for fix this?

Recently we've discovered an issue affecting our products in regards to using the Monterey+ provided new api calls to selectively mute events. Specifically, whenever using es_mute_process_events or es_mute_path_events, the ES_EVENT_TYPE_NOTIFY_OPEN event is ignored for muting (meaning the call will return success, but the event will keep coming). This is true only for this event as far as I can tell, its AUTH counterpart stays muted (along lots of other processes: clone, rename, close, unlink, fork etc). It fails if either the event is in a list of events or if the event is singled out in 1 sized vector of events. When using a dedicated client for this event and using the previous api, es_mute_process or es_mute_path muting works as intended. Tested on ventura 13.5 and 13.6. Is there something that can be done to prevent dedicated clients or is this a known issue?

Hello, I know that EndpointSecurity doesn't support network events, save for some events related to Unix pipes. In WWDC 2020 #10159 Apple says that: Those of you who have already worked with the EndpointSecurity framework have likely noticed that we do not provide events related to networking operations. This is intentional as these are better covered by the NetworkExtension framework. Could you please give me a short and high-level hint how I can use NetworkExtension to provide connect, disconnect events to a monitoring app, that tries to log those events in a database? I would like to receive the remote IP and remote port + local port. From what I've researched, In NetworkExtension documentation it's stated that it's possible to create a "content filter", which would probably be a good source of information; the problem is that because of the privacy requirements, the "content filter" can't send back any information about user data, because it's separated in a restrictive sandbox. So I'm not sure the "content filter" would even be possible to be used as a source of network events. Other types of categories inside NetworkExtension doesn't seem to be a good match for my use case. Is it possible to use NetworkExtension to get information about network events (connect/disconnect), like EndpointSecurity does for i.e. processes (process start/process end)?

Quinn, you've often suggested that to validate the other side of an XPC connection, we should use the audit token. But that's not available from the XPC object, whereas the PID is. So everyone uses the PID. While looking for something completely unrelated, I found this in the SecCode.h file OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED target); Would this be the preferred way to do this now? At least from 11.0 and up. Like I said, I was looking for something completely unrelated and found this and don't have the cycles right now to try it. But it looks promising from the description and I wanted to check in with you about it in case you can say yes or no before I get a chance to test it. Thanks

Hello, 3 questions regarding Endpoint Security Framework: Does ESF support tracing the dup2(2) function? There is the ES_EVENT_TYPE_NOTIFY_DUP event, but it seems that it only reports dup(2), not dup2(2)? Does ESF support tracing the dup(2), and close(2) calls, if the file descriptor passed to these functions refer to a pipe handle instead of a file handle? If not, do you have any plans of extending the support for pipes as well? Could the es_event_dup_t structure support reporting which file handle has been duplicated into which value (source file descriptor value, and target file descriptor value)? Currently this structure only supports the "target" file object, without any information which file descriptor has been cloned into which file descriptor, which is not helpful at all. For example, if we open file A and we get fd1, then open the same file A and we get fd2, then perform dup(fd1), then with ESF it seems that it's impossible to tell if we've duplicated fd1 or fd2. Also this model doesn't support dup2(2) usage at all.

Hello, I am going to use endpoint security framework in my application. Unfortunately, I have not found any clear cut explanation about how to use endpoint security in multithread applications. Can we say the handler block (es_handler_block_t), which is the parameter of es_new_client(), is running in separate thread? Does es_new_client() create new thread? Should I synchronize a handler block and the code which calls es_delete_client()? Should I protect the handler block by mutex? Thank you in advance.

Hello, I requested entitlement 4 times from 4 days ago. But I did not get any kind of response mail. I need entitlement for only development, to check file IO events. Is there any way to request entitlement ? Regards, Daehong

For a security product, I wonder if security extension has a capability to catch a file during copy operation (I guess it's composed out of multiple basic ops like file read and file write). I'd like to store the file in some quarantined temporal (let's say when someone copy file from external file system like usb/network location and copy it back once the file has properly scanned. So far, i've used the authorization capabilities of the security extension. I wonder if there's also an option to change the target location of a file being copied ? Thanks.

I'm trying to log Endpoint Security events to os_log. I'd be grateful if someone could confirm that using the --oslog option with eslogger actually writes event data to the system log. If I monitor with sudo eslogger exec fork exit I see events at the command line, yet if I add the --oslog option, I don't see those events when monitoring the log with sudo log stream --predicate 'subsystem == "com.apple.eslogger"'. Nor do I see them if I filter in the Console app on just the subsystem "com.apple.eslogger". Have I missed out something with my work? Any help appreciated. Thanks.

I refer to Google's ESF project code to handle NOTIFY events, but after my notifyQueue is set to QOS_CLASS_BACKGROUND, the process memory gets larger when a lot of events occur. Is there any way to fix this without affecting performance The code is as follows： notifyQueue = dispatch_queue_create("notify",dispatch_queue_attr_make_with_qos_class(DISPATCH_QUEUE_CONCURRENT_WITH_AUTORELEASE_POOL,QOS_CLASS_BACKGROUND, 0)); if (msg->action_type == ES_ACTION_TYPE_NOTIFY) { es_message_t *copied_msg = [self copy_message:msg]; if (!copied_msg) { return; } dispatch_async(self->_notifyQueue, ^{ @autoreleasepool { [self handle:copied_msg]; [self free_message:copied_msg]; } }); }

ES_EVENT_TYPE_NOTIFY_CREATE doesnt get triggerd if i copy a file to iPhone connected to mac device. Also, ES_EVENT_TYPE_NOTIFY_MOUNT doesnt get triggered when an iphone is connected to a macos device

This is a topic that comes up regularly, both in my Day Job™ with DTS and here on DevForums. This situation is a bit subtle, and it’s long past the time I should have written a proper explanation of it. If you have questions or comments, put them in a new thread here on DevForums. To ensure that I see your thread, tag it based on the technology you’re using. For example: If you’re working with Endpoint Security, use the Endpoint Security tag. If you’re building a Network Extension provider, use the Network Extension tag. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Inferring High-Level Semantics from Low-Level Operations Apple supports a number of APIs that let you observe low-level operations. For example: An Endpoint Security (ES) client can learn about low-level file system operations, like open and close. A Network Extension (NE) filter provider can learn about outgoing and incoming network packets. Folks using these APIs often want to infer high-level semantics from these low-level operations. For example: An ES client might want to prevent the Finder from copying files to an external drive. An NE filter provider might want to block Safari from fetching specific URLs. While DTS supports these APIs, we don’t support this sort of low-to-high inference. That’s because our goal is to help developers use Apple’s APIs in a sustainable way, and it’s impossible to do this inference in a way that will be binary compatible in the long term. Let me illustrate this with an example. Consider the NE scenario above. It’s easy for an NE packet filter to drop packets being sent to a specific host. However, that approach is very brittle. If something changes in the implementation path from Safari requesting a URL to how that’s rendered as IP packets, your product will break. A great example of such a change is iCloud Private Relay. This isn’t to say that such inference can’t be done at all, just that it’s not possible to do it in a sustainable way. Given that, here’s my advice: Try to work with high-level operations where possible. For example, ES recently added high-level log in and log out notifications, which means you no longer need to infer such events from lower-level ones. If the system doesn’t support the necessary high-level operations, file an enhancement request that describes your requirements. In the meantime, you can have a go at doing this inference yourself, but be aware that DTS can’t support you in that task.

In the ESF framework, if I set up a process through audit token mute. Will the creation and corresponding child processes of this process also be mute mute. mute process A. process A creates a child process B. Whether the child process B is mute？

Hi! There are two fields in ES message: global_seq_num and seq_num, which are described as a continuous number sequence unless the kernel is "dropping events" because "kernel generated more events than the client could handle." https://developer.apple.com/documentation/endpointsecurity/es_message_t/3684979-global_seq_num https://developer.apple.com/documentation/endpointsecurity/es_message_t/3538607-seq_num However, as we all know, system will kill ES client, if the message is not answered in (deadline) time. I've a lot questions about this thing: What the "drop" actually is? The event is not provided to es client from the kernel? What does the "client could handle" means exactly? (I mean, es client will be already killed, if it can't respond to event in deadline) Are the dropped events responded by the system immediately, or they do wait something? Are only auth events could be dropped, or notify too? What is the system resolution for dropped auth events? (allow I guess) What I'm expected to do as a developer with these two fields - should I just log them and hope to find something out later, or can I react somehow during runtime if I met the break in *seq_num sequence?

We are trying to get access to Endpoint security entitlement for our enterprise app that uses Endpoint Security Extension but after almost 5 month and over 3 requests there is no response from Apple. We kindly asked Apple for entitlement because we have to distribute our application to our customer ASAP. I need some information around this issue. What the reason ? How can I contact support for my requests? Thanks in advance

I have developed a process monitoring software for internal use in my company using the endpointsecurity API. When I tried to package and distribute it to my colleagues, I found out that I need to apply for the com.apple.developer.endpoint-security.client entitlement from Apple. It has been almost 2 months since I submitted the application, but it hasn't been approved yet. I sought help from customer service, but they haven't provided any useful feedback. I'm hoping to get help from the developer community. How can I expedite the approval of the com.apple.developer.endpoint-security.client entitlement? thanks~

I downloaded the ES sys-ext sample project. I built the 'NOTIFY' extension, and I was able to install it. However, it doesn't seem to work (or - it doesn't report anything). This is what I did: I download the project I renamed the bundle IDs I disabled SIP I tried both signing options - let 'Xcode automatically manage signing', and I also tried to use my 'Developer ID' I moved the app to the Applications folder I grant the 'Full Disk Access' permission to the extension I verified that the extension is running I did not get the needed entitlement yet, but since SIP is disabled, I don't think it's a problem I did get the message 'Successfully installed the extension ✅' At the terminal, I tried to capture relevant logs: log stream --style compact --predicate 'sender == "myBundleId"' (I tried it with the app bundleID, and with the extension's bundleId) And yet, 'ps' triggers no logs. *At the Console, I get those messages: "Unsatisfied entitlements: com.apple.developer.endpoint-security.client" Disallowing: myBundleId amfid: Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=, unsatisfiedEntitlements=, NSLocalizedDescription=No matching profile found} Any idea where's the problem at?

Hello, I've come across information regarding macOS endpoint protection software: It seems Apple no longer allows them to create kernel extensions. It seems that endpoint software should now function with MACF by implementing hooks from userland. Does this mean the Endpoint Security Framework will soon become deprecated? I'm currently searching for a sample source code for MACF hooks, but I haven't found anything in the Apple developer documentation. Thanks