Hi :wave: I started a new project to experiment with EndpointSecurity framework. It seems to have been worked, but when I try to add XPC I face some troubles. I am not able to send XPC message from my app to my system extension. No runtime error, but when I'm inspecting logs: That correspond to this code: https://github.com/tony-go/TestES/blob/main/Extension/main.swift#L21-L30 Full project: https://github.com/tony-go/TestES/ I thought at first that it could come from a missing @objc somehere but it does not seems ... I also wonder why I cannot catch this error at runtime ?

hi all. I subscribe the notify write event, every time I recieve a notify write event message i will send log data and reply block(didn't do nothing) with async method to host app(Objc XPC API).host app will reply immediately once it recieves data. after a while my sysext crashed, then I checked system log find the log below. launchd: exited with exit reason (namespace: 30 code: 0xc40000000004aaaa) - (unknown reason) is it because of exceeding the maximum limit of xpc's block queue length, or too many memory allocation, or... by the way, host app didn't crash. how this happened exactly? how could i solve it?

Hello. Is there a legal way to block iOS devices from being mounted on macOS? I noticed, that when an iOS device is connected, it pretends to be like a storage device but it is not. It not even going through diskArbitration. It seems that some fileProvider is taking place there. I know that it is possible to do via the MDM profile: <key>PayloadContent</key> <dict> <key>.GlobalPreferences</key> <dict> <key>Forced</key> <array> <dict> <key>mcx_preference_settings</key> <dict> <key>ignore-devices</key> <true/> </dict> </dict> </array> </dict> </dict> But is there some programmatic solution? If I use EndpointSecurity and block file operations for the usbmuxd process on /var folder, it prevents iOS devices from being mounted. But wouldn't be there any negative side effects from such a solution?

Hello community we have been using an Endpoint Security client within a system extension for quite a while now. After some users updated macOS to Sonoma, we got complaints about slower performance when using MS Office on Mac. The product features work as expected, and our system extension is loaded and delivers events. Upon inspection of the log files, we found the following (but not on all machines): [com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension/: 'The operation couldn’t be completed. (OSStatus error -10811.)' and [com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.sophos.endpoint.scanextension, type: 0: 0x7fb63da318c0 at /Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension for almost each event delivered. We are using XPC from the system extension to a non-priviliged daemon process to process file content. A feedback has already been filed: FB13174804 An additional code-level support was returnd woithout any explanation. Signing checks of the system extension and the containing app (daemon) on Sonoma turn up without any errros. Any idea, whats going on here? Frank Fenn Sophos Inc.

[Q] What type of profiles are officially reported by the ES_EVENT_TYPE_NOTIFY_PROFILE_ADD and ES_EVENT_TYPE_NOTIFY_PROFILE_REMOVE events? It looks like to be only Configuration Profiles. Which would make sense as the properties of es_profile_t match closely the payload keys of a configuration profile file. Also only addition and removal of configuration profiles are reported when playing with configuration profiles and provisioning profiles.

I am going through the list of ways to check if my app is given Full Disk Access (FDA) or not. Out of which only one method is supported by apple. @note The only supported way to check if an application is properly TCC authorized for Full Disk Access * is to call es_new_client and handling ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED in a way appropriate * to your application. I have implemented this method using EndpointSecurity and calling it from a root process as required. But when I disable System Integrity Protection (SIP) and call it, it succeeds without FDA. No error is thrown. Then I tested, in our app both EndpointSecurity and protected folder access (like Documents folder) functionalities are working fine even without FDA when SIP is disabled. Now my questions are When SIP disabled, does every app has FDA access by default?. Is there any use case that still needs FDA access when SIP is off?. Is there any way to check for FDA permission given or not whenever SIP is off, since above method won't work in that case?.

When you use the eslogger command line tool to dump 'profile add' and 'profile remove' notify events, the instigator process seems to always be reported to be the mdmclient process whatever the "real" instigator is: the Profiles pane in System Settings.app. a MDM solution the profiles command line tool. [Q] Is this expected? Because for another family of notify events where there is also an instigator field, the instigator points to the "real" instigator.

Hello! I'm trying to capture socket state changes for an endpoint security product and have tried the Endpoint Security APIs as well as a Network Extension but there doesn't seem to be a way to detect listening sockets in real time. I've so far been able to capture all process, file and network flow/packet information in real-time but I'm also interested in getting an event when a server socket is opened for listening for incoming connections. Is there a way to do this? If yes, can someone please point me to the documentation or any other information on how to go about it? Thanks!

IN endpoint security events related to user login/logout activity (as well in lock/unlock and remote session attach/detach) there is a graphical session identifier which is a 32 bit integer typedef struct { es_string_token_t username; ** es_graphical_session_id_t graphical_session_id;** } es_event_lw_session_login_t; Documentation describes it as an opague number @brief es_graphical_session_id_t is a session identifier identifying a on-console or off-console graphical session. A graphical session exists and can potentially be attached to via Screen Sharing before a user is logged in. EndpointSecurity clients should treat the graphical_session_id as an opaque identifier and not assign special meaning to it beyond correlating events pertaining to the same graphical session. Not to be confused with the audit session ID. */ typedef uint32_t es_graphical_session_id_t; Question: is there a way to get this graphical session identifier outside of endpoint security framework, for ex. from process id or audit token? Is there an API for that?

I'm trying to sign a macOS application which includes a Endpoint Security system extension. The profile for the extension has capability added and the app profile has the System Extension capability added. Both targets also has the correct entitlements, but when validating the app after archiving I get the following error: "Profile doesn't support Endpoint Security." When looking in the logs I can see that Xcode is fetching a provisioning profile for the extension without the needed capability. If downloading the profile from the developer portal the correct capability is present. Could something be "out of sync" regarding what provisioning profiles Xcode fetches vs what I see on the developer portal? If I try to archive using xcodebuild I get the following: "APP requires a provisioning profile with the System Extension feature." and ""BUNDLE_ID.systemextension" requires a provisioning profile with the Endpoint Security feature." I have tried with automatic and manual signing but nothing seems to work.

Description says this event will be raised when "An identifier for a process that notifies endpoint security that it is updating a file." What does this mean ? Similarly when will ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_MATERIALIZE event be raised ? Do these events get raised if any cloud provider sync app like Google Drive/Dropbox/OneDrive that usages fileprovider framework to sync the data ? In my endpoint secutiry app, I have registered for these events but i didnt receive any event *i do receive other endpoint secutiry events like ES_EVENT_TYPE_NOTIFY_CLONE etc.

I mounted a 3rd file system on macOS, I want to monitor the copy event by Finder on this 3rd file system, so I use an Endpoint Security client. I know that ES_EVENT_TYPE_NOTIFY_CLONE will only be triggered by Apple File System clone operation. ES_EVENT_TYPE_NOTIFY_COPYFILE is triggered by the SYS_copyfile system call. If I want to monitor the copy/paste operation by Finder(The copy can happens in the 3rd file system or between 3rd and Apple File System), which ES event should I register?

I'm finding a way to hook vnode operations, following is a snippet of the code: IOReturn FltIOKitKAuthVnodeGate::RegisterVnodeScopeCallback(void) { // // register our listener // this-&gt;VnodeListener = kauth_listen_scope( KAUTH_SCOPE_VNODE, // for the vnode scope FltIOKitKAuthVnodeGate::VnodeAuthorizeCallback, // using this callback this ); // give a cookie to callback if( NULL == this-&gt;VnodeListener ){ DBG_PRINT_ERROR( ( "kauth_listen_scope failed\n" ) ); return kIOReturnInternalError; } return kIOReturnSuccess; } Here use kauth_listen_scope to get the newly created vnode object, then will hook on it. But now kauth_listen_scope is deprecated, and there is no way to get the vnode by using EndpointSecurity. So is there any other way to get the newly created vnode object?

I have submitted an application for the Endpoint Security entitlement, however, I have yet to receive any feedback regarding its progress. Could someone kindly advise on the proper procedure to track the current status of my permission request?

Is there an API to query for SIP Protected Paths or someway that this information can be deciphered ? Intent is to mute those paths or a subset for an ES client ?

We have a huge project. Until today we didn't use an .app but now we must in order to use Endpoint security and other stuff. Until today our binary sat in /opt/XYZ/binary.bin Now because of the .app, looks like it will have to be /opt/XYZ/Cool.app/Content/MacOs/binary.bin This change really breaks our code and will cause a massive code change. If I extract the binary from the app and place it in /opt/XYZ/binary.bin and run it, the process is killed. Is there a way to extract it from the app and run it from /opt/XYZ ? any tool, command, resource, etc' will be great.

As enterprise endpoint security/data loss prevention application, we need to detect data which is being transferred out of the enterprise context from their MacOS filesystem through applications like Cloud Sync or Email. Depending on the file content, type and size, we require some time for scanning the content being sent. This can range from milli seconds to few minutes for very large contents. But the Endpoint Security message has to be responded within the provided message deadline else application will be killed. This deadline is reducing with every macos release and its now only 15 seconds on macos sonoma which is blocking our use case of completing the scan before responding. We may scan it before but it imposes challenges of the data being modified before actual sent. So, we have to scan it on the fly and cant rely solely on the previous scans. Is there any way an Enterprise can customize this deadline value depending on the ES message and scanning application may be through MDM setting?

I am developing an app that uses the Endpoint Security API. I need to mute a few processes like: my own process, xcode, etc' ... However, if the muted processes create child processes, I want these processes to be muted as well. The full process tree under muted processes should be muted. How can that be done? Cant see in docs and can't find an example. If it can't be done, whats the closest thing to that I can implement. Thanks!

I have an app that uses Endpoint security. I have 1 client that registered many AUTH and NOTIFY event types. When I I recive an Endpoint Security message (event) and my handler is called. Which thread does it use? If I have 1 client will it always just use the same 1 thread? If not, can it ever happen that I register 1 client, and he will handle more then 1 event in the same time? regardless of the event type or any thing else

new to Apple, MacOS, SystemExtensions. I don't see anything about my topic in system extensions documentation. should I use XPC? or we have a better way here?