User Profile

Hello, We have an AV product for macOS that uses Endpoint Security APIs for authorizing various system activity. The latest Monterey beta 6 introduced support for an event called "ES_EVENT_TYPE_AUTH_COPYFILE" which according to the release notes should be triggered for "copyfile" system call. The problem is I cannot seem to find any activity that actually ends up triggering this system call while using the latest Monterey beta. "/bin/cp" generates two open system calls More high level NSFileManager "copyItemAtPath:toPath:error:" generates a clone event There is a "copyfile" C function that is defined in "copyfile.h" also generates two separate open calls. Did someone figure out how to trigger it or could someone from Apple give a comment? We'd usually ask such question via DTS ticket but it's about beta software so we decided to start her on the forum. Thanks. Best regards, Arthur

Hello! We rely on applications launch date information provided by NSWorkspace. Our main applications of interest are browsers (Safari, Chrome, Firefox). We've noticed that NSWorkspace on Big Sur returns "nil" for all running applications including those that we are primarily interested in. This can be easily reproduced with the code sample below [[[NSWorkspace sharedWorkspace] runningApplications] enumerateObjectsUsingBlock:^(NSRunningApplication * _Nonnull obj, NSUInteger idx, BOOL * _Nonnull stop) { NSLog(@"App %@ launched at %@", obj.bundleIdentifier, obj.launchDate); }]; The issue is observed in all released beta builds of Big Sur including the latest beta 4. Submitted the same report in feedback assistant: FB8098936 Will this be fixed? Or we should start thinking of alternative approaches for getting the launch date? Thanks. Best regards, Arthur