Post not yet marked as solved
Thanks for quick response, I have filed FB7621320 or https://feedbackassistant.apple.com/feedback/7621320Screenshot from the bug report https://imgur.com/a/WhZwtej
Thank you for you answer, we are trying to swich it.
Post not yet marked as solved
Hi eskimo,
Really appreciate your time for troubleshooting. I tested my Objective-C code in Content Filter (Packet Filter) and your Swift example in Packet Tunnel, both of them worked without sandbox, but broke if I enabled the sandbox for network extension.
I think there might be a misconfiguration in the Xcode project or the test environment needs a reset. I will post an update if I find the root cause.
Post not yet marked as solved
Hi eskimo,Thank you for your answer.I forgot to mention that I tested on 10.15.2 (19C57) and 10.15.3 Beta (19D49f), the snippet didn't work on either of them (with sandbox enabled).
Post marked as Apple Recommended
Hi Eskimo,we found another problem when we use the endpoint security system extension mach service for the XPC between ES system extension and its containing app.The machService named as “$teamid.$es_bundle_id.xpc” which is reference “from https://forums.developer.apple.com/thread/118211 “.We can create the connection in the client successfully. But when we try to use “remoteObjectProxyWithErrorHandler” get remote interface, it failed with the error message “Couldn’t communicate with a helper application.”Even we add the same app group capabilities for the containing app and system extension, it report the same error message.Till now, we found the only way to avoid the error: Remove the sandbox capabilities of the Containing App, the XPC will work well between Containing App and ES system extension.==> If Apple support ES client distributed in Mac App Store, we may not avoid the issue by remove sandbox capabilities(when we try distribute in app store). Whether Apple will provide some solution about the XPC issue to some sandbox Conatining Apps?
Post marked as Apple Recommended
Hi eskimo,Get it.Thank you for your nice response.I will montior the developer web site to get the latest status.Thank you very much!
Post marked as Apple Recommended
Hi eskimoThank you for your nice explain to make it clear.But I also want to confirm about this:For example, right now NetworkExtension system extensions have the opposite problem, where you can’t deploy them via Developer ID (although we’re hoping to fix that sooner rather than later) (r. 54882466).Does it mean we must deploy NetworkExtension via Mac App Store now?If so, may I get the detail or fix plan or fix process for r. 54882466?(I didn't find that r. 54882466 on web site)That may impact how we deploy our new product.Thank you very much!
Post marked as Apple Recommended
Hi eskimoAfter some testing, I find if I enable sandbox for Endpoint Security in System Extension, the es_new_client API return failed with ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED.Need I do something else?Or if I don't enalbe sandbox for Endpoint Security in System Extesnion, can the App with none sandbox System Extension be submitted to App Store?
Post marked as Apple Recommended
Thank you Eskimo for your kindly help!
Hi Eskimo,I am sorry, but I found whtat is the problom for not filtering WebKit traffic.For Webkit traffic, socketFlow.localEndpoint is nil, so the sample code just ignore it.I have closed the bug : FB7315246.Sorry for troubling you so much, and thank you very much for your greate help!
Hi Eskimo,Thank you very much!I get started with :https://forums.developer.apple.com/thread/118225And you also replied me in that thread.Thank you very much!
Post not yet marked as solved
Sorry, it is my fault, I get the wrong entitlements.When I set the right entitlements, it can work!
Post not yet marked as solved
Hi Ondra k,I tried this sample code in beta 9(SIP disabled)When I run it with normal user, I can run it but get the ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED error.When I run it with root user, the demo is crashed with Illegal instruction: 4Application Specific Information:dyld: launch, running initializers/usr/lib/libSystem.B.dylibIncoming message euid:0 does not match secinitd uid:501.Is there any idea?
Hi Eskimo,Is there any guide or sample code just like network extension for EndpointSecurity?Need I add any new capability for EndpointSecurity?Thank you very much!
Hi Eskimo,I filed a bug : FB7315246I will try your suggestion for modifing the traffic.Thank you very much!
