Endpoint Security


Develop system extensions that enhance user security using Endpoint Security.

Posts under Endpoint Security tag

44 Posts

Post | Replies | Boosts | Views | Activity

bluetooth control
I am learning about Endpoint Security and other system extensions. While I was handling the ES_EVENT_TYPE_AUTH_IOKIT_OPEN event I realized that I cannot auth-deny any Bluetooth events. I tried to deny any open or execute events related to com.apple.bluetoothd but it did not work. I searched Google and found out that I can use CoreBluetooth to control Bluetooth. But when I get connected to a Bluetooth keyboard or mouse, didConnectPeripheral does not get called, or when I call [central cancelPeripheralConnection:peripheral] the disconnection never happens. Is there any recommendation for handling or controlling events related to Bluetooth connections?
3 | 0 | 944 | 1w
When is the kTCCServiceEndpointSecurityClient permission set by macOS?
[Q] When is kTCCServiceEndpointSecurityClient set by macOS and under which conditions? From what I'm gathering, kTCCServiceEndpointSecurityClient cannot be set by a configuration profile and the end user can only grant Full Disk Access. I searched for documentation on Apple's developer website (with the "kTCCServiceEndpointSecurityClient" search) and did not get any useful result. Using a more complete search engine, or the forum search engine, only points to the old annoying big bug in macOS Ventura.
The problem I'm investigating is showing a process being listed as having been granted kTCCServiceEndpointSecurityClient permissions in the TCC database when:
- it's not an Endpoint Security client.
- it does not have the ES Client entitlement.
- the bundle of the process includes another process that is an ES Client and is spawned by this process, but I don't see why this should have an impact.
This process is supposed to have been granted kTCCServiceSystemPolicyAllFiles via end user interaction or configuration profile. AFAIK, the kTCCServiceEndpointSecurityClient permission can only be set by macOS itself. So this looks to be either a bug in macOS, an undocumented behavior, or I'm missing something. Hence the initial question.
macOS 15.7.3 / Apple Silicon
2 | 0 | 78 | 1w
Endpoint Security Framework Bug: setuid Event Incorrectly Attributed to Parent Process During posix_spawn
Feedback ticket ID: FB21797397
Summary
When using posix_spawn() with posix_spawnattr_set_uid_np() to spawn a child process with a different UID, eslogger incorrectly reports a setuid event as originating from the parent process instead of the child process.
Steps to Reproduce
1. Create a binary that does the following:
   - Configures a posix_spawnattr_t that sets the process UIDs to some other user ID (I'll use 501 in this example).
   - Uses posix_spawn() to spawn a child process.
2. Run eslogger with the event types setuid, fork, exec.
3. Execute the binary as a root process using sudo or from a root-owned shell.
4. Terminate the launched eslogger.
5. Observe the process field in the setuid event.
Expected behavior
eslogger will report events indicating a process launch and a UID change so that the child process is set to 501, i.e.:
fork
setuid - done by child process
exec
Actual behavior
The process field in the setuid event is reported as the parent process (that called posix_spawn), indicating a UID change to the parent process.
Attachments
I'm attaching source code for a small project with 2 binaries (I'll add the source code for the project at the end of the file and attach filtered eslogger JSONs):
- One that runs the described posix_spawn flow.
- One that produces the exact same sequence of events by doing different operations and reaching a different process state: the parent calls fork(), the parent process calls setuid(501), the child process calls exec().
Why this is problematic
Both binaries in my attachment do different operations, achieving different process states (one is parent with UID=0 and child with UID=501 while the other is parent UID=501 and child UID=0), but report the same sequence of events.
Code

Program 1 (posix_spawn with posix_spawnattr_set_uid_np):

#include <cstdio>
#include <spawn.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <string.h>

// environ contains the current environment variables
extern char **environ;

// Non-POSIX macOS spawn attributes for setting the child's UID/GID (not in <spawn.h>)
extern "C" {
int posix_spawnattr_set_uid_np(posix_spawnattr_t *attr, uid_t uid);
int posix_spawnattr_set_gid_np(posix_spawnattr_t *attr, gid_t gid);
}

int main() {
    pid_t pid;
    int status;
    posix_spawnattr_t attr;

    // 1. Define the executable path and arguments
    const char *path = "/bin/sleep";
    char *const argv[] = {(char *)"sleep", (char *)"1", NULL};

    // 2. Initialize spawn attributes
    if ((status = posix_spawnattr_init(&attr)) != 0) {
        fprintf(stderr, "posix_spawnattr_init: %s\n", strerror(status));
        return EXIT_FAILURE;
    }

    // 3. Set the UID for the child process (e.g., UID 501)
    // Note: Parent must be root to change to a different user
    uid_t target_uid = 501;
    if ((status = posix_spawnattr_set_uid_np(&attr, target_uid)) != 0) {
        fprintf(stderr, "posix_spawnattr_set_uid_np: %s\n", strerror(status));
        posix_spawnattr_destroy(&attr);
        return EXIT_FAILURE;
    }

    // 4. Spawn the process
    printf("Spawning /bin/sleep 1 as UID %u...\n", (unsigned)target_uid);
    status = posix_spawn(&pid, path, NULL, &attr, argv, environ);
    if (status == 0) {
        printf("Successfully spawned child with PID: %d\n", pid);
        // Wait for the child to finish ("sleep 1" returns after about a second)
        if (waitpid(pid, &status, 0) != -1) {
            printf("Child process exited with status %d\n", WEXITSTATUS(status));
        } else {
            perror("waitpid");
        }
    } else {
        fprintf(stderr, "posix_spawn: %s\n", strerror(status));
    }

    // 5. Clean up
    posix_spawnattr_destroy(&attr);
    return (status == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}

Program 2 (fork + setuid + exec):

#include <cstdio>
#include <cstdlib>
#include <unistd.h>
#include <sys/wait.h>
#include <errno.h>
#include <string.h>

// This program demonstrates fork + setuid + exec behavior for the ES framework bug report
// 1. Parent forks
// 2. Parent does setuid(501)
// 3. Child waits with sleep syscall
// 4. Child performs exec
int main() {
    printf("Parent PID: %d, UID: %d, EUID: %d\n", getpid(), getuid(), geteuid());

    pid_t pid = fork();
    if (pid < 0) {
        // Fork failed
        perror("fork");
        return EXIT_FAILURE;
    }

    if (pid == 0) {
        // Child process
        printf("Child PID: %d, UID: %d, EUID: %d\n", getpid(), getuid(), geteuid());

        // Child waits for a bit with sleep syscall
        printf("Child sleeping for 2 seconds...\n");
        sleep(2);

        // Child performs exec of /bin/sleep 2
        printf("Child executing /bin/sleep 2...\n");
        char *const argv[] = {(char *)"/bin/sleep", (char *)"2", NULL};
        execv("/bin/sleep", argv);

        // Only reached if exec fails
        perror("execv");
        return EXIT_FAILURE;
    } else {
        // Parent process
        printf("Parent forked child with PID: %d\n", pid);

        // Parent does setuid(501)
        printf("Parent calling setuid(501)...\n");
        if (setuid(501) != 0) {
            perror("setuid");
            // Continue anyway to observe behavior
        }
        printf("Parent after setuid - UID: %d, EUID: %d\n", getuid(), geteuid());

        // Wait for child to finish
        int status;
        if (waitpid(pid, &status, 0) != -1) {
            if (WIFEXITED(status)) {
                printf("Child exited with status %d\n", WEXITSTATUS(status));
            } else if (WIFSIGNALED(status)) {
                printf("Child killed by signal %d\n", WTERMSIG(status));
            }
        } else {
            perror("waitpid");
        }
    }

    return EXIT_SUCCESS;
}

Attachments: posix_spawn.json, fork_exec.json
2 | 0 | 539 | 2w
macOS 15 (Sequoia): Endpoint Security client runs by hand, but LaunchDaemon fails with TCC “Full Disk Access” denial on unmanaged Macs
Platforms: macOS 15.x (Sequoia), Intel-based
App type: Endpoint Security (ES) client, notarized Developer ID app + LaunchDaemon
Goal: Boot-time ES client that runs on any Mac (managed or unmanaged)

Summary
Our ES client launches and functions when started manually (terminal), but when loaded as a LaunchDaemon it fails to initialize the ES connection with:
(libEndpointSecurity.dylib) Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access
We can’t find a supported way to grant Full Disk Access (SystemPolicyAllFiles) to a system daemon on unmanaged Macs (no MDM). Local installation of a PPPC (TCC) profile is rejected as “must originate from a user-approved MDM server.”
We’re seeking confirmation: Is MDM now the only supported path for a boot-time ES daemon that requires FDA? If so, what’s Apple’s recommended approach for unmanaged Macs?

Environment & Artifacts
Binary (path placeholder): /Library/Application Support///App/.app/Contents/MacOS/
Universal (x86_64 + arm64)
Notarized, hardened runtime; Developer ID Team <TEAM_ID>
Entitlements include: com.apple.developer.endpoint-security.client (present)
Daemon plist (simplified; placeholders used):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.esd</string>
    <key>Program</key>
    <string>/Library/Application Support/<VENDOR>/<PRODUCT>/Platform/<daemon-exec></string>
    <key>WorkingDirectory</key>
    <string>/Library/Application Support/<VENDOR>/<PRODUCT>/Platform</string>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
Designated requirement (abridged & masked):
identifier "<BUNDLE_ID>" and anchor apple generic and certificate 1[...] and certificate leaf[...] and certificate leaf[subject.OU] = "<TEAM_ID>"

What works
Launching the ES client manually (interactive shell) succeeds; ES events flow.
Signature, notarization, entitlements, Gatekeeper: all OK.

What fails (daemon)
launchctl print system/ shows it starts, but Console logs:
(libEndpointSecurity.dylib) Failed to open service: 0xe00002d8:Caller lacks TCC authorization for Full Disk Access
System TCC DB shows ES consent rows but no allow for TCCServiceSystemPolicyAllFiles for the daemon binary.
Installing a PPPC mobileconfig locally (system scope) is blocked as “must originate from a user-approved MDM server.”

Repro (minimal)
1. Install app bundle + LaunchDaemon plist above (placeholders).
2. Verify entitlements & notarization:
   codesign -dvvv --entitlements :- ""
   spctl --assess --type execute -vv ""
3. Start daemon & watch logs:
   sudo launchctl bootstrap system "/Library/LaunchDaemons/.plist"
   log stream --style compact --predicate 'process == "" OR subsystem == "com.apple.TCC"' --info
4. Observe FDA denial message only in daemon context.
5. Attempt to add FDA via PPPC profile (system scope) → rejected unless installed by user-approved MDM.

Questions for Apple
1. On macOS 14/15, is Full Disk Access for system daemons strictly MDM-only via PPPC (i.e., not installable locally)?
2. Under what conditions would libEndpointSecurity report a Full Disk Access denial at client initialization, given ES consent is distinct from FDA?
3. For unmanaged Macs needing boot-time ES processing, does Apple recommend a split: root LaunchDaemon (ES subscription; no protected file I/O) + per-user LaunchAgent (user-granted FDA) via XPC for on-demand disk access?
4. Would moving ES connection code into a System Extension change FDA requirements for unmanaged devices, or is FDA still governed by PPPC/MDM?
5. If behavior changed across releases, can Apple confirm the intended policy so vendors can document MDM requirements vs. unmanaged install paths?

What we’ve tried
- Verified signature, notarization, hardened runtime, ES entitlement present.
- Confirmed context difference: manual run OK; daemon fails.
- Inspected system TCC: ES consent rows present; no FDA allow for daemon.
- Tried installing system-scoped PPPC locally → blocked as “must originate from a user-approved MDM server.”
- Considered LaunchAgent-only, but ES needs root; evaluating daemon+agent split to keep ES in root and put FDA-gated work in user space.

What we need
A definitive statement on the supported way to grant FDA to a system daemon on macOS 14/15. If MDM PPPC is required, we’ll ship “daemon mode requires MDM” and provide a daemon+agent fallback for unmanaged devices. If a compliant non-MDM path exists for daemon FDA on unmanaged Macs, please share exact steps.
Thanks! Happy to provide additional logs privately if helpful.
12 | 0 | 1.7k | 3w
DesktopServicesHelper appears to delete or unlink the source file before the ESF auth event deadline is reached, rather than waiting for the full deadline window.
On macOS Tahoe, our application using the Endpoint Security Framework (ESF) observes that during file copies through the Finder application, DesktopServicesHelper unlinks the source file if the ESF authorization response is delayed by ~5 seconds, even though the authorization event deadline remains 15 seconds. This indicates that the process does not wait for the full ESF deadline before deleting the file. Before Tahoe, we didn't see this behaviour.
7 | 1 | 268 | Jan ’26
Bug Exists in the ES_EVENT_TYPE_AUTH_UNLINK Event of System Extensions
System Version: 26.1
Device: M1 Mac Mini
Steps to Reproduce:
1. Create a UNIX socket file at /tmp/a.sock
2. Execute the command: ln /tmp/a.sock /tmp/b.sock
3. Execute the command: rm /tmp/b.sock
Bug Description: At this point, a bug occurs in the ES_EVENT_TYPE_AUTH_UNLINK event of the system extension. The value returned for message->event.unlink.target->path is /tmp/a.sock, while it is expected to be /tmp/b.sock.
Reproducibility: 100%
2 | 0 | 131 | Jan ’26
Endpoint Security Extension Crashing Frequently When Handling ES_EVENT_TYPE_AUTH_OPEN
I am facing a persistent issue with an Endpoint Security (ES) extension that is crashing only when processing the ES_EVENT_TYPE_AUTH_OPEN event. Other event types, including ES_EVENT_TYPE_NOTIFY_OPEN and ES_EVENT_TYPE_NOTIFY_MMAP, work without any problems.

func startMonitoring() {
    guard !isMonitoring else { return }

    let result = es_new_client(&gClient) { (client, message) in
        guard message.pointee.action_type == ES_ACTION_TYPE_AUTH else { return }

        // Never block our own process: allow it and mute it for good
        let pid = audit_token_to_pid(message.pointee.process.pointee.audit_token)
        if pid == gSelfPID {
            es_respond_flags_result(client, message, 0x7FFFFFFF, true)
            var token = message.pointee.process.pointee.audit_token
            es_mute_process(client, &token)
            return
        }

        guard message.pointee.event_type == ES_EVENT_TYPE_AUTH_OPEN else {
            es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true)
            return
        }

        let pathData = message.pointee.event.open.file.pointee.path
        guard let pathPtr = pathData.data else {
            es_respond_flags_result(client, message, 0x7FFFFFFF, true)
            return
        }

        if shouldSkipPath(pathPtr, length: pathData.length) {
            es_respond_flags_result(client, message, 0x7FFFFFFF, true)
            return
        }

        if !hasBlockedExtension(pathPtr, length: pathData.length) {
            es_respond_flags_result(client, message, 0x7FFFFFFF, true)
            return
        }

        guard let execPathPtr = message.pointee.process.pointee.executable.pointee.path.data else {
            es_respond_flags_result(client, message, 0x7FFFFFFF, true)
            return
        }

        if isGoogleChrome(execPathPtr) {
            es_respond_auth_result(client, message, ES_AUTH_RESULT_DENY, true)
        } else {
            es_respond_flags_result(client, message, 0x7FFFFFFF, true)
            var token = message.pointee.process.pointee.audit_token
            es_mute_process(client, &token)
        }
    }

    guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let client = gClient else { return }

    es_clear_cache(client)
    muteNoisyPaths(client: client)

    let events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_OPEN]
    let subResult = es_subscribe(client, events, UInt32(events.count))
    guard subResult == ES_RETURN_SUCCESS else {
        es_delete_client(client)
        gClient = nil
        return
    }

    isMonitoring = true
}
1 | 0 | 87 | Dec ’25
UI-Less Host App for Endpoint Security Extension Installation
According to Apple's development documentation, if I want to install an Endpoint Security system extension, I need to develop a host app that must be installed in the Applications directory. Now, I want to create an ES extension to protect users from accessing certain folders. However, I don't want a custom app to pop up asking the user to allow the installation of the ES extension. (To clarify, it's fine if the system authorization request dialog pops up, but I don't want the host app's UI to appear.) Is there any way to do this?
1 | 0 | 80 | Oct ’25
Something odd with Endpoint Security & was_mapped_writable
I'm seeing some odd behavior which may be a bug. I've broken it down to a least common denominator to reproduce it. But maybe I'm doing something wrong.
I am opening a file read-write. I'm then mapping the file read-only and private:
void* pointer = mmap(NULL, 17, PROT_READ, MAP_FILE | MAP_PRIVATE, fd, 0);
I then unmap the memory and close the file. After the close, eslogger shows me this:
{"close":{"modified":false,[...],"was_mapped_writable":false}}
Which makes sense. I then change the mmap statement to:
void* pointer = mmap(NULL, 17, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
I run the new code and the close looks like:
{"close":{"modified":false, [....], "was_mapped_writable":true}}
Which also makes sense. I then run the original again (i.e., with MAP_PRIVATE vs. MAP_SHARED) and the close looks like:
{"close":{"modified":false,"was_mapped_writable":true,[...]}
Which doesn't appear to be correct. Now if I just open and close the file (again, read-write) and don't mmap anything, the close still shows:
{"close":{ [...], "was_mapped_writable":true,"modified":false}}
And the same is true if I open the file read-only. It will remain that way until I delete the file. If I recreate the file and try again, everything is good until I map it MAP_SHARED.
I tried this with macOS 13.6.7 and macOS 15.0.1.
3 | 0 | 753 | Oct ’25
How to update Endpoint Security Extension?
Hi, I’m expecting the demo from Apple, but I think I’m seeing different behavior on my end. Here are the steps I followed:
1. Run the SampleEndpointApp example.
2. Copy SampleEndpointApp to the /Applications folder.
3. Run and enable the Extension and Full Disk Access → Everything works properly.
I modify something in the example and start again from step #1, but nothing gets updated as shown in the demo video. The only way I can make it work is by going into Settings, manually removing the ES extension, and then running the app again.
My concern is: if I deliver the application to clients, how can I properly update the extension without requiring them to manually remove it first?
Thanks,
1 | 0 | 173 | Sep ’25
New TCC Modify system extension event doesn't send an event when the TCC db is changed with sqlite
Hey, we also opened a bug regarding this behavior in April, back when you introduced the new event on macOS 15.4. The bug ticket is: FB17139326
Starting with macOS 15.4 you added a new event for the system extension framework named: tcc_modify
The event should be triggered every time there is a change regarding the TCC db (granted / revoked using various ways). One of the ways you can grant / revoke a TCC db permission is by changing the user sqlite db with root permissions. You can change various permissions regarding the user, for example the apps that are allowed to use the microphone.
It is expected that when permissions are granted / revoked using sqlite for the microphone we will get notified from the system extension with a tcc modify event, but the actual result is that the permission is added without any tcc modify event.
We wanted to know if it is intentional that changing the user TCC db with root permissions, using sqlite and not conventional methods (user popup / settings), is supposed to not initiate an event, and we should monitor them using other methods.
Thank you, Idan
8 | 0 | 218 | Sep ’25
Capturing file read events in Endpoint Security client
Hi everyone! I'd like to create an application for system monitoring using the Endpoint Security framework. I already have a working prototype and now I am trying to expand its capabilities to capture more event types. I started looking at filesystem-related events as one of the most important ones for my use case. These seem to be supported fairly well by the framework (ES_EVENT_TYPE_NOTIFY_OPEN/CLOSE/CREATE/WRITE etc.). However, the "READ FILE" event seems to be absent… Am I missing something here, or does the Endpoint Security framework not provide this kind of information? If it doesn't, what is the reason behind this? Capturing this type of event seems quite relevant for security-related software.
Thanks & Best regards, Roman
3 | 0 | 127 | Aug ’25
Validating Signature Of XPC Process
Quinn, you've often suggested that to validate the other side of an XPC connection, we should use the audit token. But that's not available from the XPC object, whereas the PID is. So everyone uses the PID. While looking for something completely unrelated, I found this in the SecCode.h file:
OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED target);
Would this be the preferred way to do this now? At least from 11.0 and up. Like I said, I was looking for something completely unrelated and found this and don't have the cycles right now to try it. But it looks promising from the description and I wanted to check in with you about it in case you can say yes or no before I get a chance to test it. Thanks
8 | 0 | 8.2k | Aug ’25
es_event_open_t fflag showing O_SEARCH instead of FREAD/FWRITE on macOS 26 beta 4
Hello, Starting with macOS 26 beta 4, I’ve noticed that the fflag field in es_event_open_t sometimes contains O_SEARCH instead of the expected FREAD or FWRITE values. According to the documentation, fflag should represent the kernel-applied flags (e.g., FREAD, FWRITE), not the open(2) oflag values. However, in my tests, when intercepting ES_EVENT_TYPE_AUTH_OPEN events, the value appears to match O_SEARCH in certain cases. Is this an intentional change in macOS 26, or could it be a bug in the current beta? If this is expected behavior, could you clarify under what conditions O_SEARCH or some oflag are returned? Environment: macOS 26 beta 4 Endpoint Security Framework Thanks in advance for any clarification!
3 | 0 | 104 | Aug ’25
es_mute_path() vs. deprecated es_mute_path_literal() - incompatibility and wrong documentation
I recently upgraded a line of code in my Endpoint Security client, to remove a deprecation warning:

for (NSString *mutePath in ignoredBinaryPaths) {
    //(old) res = es_mute_path_literal(self.esClient, [mutePath UTF8String]);
    res = es_mute_path(self.esClient, [mutePath UTF8String], ES_MUTE_PATH_TYPE_TARGET_LITERAL);
    if (res != ES_RETURN_SUCCESS)
        os_log_error(setupLog, "Failed to white-list binary:%{public}@ error:%{errno}d", mutePath, errno);
}

However, after this change, I started receiving tons of ES event messages, for AUTH_OPEN and AUTH_CREATE and many others, from processes/executables I explicitly and successfully muted! Since ES is so performance sensitive, I got worried. Inspecting the new API more closely I found incoherent documentation and even misleading and contradicting definitions. But the ES headers say differently!!!

/**
 * @brief Suppress all events matching a path.
 *
 * @param client The es_client_t for which the path will be muted.
 * @param path The path to mute.
 * @param type Describes the type of the `path` parameter.
 *
 * @return es_return_t A value indicating whether or not the path was successfully muted.
 *
 * @note Path-based muting applies to the real and potentially firmlinked path
 *       of a file as seen by VFS, and as available from fcntl(2) F_GETPATH.
 *       No special provisions are made for files with multiple ("hard") links,
 *       or for symbolic links.
 *       In particular, when using inverted target path muting to monitor a
 *       particular path for writing, you will need to check if the file(s) of
 *       interest are also reachable via additional hard links outside of the
 *       paths you are observing.
 *
 * @see es_mute_path_events
 * @discussion When using the path types ES_MUTE_PATH_TYPE_TARGET_PREFIX and
 *             ES_MUTE_PATH_TYPE_TARGET_LITERAL not all events are supported.
 *             Furthermore the interpretation of target path is contextual.
 *             For events with more than one target path (such as exchangedata)
 *             the behavior depends on the mute inversion state: under normal
 *             muting the event is suppressed only if ALL paths are muted; when
 *             target path muting is inverted the event is selected if ANY
 *             target path is muted. For example a rename will be suppressed
 *             if and only if both the source path and destination path are
 *             muted. Supported events are listed below. For each event the
 *             target path is defined as:
 *
 *             EXEC: The file being executed
 *             OPEN: The file being opened
 *             MMAP: The file being memory mapped
 *             RENAME: Both the source and destination path.
 *             SIGNAL: The path of the process being signalled
 *             UNLINK: The file being unlinked
 *             CLOSE: The file being closed
 *             CREATE: The path to the file that will be created or replaced
 *             GET_TASK: The path of the process for which the task port is being retrieved
 *             LINK: Both the source and destination path
 *             SETATTRLIST: The file for which the attributes are being set
 *             SETEXTATTR: The file for which the extended attributes are being set
 *             SETFLAGS: The file for which flags are being set
 *             SETMODE: The file for which the mode is being set
 *             SETOWNER: The file for which the owner is being set
 *             WRITE: The file being written to
 *             READLINK: The symbolic link being resolved
 *             TRUNCATE: The file being truncated
 *             CHDIR: The new working directory
 *             GETATTRLIST: The file for which the attribute list is being retrieved
 *             STAT: The file for which the stat is being retrieved
 *             ACCESS: The file for which access is being tested
 *             CHROOT: The file which will become the new root
 *             UTIMES: The file for which times are being set
 *             CLONE: Both the source file and target path
 *             FCNTL: The file under file control
 *             GETEXTATTR: The file for which extended attributes are being retrieved
 *             LISTEXTATTR: The file for which extended attributes are being listed
 *             READDIR: The directory whose contents will be read
 *             DELETEEXTATTR: The file for which extended attributes will be deleted
 *             DUP: The file being duplicated
 *             UIPC_BIND: The path to the unix socket that will be created
 *             UIPC_CONNECT: The file that the unix socket being connected is bound to
 *             EXCHANGEDATA: The path of both file1 and file2
 *             SETACL: The file for which ACLs are being set
 *             PROC_CHECK: The path of the process against which access is being checked
 *             SEARCHFS: The path of the volume which will be searched
 *             PROC_SUSPEND_RESUME: The path of the process being suspended or resumed
 *             GET_TASK_NAME: The path of the process for which the task name port will be retrieved
 *             TRACE: The path of the process that will be attached to
 *             REMOTE_THREAD_CREATE: The path of the process in which the new thread is created
 *             GET_TASK_READ: The path of the process for which the task read port will be retrieved
 *             GET_TASK_INSPECT: The path of the process for which the task inspect port will be retrieved
 *             COPYFILE: The path to the source file and the path to either the new file to be created or the existing file to be overwritten
 */

So the behavior completely changed: you can no longer specify executables (via their binary path) from which you do NOT want any events. Muting effectively became reactive, not proactive. Why is this change not documented with the deprecation? Why is no alternative suggested? Why did I find this only because it broke my software tool's behavior and performance? And last: for how long can I rely on the old, deprecated APIs, should I choose to revert my change instead of devising a whole new mechanism for muting un-interesting
8 | 0 | 233 | Aug ’25
block microphone and speakers due to security reason
Hello, as part of developing a DLP system, the microphone and speakers should be blocked. My solution involves muting devices by changing the property kAudioDevicePropertyMute. However, this solution allows the user to unmute the device, and the app must implement a property listener to mute the device again. The problem is that muting takes some time and the device is temporarily unmuted. Admittedly, it takes less than a second, but nevertheless, it appears insecure. Is there an Apple-recommended approach to implement such blocking more securely? Maybe some solution which is based on IOKit. Thank you in advance, Pavel
2 | 0 | 217 | Aug ’25