When I'm using Endpoint Security to monitor the file creation behavior of Keynote, I've noticed that when I choose to export a Keynote file as an HTML file, ES only triggers the ES_EVENT_TYPE_NOTIFY_CREATE notification for the index.html file, and the ES_EVENT_TYPE_AUTH_CREATE is not triggered. I've double - checked my code many times, and I'm pretty sure there's no error in it. Does ES only call the notification event without calling the authorization event under certain circumstances? Or is this a bug in ES?
Endpoint Security
RSS for tagDevelop system extensions that enhance user security using Endpoint Security.
Posts under Endpoint Security tag
83 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
I am having difficulty getting my container app with an embedded endpoint security extension to work on a virtual Mac.
My virtual Mac has system integrity protection turned off. I have used spctl and System Settings to allow applications from anywhere.
I am using the development entitlement profile to sign my container app.
When I run my app, it crashes with Termination Reason: COODESIGNING 1 Taskgated Invalid Signature. I assume this has to do with the app being signed with my developer profile that contains a list of Macs that can run the software.
How can test my endpoint security extension on a virtual Mac?
My question is: Do I need two App IDs? One for my launch daemon in order to sign it properly, allowing it to use the Endpoint Security framework. One for the container app.
My understanding is that my existing launch daemon can perform the endpoint security requirements I need. So far, I have had just one App ID for my container app that lives in /Applications.
I have applied for the endpoint security restricted entitlement and have this for development now.
Do endpoint security items have go in Library/SystemExtension? Can my launch daemon live in Library/LaunchDaemons and still use the Endpoint Security framework?
Hello,
es_event_mount_t includes statfs structure. This structure has the field 'f_type' which defines type of filesystem. However, man page says nothing about possible values of this field.
What is the best way to define file system type?
Can I use 'f_type' or 'f_fstypename'? If so, are there any constants in header files which can be used?
Thank you for your help!
Hey, our app is host for system extension and since macOS 15.3 there is an error when user tries delete an app pop with missing permission appears
Is it intentional? Is it a bug? if not how in correct way should we handle removing of SE when app is being to removed?
I have a weird issue with our Endpoint Security extension.
A couple of the checks we do require calling into Apple frameworks (Security, Disk Arbitration) and these checks can happen early in the boot process. On macOS 13 (and possibly earlier), sometimes these calls get stuck and never return. When this happens, the kernel will kill the extension and this generates a crash log. This adds significant time to the boot, enough that people notice. In every case, the thread where the call into the Apple framework occurred shows that the thread is stuck in mach_msg2_trap(), which I now understand means it's likely waiting on an event or message.
Now here's where things get weird. I discovered that if I shunt the check off onto a Thread subclass and put it in a DispatchGroup (perhaps the wrong primitive), then wait() on that group with my own timeout, the thread will get unstuck within a couple hundred milliseconds of the timeout. The timeout can be a couple of seconds or longer. In every case, the thread unblocks, returns from mach_msg2_trap() and the original call finishes as expected.
Is there a rational explanation for this behavior? Am I crazy to even consider shipping this workaround?
Hi! I am trying to run the demo app(SampleEndpointApp) from the WWDC2020 presentation(link).
Here are the steps I followed in order to run the app:
I submitted a request for the Endpoint Security entitlement and got the approval from the Apple Support team.
Created an identifier and assigned Endpoint Security capability.
Updated the Bundle Identifier in ViewController.m and in the Extension target.
Built and copied the app bundle to /Application folder.
Ran the app, clicked "Install Extension" and got the confirmation message that everything went well.
Looking into the logs, I see the following :
(libEndpointSecurity.dylib) Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access
I keep getting the same message even after granting SampleEndpointApp Full Disk Access in Privacy & Security.
System : macOS Sequoia 15.1.1
Could you please assist me with this issue?
Andrei
Is this always possible using systemextensionsctl by root?
Is there a way to prevent root from removing an Endpoint Security Extension?
The use case is for a Mac managed by AirWatch.
I am currently working on ways my application which would monitor the dlopen() and dlsym() calls made on macOS.
In the current list of events endpoint security framework provides, I don't see a relevant event which would give me this information.
Are there any alternate ways we can get these events on macOS?
Hi,
I’m able to view the activity log using the macOS application integrated with Endpoint Security Entitlement in Xcode by setting Debug Process As: root.
However, after archiving the application into a .app using a Developer ID Application certificate and sending it to my friend, they encountered the error ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED during client initialization when running the application.
Could you please guide me on how to resolve this issue? Specifically, what is the correct technical approach to make the application run as root?
Thanks
Hello,
My app needs to report whether a file, which is located on usb volume, is modified by specific application.
I use Endpoint Security framework and I know about "Inferring High-Level Semantics from Low-Level Operations" problem.
However, in spite of this limitation, I need to implement app which reports as much info as possible.
I faced with some unclear behaviour of TestEdit. The scenario is:
Open a file, which is located on usb volume, by TextEdit
/dev/disk4s2 on /Volumes/USBVol (msdos, local, nodev, nosuid, noowners, noatime, fskit)
Modify and save it
Endpoint Security reports open and close events only (modified flag is false)
ES_EVENT_TYPE_AUTH_COPYFILE, ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_NOTIFY_UTIMES and ES_EVENT_TYPE_NOTIFY_WRITE are not reported by Endpoint Security (monitored all processes in system). (Looks like the same behaviour for Xcode)
I am stuck in this moment. Are there any way to monitor file modification if user do it by TextEdit?
Thank you in advance!
Hello,
My app is handling ES_EVENT_TYPE_AUTH_OPEN.
Which character encoding is used in Endpoint Security events? (es_file_t)
Thank you in advance,
Pavel
Hello.
When testing with the Endpoint Security Framework for the AUTH_OPEN event, I found that the deadline was 15 seconds, but the actual process termination occurred at 5 or 6 seconds. Is this intended?
I'm try to monitor all processes by ES client. But I found the process name is different from the Activity Monitor displayed. As shown in the picture below, there are ShareSheetUI(Pages) and ShareSheetUI(Finder) processes in Activity Monitor, but I can only get the same name ShareSheetUI, I thought of many ways to display the name in parentheses, but nothing worked, so there is a way to display the process name like Activity Monitor?
Hello,
My application monitors ES_EVENT_TYPE_NOTIFY_CLOSE. If a file is dragged to another location in Finder, the Endpoint Security reports the event ES_EVENT_TYPE_NOTIFY_CLOSE was performed by '/usr/libexec/xpcproxy'. So, xpcproxy is the process that performed ES_EVENT_TYPE_NOTIFY_CLOSE.
Looks like the dragged file is copied by some XPC service.
I have found the audit user id is equal to user who dragged a file.
Can audit user id be used to identify a user who triggers copy file action in this case? If no, are there any way to define such info?
Thank you in advance!
I'm developing a file access control system. In order to protect the file content copied out, I'm finding a way to deny user copy file content to other files.
I know there are data transmission between the copied application and pboard service by XPC. But I don't know how to interrupt the data transmission. Or I can do something to stop the copied data send to the Clipboard.
So is there any way to prevent the contents of a file being copied?
I added ES_EVENT_TYPE_AUTH_SIGNAL to the event list, and added logging:
os_log_debug(esfLogger, "antitampering signal %d from process %{public}s to process %{public}s", esm.signal, signing.UTF8String, targetSigning.UTF8String);
I get some logs, such as
2024-12-09 10:21:47.668034+0000 0xc2c562 Debug 0x0 29448 0 DopeMonitorService: [security.dope:anti-tamper] antitampering signal 0 from process com.apple.spindump to process com.apple.mds_stores
But when I do sudo kill -9 ${ourappprocess}, the proess dies with no log generated. (This is a different process than the one using ESF; the goal is, obviously, to keep our processes from being killed, but I'm only at the logging stage so far.)
sudo kill -INFO ${ourappprocess} works:
2024-12-09 10:21:38.410851+0000 0xc2c562 Debug 0x0 29448 0 Monitor: [debug:anti-tamper] antitampering signal 29 from process com.apple.csh to process Worker
So it is getting through to the monitoring process. But kill -9 ... isn't. Am I missing something obvious again?
I try to do unit test for an ES system extension's code using Unit Testing Bundle.
the code tries to get NSEndpointSecurityMachServiceName in info.plist by [bundle objectForInfoDictionaryKey:] but failed.
I have added NSEndpointSecurityMachService to info.plist of Test Bundle, and I did check info.plist file in bundle, NSEndpointSecurityMachServiceName was listed there.
Hello,
Let's say I have several opened user sessions in parallel.
Endpoint Security notify about executing a process (ES_EVENT_TYPE_NOTIFY_EXEC) and provide audit token.
The goal is to find relationship between logged-in users and new process.
Can I use audit user ID for this?
Thank you in advance.
Hi, i'm working on an endpoint security extension loader and implement several callbacks from delegate object
OSSystemExtensionRequestDelegate
the callback i'm interested in is :
public func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result);
public func requestNeedsUserApproval(_ request: OSSystemExtensionRequest);
I've noticed that if I manually approve the extension long time after it was activated, the extension process goes up, but the callback isn't being called. The requestNeedUserApproval callback always gets called.
I see in the unified logs that when the extension goes from
activated_waiting_for_user -> activated_enabling -> activated_enabled
Than the request callback doesn't get called.
But whenever the extension goes
activated_waiting_for_user -> activated_disabled
The request callback gets called. (this is counter intuitive since we expected the state activated_disabled may hint that the extension failed to be activated somehow)
Any Idea why my callback doesn't gets called if the extension gets approved long after it was activated ?