EndpointSecurity


Develop system extensions that enhance user security using EndpointSecurity.

EndpointSecurity Documentation

Posts under EndpointSecurity tag

74 results found
Post not yet marked as solved
82 Views

Having trouble getting the endpoint-security entitlement working

I got the permission from Apple (yay), and when I generate a profile on the portal, I can select it. But when I download it... it doesn't have it. Looking at the profile on the portal again, it says I have "Enabled Capabilities Endpoint Security, In-App Purchase". (Although how did that get there?)
Asked by kithrup.
Post not yet marked as solved
51 Views

little bug in Monitoring System Events with Endpoint Security sample code

The file auth_demo.c in the sample code is as follows:

    static void handle_open_worker(es_client_t *x, const es_message_t *msg)
    {
        static const char *ro_prefix = "/usr/local/bin/";
        // ro_prefix_length will always equal 7, since sizeof(char*)=8
        static const size_t ro_prefix_length = sizeof(ro_prefix) - 1;
        ......
    }
Asked by ytf.
Post not yet marked as solved
209 Views

Missing file read auth event in Endpoint Security Framework

The Endpoint Security framework provides an open auth event. However, certain applications may just open a file to check size or access, but not read the content. Our use case is geared toward applying security when the application actually reads the content. Could an Apple engineer confirm if there is any plan to support this? I had raised an enhancement request a long time back (Feedback FB6484629). Just thought of checking if there is any update on the same. Any suggestions/comments?
Asked by rupesh.
Post not yet marked as solved
62 Views

When is BSM Audit going to be removed

We know that BSM Audit was deprecated in macOS 11 Big Sur. Does Apple mention anywhere when it will be completely removed from macOS? Do we expect it to be removed in the next macOS release in 2022?
Asked by btsmarco.
Post marked as solved
103 Views

How does TCC rely on the bundle ID esp. with multiple targets?

We distribute a macOS app bundle with a main executable, a helper executable, a nested app bundle and an XPCService.

    myApp.app
    └── Contents
        ├── _CodeSignature
        │   └── CodeResources
        ├── embedded.provisionprofile
        ├── Info.plist
        ├── MacOS
        │   ├── myHelperApp.app
        │   │   └── Contents...
        │   ├── mainExecutable
        │   └── helperExecutable
        ├── PkgInfo
        └── XPCServices
            └── myXPCService.xpc
                └── Contents...

Our mainExecutable requires FullDiskAccess and the helperExecutable requires Accessibility Access. Since this is a product for enterprise customers, the TCC permissions usually get granted via a PPPC profile.

What would be a good bundle identifier naming scheme for such a structure? com.example.myApp for the main app bundle/executable and com.example.myApp.helperExecutable etc. for all additional targets?

When creating the PPPC profile, do I only refer to the bundle identifier of the main bundle com.example.myApp? If so, does that mean that every executable in that bundle has these privileges? At least this is what the manual approach would suggest, where the user can drag an entire app bundle to the privacy settings.

The helperExecutable gets copied into the bundle during the build process. But when it is run from its Xcode scheme, it is run from the build directory, outside the final bundle. This requires the helper binary to be separately granted Accessibility permissions, at least during development. Is there a better way? Thanks (Quinn)!
Asked by wriker.
Post not yet marked as solved
342 Views

How to set environment variables for system extension

Hi Experts, I know there is LSEnvironment for defining environment variables to be set before launching, e.g.

    <key>LSEnvironment</key>
    <dict>
        <key>PATH</key>
        <string>/Users/flori/.rvm/gems/ruby-1.9.3-p362/bin:/Users/flori/.rvm/gems/ruby-1.9.3-p362@global/bin:/Users/flori/.rvm/rubies/ruby-1.9.3-p326/bin:/Users/flori/.rvm/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:</string>
    </dict>

How about system extensions? Thanks a lot.
Post marked as solved
139 Views

es_process_t cdhash to String in Swift

Hi, could someone help me convert the cdhash property from es_process_t to a String in Swift? Thanks.

    var cdhash: (UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8)
Post not yet marked as solved
227 Views

Multiple "ES_EVENT_TYPE_AUTH_CLONE" are created.

In case we copy a file to Finder using ctrl+c -> ctrl+v, we get an "ES_EVENT_TYPE_AUTH_CLONE" event. In case we block that event, we get the 'ES_EVENT_TYPE_AUTH_CLONE' event 2-3 times with the same destination file name. Any idea how to avoid those extra 2-3 'ES_EVENT_TYPE_AUTH_CLONE' events?
Post not yet marked as solved
143 Views

Need help with URL Endpoints clarification

Hi everyone. I'm working on an on-premises application and I need help clarifying what these URLs are used for. I know we need them all for the provisioning profile procedure, but I need to know more specifically, in about 1 sentence, what each URL is for.

developerservices2.apple.com
developer.apple.com
appstoreconnect.apple.com
idmsa.apple.com

Thanks in advance <3
Asked by PierreD83.
Post marked as solved
123 Views

How to find out the type of a file system object when handling ES_EVENT_TYPE_AUTH_CREATE?

The ES_EVENT_TYPE_AUTH_CREATE event can be fired either for a regular file or for a directory. Currently there is no such information in the event structure. Is there any way to find out exactly what kind of object is being created right in the ES_EVENT_TYPE_AUTH_CREATE handler? Thanks in advance, Aleksandr Skobelev
Asked by ilowry.
Post not yet marked as solved
1.6k Views

Disable library validation entitlements makes app fail GateKeeper

Hello! I need to load a dylib signed by another developer (using dlopen). For that, I added the following entitlement to the hardened runtime:

    com.apple.security.cs.disable-library-validation

However, after adding this entitlement, the app fails to start, generating a crash report indicating a code signing failure. This happens even without any code for loading the library in the app. I tried it in a blank project, and it worked just fine. The app also has the Endpoint Security entitlement (in the provisioning profile), so I suspect that might be the cause; however, I was not able to find anything about this in the documentation. Thank you for any help.
Asked by Bambam1.
Post marked as solved
231 Views

Endpoint Security Extension + SandBox + App Distribution

Hi All, I'm developing a security application that uses an endpoint security extension. The application has two parts, main and extension. I have an entitlement for Security Extension Client from Apple. I'd like to distribute apps through the Apple Store. Locally the app runs without problems on enabled machines, but when I try to get it through TestFlight to the App Store I get two errors:

ITMS-90285 - Invalid Code Signing Entitlements. Your application bundle’s signature contains code signing entitlements that are not supported on MacOs. Specifically, key 'com.apple.developer.endpoint-security.client'
ITMS-90296 - App sandbox not enabled on extension

When I turn on sandbox for the extension, the extension fails to register the endpoint security client:

    let res = es_new_client(&client) { _, event in
        self.eventDispatcher(msg: event)
    }

Without sandbox it runs without any problem. Thank you very much for your help, I don't know how to proceed. Martin