Post not yet marked as solved
If I run this application from my home developer directory, it doesn't have a problem. When, however, I copy it to /Library/Application Support/Fidelis..., then I immediately get "killed -9"
./protect_am
Killed: 9
I have this code structure:
ProtectOnAccess.app/
ProtectOnAccess.app//Contents
ProtectOnAccess.app//Contents/_CodeSignature
ProtectOnAccess.app//Contents/_CodeSignature/CodeResources
ProtectOnAccess.app//Contents/_CodeSignature/CodeDirectory
ProtectOnAccess.app//Contents/_CodeSignature/CodeRequirements-1
ProtectOnAccess.app//Contents/_CodeSignature/CodeSignature
ProtectOnAccess.app//Contents/_CodeSignature/CodeRequirements
ProtectOnAccess.app//Contents/MacOS
ProtectOnAccess.app//Contents/MacOS/protect_am
ProtectOnAccess.app//Contents/Resources
ProtectOnAccess.app//Contents/Resources/Info.plist
ProtectOnAccess.app//Contents/embedded.provisionprofile
ProtectOnAccess.app//Contents/Info.plist
ProtectOnAccess.app//Contents/PkgInfo
and ./protect_am is a symbolic link as follows:
lrwxr-xr-x 1 root wheel 45B Apr 27 14:52 protect_am -> ProtectOnAccess.app/Contents/MacOS/protect_am
The thing is, I have had this work at times. No idea what the problem is. Log stream isn't helping
codesign -vvvv protect_am
protect_am: valid on disk
protect_am: satisfies its Designated Requirement
codesign -vvvv ProtectOnAccess.app/
--prepared:/Library/Application Support/Fidelis/Endpoint/Platform/services/protect/ProtectOnAccess.app/Contents/MacOS/protect_am
--validated:/Library/Application Support/Fidelis/Endpoint/Platform/services/protect/ProtectOnAccess.app/Contents/MacOS/protect_am
ProtectOnAccess.app/: valid on disk
ProtectOnAccess.app/: satisfies its Designated Requirement
Now, I do have entitlements added only to the executable, not to the .app.
codesign -d --entitlements :- ProtectOnAccess.app/Contents/MacOS/protect_am
Executable=/Library/Application Support/Fidelis/Endpoint/Platform/services/protect/ProtectOnAccess.app/Contents/MacOS/protect_am
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>AMLU******.Fidelis.protect-am</string>
<key>com.apple.developer.endpoint-security.client</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>AMLU******</string>
<key>com.apple.security.cs.allow-jit</key>
<true/>
</dict>
</plist>
I would like to know what I'm doing wrong, and what I have accidentally done right from time to time to have it work.
Post not yet marked as solved
Hi, I have an endpoint security app and I was wondering what the best way is to check if a process was signed by a specific Developer ID certificate. Let's say I'm subscribed to auth_exec events and want to deny execution of processes signed with Developer ID Application: Adobe Inc.
Would obtaining the common names of the certificate with SecCertificateCopyCommonName and then comparing strings be the right way or am I missing something?
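An added example (not code from the thread or from Apple) of the alternative to comparing common names: match the Team ID that Endpoint Security already reports in es_process_t, comparing the es_string_token_t by length rather than with strcmp. The struct types are local stand-ins for a subset of the real header so the code compiles anywhere, and TEAMID1234 is a placeholder, not a real Team ID.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins so the example compiles without EndpointSecurity.h.
 * identity_t is a hypothetical subset of es_process_t, not the real struct. */
typedef struct {
    size_t length;        /* byte count; data is not guaranteed NUL-terminated */
    const char *data;
} es_string_token_t;

typedef struct {
    es_string_token_t signing_id;
    es_string_token_t team_id;   /* empty when the binary carries no Team ID */
    bool is_platform_binary;
} identity_t;

/* Compare a token with a C string without assuming NUL termination;
 * calling strcmp() on tok->data is the common mistake with ES tokens. */
bool token_equals(const es_string_token_t *tok, const char *s)
{
    size_t n = strlen(s);
    return tok->length == n && tok->data != NULL && memcmp(tok->data, s, n) == 0;
}

/* Deny exec when the process is signed with the blocked Team ID. The Team ID
 * is the stable identifier behind a "Developer ID Application: <name>"
 * certificate (it is the part in parentheses in the CN), so match it rather
 * than the display name. Platform binaries have no Team ID and are never
 * denied; unsigned processes fall through to allow, which a stricter policy
 * may change. */
bool should_deny_exec(const identity_t *p, const char *blocked_team_id)
{
    if (p->is_platform_binary || p->team_id.length == 0)
        return false;
    return token_equals(&p->team_id, blocked_team_id);
}

/* Build an identity from a constructed token buffer and evaluate it. */
bool check_blocked(const char *team_buf, size_t team_len, bool platform, const char *blocked)
{
    identity_t proc = { { 15, "com.example.app" }, { team_len, team_buf }, platform };
    return should_deny_exec(&proc, blocked);
}

int main(void)
{
    /* Constructed token whose backing buffer runs past the Team ID, as an ES token can. */
    printf("deny=%d\n", check_blocked("TEAMID1234-trailing-bytes", 10, false, "TEAMID1234"));
    return 0;
}
```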
Post not yet marked as solved
My company has a product that is a kind of Endpoint Security Application.
We haven't got its entitlement yet, so we submitted a request to register for the Endpoint Security Extension entitlement on the Apple website.
After submitting the request, we received an automatic email from Apple saying that they will review our request and send us an email once they have evaluated our information.
But after a few weeks, I haven't received any email from Apple and I don't know whether my request has been accepted or not.
In the case my request is rejected, will I get an answer email from Apple? And how long to get their answer? Currently, our product is finished with development but we don't have the entitlement to publicize it.
Thanks,
Phu Luu
Post not yet marked as solved
I'm beating my head against Apple here and it hurts.
We made the request for Endpoint Security, and got it granted. However, it was only for development (and as we're looking to do non-app store distribution, I explicitly asked for one to go with our Developer ID Application certificate). At this point, I have used a TSI (thanks Quinn!) and possibly upset an internal contact by asking what I'm supposed to do, and gotten nowhere. At this point, I am sending an email message to the endpoint-review address every week, and I have gotten no responses at all.
Has anyone successfully gotten this? If so... how? (No, let me amend that: I know some have, since I've seen it in the wild. I just have no idea what I'm supposed to do!)
Post not yet marked as solved
I have logged in as an Active Directory domain user. When I lock the Mac and unlock it with Touch ID, the following event is logged.
<subject audit-uid="-1" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="318" sid="100000" tid="0 0.0.0.0" />
<text>Touch ID authentication</text>
<return errval="success" retval="0" />
<identity signer-type="1" signing-id="com.apple.biometrickitd" signing-id-truncated="no" team-id="" team-id-truncated="no" cdhash="0x8b061a4cd6a37b9228d5b894cc269aaa32ef8051" />
</record>
This logs the subject as root rather than as the domain user I logged in as. This is not the case when I use password login.
Post not yet marked as solved
Hello, I'm requesting the Endpoint Security entitlement from Apple with an enterprise developer account. It's been 12 months since the request was submitted. I did not get any response from Apple. That's really a sad story.
I don't even know how to check whether I have been granted the entitlement or not. I tried to create a provisioning profile from the developer site, but I did not find any options related to this entitlement, nor did I find com.apple.developer.endpoint-security.client in the provisioning profile.
security cms -D -i path_to_provisionprofile
According to https://developer.apple.com/forums/thread/125048, will the entitlement be automatically added when it was granted by Apple?
Fourth, the above is only relevant for testing. When you go to deploy, you must be granted the EndpointSecurity entitlement com.apple.developer.endpoint-security.client by Apple. That will whitelist the entitlement in your provisioning profile, at which point you’ll be able to run on standard user machines, those with SIP enabled.
Thanks very much.
Post not yet marked as solved
Scenario:
Copy file operation via Finder to an external device like USB
Expected behavior:
Endpoint Security Client should receive ES_EVENT_TYPE_NOTIFY_CLOSE event
Current behavior:
ES_EVENT_TYPE_NOTIFY_CLOSE is not seen for the file being copied with Monterey 12.3 Beta.
If you copy the same file via the cp command, ES_EVENT_TYPE_NOTIFY_CLOSE is seen.
Is this a bug?
Hi all,
According to the reference link,
Packaging a Daemon with a Provisioning Profile - https://developer.apple.com/forums/thread/129596
I changed our launchd daemon to run as an .app.
When generating a Provisioning Profile, I added our Development computer (including UUID) into 'Devices'.
But when I ran .app/Contents/MacOS/FamRTServicebig on our macOS Big Sur test environment, this error occurred:
embedded provisioning profile not valid: file:///Library/Application%20Support/test/bin/FamRTServicebig.app/Contents/embedded.provisionprofile
error: Error Domain=CPProfileManager Code=-212 "Provisioning profile does not allow this device." UserInfo={NSLocalizedDescription=Provisioning profile does not allow this device.}
Questions:
Could you let me know how to resolve this error?
Is it necessary to install the Provisioning profile in the test device as well?
Thanks in advance for your help.
Post not yet marked as solved
I was under the impression that a security endpoint required a system extension, but that does not appear to be the case. Apparently daemons can create endpoint extensions without needing a system extension.
Why would I use an endpoint in a system extension rather than a daemon, or vice versa? I'm not understanding the value of a system extension with regards to a security endpoint. Someone please enlighten me.
Post not yet marked as solved
When a user tries to edit a file on the local drive, my application denies that action in the OPEN AUTH event. I do not see any change in the file's access time.
But when a user tries to edit a file on a pen drive, my application denies that action in the OPEN AUTH event. I do see a change in the access time.
Why is there such a difference?
Post not yet marked as solved
I got the permission from Apple (yay), and when I generate a profile on the portal, I can select it. But when I download it... it doesn't have it. Looking at the profile on the portal again, it says I have "Enabled Capabilities Endpoint Security, In-App Purchase". (Although how did that get there?)
Post not yet marked as solved
File auth_demo.c in the sample code reads as follows:
static void
handle_open_worker(es_client_t *x, const es_message_t *msg)
{
static const char *ro_prefix = "/usr/local/bin/";
// ro_prefix_length will always equal 7, since sizeof(char *) == 8
static const size_t ro_prefix_length = sizeof(ro_prefix) - 1;
......
}
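An added example (not the sample's code) showing the sizeof mistake reported above next to its fix, and the effect on the prefix comparison: with the 7-byte length only "/usr/lo" is compared, so paths such as /usr/local/lib/... are wrongly treated as inside the read-only prefix. The sample paths are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The sample's pattern: a pointer, so sizeof() measures the pointer
 * (8 bytes on 64-bit macOS), not the string literal it points to. */
static const char *ro_prefix_ptr = "/usr/local/bin/";
static const size_t ro_prefix_len_buggy = sizeof(ro_prefix_ptr) - 1;   /* 7 on LP64 */

/* The fix: an array, so sizeof() measures the literal including its NUL,
 * and "- 1" yields the real prefix length. strlen() would also do. */
static const char ro_prefix[] = "/usr/local/bin/";
static const size_t ro_prefix_len = sizeof(ro_prefix) - 1;             /* 15 */

size_t buggy_prefix_length(void) { return ro_prefix_len_buggy; }
size_t fixed_prefix_length(void) { return ro_prefix_len; }

/* The prefix test a handler would apply to the target path, with the
 * length passed in so both variants can be compared side by side. */
static bool under_prefix(const char *path, size_t prefix_len)
{
    return strncmp(path, ro_prefix, prefix_len) == 0;
}

bool buggy_matches(const char *path) { return under_prefix(path, ro_prefix_len_buggy); }
bool fixed_matches(const char *path) { return under_prefix(path, ro_prefix_len); }

int main(void)
{
    /* Constructed sample paths: the second one is outside the prefix but
     * still matches when only 7 bytes are compared. */
    const char *paths[] = { "/usr/local/bin/tool", "/usr/local/lib/libfoo.dylib", "/usr/lib/dyld" };
    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-30s buggy=%d fixed=%d\n", paths[i], buggy_matches(paths[i]), fixed_matches(paths[i]));
    return 0;
}
```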
Post not yet marked as solved
The Endpoint Security framework provides an open auth event. However, certain applications may just open a file to check its size or access, but not read the content.
Our use case is geared toward applying security when the application actually reads the content.
Could an Apple engineer confirm whether there is any plan to support this? I raised an enhancement request a long time ago (Feedback FB6484629).
Just thought of checking if there any update on the same.
Any suggestions/comments?
Post not yet marked as solved
I requested the entitlement of Endpoint Security two months ago, but there is no feedback yet.
Please, let me know how long it usually takes.
Follow-up:754428619
We distribute a macOS app bundle with a main executable, a helper executable, a nested app bundle and an XPCService.
myApp.app
└── Contents
├── _CodeSignature
│ └── CodeResources
├── embedded.provisionprofile
├── Info.plist
├── MacOS
│ ├── myHelperApp.app
│ │ └── Contents...
│ ├── mainExecutable
│ └── helperExecutable
├── PkgInfo
└── XPCServices
└── myXPCService.xpc
└── Contents...
Our mainExecutable requires Full Disk Access and the helperExecutable requires Accessibility access. Since this is a product for enterprise customers, the TCC permissions usually get granted via a PPPC profile.
What would be a good bundle identifier naming scheme for such a structure? com.example.myApp for the main app bundle/executable and com.example.myApp.helperExecutable etc. for all additional targets?
When creating the PPPC profile, do I only refer to the bundle identifier of the main bundle com.example.myApp? If so, does that mean that every executable in that bundle has these privileges? At least this is what the manual approach would suggest, where the user can drag an entire app bundle to the privacy settings.
The helperExecutable gets copied into the bundle during the build process. But when it is run from its Xcode scheme, it is run from the build directory, outside the final bundle. This requires the helper binary to be granted Accessibility permissions separately, at least during development. Is there a better way?
Thanks (Quinn)!
Post not yet marked as solved
Hi Experts,
I know there is LSEnvironment for defining environment variables to be set before launching.
e.g.
<key>LSEnvironment</key>
<dict>
<key>PATH</key>
<string>/Users/flori/.rvm/gems/ruby-1.9.3-p362/bin:/Users/flori/.rvm/gems/ruby-1.9.3-p362@global/bin:/Users/flori/.rvm/rubies/ruby-1.9.3-p326/bin:/Users/flori/.rvm/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:</string>
</dict>
How about system extension? Thanks a lot.
Post not yet marked as solved
SIP: enable
Release
systemExtension update version failed,
errorCode: OSSystemExtensionErrorCodeSignatureInvalid
Hi, could someone help me convert the cdhash property from es_process_t to a String in Swift.
Thanks.
var cdhash: (UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8)
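An added example, not from the thread: in the C API the same field is uint8_t cdhash[CS_CDHASH_LEN], and this hex-encodes it and compares it with a log-style hex string, using the cdhash from the audit record quoted earlier on this page as constructed input. CDHASH_LEN is defined locally so the code compiles without the macOS headers.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Defined locally for portability; on macOS the constant is CS_CDHASH_LEN
 * from <kern/cs_blobs.h>, the size of es_process_t.cdhash. */
#define CDHASH_LEN 20

/* Render the cdhash as 40 lowercase hex digits plus NUL into out, which
 * must hold 2 * CDHASH_LEN + 1 bytes. Returns out for convenience. */
char *cdhash_to_hex(const uint8_t cdhash[CDHASH_LEN], char out[2 * CDHASH_LEN + 1])
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < CDHASH_LEN; i++) {
        out[2 * i]     = digits[cdhash[i] >> 4];
        out[2 * i + 1] = digits[cdhash[i] & 0x0f];
    }
    out[2 * CDHASH_LEN] = '\0';
    return out;
}

/* Compare a raw cdhash with a hex string as found in logs or an allowlist,
 * accepting an optional "0x" prefix and either letter case. */
bool cdhash_matches_hex(const uint8_t cdhash[CDHASH_LEN], const char *hex)
{
    char buf[2 * CDHASH_LEN + 1];
    if (hex[0] == '0' && (hex[1] == 'x' || hex[1] == 'X'))
        hex += 2;
    if (strlen(hex) != 2 * CDHASH_LEN)
        return false;
    cdhash_to_hex(cdhash, buf);
    for (size_t i = 0; i < 2 * CDHASH_LEN; i++)
        if (tolower((unsigned char)hex[i]) != buf[i])
            return false;
    return true;
}

/* Constructed sample: the cdhash bytes from the audit record quoted in the
 * Touch ID post above, as the raw array an es_process_t would carry. */
const uint8_t *sample_cdhash(void)
{
    static const uint8_t h[CDHASH_LEN] = {
        0x8b, 0x06, 0x1a, 0x4c, 0xd6, 0xa3, 0x7b, 0x92, 0x28, 0xd5,
        0xb8, 0x94, 0xcc, 0x26, 0x9a, 0xaa, 0x32, 0xef, 0x80, 0x51 };
    return h;
}

const char *sample_cdhash_hex(void)
{
    static char buf[2 * CDHASH_LEN + 1];
    return cdhash_to_hex(sample_cdhash(), buf);
}

int main(void) { printf("cdhash=%s\n", sample_cdhash_hex()); return 0; }
```

The Swift tuple from the question can be fed to the same loop as raw bytes with withUnsafeBytes(of: process.cdhash) { Array($0) }.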
Post not yet marked as solved
In case we copy a file in Finder using ctrl+c -> ctrl+v, we get the "ES_EVENT_TYPE_AUTH_CLONE" event.
In case we block that event, we get the 'ES_EVENT_TYPE_AUTH_CLONE' event 2-3 times with the same destination file name.
Any idea how to avoid those extra 2-3 'ES_EVENT_TYPE_AUTH_CLONE' events?