Endpoint Security

Develop system extensions that enhance user security using Endpoint Security.

Endpoint Security Documentation

Posts under Endpoint Security tag

72 Posts
Post not yet marked as solved
1 Replies
277 Views
I was under the impression that a security endpoint required a system extension, but that does not appear to be the case. Apparently daemons can create endpoint extensions without needing a system extension. Why would I use an endpoint in a system extension rather than a daemon, or vice versa? I'm not understanding the value of a system extension with regards to a security endpoint. Someone please enlighten me.
Post not yet marked as solved
2 Replies
317 Views
When a user tries to edit a file on the local drive, my application denies that action in the OPEN AUTH event, and I do not see any change in the file access time. But when a user tries to edit a file on a pen drive and my application denies that action in the OPEN AUTH event, I do see a change in the access time. Why is there such a difference?
Post not yet marked as solved
11 Replies
588 Views
I got the permission from Apple (yay), and when I generate a profile on the portal, I can select it. But when I download it... it doesn't have it. Looking at the profile on the portal again, it says I have "Enabled Capabilities: Endpoint Security, In-App Purchase". (Although how did that get there?)
Post not yet marked as solved
1 Replies
257 Views
The file auth_demo.c in the sample code reads as follows:

    static void handle_open_worker(es_client_t *x, const es_message_t *msg) {
        static const char *ro_prefix = "/usr/local/bin/";
        // ro_prefix_length will always equal 7, since sizeof(char*) = 8
        static const size_t ro_prefix_length = sizeof(ro_prefix) - 1;
        ......
    }

Posted by ytf
Post not yet marked as solved
2 Replies
348 Views
We know that BSM Audit was deprecated in macOS 11 Big Sur. Does Apple mention anywhere when it will be completely removed from macOS? Do we expect it to be removed in the next macOS release in 2022?
Post marked as solved
1 Replies
374 Views
We distribute a macOS app bundle with a main executable, a helper executable, a nested app bundle and an XPCService.

    myApp.app
    └── Contents
        ├── _CodeSignature
        │   └── CodeResources
        ├── embedded.provisionprofile
        ├── Info.plist
        ├── MacOS
        │   ├── myHelperApp.app
        │   │   └── Contents...
        │   ├── mainExecutable
        │   └── helperExecutable
        ├── PkgInfo
        └── XPCServices
            └── myXPCService.xpc
                └── Contents...

Our mainExecutable requires Full Disk Access and the helperExecutable requires Accessibility access. Since this is a product for enterprise customers, the TCC permissions usually get granted via a PPPC profile. What would be a good bundle identifier naming scheme for such a structure? com.example.myApp for the main app bundle/executable and com.example.myApp.helperExecutable etc. for all additional targets? When creating the PPPC profile, do I only refer to the bundle identifier of the main bundle, com.example.myApp? If so, does that mean that every executable in that bundle has these privileges? At least this is what the manual approach would suggest, where the user can drag an entire app bundle to the privacy settings. The helperExecutable gets copied into the bundle during the build process. But when it is run from its Xcode scheme, it is run from the build directory, outside the final bundle. This requires the helper binary to be separately granted Accessibility permissions, at least during development. Is there a better way? Thanks (Quinn)!
Post marked as solved
2 Replies
308 Views
Hi, could someone help me convert the cdhash property from es_process_t to a String in Swift? Thanks.

    var cdhash: (UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8)
Post not yet marked as solved
0 Replies
263 Views
Hi everyone. I'm working on an on-premises application and I need help clarifying what these URLs are used for. I know we need them all for the provisioning profile procedure, but I need to know more specifically, in about one sentence for each URL.

    developerservices2.apple.com
    developer.apple.com
    appstoreconnect.apple.com
    idmsa.apple.com

Thanks in advance <3
Post marked as solved
1 Replies
279 Views
The ES_EVENT_TYPE_AUTH_CREATE event can be fired either for a regular file or for a directory. Currently there is no such kind of information in the event structure. Is there any way to find out exactly what kind of object is being created right in the ES_EVENT_TYPE_AUTH_CREATE handler? Thanks in advance, Aleksandr Skobelev
Post marked as solved
2 Replies
376 Views
Hi All, I'm developing a security application that uses an endpoint security extension. The application has two parts: main and extension. I have an entitlement for Endpoint Security Client from Apple. I'd like to distribute apps through the App Store. Locally the app runs without problems on enabled machines, but when I try to get it through TestFlight to the App Store I get two errors:

    ITMS-90285 - Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on macOS. Specifically, key 'com.apple.developer.endpoint-security.client'
    ITMS-90296 - App sandbox not enabled on extension

When I turn on the sandbox for the extension, the extension fails to register the endpoint security client:

    let res = es_new_client(&client) { _, event in
        self.eventDispatcher(msg: event)
    }

Without the sandbox it runs without any problem. Thank you very much for your help, I don't know how to proceed. Martin
Post marked as solved
1 Replies
267 Views
Hello everybody! I'm working on an EndpointSecurity client and noticed that when I copy a file to an external flash card with a FAT16 or exFAT file system, the ES_EVENT_TYPE_NOTIFY_CREATE event and the very first ES_EVENT_TYPE_NOTIFY_WRITE one have some fake value for the st_ino field in their stat structures. For FAT it is 999999999, and for exFAT it is 1. Starting from the second write notification the stat structure gets a real inode number. It does not happen for the APFS file system. Could someone please tell me whether this is known behavior, and point me to a place where it is documented? For which other file systems can this also happen? Thanks in advance, Aleksandr Skobelev
Post marked as solved
5 Replies
422 Views
Hi, in my ES application I am trying to ignore execution events of Apple processes. I think the way to do this is to check the is_platform_binary attribute of es_message_t, but I found that when executing Xcode this attribute is false. Is it because I downloaded it from the App Store? Also, would checking for the "com.apple" prefix of the signing ID be a good way to identify Apple-signed processes?
Post not yet marked as solved
2 Replies
272 Views
Hi, I have an ES sysex working properly in Big Sur. I ran an upgrade to Monterey. I checked the behavior of the sysex in Monterey and I notice that it is receiving events from processes that I have muted with "es_mute_path_prefix". It is as if the system upgrade process has affected the sysex startup and some configurations, forced on start by calling "es_mute_path_prefix", are not being taken into account. Should I take some special steps in OS upgrade scenarios, like forcing a restart of my sysex? Stop it before the OS upgrade and restart it after the upgrade? Any known best practices on OS upgrades in general? Thanks.
Post not yet marked as solved
2 Replies
260 Views
Hi, I see these new ES event types:

    ES_EVENT_TYPE_AUTH_REMOUNT
    ES_EVENT_TYPE_NOTIFY_REMOUNT

I'm assuming they refer to a volume re-mount. I'm trying to make them trigger by doing:

    $ mount -o rdonly update force -t hfs -d /Volumes/MyDiskVol

But the "mount" command is not successful. How/when are those ES events generated? Thanks. How would
Post not yet marked as solved
0 Replies
278 Views
Hi, I am developing an Endpoint Security extension and I would like to get the full list of processes that ended up calling the process I receive in an event. For example, if I receive an es_process_t I have this process's audit token; I would like to get the parent's audit token, and then the parent's parent's token, and so on until I get the full list of processes. I hope I made myself clear :)