Endpoint Security


Develop system extensions that enhance user security using Endpoint Security.

Endpoint Security Documentation

Posts under Endpoint Security tag

72 Posts
Post not yet marked as solved
0 Replies
263 Views
Hi everyone. I'm working on an on-premises application and I need help clarifying what these URLs are used for. I know we need them all for the provisioning profile procedure, but I need to know more specifically, in about one sentence for each URL: developerservices2.apple.com, developer.apple.com, appstoreconnect.apple.com, idmsa.apple.com. Thanks in advance <3
Posted by PierreD83. Last updated.
Post marked as solved
1 Reply
280 Views
The ES_EVENT_TYPE_AUTH_CREATE event can be fired either for a regular file or for a directory. Currently there is no such information in the event structure. Is there any way to find out exactly what kind of object is being created, right in the ES_EVENT_TYPE_AUTH_CREATE handler? Thanks in advance, Aleksandr Skobelev
Posted by ilowry. Last updated.
Post not yet marked as solved
7 Replies
2.3k Views
Hello! I need to load a dylib signed by another developer (using dlopen). For that, I added the following entitlement to the hardened runtime: com.apple.security.cs.disable-library-validation. However, after adding this entitlement, the app fails to start, generating a crash report indicating a code signing failure. This happens even without any code for loading the library in the app. I tried it in a blank project, and it worked just fine. The app also has the Endpoint Security entitlement (in the provisioning profile), so I am suspecting that might be the cause; however, I was not able to find anything about this in the documentation. Thank you for any help.
Posted by Bambam1. Last updated.
Post marked as solved
2 Replies
376 Views
Hi All, I'm developing a security application that uses an endpoint security extension. The application has two parts, main and extension. I have an entitlement for Security Extension Client from Apple. I'd like to distribute apps through the App Store. Locally the app runs without problems on enabled machines, but when I try to get it through TestFlight to the App Store I get two errors:
ITMS-90285 - Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on macOS. Specifically, key 'com.apple.developer.endpoint-security.client'
ITMS-90296 - App sandbox not enabled on extension
When I turn on the sandbox for the extension, the extension fails to register the endpoint security client:
let res = es_new_client(&client) { _, event in self.eventDispatcher(msg: event) }
Without the sandbox it runs without any problem. Thank you very much for your help, I don't know how to proceed. Martin
Posted. Last updated.
Post marked as solved
5 Replies
423 Views
Hi, in my ES application I am trying to ignore execution events of Apple processes. I think the way to do this is to check the is_platform_binary attribute of es_message_t, but I found that when executing Xcode this attribute is false. Is it because I downloaded it from the App Store? Also, would checking for the "com.apple" prefix of the signing ID be a good way to identify Apple-signed processes?
Posted. Last updated.
Post not yet marked as solved
7 Replies
963 Views
So I'm having issues communicating with an endpoint security system extension via XPC. Both the application and the extension are signed, notarized, and members of the same group ID. I've confirmed that the extension is running with systemextensionsctl list and launchctl list. I've also confirmed that the XPC endpoint is available with launchctl procinfo <extension_pid>. The mach service name is correct according to this post: https://developer.apple.com/forums/thread/118211?answerId=366391022#366391022 (TEAMID.bundleID.xpc). I also use the NSXPCConnection.Options.privileged option when creating the connection. When I use connection.remoteObjectProxyWithErrorHandler, I receive the error "Couldn't communicate with a helper application". This error message is very vague and does not help me troubleshoot further. Are there any other logs that I should be looking at in the Console app?
Posted by xorrior. Last updated.
Post marked as solved
1 Reply
268 Views
Hello everybody! I'm working on an EndpointSecurity client and noticed that when I copy a file to an external flash card with a FAT16 or exFAT file system, the ES_EVENT_TYPE_NOTIFY_CREATE event and the very first ES_EVENT_TYPE_NOTIFY_WRITE one have some fake value for the st_ino field in their stat structures. For FAT it is 999999999, and for exFAT it is 1. Starting from the second write notification, the stat structure gets a real inode number. It does not happen for the APFS file system. Could someone please tell me whether this is known behavior, and point me to a place where it is documented? For which other file systems can this also happen? Thanks in advance, Aleksandr Skobelev
Posted by ilowry. Last updated.
Post not yet marked as solved
2 Replies
273 Views
Hi, I have an ES sysex working properly in Big Sur. I ran an upgrade to Monterey. I checked the behavior of the sysex in Monterey and I noticed that it is receiving events from processes that I have muted with "es_mute_path_prefix". It is as if the system upgrade process has affected the sysex startup, and some configurations, forced on start by calling "es_mute_path_prefix", are not taken into account. Should I take some special steps in OS upgrade scenarios, like forcing a restart of my sysex? Stop it before the OS upgrade and restart it after the upgrade? Any known best practices on OS upgrades in general? Thanks.
Posted by ZenoElea. Last updated.
Post not yet marked as solved
2 Replies
261 Views
Hi, I see these new ES event types: ES_EVENT_TYPE_AUTH_REMOUNT, ES_EVENT_TYPE_NOTIFY_REMOUNT. I assume it refers to a volume re-mount. I'm trying to make them trigger by doing:
$ mount -o rdonly update force -t hfs -d /Volumes/MyDiskVol
But the "mount" command is not successful. How/when are those ES events generated? Thanks. How would
Posted by ZenoElea. Last updated.
Post not yet marked as solved
0 Replies
278 Views
Hi, I am developing an Endpoint Security extension and I would like to get the full list of processes that ended up calling the process I receive in an event. For example, if I receive an es_process_t I have this process's audit token; I would like to get the parent's audit token, then the parent's parent's token, and so on until I get the full list of processes. I hope I made myself clear :)
Posted. Last updated.
Post not yet marked as solved
1 Reply
233 Views
Can we rely on an order of precedence for muting and unmuting paths? For example, if I mute "/", then unmute "/tmp/testdir", can I reliably believe I'll get events for "/tmp/testdir"? I can test this, obviously, but it'd be great to be able to rely on a certain behavior here.
Posted by QuintenCS. Last updated.
Post not yet marked as solved
1 Reply
292 Views
The system extension is loaded as it is already allowed, as follows.
1309: 0x413c 17:21:14.310843+0900 taskgated-helper Checking profile: V3FltES_Provisioning
1309: 0x413c 17:21:14.310843+0900 taskgated-helper Checking profile: V3FltES_Provisioning
1309: 0x413c 17:21:14.311095+0900 taskgated-helper allowing entitlement(s) for com.ahnlab.V3FltES due to provisioning profile (isUPP: 1)
1309: 0x413c 17:21:14.322742+0900 taskgated-helper Checking profile: V3FltES_Provisioning
1309: 0x413c 17:21:14.322999+0900 taskgated-helper com.ahnlab.V3FltES: Unsatisfied entitlements: com.apple.security.application-groups
1309: 0x413c 17:21:14.323045+0900 taskgated-helper Disallowing: com.ahnlab.V3FltES
However, an unacceptable log is output as a warning message. Can you explain why?
Posted. Last updated.
Post marked as solved
3 Replies
539 Views
Hi all! I'm writing an endpoint security daemon, which is packed in an application bundle with embedded.provisionfile in its Contents folder. This daemon can be successfully loaded and started with launchctl on Big Sur with SIP disabled, but fails to run when SIP is enabled. The os log from the kernel contains the following messages:
(Sandbox) sandboxd rejected approval request from esservice for kTCCServiceSystemPolicyAllFiles(null): denied
(EndpointSecurity) Task has not been granted user permission to connect
Could anybody please explain to me what could be the reason for this kind of messages? Is it a sign that something is wrong with my provisioning profile file, or something else? Thanks in advance, Aleksandr
Posted by ilowry. Last updated.
Post marked as solved
4 Replies
481 Views
Hello, We have an AV product for macOS that uses Endpoint Security APIs for authorizing various system activity. The latest Monterey beta 6 introduced support for an event called "ES_EVENT_TYPE_AUTH_COPYFILE" which, according to the release notes, should be triggered for the "copyfile" system call. The problem is I cannot seem to find any activity that actually ends up triggering this system call while using the latest Monterey beta.
"/bin/cp" generates two open system calls.
The more high-level NSFileManager "copyItemAtPath:toPath:error:" generates a clone event.
There is a "copyfile" C function defined in "copyfile.h"; it also generates two separate open calls.
Did someone figure out how to trigger it, or could someone from Apple give a comment? We'd usually ask such a question via a DTS ticket, but it's about beta software, so we decided to start here on the forum. Thanks. Best regards, Arthur
Posted. Last updated.
Post not yet marked as solved
4 Replies
404 Views
Under macOS (and especially when using MDM), is it the case that a system extension (in particular, a Transparent Proxy Provider or Endpoint Security extension) must be embedded in an application bundle in /Applications? Or can they be located in some other location, or even directly installed into /Library/SystemExtensions and then activated via a LaunchDaemon? Does it matter whether it's distributed via the App Store or part of enterprise distribution? (Yes, my next step is to look into MDM, about which I know very little. 😄) This is a case of me being confused by the documentation, and looking at some existing products.
Posted by kithrup. Last updated.
Post not yet marked as solved
3 Replies
399 Views
Hi all, I have been using the endpoint system extension for some months now. Recently, when I checked the crash logs, I found that within an hour there were a lot of crashes reported. I am not able to make sense of the log. Here is the crash report:
Process: com.test.xyz.EndpointSecurityExtension [2851]
Path: /Library/SystemExtensions/*/com.test.xyz.EndpointSecurityExtension
Identifier: com.test.xyz.EndpointSecurityExtension
Version: 1.1.0 (4)
Code Type: X86-64 (Native)
Parent Process: launchd [1]
Responsible: com.test.xyz.EndpointSecurityExtension [2851]
User ID: 0
Date/Time: 2021-09-01 11:50:57.698 +0530
OS Version: macOS 11.5.2 (20G95)
Report Version: 12
Anonymous UUID: 0F843683-C812-EEE7-668E-2DCAADAE35B6
Sleep/Wake UUID: C67D7ECA-22E6-451F-8766-CB2DCA3FC287
Time Awake Since Boot: 42000 seconds
Time Since Wake: 5500 seconds
System Integrity Protection: disabled
Crashed Thread: 1 Dispatch queue: BBReaderQueue
Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Illegal instruction: 4
Termination Reason: Namespace SIGNAL, Code 0x4
Terminating Process: exc handler [2851]
Thread 0:
0 libsystem_kernel.dylib 0x00007fff20381b0a __sigsuspend_nocancel + 10
1 libdispatch.dylib 0x00007fff202184e1 _dispatch_sigsuspend + 36
2 libdispatch.dylib 0x00007fff202184bd _dispatch_sig_thread + 53
Thread 1 Crashed:: Dispatch queue: BBReaderQueue
0 com.test.xyz.EndpointSecurityExtension 0x00000001006b836e closure #1 in + 8270
1 com.test.xyz.EndpointSecurityExtension 0x00000001006b8627 thunk for @escaping @callee_guaranteed (@unowned OpaquePointer, @unowned UnsafePointer<es_message_t>) -> () + 23
2 libEndpointSecurity.dylib 0x00007fff2fe2f52b __es_new_client_with_config_block_invoke + 43
3 libEndpointSecurity.dylib 0x00007fff2fe2ff92 BBReader<ESMessageReaderConfig>::handleItems() + 130
4 libEndpointSecurity.dylib 0x00007fff2fe2fe41 BBReader<ESMessageReaderConfig>::woke(void*) + 17
5 libdispatch.dylib 0x00007fff20207806 _dispatch_client_callout + 8
6 libdispatch.dylib 0x00007fff2020a1b0 _dispatch_continuation_pop + 423
7 libdispatch.dylib 0x00007fff2021a564 _dispatch_source_invoke + 2061
8 libdispatch.dylib 0x00007fff2020d493 _dispatch_lane_serial_drain + 263
9 libdispatch.dylib 0x00007fff2020e0e0 _dispatch_lane_invoke + 417
10 libdispatch.dylib 0x00007fff2020f318 _dispatch_workloop_invoke + 1784
11 libdispatch.dylib 0x00007fff20217c0d _dispatch_workloop_worker_thread + 811
12 libsystem_pthread.dylib 0x00007fff203ae45d _pthread_wqthread + 314
13 libsystem_pthread.dylib 0x00007fff203ad42f start_wqthread + 15
Thread 1 crashed with X86 Thread State (64-bit):
rax: 0x0000000100743108 rbx: 0x0000000100743028 rcx: 0x0000000000000000 rdx: 0x00007fc6c07091c0
rdi: 0x0000000000000000 rsi: 0x0000000100743370 rbp: 0x000070000cee8690 rsp: 0x000070000cee7ed0
r8: 0x0000000000000515 r9: 0x0000000000000519 r10: 0x00000000fe1fffff r11: 0x00007fc5bffc5e90
r12: 0x000000020236c1a1 r13: 0x00000000000001f6 r14: 0x00000000000041ed r15: 0x0000000000000026
rip: 0x00000001006b836e rfl: 0x0000000000010246 cr2: 0x0000000110b5492e
Logical CPU: 0
Error Code: 0x00000000
Trap Number: 6
Thread 1 last branch register state not available.
It restarts again; sometimes it crashes again and sometimes it starts working normally. Any idea on where I might have made a mistake? Because when I usually get crash reports they have the line, the function name and the file (e.g. main.swift) where I had made a mistake, but this one is a bit confusing. Thanks in advance
Posted. Last updated.
Post not yet marked as solved
4 Replies
628 Views
I found a big problem. In Monterey, it does not wait for user acceptance requests. In Monterey, the user appears to fail by requesting deactivation before it is approved. Why are you requesting deactivation without waiting for a user approval request? As a result, deactivation fails. Our app is requesting deactivation based on the GUI. I already asked through the feedback number below (Follow-up: 774983090). However, I did not receive an appropriate response, so I am posting it to the Developer Forum. I'll compare it with Big Sur.
First, Big Sur.
Step 1. The log below pops up, and the user approval request is activated.
19:45:39.665971+0900 sysextd upgrading connection to nsxpc
Step 2. If the user approves, the log below comes out.
19:45:43.298319+0900 authd Succeeded authorizing right 'com.apple.system-extensions.admin' by client '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd' [1303] for authorization created by '/Applications/AhnLab Solutions/v3mac/V3FltESApp.app' [3986] (0,0) (engine 243)
Step 3. Once approved, a log appears requesting deactivation as shown below, and it succeeds.
19:45:43.288928+0900 sysextd deactivation request received from: /Applications/AhnLab ...
19:45:44.349972+0900 sysextd deactivation succeeded for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp
19:45:44.350649+0900 sysextd client connection (pid 3986) invalidated
However, within Monterey, a deactivation request is made prior to user approval. In other words, the user appears to fail by requesting deactivation before it is approved.
20:05:54.735224+0900 sysextd upgrading connection to nsxpc
20:05:54.741167+0900 sysextd deactivation request received from: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp
...
20:05:54.756362+0900 sysextd deactivation request for com.ahnlab.V3FltES failed authorization check, error: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)"
20:05:54.760648+0900 sysextd deactivation failed for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp, error: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)"
...
Even if you subsequently allow a user approval request, the deactivation request has already failed.
20:06:25.244287+0900 authd Succeeded authorizing right 'com.apple.system-extensions.admin' by client '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd' [308] for authorization created by '/Applications/AhnLab Solutions/v3mac/V3FltESApp.app' [2573] (0,0) (engine 39)
20:06:25.250832+0900 sysextd deactivation failed for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp, error: Error Domain=OSSystemExtensionErrorDomain Code=4 "(null)"
Posted. Last updated.