Hi everyone. Im working on a on-premises application and i need help with clarify what these URLs are used for. I know we need them all for provision profile procedure but need to know more specific in like 1 sentence on each URL. developerservices2.apple.com developer.apple.com appstoreconnect.apple.com idmsa.apple.com Thanks in advanced <3

SIP: enable Release systemExtension update version faild , errorCode: OSSystemExtensionErrorCodeSignatureInvalid

We know that BSM Audit was deprecated in macOS 11 Big Sur. Does Apple mention anywhere when will it be completely removed from macOS? Do we expect it to be removed in the next macOS release in 2022?

file auth_demo.c in sample code as following: static void handle_open_worker(es_client_t *x, const es_message_t *msg) { static const char *ro_prefix = "/usr/local/bin/"; //ro_prefix_length will always equal 7,since sizeof(char*)=8 static const size_t ro_prefix_length = sizeof(ro_prefix) - 1; ...... }

file auth_demo.c in sample code as following: static void handle_open_worker(es_client_t *x, const es_message_t *msg) { static const char *ro_prefix = "/usr/local/bin/"; //ro_prefix_length will always equal 7,since sizeof(char*)=8 static const size_t ro_prefix_length = sizeof(ro_prefix) - 1; ...... }

I got the permission from Apple (yay), and when I generate a profile on the portal, I can select it. But when I download it... it doesn't have it. Looking at the profile on the portal again, it says I have "Enabled Capabilities Endpoint Security, In-App Purchase". (Although how did that get there?)

When users tries to edit file on Local drive, my application denies that action in OPEN AUTH event. I do not see any change in file access time. But when users tries to edit file on Pen drive, my application denies that action in OPEN AUTH event. I do see change in access time. Why there is such a difference ?

I was under the impression that a security endpoint required a system extension, but that does not appear to be the case. Apparently daemons can create endpoint extensions without needed a system extension. Why would I use an endpoint in a system extension rather than a daemon, or vice versa? I'm not understanding the value of a system extension with regards to a security endpoint. Someone please enlighten me.

Hello, I'm requesting the Endpoint Security entitlement from Apple with an enterprise developer account. It's been 12 months since the request was submitted. I did not get any response from Apple. That's really a sad story. I even don't know how to check whether I'm granted with the entitlement or not. I tried to create a provisioning profile from the developer site, but I did not find any options related to this entitlement, nor did I find com.apple.developer.endpoint-security.client in the provisioning profile. security cms -D -i path_to_provisionprofile According to https://developer.apple.com/forums/thread/125048, will the entitlement be automatically added when it was granted by Apple? Fourth, the above is only relevant for testing. When you go to deploy, you must be granted the EndpointSecurity entitlement com.apple.developer.endpoint-security.client by Apple. That will whitelist the entitlement in your provisioning profile, at which point you’ll be able to run on standard user machines, those with SIP enabled. Thanks very much.

Scenario: Copy file operation via Finder to an external device like USB Expected behavior: Endpoint Security Client should receive ES_EVENT_TYPE_NOTIFY_CLOSE event Current behavior: ES_EVENT_TYPE_NOTIFY_CLOSE is not been for the file being copied with Monterey 12.3 Beta. If you copy same file via cp command, ES_EVENT_TYPE_NOTIFY_CLOSE is seen Is this a bug?

I'm beating my head against Apple here and it hurts. We made the request for Endpoint Security, and got it granted. However, it was only for development (and as we're looking to do non-app store distribution, I explicitly asked for one to go with our Developer ID Application certificate). At this point, I have used a TSI (thanks Quinn!) and possibly upset an internal contact by asking what I'm supposed to do, and gotten nowhere. At this point, I am sending an email message to the endpoint-review address every week, and I have gotten no responses at all. Has anyone successfully gotten this? If so... how? (No, let me amend that: I know some have, since I've seen it in the wild. I just have no idea what I'm supposed to do!)

My company has a product that is a kind of Endpoint Security Application. We haven't had its entitlement. So we submit a request to register Endpoint Security Extension entitlement on the Apple website. After submitting the request, we received an automatic email from Apple, they said that they will review our request and they will send us an email when they evaluate our information. But after a few weeks, I haven't received any email from Apple and I don't know whether my request is accepted or not? In the case my request is rejected, will I get an answer email from Apple? And how long to get their answer? Currently, our product is finished with development but we don't have the entitlement to publicize it. Thanks, Phu Luu

Hi, I have an endpoint security app and I was wondering what is the best way to check if a process was signed by a specific Developer ID certificate. Lets say im subscribed to auth_exec events and wanted to deny execution of processes signed with Developer ID Application: Adobe Inc. Would obtaining the common names of the certificate with SecCertificateCopyCommonName and then comparing strings be the right way or am I missing something?

If I run this application from my home developer directory, it doesn't have a problem. When, however, I copy it to /Library/Application Support/Fidelis..., then I immediately get "killed -9" ./protect_am Killed: 9 I have this code structure: ProtectOnAccess.app/ ProtectOnAccess.app//Contents ProtectOnAccess.app//Contents/_CodeSignature ProtectOnAccess.app//Contents/_CodeSignature/CodeResources ProtectOnAccess.app//Contents/_CodeSignature/CodeDirectory ProtectOnAccess.app//Contents/_CodeSignature/CodeRequirements-1 ProtectOnAccess.app//Contents/_CodeSignature/CodeSignature ProtectOnAccess.app//Contents/_CodeSignature/CodeRequirements ProtectOnAccess.app//Contents/MacOS ProtectOnAccess.app//Contents/MacOS/protect_am ProtectOnAccess.app//Contents/Resources ProtectOnAccess.app//Contents/Resources/Info.plist ProtectOnAccess.app//Contents/embedded.provisionprofile ProtectOnAccess.app//Contents/Info.plist ProtectOnAccess.app//Contents/PkgInfo and ./protect_am is a symbolic link as follows: lrwxr-xr-x 1 root wheel 45B Apr 27 14:52 protect_am -> ProtectOnAccess.app/Contents/MacOS/protect_am The thing is, I have had this work at times. No idea what the problem is. Log stream isn't helping codesign -vvvv protect_am protect_am: valid on disk protect_am: satisfies its Designated Requirement codesign -vvvv ProtectOnAccess.app/ --prepared:/Library/Application Support/Fidelis/Endpoint/Platform/services/protect/ProtectOnAccess.app/Contents/MacOS/protect_am --validated:/Library/Application Support/Fidelis/Endpoint/Platform/services/protect/ProtectOnAccess.app/Contents/MacOS/protect_am ProtectOnAccess.app/: valid on disk ProtectOnAccess.app/: satisfies its Designated Requirement Now, I do have entitlements added only to the executable, not to the .app. codesign -d --entitlements :- ProtectOnAccess.app/Contents/MacOS/protect_am Executable=/Library/Application Support/Fidelis/Endpoint/Platform/services/protect/ProtectOnAccess.app/Contents/MacOS/protect_am <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>AMLU******.Fidelis.protect-am</string> <key>com.apple.developer.endpoint-security.client</key> <true/> <key>com.apple.developer.team-identifier</key> <string>AMLU******</string> <key>com.apple.security.cs.allow-jit</key> <true/> </dict> </plist> I would like to know what I'm doing wrong, and what I have accidentally done right from time to time to have it work.

We'd prefer our security application not be worked around by the complex task of typing sudo launchctl unload /Library/LaunchDaemons/foo.plist 😄. Is there a way to prevent that? (We're not using ServiceManagement because we need ot control some of the plist entries, sadly.)

I have verified that the extension is loaded: systemextensionsctl list 1 extension(s) --- com.apple.system_extension.endpoint_security enabled active teamID bundleID (version) name [state] * * AMLU8***** com.example.apple-samplecode.SampleEndpointAppAMLU8*****.Extension (1.0/1) Extension [activated enabled] But it is not running/launched: sudo launchctl list AMLU8*****.com.example.apple-samplecode.SampleEndpointApp.Extension Could not find service "AMLU8*****.com.example.apple-samplecode.SampleEndpointApp.Extension" in domain for system What am I missing?