I'm trying to sign a macOS application which includes a Endpoint Security system extension. The profile for the extension has capability added and the app profile has the System Extension capability added. Both targets also has the correct entitlements, but when validating the app after archiving I get the following error: "Profile doesn't support Endpoint Security." When looking in the logs I can see that Xcode is fetching a provisioning profile for the extension without the needed capability. If downloading the profile from the developer portal the correct capability is present. Could something be "out of sync" regarding what provisioning profiles Xcode fetches vs what I see on the developer portal? If I try to archive using xcodebuild I get the following: "APP requires a provisioning profile with the System Extension feature." and ""BUNDLE_ID.systemextension" requires a provisioning profile with the Endpoint Security feature." I have tried with automatic and manual signing but nothing seems to work.

Description says this event will be raised when "An identifier for a process that notifies endpoint security that it is updating a file." What does this mean ? Similarly when will ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_MATERIALIZE event be raised ? Do these events get raised if any cloud provider sync app like Google Drive/Dropbox/OneDrive that usages fileprovider framework to sync the data ? In my endpoint secutiry app, I have registered for these events but i didnt receive any event *i do receive other endpoint secutiry events like ES_EVENT_TYPE_NOTIFY_CLONE etc.

I mounted a 3rd file system on macOS, I want to monitor the copy event by Finder on this 3rd file system, so I use an Endpoint Security client. I know that ES_EVENT_TYPE_NOTIFY_CLONE will only be triggered by Apple File System clone operation. ES_EVENT_TYPE_NOTIFY_COPYFILE is triggered by the SYS_copyfile system call. If I want to monitor the copy/paste operation by Finder(The copy can happens in the 3rd file system or between 3rd and Apple File System), which ES event should I register?

I have submitted an application for the Endpoint Security entitlement, however, I have yet to receive any feedback regarding its progress. Could someone kindly advise on the proper procedure to track the current status of my permission request?

Is there an API to query for SIP Protected Paths or someway that this information can be deciphered ? Intent is to mute those paths or a subset for an ES client ?

We have a huge project. Until today we didn't use an .app but now we must in order to use Endpoint security and other stuff. Until today our binary sat in /opt/XYZ/binary.bin Now because of the .app, looks like it will have to be /opt/XYZ/Cool.app/Content/MacOs/binary.bin This change really breaks our code and will cause a massive code change. If I extract the binary from the app and place it in /opt/XYZ/binary.bin and run it, the process is killed. Is there a way to extract it from the app and run it from /opt/XYZ ? any tool, command, resource, etc' will be great.

As enterprise endpoint security/data loss prevention application, we need to detect data which is being transferred out of the enterprise context from their MacOS filesystem through applications like Cloud Sync or Email. Depending on the file content, type and size, we require some time for scanning the content being sent. This can range from milli seconds to few minutes for very large contents. But the Endpoint Security message has to be responded within the provided message deadline else application will be killed. This deadline is reducing with every macos release and its now only 15 seconds on macos sonoma which is blocking our use case of completing the scan before responding. We may scan it before but it imposes challenges of the data being modified before actual sent. So, we have to scan it on the fly and cant rely solely on the previous scans. Is there any way an Enterprise can customize this deadline value depending on the ES message and scanning application may be through MDM setting?

I am developing an app that uses the Endpoint Security API. I need to mute a few processes like: my own process, xcode, etc' ... However, if the muted processes create child processes, I want these processes to be muted as well. The full process tree under muted processes should be muted. How can that be done? Cant see in docs and can't find an example. If it can't be done, whats the closest thing to that I can implement. Thanks!

I have an app that uses Endpoint security. I have 1 client that registered many AUTH and NOTIFY event types. When I I recive an Endpoint Security message (event) and my handler is called. Which thread does it use? If I have 1 client will it always just use the same 1 thread? If not, can it ever happen that I register 1 client, and he will handle more then 1 event in the same time? regardless of the event type or any thing else

I use sample code from [https://developer.apple.com/documentation/endpointsecurity/client?language=objc] but replace ES_EVENT_TYPE_AUTH_EXEC to ES_EVENT_TYPE_AUTH_OPEN, this is the full code: int main(int argc, const char** argv) { @autoreleasepool { es_client_t *client = NULL; es_new_client_result_t newClientResult = es_new_client(&client, ^(es_client_t * client, const es_message_t * message) { switch (message->event_type) { case ES_EVENT_TYPE_AUTH_OPEN: printf("auth open\n"); es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true); break; default: panic("Found unexpected event type: %i", message->event_type); break; } }); // Handle any errors encountered while creating the client. switch (newClientResult) { case ES_NEW_CLIENT_RESULT_SUCCESS: // Client created successfully; continue. break; case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED: panic("Extension is missing entitlement."); break; case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED: panic ("Extension is not running as root."); break; case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED: // Prompt user to perform Transparency, Consent, // and Control (TCC) approval. // This error is recoverable; the user can try again after // approving the TCC prompt. // return YOUR_NEW_CLIENT_ERROR_CODE_PROMPT_TCC; break; case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT: panic ("Invalid argument to es_new_client(); client or handler was null."); break; case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS: panic ("Exceeded maximum number of simultaneously-connected ES clients."); break; case ES_NEW_CLIENT_RESULT_ERR_INTERNAL: panic ("Failed to connect to the Endpoint Security subsystem."); break; } // Subscribe the client to the ES_EVENT_TYPE_AUTH_EXEC event. // When the client receives a message with this event type, it must authorize // (allow or deny) the event. es_event_type_t eventTypes[1] = { ES_EVENT_TYPE_AUTH_OPEN }; es_return_t subscribeResult = es_subscribe(client, eventTypes, sizeof(eventTypes)); if (subscribeResult != ES_RETURN_SUCCESS) { panic ("Client failed to subscribe to event."); } NSRunLoop *runLoop = [NSRunLoop currentRunLoop]; [runLoop run]; } } I run this code in xcode, then mouse cursor be a colorful circle and rotating, application exited after about 10 seconds, xcode print: Message from debugger: Terminated due to signal 9 Program ended with exit code: 9 if I subscribe ES_EVENT_TYPE_NOTIFY_OPEN ES_EVENT_TYPE_NOTIFY_CLOSE, it works. What can I do for fix this?

Recently we've discovered an issue affecting our products in regards to using the Monterey+ provided new api calls to selectively mute events. Specifically, whenever using es_mute_process_events or es_mute_path_events, the ES_EVENT_TYPE_NOTIFY_OPEN event is ignored for muting (meaning the call will return success, but the event will keep coming). This is true only for this event as far as I can tell, its AUTH counterpart stays muted (along lots of other processes: clone, rename, close, unlink, fork etc). It fails if either the event is in a list of events or if the event is singled out in 1 sized vector of events. When using a dedicated client for this event and using the previous api, es_mute_process or es_mute_path muting works as intended. Tested on ventura 13.5 and 13.6. Is there something that can be done to prevent dedicated clients or is this a known issue?

I have an Endpoint system extension that, in theory, receives XProtect alerts. I regularly see XProtectPluginService starting programs like XProtecteRemediatorSheepSwap on my Mac. I would love to be able to put one or more files/bundles on my Mac that triggers the detectors, so I can see the alerts go from the Endpoint system extension through to the UI. Does Apple have or recommend a way (short of being infected) for triggering the XProtect detectors for testing?

For a security product, I wonder if security extension has a capability to catch a file during copy operation (I guess it's composed out of multiple basic ops like file read and file write). I'd like to store the file in some quarantined temporal (let's say when someone copy file from external file system like usb/network location and copy it back once the file has properly scanned. So far, i've used the authorization capabilities of the security extension. I wonder if there's also an option to change the target location of a file being copied ? Thanks.