Hi everyone! I'd like to create an application for system monitoring using the Endpoint Security framework. I already have a working prototype and now I am trying to expand its capabilities to capture more event types. Started looking at filesystem-related events as one of the most important ones for my use case. These seem to be supported fairly well by the framework (ES_EVENT_TYPE_NOTIFY_OPEN/CLOSE/CREATE/WRITE etc.) However, the "READ FILE" event seems to be absent… Am I missing something here, or Endpoint Security framework does not provide this kind of information? If it doesn't, what is the reason behind this? Capturing this type of events seems quite relevant for security-related software. Thanks & Best regards, Roman

Hello. When testing with the Endpoint Security Framework for the AUTH_OPEN event, I found that the deadline was 15 seconds, but the actual process termination occurred at 5 or 6 seconds. Is this intended?

Quinn, you've often suggested that to validate the other side of an XPC connection, we should use the audit token. But that's not available from the XPC object, whereas the PID is. So everyone uses the PID. While looking for something completely unrelated, I found this in the SecCode.h file OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED target); Would this be the preferred way to do this now? At least from 11.0 and up. Like I said, I was looking for something completely unrelated and found this and don't have the cycles right now to try it. But it looks promising from the description and I wanted to check in with you about it in case you can say yes or no before I get a chance to test it. Thanks

Hello, Starting with macOS 26 beta 4, I’ve noticed that the fflag field in es_event_open_t sometimes contains O_SEARCH instead of the expected FREAD or FWRITE values. According to the documentation, fflag should represent the kernel-applied flags (e.g., FREAD, FWRITE), not the open(2) oflag values. However, in my tests, when intercepting ES_EVENT_TYPE_AUTH_OPEN events, the value appears to match O_SEARCH in certain cases. Is this an intentional change in macOS 26, or could it be a bug in the current beta? If this is expected behavior, could you clarify under what conditions O_SEARCH or some oflag are returned? Environment: macOS 26 beta 4 Endpoint Security Framework Thanks in advance for any clarification!

I recently upgraded a line of code in my Endpoint-Security client, to remove a deprecation warning: for (NSString *mutePath in ignoredBinaryPaths) { //(old) res = es_mute_path_literal(self.esClient, [mutePath UTF8String]); res = es_mute_path(self.esClient, [mutePath UTF8String], ES_MUTE_PATH_TYPE_TARGET_LITERAL); if (res!=ES_RETURN_SUCCESS) os_log_error(setupLog, "Failed to white-list binary:%{public}@ error:%{errno}d", mutePath, errno); } However, after this change, I started receiving tons of ES event messages, for AUTH_OPEN and AUTH_CREATE and many others, from processes/executables I explicitly and successfully muted! Since ES is so performance sensitive - I got worried. Inspecting better the new API I found incoherent documentation and even misleading and contradicting definitions. But the ES headers say differently!!! /** * @brief Suppress all events matching a path. * * @param client The es_client_t for which the path will be muted. * @param path The path to mute. * @param type Describes the type of the `path` parameter. * * @return es_return_t A value indicating whether or not the path was successfully muted. * * @note Path-based muting applies to the real and potentially firmlinked path * of a file as seen by VFS, and as available from fcntl(2) F_GETPATH. * No special provisions are made for files with multiple ("hard") links, * or for symbolic links. * In particular, when using inverted target path muting to monitor a * particular path for writing, you will need to check if the file(s) of * interest are also reachable via additional hard links outside of the * paths you are observing. * * @see es_mute_path_events * @discussion When using the path types ES_MUTE_PATH_TYPE_TARGET_PREFIX and ES_MUTE_PATH_TYPE_TARGET_LITERAL Not all events are * supported. Furthermore the interpretation of target path is contextual. For events with more than one target path (such as * exchangedata) the behavior depends on the mute inversion state Under normal muting the event is suppressed only if ALL paths * are muted When target path muting is inverted the event is selected if ANY target path is muted For example a rename will be * suppressed if and only if both the source path and destination path are muted. Supported events are listed below. For each * event the target path is defined as: * * EXEC: The file being executed * OPEN: The file being opened * MMAP: The file being memory mapped * RENAME: Both the source and destination path. * SIGNAL: The path of the process being signalled * UNLINK: The file being unlinked * CLOSE: The file being closed * CREATE: The path to the file that will be created or replaced * GET_TASK: The path of the process for which the task port is being retrieved * LINK: Both the source and destination path * SETATTRLIST: The file for which the attributes are being set * SETEXTATTR: The file for which the extended attributes are being set * SETFLAGS: The file for which flags are being set * SETMODE: The file for which the mode is being set * SETOWNER: The file for which the owner is being set * WRITE: The file being written to * READLINK: The symbolic link being resolved * TRUNCATE: The file being truncated * CHDIR: The new working directory * GETATTRLIST: The file for which the attribute list is being retrieved * STAT: The file for which the stat is being retrieved * ACCESS: The file for which access is being tested * CHROOT: The file which will become the new root * UTIMES: The file for which times are being set * CLONE: Both the source file and target path * FCNTL: The file under file control * GETEXTATTR The file for which extended attributes are being retrieved * LISTEXTATTR The file for which extended attributes are being listed * READDIR The directory for whose contents will be read * DELETEEXTATTR The file for which extended attribues will be deleted * DUP: The file being duplicated * UIPC_BIND: The path to the unix socket that will be created * UIPC_CONNECT: The file that the unix socket being connected is bound to * EXCHANGEDATA: The path of both file1 and file2 * SETACL: The file for which ACLs are being set * PROC_CHECK: The path of the process against which access is being checked * SEARCHFS: The path of the volume which will be searched * PROC_SUSPEND_RESUME: The path of the process being suspended or resumed * GET_TASK_NAME: The path of the process for which the task name port will be retrieved * TRACE: The path of the process that will be attached to * REMOTE_THREAD_CREATE: The path of the process in which the new thread is created * GET_TASK_READ: The path of the process for which the task read port will be retrieved * GET_TASK_INSPECT: The path of the process for which the task inspect port will be retrieved * COPYFILE: The path to the source file and the path to either the new file to be created or the existing file to be overwritten */ So the behavior completely changed, you can no longer specify executables (via their binary path) from which you do NOT want any events Muting effectively became reactive, not proactive. Why this change is not documented with the deprecation? Why no alternative is suggested? why find this only because it broke my software tool behavior and performance? And last: For how long can I rely on the old, deprecated APIs, should I choose to revert my change instead of devising a whole new mechanism for muting un-interesting

Hello, As part of developing a DLP system, the microphone and speakers should be blocked. My solution involves muting devices by changing the property kAudioDevicePropertyMute. However, this solution allows the user to unmute the device, and the app must implement a property listener to mute the device again. The problem is that muting takes some time and the device is temporarily unmuted. Admittedly, it takes less than a second, but nevertheless, it appears insecure. Is there an Apple-recommended approach to implement such blocking more securely? Maybe some solution which is based on IOKit. Thank you in advance, Pavel

Note: This failure occurs even when running on the same machine that performed the build, signing, and notarization steps. We are developing a command-line Endpoint Security (ES) client for macOS, distributed to customers as part of an enterprise security suite. We have a valid Apple Developer Team ID (redacted for privacy) and have requested and received the Endpoint Security entitlement for our account. What We’ve Done Built a universal (x86_64/arm64) CLI ES client using Xcode on macOS Sonoma. Signed with a Developer ID Application certificate (matching our Team ID). Applied the entitlement: com.apple.developer.endpoint-security.client. Notarized the binary via notarytool after receiving Apple’s confirmation that the entitlement was “assigned to our account.” Distributed and unzipped the notarized ZIP (with com.apple.quarantine xattr intact). What Happens: When we run the binary (as root, via sudo) on any test Mac—including the original build/notarization machine—the process is killed immediately at launch. Kernel log (log stream --predicate 'eventMessage CONTAINS "AMFI"' --info) shows: AMFI: code signature validation failed. AMFI: bailing out because of restricted entitlements. AMFI: When validating /path/to/fidelisevents: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: What We’ve Verified: codesign -dvvv --entitlements :- ./fidelisevents shows the correct entitlement, team identifier, and certificate. xattr ./fidelisevents shows both com.apple.provenance and com.apple.quarantine. spctl -a -vv ./fidelisevents returns: rejected (the code is valid but does not seem to be an app) origin=Developer ID Application: [REDACTED] The process is killed even if run on the same Mac where build/sign/notarization occurred. Other Details The entitlement approval email from Apple simply says it is “assigned to your account” and does not mention “production” or “distribution.” We have rebuilt, re-signed, and re-notarized after receiving the email. This occurs on both Apple Silicon and Intel Macs, with recent macOS versions (Sonoma, Ventura). Question Is it possible that Apple only assigned the development Endpoint Security entitlement, and not the production entitlement required for distributing/running notarized ES clients outside of development? Is there any way to verify the level of entitlement (dev vs. production) associated with our Team ID? What additional steps, if any, are needed to enable the production entitlement so that our binaries can run on customer endpoints without being killed by AMFI? Any advice, experience, or official documentation about production ES entitlement rollout, approval, or troubleshooting would be greatly appreciated! Thanks in advance!

For context, my company develops a data loss prevention (DLP) product. Part of our functionality is the ability to detect sensitive data being pasted into a web browser or cloud-based app. The AppKit release notes for April 2025 document an upcoming “macOS pasteboard privacy” feature, which will presumably ship in macOS 26. Using the user default setting “EnablePasteboardPrivacyDeveloperPreview” documented in the release notes, I tested our agent under macOS 15.5, and encountered a modal alert reading " is trying to access the pasteboard" almost immediately, when the program reads the General pasteboard to scan its contents. Since our product is aimed at enterprise customers (and not individual Mac users), I believed Apple would implement a privacy control setting for this new feature. This would allow our customers to push a configuration profile via MDM, with the “Paste from Other Apps” setting for our application preset to “Allow”, so that they can install our product on their endpoints without manual intervention. Unfortunately, as of macOS 26 beta 4 (25A5316i), there does not seem to be any such setting documented under Device Management — for example in PrivacyPreferencesPolicyControl.Services, which lists a number of similar settings. Without such a setting available, a valuable function of our product will be effectively crippled when macOS 26 is released. Is there such a setting (that I've overlooked)? If not, allow me to urge Apple to find the resources to implement one, so that our customers can preset “Paste from Other Apps” to “Allow” for our application.

I am trying to disable certain paths from Endpoint Security Events using es_mute_path, but this seems to be returning with ES_RETURN_ERROR. I am currently not having 'com.apple.developer.endpoint-security.client' but is disabling SIP to check the same. What is the reason for this behavior ?

I have tried a few different approaches but none of them were 100% reliable. I tried subscribing to the ES_EVENT_TYPE_NOTIFY_SETEXTATTR event to detect when a process sets the kMDItemWhereFroms attribute on a file, but the problem is that any process can set that attribute on any file. For example, I can use the xattr -w com.apple.metadata:kMDItemWhereFroms "https://example.com" SampleFile.txt command into the terminal and that would trigger an ES event. I also tried to listen for the com.apple.quarantine attribute but for some reason my ES client never receives an event for it, also, as with any attribute, this attriubte can be set manually by any process. Is there a recommended/reliable way to have an ES client that detects a file has been downloaded from the internet (.i.e. a remote network)?

Hello, I am having some issues with running an XPC server on an endpoint security and connecting to it from the sandboxed host application. I tried doing the following: setting xpc server in endpoint security extension entitlements: <key>com.apple.developer.endpoint-security.client</key> <true/> <key>com.apple.security.xpc.server</key> <true/> Adding the mach service with the plist: <dict> <key>NSExtension</key> <dict> <key>NSExtensionPointIdentifier</key> <string>com.apple.system-extension-endpoint-security</string> <key>NSExtensionPrincipalClass</key> <string>$(PRODUCT_MODULE_NAME).ESFExtension</string> </dict> <key>NSEndpointSecurityMachServiceName</key> <string>[TEAMID]com.[UNIQUE_ID]</string> </dict> </plist> Putting a mach-lookup in sandboxed host application entitlements <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.security.exception.mach-lookup.global-name</key> <array> <string>[TEAMID]com.[UNIQUE_ID]</string> </array> </dict> Creating the server in the system extension using xpc_connection_create_mach_service(_service_name.c_str(), dispatch_get_main_queue(), XPC_CONNECTION_MACH_SERVICE_LISTENER); with _service_name being the same as in the mach-lookup entitlement. And connecting to it in the host app with: xpc_connection_create_mach_service([self.serviceName UTF8String], dispatch_get_main_queue(), 0); My problem is I get an xpc error 159 (sandbox restriction) in the lookup (libxpc.dylib) [com.apple.xpc:connection] [0x600001a7db30] failed to do a bootstrap look-up: xpc_error=[159: Unknown error: 159] I tried putting the sysex and the host app in the same app group, and it didn't help and I also read this is bad practice to have an app group between a sandboxed app and a system extension so I removed it. I tried adding a temporary-exception and with it, the code works properly. I tried with the XPC_CONNECTION_MACH_SERVICE_PRIVILEGED flag but it still didn't work. Is it possible to have an XPC connection between a ES sysex and it's host app? Should the service name have a prefix of the bundle name or does it must have a certain pattern? Do I need to add some capability in the Certificates, Identifiers & Profiles? Thanks for helping.

Hello, As part of developing a DLP system, I need to block input devices upon detection of data leakage. Could you advise if it's possible to temporarily disable the built-in keyboard and camera? Thank you in advance, Pavel

We have a Network Extension system extension implementing NEFilterPacketProvider to inspect all incoming and outgoing network traffic. We also want to monitor socket-level events such as connect(), bind(), and similar, by leveraging the Endpoint Security framework. Does this require developing a separate system extension for Endpoint Security? Additionally, what is the recommended approach for sharing context and data between the Network Extension and the Endpoint Security extensions?

Hello, I am working on app which must prevent attaching any USB devices to Mac due to security. Unfortunately I have not found any direct way to implement such blocking: Looks like IOKit does not allow to block USB (at least in user space) ES_EVENT_TYPE_AUTH_IOKIT_OPEN (Endpoint Security) does not prevent using USB device if I send response ES_AUTH_RESULT_DENY for "AppleUSBHostDeviceUserClient" I have found several similar problems on forum but no any solution: https://developer.apple.com/forums/thread/671193 (https://developer.apple.com/forums/thread/756573 https://developer.apple.com/forums/thread/741051 What is the easiest way to implement such blocking? Thank you in advance!

I download SampleEndpointApp, and config signing&capabilities->team as my developer Id. Xcode created a profile of bundle identifier automatically. However the project build still failed for sign. What's the reason for that? How can I resolve it?

I'm working on a system extension leveraging endpoint security entitlement. However, while in development, is there a way to continue working and testing locally without having the endpoint security entitlement approved or needing the extension signed. I got these errors running a build: Provisioning profile "Mac Team Provisioning Profile: "com.xxxxx.extension" doesn't include the com.apple.developer.endpoint-security.client entitlement.

Will the ES_EVENT_TYPE_NOTIFY_OPEN event be called back when the user has already returned es_respond_flags_result(client, msg, 0, false) in ES_EVENT_TYPE_AUTH_OPEN? I believe the ES_EVENT_TYPE_NOTIFY_OPEN event should not be triggered if the user has already denied the open operation in the ES_EVENT_TYPE_AUTH_OPEN response handler. However, during my testing, ES_EVENT_TYPE_NOTIFY_OPEN was still being called even after I blocked the open process. Is this behavior correct?

We have a launch daemon which can check for team identifier and some other signing information of any application on machine and match it with provided information to confirm the validity of the application/binary. We use SecStaticCodeCreateWithPath to read the signing information of the app/binary which works in most cases. However, for some third party daemon processes, the static code creation fails with error "Operation not permitted". We are having difficult time identifying why static code creation would fail specially when our process is running with root privileges. Can you please help us understand in what scenario can this API fail with this error? Can there be any process or rule which can deny creating static code of a process like endpoint security extensions/daemon? We are using default flags in SecStaticCodeCreateWithPath.

I wrote a simple program to hide the build-in camera by entitlement restriction as DTS suggested in the post: https://developer.apple.com/forums//thread/784511?answerId=839753022#839753022 But the program failed as the error message: Fail to open service: 0xe00002e6: Caller is not entitled to connect to EndpointSecurity. How can I apply for the entitlement to run the program? Is there any other solution to resolve hide build-in camera?

I have written the Transparent App Proxy and can capture the network flow and send it to my local server. I want to avoid any processing on the traffic outgoing from my server and establish a connection with a remote server, but instead of connecting to the remote server, it again gets captured and sent back to my local server. I am not getting any clue on how to ignore these flows originating from my server. Any pointers, API, or mechanisms that will help me?