I have an Electron Application which is hosting Endpoint Security System Extension. Usually I'm uninstalling it by deleting host application from /Applications/ folder. However, after updating multiple of my machines to Sonoma 15.3.2, this uninstallation flow doesn't work anymore. When I delete host app, it shows promt (approximately) "This application is hosting SysEx which will be removed..." After that, application is moved to .trash, however System Extension remains active and visible in System Settings. Host application name is changed to file name (Some Application -> Some Applciation.app) and this entry has no icon for Host App. I would appreciate any assistance on how to fix that or maybe create a bug report.

I am encountering an issue with my application, BloxOneEndpoint.pkg, which includes two services: rc_service_infoblox – Runs as the root user. Controller Application – Runs as a normal user. Although a thread within rc_service_infoblox is running fine and performing its expected tasks, I notice that the service appears as "Not Responding" in Activity Monitor. Despite normal functionality, this status is concerning, as it may indicate some issue to customer. I would appreciate any insights into why this might be happening and how to resolve it. Is there a specific API or mechanism I should use to ensure the service remains in a "Running" state in Activity Monitor? Thank you for your guidance.

I have a launch daemon that's using the Endpoint Security framework which also is causing high memory usage (in Activity Monitor memory column shows for example 2GB and Real Memory 11MB) when building a big project in Xcode. Is it some kind of memory caching by the system? leaks -forkCorpse seems to not show any leaks. How can I attach with heap or Instruments without the process being killed with "ENDPOINTSECURITY, Code 2 EndpointSecurity client terminated because it failed to respond to a message before its deadline"?

I am using es_new_client and es_subscribe in SystemExtension and EndpointSecurity. I tested it on M3, and it is working. It also works on M1 versions 12, 13, and 14. Additionally, ES_EVENT_TYPE_NOTIFY_KEXTUNLOAD is functioning correctly. However, there is a bug on M1 Big Sur where es_new_client's es_handler_block_t cannot receive ES_EVENT_TYPE_NOTIFY_KEXTLOAD. The tested command is: sudo kextload /System/Library/Extensions/msdosfs.kext sudo kextload /System/Library/Extensions/*.kext Is this intended behavior or a bug? Are there any plans to fix it?

We have an application that integrates with the sharingd driver to monitor data transfers via AirDrop. Additionally, we utilize the Endpoint Security API to track file access and application activities. Prior to the Sequoia update, our solution was effectively detecting and blocking sensitive files sent via AirDrop. However, following the update, our drivers are no longer detecting these file transfers. Could you confirm if there have been any changes to the Endpoint Security API, sharingd, or any other relevant system components that might be affecting this behavior? Any insights or documentation on recent modifications would be greatly appreciated. Thanks.

When I'm using Endpoint Security to monitor the file creation behavior of Keynote, I've noticed that when I choose to export a Keynote file as an HTML file, ES only triggers the ES_EVENT_TYPE_NOTIFY_CREATE notification for the index.html file, and the ES_EVENT_TYPE_AUTH_CREATE is not triggered. I've double - checked my code many times, and I'm pretty sure there's no error in it. Does ES only call the notification event without calling the authorization event under certain circumstances? Or is this a bug in ES?

I am having difficulty getting my container app with an embedded endpoint security extension to work on a virtual Mac. My virtual Mac has system integrity protection turned off. I have used spctl and System Settings to allow applications from anywhere. I am using the development entitlement profile to sign my container app. When I run my app, it crashes with Termination Reason: COODESIGNING 1 Taskgated Invalid Signature. I assume this has to do with the app being signed with my developer profile that contains a list of Macs that can run the software. How can test my endpoint security extension on a virtual Mac?

My question is: Do I need two App IDs? One for my launch daemon in order to sign it properly, allowing it to use the Endpoint Security framework. One for the container app. My understanding is that my existing launch daemon can perform the endpoint security requirements I need. So far, I have had just one App ID for my container app that lives in /Applications. I have applied for the endpoint security restricted entitlement and have this for development now. Do endpoint security items have go in Library/SystemExtension? Can my launch daemon live in Library/LaunchDaemons and still use the Endpoint Security framework?

Hello, es_event_mount_t includes statfs structure. This structure has the field 'f_type' which defines type of filesystem. However, man page says nothing about possible values of this field. What is the best way to define file system type? Can I use 'f_type' or 'f_fstypename'? If so, are there any constants in header files which can be used? Thank you for your help!

Hey, our app is host for system extension and since macOS 15.3 there is an error when user tries delete an app pop with missing permission appears Is it intentional? Is it a bug? if not how in correct way should we handle removing of SE when app is being to removed?

I have a weird issue with our Endpoint Security extension. A couple of the checks we do require calling into Apple frameworks (Security, Disk Arbitration) and these checks can happen early in the boot process. On macOS 13 (and possibly earlier), sometimes these calls get stuck and never return. When this happens, the kernel will kill the extension and this generates a crash log. This adds significant time to the boot, enough that people notice. In every case, the thread where the call into the Apple framework occurred shows that the thread is stuck in mach_msg2_trap(), which I now understand means it's likely waiting on an event or message. Now here's where things get weird. I discovered that if I shunt the check off onto a Thread subclass and put it in a DispatchGroup (perhaps the wrong primitive), then wait() on that group with my own timeout, the thread will get unstuck within a couple hundred milliseconds of the timeout. The timeout can be a couple of seconds or longer. In every case, the thread unblocks, returns from mach_msg2_trap() and the original call finishes as expected. Is there a rational explanation for this behavior? Am I crazy to even consider shipping this workaround?

Hi! I am trying to run the demo app(SampleEndpointApp) from the WWDC2020 presentation(link). Here are the steps I followed in order to run the app: I submitted a request for the Endpoint Security entitlement and got the approval from the Apple Support team. Created an identifier and assigned Endpoint Security capability. Updated the Bundle Identifier in ViewController.m and in the Extension target. Built and copied the app bundle to /Application folder. Ran the app, clicked "Install Extension" and got the confirmation message that everything went well. Looking into the logs, I see the following : (libEndpointSecurity.dylib) Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access I keep getting the same message even after granting SampleEndpointApp Full Disk Access in Privacy & Security. System : macOS Sequoia 15.1.1 Could you please assist me with this issue? Andrei

Is this always possible using systemextensionsctl by root? Is there a way to prevent root from removing an Endpoint Security Extension? The use case is for a Mac managed by AirWatch.

I am currently working on ways my application which would monitor the dlopen() and dlsym() calls made on macOS. In the current list of events endpoint security framework provides, I don't see a relevant event which would give me this information. Are there any alternate ways we can get these events on macOS?

Hi, I’m able to view the activity log using the macOS application integrated with Endpoint Security Entitlement in Xcode by setting Debug Process As: root. However, after archiving the application into a .app using a Developer ID Application certificate and sending it to my friend, they encountered the error ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED during client initialization when running the application. Could you please guide me on how to resolve this issue? Specifically, what is the correct technical approach to make the application run as root? Thanks

Hello, My app needs to report whether a file, which is located on usb volume, is modified by specific application. I use Endpoint Security framework and I know about "Inferring High-Level Semantics from Low-Level Operations" problem. However, in spite of this limitation, I need to implement app which reports as much info as possible. I faced with some unclear behaviour of TestEdit. The scenario is: Open a file, which is located on usb volume, by TextEdit /dev/disk4s2 on /Volumes/USBVol (msdos, local, nodev, nosuid, noowners, noatime, fskit) Modify and save it Endpoint Security reports open and close events only (modified flag is false) ES_EVENT_TYPE_AUTH_COPYFILE, ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_NOTIFY_UTIMES and ES_EVENT_TYPE_NOTIFY_WRITE are not reported by Endpoint Security (monitored all processes in system). (Looks like the same behaviour for Xcode) I am stuck in this moment. Are there any way to monitor file modification if user do it by TextEdit? Thank you in advance!

Hello, My app is handling ES_EVENT_TYPE_AUTH_OPEN. Which character encoding is used in Endpoint Security events? (es_file_t) Thank you in advance, Pavel

Hello. When testing with the Endpoint Security Framework for the AUTH_OPEN event, I found that the deadline was 15 seconds, but the actual process termination occurred at 5 or 6 seconds. Is this intended?

I'm try to monitor all processes by ES client. But I found the process name is different from the Activity Monitor displayed. As shown in the picture below, there are ShareSheetUI(Pages) and ShareSheetUI(Finder) processes in Activity Monitor, but I can only get the same name ShareSheetUI, I thought of many ways to display the name in parentheses, but nothing worked, so there is a way to display the process name like Activity Monitor?

Hello, My application monitors ES_EVENT_TYPE_NOTIFY_CLOSE. If a file is dragged to another location in Finder, the Endpoint Security reports the event ES_EVENT_TYPE_NOTIFY_CLOSE was performed by '/usr/libexec/xpcproxy'. So, xpcproxy is the process that performed ES_EVENT_TYPE_NOTIFY_CLOSE. Looks like the dragged file is copied by some XPC service. I have found the audit user id is equal to user who dragged a file. Can audit user id be used to identify a user who triggers copy file action in this case? If no, are there any way to define such info? Thank you in advance!