Hi! I am trying to run the demo app(SampleEndpointApp) from the WWDC2020 presentation(link). Here are the steps I followed in order to run the app: I submitted a request for the Endpoint Security entitlement and got the approval from the Apple Support team. Created an identifier and assigned Endpoint Security capability. Updated the Bundle Identifier in ViewController.m and in the Extension target. Built and copied the app bundle to /Application folder. Ran the app, clicked "Install Extension" and got the confirmation message that everything went well. Looking into the logs, I see the following : (libEndpointSecurity.dylib) Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access I keep getting the same message even after granting SampleEndpointApp Full Disk Access in Privacy & Security. System : macOS Sequoia 15.1.1 Could you please assist me with this issue? Andrei

I added ES_EVENT_TYPE_AUTH_SIGNAL to the event list, and added logging: os_log_debug(esfLogger, "antitampering signal %d from process %{public}s to process %{public}s", esm.signal, signing.UTF8String, targetSigning.UTF8String); I get some logs, such as 2024-12-09 10:21:47.668034+0000 0xc2c562 Debug 0x0 29448 0 DopeMonitorService: [security.dope:anti-tamper] antitampering signal 0 from process com.apple.spindump to process com.apple.mds_stores But when I do sudo kill -9 ${ourappprocess}, the proess dies with no log generated. (This is a different process than the one using ESF; the goal is, obviously, to keep our processes from being killed, but I'm only at the logging stage so far.) sudo kill -INFO ${ourappprocess} works: 2024-12-09 10:21:38.410851+0000 0xc2c562 Debug 0x0 29448 0 Monitor: [debug:anti-tamper] antitampering signal 29 from process com.apple.csh to process Worker So it is getting through to the monitoring process. But kill -9 ... isn't. Am I missing something obvious again?

Is this always possible using systemextensionsctl by root? Is there a way to prevent root from removing an Endpoint Security Extension? The use case is for a Mac managed by AirWatch.

I am currently working on ways my application which would monitor the dlopen() and dlsym() calls made on macOS. In the current list of events endpoint security framework provides, I don't see a relevant event which would give me this information. Are there any alternate ways we can get these events on macOS?

Hi, I’m able to view the activity log using the macOS application integrated with Endpoint Security Entitlement in Xcode by setting Debug Process As: root. However, after archiving the application into a .app using a Developer ID Application certificate and sending it to my friend, they encountered the error ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED during client initialization when running the application. Could you please guide me on how to resolve this issue? Specifically, what is the correct technical approach to make the application run as root? Thanks

Hello, My app needs to report whether a file, which is located on usb volume, is modified by specific application. I use Endpoint Security framework and I know about "Inferring High-Level Semantics from Low-Level Operations" problem. However, in spite of this limitation, I need to implement app which reports as much info as possible. I faced with some unclear behaviour of TestEdit. The scenario is: Open a file, which is located on usb volume, by TextEdit /dev/disk4s2 on /Volumes/USBVol (msdos, local, nodev, nosuid, noowners, noatime, fskit) Modify and save it Endpoint Security reports open and close events only (modified flag is false) ES_EVENT_TYPE_AUTH_COPYFILE, ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_NOTIFY_UTIMES and ES_EVENT_TYPE_NOTIFY_WRITE are not reported by Endpoint Security (monitored all processes in system). (Looks like the same behaviour for Xcode) I am stuck in this moment. Are there any way to monitor file modification if user do it by TextEdit? Thank you in advance!

Hello, My app is handling ES_EVENT_TYPE_AUTH_OPEN. Which character encoding is used in Endpoint Security events? (es_file_t) Thank you in advance, Pavel

I'm try to monitor all processes by ES client. But I found the process name is different from the Activity Monitor displayed. As shown in the picture below, there are ShareSheetUI(Pages) and ShareSheetUI(Finder) processes in Activity Monitor, but I can only get the same name ShareSheetUI, I thought of many ways to display the name in parentheses, but nothing worked, so there is a way to display the process name like Activity Monitor?

Hello, My application monitors ES_EVENT_TYPE_NOTIFY_CLOSE. If a file is dragged to another location in Finder, the Endpoint Security reports the event ES_EVENT_TYPE_NOTIFY_CLOSE was performed by '/usr/libexec/xpcproxy'. So, xpcproxy is the process that performed ES_EVENT_TYPE_NOTIFY_CLOSE. Looks like the dragged file is copied by some XPC service. I have found the audit user id is equal to user who dragged a file. Can audit user id be used to identify a user who triggers copy file action in this case? If no, are there any way to define such info? Thank you in advance!

I'm developing a file access control system. In order to protect the file content copied out, I'm finding a way to deny user copy file content to other files. I know there are data transmission between the copied application and pboard service by XPC. But I don't know how to interrupt the data transmission. Or I can do something to stop the copied data send to the Clipboard. So is there any way to prevent the contents of a file being copied?

Hi, i'm working on an endpoint security extension loader and implement several callbacks from delegate object OSSystemExtensionRequestDelegate the callback i'm interested in is : public func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result); public func requestNeedsUserApproval(_ request: OSSystemExtensionRequest); I've noticed that if I manually approve the extension long time after it was activated, the extension process goes up, but the callback isn't being called. The requestNeedUserApproval callback always gets called. I see in the unified logs that when the extension goes from activated_waiting_for_user -> activated_enabling -> activated_enabled Than the request callback doesn't get called. But whenever the extension goes activated_waiting_for_user -> activated_disabled The request callback gets called. (this is counter intuitive since we expected the state activated_disabled may hint that the extension failed to be activated somehow) Any Idea why my callback doesn't gets called if the extension gets approved long after it was activated ?

I try to do unit test for an ES system extension's code using Unit Testing Bundle.  the code tries to get NSEndpointSecurityMachServiceName in info.plist by [bundle objectForInfoDictionaryKey:] but failed.  I have added NSEndpointSecurityMachService to info.plist of Test Bundle, and I did check info.plist file in bundle, NSEndpointSecurityMachServiceName was listed there.

Hello, Let's say I have several opened user sessions in parallel. Endpoint Security notify about executing a process (ES_EVENT_TYPE_NOTIFY_EXEC) and provide audit token. The goal is to find relationship between logged-in users and new process. Can I use audit user ID for this? Thank you in advance.

I have a process [command line cpp application] which i want to run always such as it should relaunch after a crash, after device startup etc. I created a launchd Property List File with KeepAlive true and placed under /Library/LaunchDaemons. Problem Statements: I have a bash script to start and stop this process. start using: launchctl bootstrap. stop involve these two steps: send SIGTERM signal and wait untill process stops after doing some cleanups launchctl bootout [It doesn't sends SIGTERM] during steps 1 - Process is getting stop, but also getting immediate relaunch by launchctl during step 2 - it getting stop again. is there a proper way so that we can disable KeepAlive temporarily so that process will not launch during step 1? or suggest other ways to handle this?

Firstly, I want to keep my GUI app available for download on the Mac App Store, which means I need to provide the Endpoint Security functionality in some other executable, such as a daemon. I'm going to use a User Agent for user-aware background processing. Instead of the typical use of adding an Endpoint Security system extension to a macOS app, could I instead add the sysex to my User Agent bundle? I like the benefits of coupling the sysex to the client that will interact with it, and this would also allow me to not have to worry about managing a daemon. I could simply provide the User Agent in a downloadable installer signed with my Developer ID certificate.

Trying to flesh out an idea for an application which would rely on Endpoint Security Framework and Network Extension Framework, where intend the application to: Forward certain ESF events to a backend (on a separate server) Forward certain Unified logs to a backend (on a separate server) Forwarding various DNS queries and responses (on a separate server) Retrieve configuration from the backend to set Network Extension Filters Are there any limitations and/or reasons not to bundle all this functionality into a single system extension? I know of other applications where system extension is very thin and main application (daemon) communicates over xpc with the system extension, would this be considered best practice?