My question is: Do I need two App IDs? One for my launch daemon in order to sign it properly, allowing it to use the Endpoint Security framework. One for the container app. My understanding is that my existing launch daemon can perform the endpoint security requirements I need. So far, I have had just one App ID for my container app that lives in /Applications. I have applied for the endpoint security restricted entitlement and have this for development now. Do endpoint security items have go in Library/SystemExtension? Can my launch daemon live in Library/LaunchDaemons and still use the Endpoint Security framework?

Hello, es_event_mount_t includes statfs structure. This structure has the field 'f_type' which defines type of filesystem. However, man page says nothing about possible values of this field. What is the best way to define file system type? Can I use 'f_type' or 'f_fstypename'? If so, are there any constants in header files which can be used? Thank you for your help!

Hey, our app is host for system extension and since macOS 15.3 there is an error when user tries delete an app pop with missing permission appears Is it intentional? Is it a bug? if not how in correct way should we handle removing of SE when app is being to removed?

Hi! I am trying to run the demo app(SampleEndpointApp) from the WWDC2020 presentation(link). Here are the steps I followed in order to run the app: I submitted a request for the Endpoint Security entitlement and got the approval from the Apple Support team. Created an identifier and assigned Endpoint Security capability. Updated the Bundle Identifier in ViewController.m and in the Extension target. Built and copied the app bundle to /Application folder. Ran the app, clicked "Install Extension" and got the confirmation message that everything went well. Looking into the logs, I see the following : (libEndpointSecurity.dylib) Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access I keep getting the same message even after granting SampleEndpointApp Full Disk Access in Privacy & Security. System : macOS Sequoia 15.1.1 Could you please assist me with this issue? Andrei

I added ES_EVENT_TYPE_AUTH_SIGNAL to the event list, and added logging: os_log_debug(esfLogger, "antitampering signal %d from process %{public}s to process %{public}s", esm.signal, signing.UTF8String, targetSigning.UTF8String); I get some logs, such as 2024-12-09 10:21:47.668034+0000 0xc2c562 Debug 0x0 29448 0 DopeMonitorService: [security.dope:anti-tamper] antitampering signal 0 from process com.apple.spindump to process com.apple.mds_stores But when I do sudo kill -9 ${ourappprocess}, the proess dies with no log generated. (This is a different process than the one using ESF; the goal is, obviously, to keep our processes from being killed, but I'm only at the logging stage so far.) sudo kill -INFO ${ourappprocess} works: 2024-12-09 10:21:38.410851+0000 0xc2c562 Debug 0x0 29448 0 Monitor: [debug:anti-tamper] antitampering signal 29 from process com.apple.csh to process Worker So it is getting through to the monitoring process. But kill -9 ... isn't. Am I missing something obvious again?

Is this always possible using systemextensionsctl by root? Is there a way to prevent root from removing an Endpoint Security Extension? The use case is for a Mac managed by AirWatch.