Validating Signature Of XPC Process
Quinn, you've often suggested that to validate the other side of an XPC connection, we should use the audit token. But that's not available from the XPC object, whereas the PID is. So everyone uses the PID. While looking for something completely unrelated, I found this in the SecCode.h file:

OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED target);

Would this be the preferred way to do this now? At least from 11.0 and up. Like I said, I was looking for something completely unrelated and found this and don't have the cycles right now to try it. But it looks promising from the description and I wanted to check in with you about it in case you can say yes or no before I get a chance to test it. Thanks
Mar ’24
Two or more System Extension activation on Ventura
Hello! After submitting two OSSystemExtensionRequest (let's say Endpoint and Network extensions), when the user allows only one (endpoint) extension, we receive request: didFinishWithResult callback for both manager delegates. This leads us to falsely believe that both our extensions are allowed.

We tried to prevent this by using propertiesRequestForExtension where our (network) delegate will ask for properties, check if the given extension is enabled and then finish if it's ok. If it's not enabled, however, we receive no second callback when the user allows the other extension.

We thought that we would need to submit another OSSystemExtensionRequest for the extension that wasn't allowed to receive a callback when it finally is. However, the second and all other consecutive requests immediately finish and we receive request: didFinishWithResult even when the user does not allow the second extension.

Example:
- Endpoint and Network managers submit OSSystemExtensionRequest
- User only allows Endpoint extension
- Endpoint manager checks the properties, finds out it's enabled and finishes
- Network manager checks the properties, finds out it's disabled
- Network manager sends another OSSystemExtensionRequest
- Network manager immediately receives request: didFinishWithResult
- Network manager checks the properties, finds out it's disabled
- ....

This loop ends when the user finally allows the network extension, when the manager finds out that it's enabled. Is there something we are missing? Shouldn't another OSSystemExtensionRequest finish with requestNeedsUserApproval? How should we go about this issue? Many thanks, Denis
Aug ’23
ES sample project
I downloaded the ES sys-ext sample project. I built the 'NOTIFY' extension, and I was able to install it. However, it doesn't seem to work (or - it doesn't report anything). This is what I did:
- I downloaded the project
- I renamed the bundle IDs
- I disabled SIP
- I tried both signing options - let 'Xcode automatically manage signing', and I also tried to use my 'Developer ID'
- I moved the app to the Applications folder
- I granted the 'Full Disk Access' permission to the extension
- I verified that the extension is running
- I did not get the needed entitlement yet, but since SIP is disabled, I don't think it's a problem
- I did get the message 'Successfully installed the extension ✅'

At the terminal, I tried to capture relevant logs:

log stream --style compact --predicate 'sender == "myBundleId"'

(I tried it with the app bundleID, and with the extension's bundleId.) And yet, 'ps' triggers no logs.

At the Console, I get those messages:

"Unsatisfied entitlements: com.apple.developer.endpoint-security.client"
Disallowing: myBundleId
amfid: Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=, unsatisfiedEntitlements=, NSLocalizedDescription=No matching profile found}

Any idea where the problem is?
Dec ’23
TCC configuration (endpoint security extension) failing via MDM on Ventura
Hello there. We have an endpoint security service that consists of a command-line tool and a client app that bundles a network extension (the command-line tool runs as a daemon via Launch Services and communicates with the extension via XPC). It works when installed manually under all OS versions, and under MacOS 12.x (Monterey) and earlier when provisioned via MDM. However, beginning with some version of 13.x (Ventura), MDM provisioning is insufficient. The daemon is unable to connect to the extension via XPC. Under "Full Disk Access" in System Pref^H^H^H^HSettings, an entry for our component appears but the switch is off. Turning the switch on manually at this point does not change the situation; the daemon apparently remains unable to talk to the extension. It seems as though some additional entitlement or declaration is now needed in the MDM mobileconfig to make things work under 13.x and above, but after trying a multitude of combinations, I'm at a loss. Any hints?
Jul ’23
Checking the status of Endpoint Security entitlement request
Guys, I'm the account holder of my company and we are working on a new EPP solution. Approx two months ago I requested an Endpoint Security entitlement so we can develop our product and then requested it again about a month ago. Is there a way to see what the status of the request is and whether this time frame is indeed the one we should expect? Thanks a lot!
Aug ’23
Mac thinks my System Extensions are kernel extensions
I ran into a strange problem during development this morning. When trying to install my Endpoint and Network System Extensions (something I was able to do yesterday, and many times before), my Mac is prompting me to enable Kernel Extensions. Right before this happened, I had problems deleting the previous version of the apps from the /Applications folder (it took many tries). This too was unusual. After agreeing to allow the installation of my Endpoint System Extension, I was greeted with this previously unseen message and button: When I click "Enable System Extensions...", I am greeted with this alert: I also ran into this problem when trying to install my Network System Extension. Anyone have any idea how I screwed up my system? Anyone know how to return it to normal behavior?

System: Mac Studio 2022
OS: Ventura 13.4.1

(I'm thinking of reinstalling Ventura this evening; would prefer not to)
Jul ’23
How do I make my EndpointSecurity System Extension harder to kill?
I'm working on a System Extension that uses the EndpointSecurity framework to monitor various events. For some events, we're using ES_EVENT_TYPE_AUTH_* events, and actively preventing certain changes. All this works fine, while the extension is running. This is not an anti-virus product, but is similar enough that it might help to think of it that way for purposes of this discussion.

Much like any anti-malware tool, we'd like for the System Extension to be resilient to malicious processes, even processes running as root. If any random process that gets root can do the equivalent of kill -9 <my extension>, or systemextensionsctl uninstall <my extension>, then it's easy enough for them to kill the extension, then do something we would otherwise prevent. It's also possible for an end user to drag-uninstall the app, which disables the extension immediately, before we even have a chance to respond to any changes.

I know that various anti-virus software for Macs address this, and prevent a user from, for example, using sudo kill -9 <pid> to disable them. How is that typically done? Some possible approaches could be:
- Have two processes that watch each other, and restart each other if killed. There's a timing issue there that I'm not sure is easy to resolve, and I haven't tried launching a detached process from a system extension - that might not even work.
- I could have a separate launchdaemon which periodically checks to see if the extension (and app) are installed, and reinstalls them if they're missing. That leaves plenty of time for mischief to occur, but at least I'd have a window to detect it.
- It sounds like the NSEndpointSecurityRebootRequired Info.plist key might have some effect here, in that it prevents an extension from being replaced until a reboot. I should check and see what effect if any this has on removing the app or killing the extension.
- Maybe there's a System Profile setting that could be set through an MDM to prevent the application from getting uninstalled? I don't know my way around profiles very well, and I doubt this would address the "kill" issue, in any case.
- Probably there's some lower-level BSD or Mach API that could prevent attempts to kill the process.
- I could make a kernel extension for just this one thing, maybe using kauth(), but that seems overkill, and kernel extensions are not the Apple-suggested way to do anything these days.

If EndpointSecurity is intended to replace using kexts for anti-malware and detection uses, there must be a way to do this inside a system extension, right? So, yeah - preventing the user from doing something is going against the spirit of "do what you like with your own computer, especially if you have admin powers", but this software is typically going to be installed by corporate IT, not end users, and some end users "need" admin permissions (e.g. software developers)... Any suggestions would be appreciated.
Aug ’23
Endpoint Security demo app does not work
Hi all, I am trying to build the Endpoint Security demo app. So far, I have been granted access to the ES entitlement, and I enabled it. The app runs without error; when I run the app, it says "Successfully installed the extension". I granted full disk access to the extension and the app, but when I use

sudo launchctl list 3FB5******.com.example.apple-samplecode.SampleEndpointApp.Extension

I get

Could not find service "3FB5******.com.example.apple-samplecode.SampleEndpointApp.Extension" in domain for system

Even though the app runs without error, the "auth_demo" function, such as preventing opening TextEdit, does not work. Can I get any help from here? Thanks!
Aug ’23
Some questions on the es_event_mount_t and the es_event_remount_t structures
In the online documentation for es_event_mount_t, there are 3 fields listed for the es_event_mount_t structure: statts es_statfs_t reserved

I only see 2 fields in Xcode 14 and 14+1 SDKs.

[Q] Is this a typo? If it is, I can file a feedback report.

In the documentation for es_event_mount_t, the documentation describes the statfs field as "The statistics of the mounted file system".

[Q] As the file system is not mounted yet in the context of an AUTH event, is it to be read as the "The future/request statistics of the mounted file system".

It's worth noting that the header documentation says: The file system stats for the file system being mounted. So it looks like the online documentation describes the field for the NOTIFY event and the header one for the AUTH event. This is a bit confusing.

In the documentation for es_event_remount_t, the documentation describes the statfs field as "The statistics of the remounted file system.".

[Q] As the file system is not remounted yet in the context of an AUTH event, is it to be read as the "The future/request statistics of the remounted file system"?

[Q] In the case of a mount update, the statistics look more like the current statistics of the file system not the requested updated ones. What are these statistics supposed to be in this case?

The header documentation says: The file system stats for the file system being remounted which in the case of an update does not really clearly say whether this is the current or future stats.
Sep ’23
AKD authentication fails
I have an app that uses Apple's Endpoint Security system extension to collect a number of events including authentication events. I've noticed AKD (Apple Keychain Daemon?) generates fail authentication events when I unlock my Mac with either Touch ID or password. I don't think I've ever seen it succeed. Does anyone know what AKD is trying to authenticate and why it is failing? Should I mask these out from being shown, or are there cases where AKD authentication will matter? Hardware: MacBook Pro with M1 OS: macOS 13.5.2 Device is configured stand-alone (not a managed device)
Sep ’23
Non existent Endpoint Security Entitlement
Hello there, Today, after five months I have received an email from Developer Relations that "The entitlement for Endpoint Security has been assigned to your account". As you can see on the attached images, this is supposed to be the Production Entitlement (I got the dev entitlement a while ago). As far as I understand, I should be able to assign the entitlement in the "Identifiers>App IDs>App>Additional Capabilities". As you can see on my second screenshot, the UI only mentions "Development Developer ID" Distribution support. Furthermore, when creating a "Developer ID" (or even Mac App Store) provision profile, I should eventually see an "Additional Entitlements" section to be able to choose the production Entitlement. I can't find the "Additional Entitlements" UI in any Cert / identifier / Profile combinations. I tried Xcode 15's Automatic code signing as well, but it doesn't seem to do the trick. It totally seems as if I have never received the production entitlement. I saw Quinn's advice in an old thread, that presumably the entitlement was misaligned to the wrong profiles(?), and in this case: "To correct this, you’ll need to get back in touch with the folks who granted you the entitlement." I am devastated as I can be, I waited for this day like it was Christmas. I was pinging the "endpoint-review . at . apple.com" email address for months with no success. Then why would they answer my n+1th email? Anybody has any advice what to do? Which other email addresses should I try to ping? I still have 2 TSIs, but read earlier that they have no use in this regard. Thank you in advance, everyone
Sep ’23
Preventing deleting of an app
Apple's Endpoint Security framework seems to have ways to prevent deleting of files. If we write an app that has a system extension that uses this framework, will the same app be able to prevent deletion of its own .app file? If yes, when a user attempts to delete the app from the /Applications folder, can we ask the user to enter a 'master password' before the user is able to delete the app? The app is sandboxed, signed by Developer ID, and for macOS.
Sep ’23
app crash at com.apple.root.default-qos Dispatch queue
I implemented a multithreaded app, but there was a thread-related crash in the app, I don't understand why this happened, the corresponding stack trace is as follows.

Thread 15 Crashed:: Dispatch queue: com.apple.root.default-qos
0   libsystem_kernel.dylib    0x1a849ad98 __pthread_kill + 8
1   libsystem_pthread.dylib   0x1a84cfee0 pthread_kill + 288
2   libsystem_c.dylib         0x1a840a340 abort + 168
3   libc++abi.dylib           0x1a848ab08 abort_message + 132
4   libc++abi.dylib           0x1a847a950 demangling_terminate_handler() + 336
5   libobjc.A.dylib           0x1a8370320 _objc_terminate() + 144
6   libc++abi.dylib           0x1a8489ea4 std::__terminate(void (*)()) + 20
7   libc++abi.dylib           0x1a8489e40 std::terminate() + 64
8   libdispatch.dylib         0x1a830c1c8 _dispatch_client_callout + 40
9   libdispatch.dylib         0x1a831da04 _dispatch_root_queue_drain + 680
10  libdispatch.dylib         0x1a831e104 _dispatch_worker_thread2 + 164
11  libsystem_pthread.dylib   0x1a84cc324 _pthread_wqthread + 228
12  libsystem_pthread.dylib   0x1a84cb080 start_wqthread + 8
Sep ’23
sudo launchctl list "LastExitStatus" = 9;
I am trying to build the Endpoint Security demo app in Xcode. When I run

sudo launchctl list 3xxxxxxxx6.com.example.apple-samplecode.SampleEndpointApp.Extension

I get

{
    "LimitLoadToSessionType" = "System";
    "MachServices" = {
        "3FB5H67G96.com.example.apple-samplecode.SampleEndpointApp3FB5H67G96.Extension.xpc" = mach-port-object;
    };
    "Label" = "3FB5H67G96.com.example.apple-samplecode.SampleEndpointApp3FB5H67G96.Extension";
    "OnDemand" = false;
    "LastExitStatus" = 9;
    "Program" = "/Library/SystemExtensions/24197CF7-F318-4968-87D5-B869AAF544F5/com.example.apple-samplecode.SampleEndpointApp3FB5H67G96.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp3FB5H67G96.Extension";
};

When I run the app I get "Successfully installed the extension ✅" but nothing happens. What should I do from here? plz halp
Oct ’23
Endpoint Security event muting issue
Recently we've discovered an issue affecting our products in regards to using the Monterey+ provided new api calls to selectively mute events. Specifically, whenever using es_mute_process_events or es_mute_path_events, the ES_EVENT_TYPE_NOTIFY_OPEN event is ignored for muting (meaning the call will return success, but the event will keep coming). This is true only for this event as far as I can tell, its AUTH counterpart stays muted (along lots of other processes: clone, rename, close, unlink, fork etc). It fails if either the event is in a list of events or if the event is singled out in 1 sized vector of events. When using a dedicated client for this event and using the previous api, es_mute_process or es_mute_path muting works as intended. Tested on ventura 13.5 and 13.6. Is there something that can be done to prevent dedicated clients or is this a known issue?
Mar ’24
es_respond_flags_result(client, msg, 0, true) to path /Users/Desktop/folder
I am playing around with Endpoint Security using demo code. I tried to handle the AUTH open event on a specific folder on my Desktop, set to deny all, but whenever I set this extension, I successfully get deny all on the folder as well as all other files and documents in the Users space.

static void handle_open_worker(es_client_t *client, const es_message_t *msg)
{
    static const char *test_nnn = "/Users/myname/Desktop/endpoint_test/block_this_folder/";
    static const size_t nnn_length = sizeof(test_nnn) - 1;
    if (strncmp(msg->event.open.file->path.data, test_nnn, nnn_length) == 0) {
        es_respond_flags_result(client, msg, 0, true);
    } else {
        // Allow everything else...
        es_respond_flags_result(client, msg, 0xffffffff, true);
    }
}

Why does the code apply to all other files rather than only denying open on /Users/myname/Desktop/endpoint_test/block_this_folder/?
Oct ’23
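Added example, not part of the original post or of Apple's sample code: in the handler above `test_nnn` is a `const char *`, so `sizeof(test_nnn) - 1` is the pointer size minus one (7 on a 64-bit build) and `strncmp` compares only the leading `/Users/`. The code below reproduces that length and sets it beside a bounded directory-prefix check; `posted_prefix_len`, `posted_match`, `path_is_under` and `blocked` are hypothetical names, the sample paths are constructed, and the path/length pair stands in for the `data` and `length` fields of `es_string_token_t`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Directory from the post. Declared as an array, so sizeof counts its bytes. */
static const char BLOCKED_DIR[] =
    "/Users/myname/Desktop/endpoint_test/block_this_folder/";

/* Length as the posted handler computes it: sizeof applied to a pointer. */
static size_t posted_prefix_len(void) {
    const char *test_nnn = BLOCKED_DIR;
    return sizeof(test_nnn) - 1;          /* sizeof(char *) - 1, not the string length */
}

/* The posted comparison, kept as written to show which paths it matches. */
static bool posted_match(const char *path) {
    return strncmp(path, BLOCKED_DIR, posted_prefix_len()) == 0;
}

/* True when path is dir itself or lies below it. Lengths are explicit so the
 * check never reads past the bytes the caller actually has.
 * Assumption: dir is an absolute directory path other than "/". */
static bool path_is_under(const char *path, size_t path_len,
                          const char *dir, size_t dir_len) {
    while (dir_len > 1 && dir[dir_len - 1] == '/')
        dir_len--;                        /* ignore trailing '/' on the directory */
    if (path_len < dir_len || memcmp(path, dir, dir_len) != 0)
        return false;
    /* Require a component boundary so "block_this_folder_2" does not match. */
    return path_len == dir_len || path[dir_len] == '/';
}

/* Convenience wrapper for NUL-terminated sample strings. */
static bool blocked(const char *path) {
    return path_is_under(path, strlen(path), BLOCKED_DIR, sizeof(BLOCKED_DIR) - 1);
}

int main(void) {
    /* Constructed sample paths. */
    const char *samples[] = {
        "/Users/myname/Desktop/endpoint_test/block_this_folder/secret.txt",
        "/Users/myname/Desktop/endpoint_test/block_this_folder",
        "/Users/myname/Desktop/endpoint_test/block_this_folder_2/a.txt",
        "/Users/someone/Documents/report.txt",
        "/private/tmp/scratch",
    };
    printf("posted prefix length: %zu, full length: %zu\n",
           posted_prefix_len(), sizeof(BLOCKED_DIR) - 1);
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-66s posted=%d bounded=%d\n", samples[i],
               posted_match(samples[i]), blocked(samples[i]));
    return 0;
}
```

In a real handler the comparison would take `msg->event.open.file->path.data` and `.length` directly instead of calling `strlen`.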
es_respond_flags_result does not work for system files on macOS Sonoma
Hi all, I'm developing an app that can disallow read and/or write access to selected files. I'm doing this with es_respond_flags_result:

es_respond_result_t es_result;
if (blockingState) {
    // Don't allow any operations on path...
    es_result = es_respond_flags_result(client, msg, 0, false);
    // Deny writing to path...
    // es_respond_flags_result(client, msg, 0xffffffff & ~FWRITE, true);
    // Deny reading of path...
    // es_respond_flags_result(client, msg, 0xffffffff & ~FREAD, true);
} else {
    // Allow everything else...
    es_result = es_respond_flags_result(client, msg, 0xffffffff, false);
}

While everything works correctly for files on the desktop, blocking fails for files in the "/System/Library/" path. Everything worked great under macOS Ventura. Now on macOS Sonoma it does not work anymore. On macOS Sonoma I still get ES_RESPOND_RESULT_SUCCESS as the result from es_respond_flags_result but the files can still be read/written. What has changed in macOS Sonoma? I cannot find anything about this in the change logs. Are more adjustments needed for macOS Sonoma? Thanks for any advice! nm196
Oct ’23
Endpoint System Extension, full disk access, "allow"
I have an endpoint system extension that monitors exec system calls. It works fine, but I have to follow a very specific order when installing it. When I (the user) click to install, I get the option to open System Settings. There, I am presented with an option to "Allow" the endpoint application. If I:

(1) click "Allow" and then
(2) enable full disk access

The application runs but doesn't get exec events. Console shows the error message

Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access

Even after enabling full disk access (after allowing the extension to be installed), I do not get the exec events. To resolve this, I have to uninstall the endpoint system extension and reinstall it. (Note: If I first grant full disk access and then allow the endpoint system extension to be installed, everything works fine, but I suspect most users will now follow this happy path.) Is there a way to smooth this out, so that once full disk access is granted, the endpoint system extension gets events without needing to uninstall and reinstall the endpoint agent?
Oct ’23