questions about EndpointSecurity & System Extension

Hi,


We have some questions about the EndpointSecurity Frameworks.


1. Must the EndpointSecurity client be a system extension?

We use the es-client entitlement, making a development provisioning profile with the EndpointSecurity-client capability. Then we build a simple app (no system extension) with EndpointSecurity.framework and that provisioning profile. It works well on another machine on which SIP is enabled (root permission & approved by TCC).

So, does this mean that we can distribute the EndpointSecurity client as a simple app (without a system extension)?


2. If we must package Endpoint Security as a system extension contained in an app, can the containing app be distributed in the Mac App Store?

Answered by DTS Engineer in 402187022

right now NetworkExtension system extensions have the opposite problem, where you can’t deploy them via Developer ID

I have some good news on that front. It should now be possible to ship Developer ID signed NetworkExtension system extensions. Yay!

To get this working, you have to use a new set of NE entitlement values. For example, a Mac App Store transparent proxy uses the app-proxy-provider value, while a Developer ID product should use app-proxy-provider-systemextension. The full list of these is documented on the com.apple.developer.networking.networkextension entitlement page.

Note These entitlement values are understood by macOS 10.15 and later.

If you have an existing development signed NE sysex project, here’s how to change it over:

  1. On the developer web site, create two new App IDs, one for the container app and one for the system extension embedded within that container.

  2. Add the Network Extension capability to both App IDs.

  3. Add the System Extension capability to the app’s App ID.

  4. Add any other capabilities you need.

  5. Create Developer ID profiles for both of these.

  6. Download and import those profiles into Xcode.

  7. In Xcode, configure your app and sysex targets to use manual code signing.

  8. Then select the appropriate profile for each target.

  9. Change the bundle IDs to match your new App IDs. This will require additional changes in your code, for example:

    It’s best to do a search for the old bundle ID in order to make sure you got everything.

  10. For both the app and the sysex, change your .entitlements file to use the new sysex variant of the entitlement. For example, if you’re creating a transparent proxy, you’d change app-proxy-provider to app-proxy-provider-systemextension.

    Note Xcode has not yet been updated to display a nice string for these (r. 58567937).

  11. Build your app.

  12. Install and test on a macOS 10.15 system with SIP disabled.

    Note You only need to have SIP disabled if your app isn’t notarised. When you deploy to users, you notarise your app and that lifts the SIP requirement.

I just went through this process here in my office and it seems to work.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

We are still seeing this and we tried everything. There was a post removed that seemed to show why this would never work. Did you test with packet-tunnel or just app-proxy?

neagent Rejecting app extension provider BUNDLE because it is signed with a Developer ID certificate

I did everything as described by eskimo one more time, from scratch.


I've been trying with the previously existing app and sysex IDs we had by just regenerating the provisioning profiles after modifying app entitlements and it didn't work. Now I tried using freshly generated ones, still seeing the same issue.


"neagent Rejecting app extension provider REDACTED.macos2.worker because it is signed with a Developer ID certificate"


So what I have now is this:


1. App

The code signature contains entitlements.

Sandbox entitlements:

User-selected files, read access: YES.

Allow outgoing network connections: YES.

Team identifier: “[TEAM]”.

Application groups: “group.[ID]”.

Application identifier: “[TEAM].[ID].macos2”.

Other entitlements:

keychain-access-groups: “[TEAM].keychain.[ID]”.

com.apple.developer.system-extension.install: YES.

com.apple.developer.networking.networkextension: “packet-tunnel-provider-systemextension”.



2. Sysex

The code signature contains entitlements.

Sandbox entitlements:

Allow outgoing network connections: YES.

Team identifier: “[TEAM]”.

Allow incoming network connections: YES.

Application groups: “group.[ID]”.

Application identifier: “[TEAM].[ID].macos2.worker”.

Other entitlements:

keychain-access-groups: “[TEAM].keychain.[ID]”.

com.apple.developer.networking.networkextension: “packet-tunnel-provider-systemextension”.


Are these entitlements OK?


I also verified that the profile has all com.apple.developer.networking.networkextension entitlements listed for both App and Sysex:


Profile:

<key>Entitlements</key>
<dict>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
</array>

Code signature claimed entitlements:

<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
</array>


Did you test with packet-tunnel or just app-proxy?

I tested with transparent proxy. I’d be quite surprised if it were broken for other provider types, but anything is possible. At this point I’m going to recommend that you open a DTS tech support incident so I can look at this in detail. Or, if you’re sure you’ve got it right, simply file a bug (in which case, please post your bug number, just for the record).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I had a chat with the system extension team about this. It seems that the <TeamID>.<BundleID>.xpc Mach service was specifically added to allow your clients to communicate with an XPC service vended by your system extension.

As a follow-up to this, check out the discussion of 57244148 in the macOS Catalina 10.15.4 Beta Release Notes.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn,


The man page that this leads you to says for NSEndpointSecurityMachServiceName, "If set, this string will be the name of the MachService which can be used for XPC between the ES extension and its app." Since this is no longer a LaunchDaemon app with a plist that has mach services, will this work the same and let any application connect to the ES extension via XPC? We have multiple apps that need to connect to our driver and if it's only the enclosing app that this allows, well, that'll not be good.


This is on my plate to work on again next week, and it'd be nice to know before I head down a dead end.


Thanks

As this is brand new, the short answer here is that I don’t know )-: It should be pretty easy to test though.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I will share what I find when I get to that point.


Thanks, Quinn

I'm still trying to launch my command-line endpoint agent via launchd from an XPC request from the GUI application.


Everything works fine with SIP turned off, but once SIP is turned back on, the endpoint agent exits with a status of -9.


The console error message is:

removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /usr/local/netsqllc/libexec/netsq_endpoint_agent:
   Code has restricted entitlements, but the validation of its code signature failed.

The code has been signed with my "Developer ID Application" certificate

The package built with my "Developer ID Installer" certificate

The package has been notarized.

And the application installed via the notarized package installer.


My "request to use Endpoint Security was approved", but I had some problems with the instructions in the email. They seemed to indicate that this would be a GUI app and not a command-line app.


For example, I cannot set the "Provisional Profile" for a command-line application.


Any suggestions or Tech Notes for configuring the command-line application for Endpoint Security with SIP activated?


Thanks,

For example, I cannot set the "Provisional Profile" for a command-line application.

This is likely to be the problem. Amongst other things, a provisioning profile whitelists the entitlements you use [1]. Thus, your ES daemon will definitely need this profile. Unfortunately there’s no way to package a daemon along with a profile, which is why Xcode won’t let you do this for your current command-line tool target.

For the system to pick up the profile, you have to package your daemon in an app-like structure. The easiest way to do this is to create an app target, strip out all the app stuff (apart from the Info.plist), and replace the main function with your daemon’s main.

Or use a system extension, which already has this app-like structure and thus avoids this problem completely.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Some entitlements, like the App Sandbox entitlements, can be used without being whitelisted, but the ES entitlement definitely needs it.
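The three points above fit together as one mechanical check: Quinn’s conversion steps (step 9, matching bundle IDs; step 10, the -systemextension entitlement values), the profile-versus-claimed-entitlements comparison mdolan posted, and the footnote that the provisioning profile must whitelist the entitlements the binary claims. The script below is an added example, not code from this thread or from Apple. On macOS the two inputs would be the output of `security cms -D -i Some.app/Contents/embedded.provisionprofile` and `codesign -d --entitlements :- Some.app`; here both plists are constructed inline, modelled on the ones quoted in the thread, so it runs anywhere. The App IDs and the mapping from the Mac App Store entitlement values (only app-proxy-provider is named in the thread) to their sysex variants are assumptions of this example. It reports mismatches in the entitlements; it cannot explain why a build whose entitlements are already correct is still rejected by neagent.

```python
"""Compare a binary's claimed entitlements with the provisioning profile that
must whitelist them (added example; not code from this thread or from Apple).

On macOS the two plists come from
    security cms -D -i Some.app/Contents/embedded.provisionprofile
    codesign -d --entitlements :- Some.app
Here both are constructed inline so the check runs offline.
"""
import plistlib

NE_KEY = "com.apple.developer.networking.networkextension"
APP_ID_KEY = "com.apple.application-identifier"

# Mac App Store (app extension) value -> Developer ID (system extension) value.
# Assumed mapping: the thread names only the app-proxy-provider pair.
APPEX_TO_SYSEX = {
    "app-proxy-provider": "app-proxy-provider-systemextension",
    "packet-tunnel-provider": "packet-tunnel-provider-systemextension",
    "content-filter-provider": "content-filter-provider-systemextension",
    "dns-proxy": "dns-proxy-systemextension",
}

PLIST_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>\n'
              '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
              '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">')

# Constructed Developer ID profile, shaped like the `security cms -D` output in the thread.
PROFILE_XML = PLIST_HEAD + """
<dict>
  <key>Name</key><string>Example Developer ID profile (constructed)</string>
  <key>Entitlements</key>
  <dict>
    <key>com.apple.developer.system-extension.install</key><true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
      <string>packet-tunnel-provider-systemextension</string>
      <string>app-proxy-provider-systemextension</string>
      <string>content-filter-provider-systemextension</string>
      <string>dns-proxy-systemextension</string>
      <string>dns-settings</string>
    </array>
    <key>com.apple.application-identifier</key><string>TEAM.com.example.vpn.macos2</string>
    <key>com.apple.developer.team-identifier</key><string>TEAM</string>
  </dict>
</dict>
</plist>"""

# Constructed claimed entitlements of a correctly converted container app
# (sysex entitlement value, App ID matching the profile).
GOOD_APP_XML = PLIST_HEAD + """
<dict>
  <key>com.apple.developer.system-extension.install</key><true/>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>packet-tunnel-provider-systemextension</string></array>
  <key>com.apple.application-identifier</key><string>TEAM.com.example.vpn.macos2</string>
  <key>com.apple.developer.team-identifier</key><string>TEAM</string>
</dict>
</plist>"""

# Constructed claimed entitlements of a build that was not fully converted:
# Mac App Store value, stale bundle ID, and a key the profile never whitelisted.
STALE_APP_XML = PLIST_HEAD + """
<dict>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>packet-tunnel-provider</string></array>
  <key>com.apple.application-identifier</key><string>TEAM.com.example.vpn.old</string>
  <key>keychain-access-groups</key>
  <array><string>TEAM.com.example.vpn.old</string></array>
</dict>
</plist>"""


def _load(xml: str) -> dict:
    # plistlib sniffs the format from the first bytes, so strip leading whitespace.
    return plistlib.loads(xml.strip().encode("utf-8"))


def check_entitlements(profile_xml: str, claimed_xml: str, developer_id: bool = True) -> list:
    """Return the problems found; an empty list means every claimed entitlement is
    whitelisted by the profile and (for Developer ID) uses the sysex variant."""
    allowed = _load(profile_xml)["Entitlements"]
    claimed = _load(claimed_xml)
    problems = []
    for key, value in claimed.items():
        if key not in allowed:
            problems.append(f"{key}: claimed by the binary but not whitelisted by the profile")
            continue
        if key == NE_KEY:
            for v in value:
                if v not in allowed[NE_KEY]:
                    problems.append(f"{NE_KEY}: {v!r} is not whitelisted by the profile")
                if developer_id and v in APPEX_TO_SYSEX:
                    problems.append(f"{NE_KEY}: {v!r} is the app-extension value; "
                                    f"a Developer ID sysex needs {APPEX_TO_SYSEX[v]!r}")
        elif key == APP_ID_KEY:
            prof = allowed[key]
            # Wildcard profiles end in '*'; explicit App IDs must match exactly.
            matches = value.startswith(prof[:-1]) if prof.endswith("*") else value == prof
            if not matches:
                problems.append(f"{APP_ID_KEY}: {value!r} does not match profile App ID {prof!r}")
    return problems


if __name__ == "__main__":
    for name, xml in (("converted app", GOOD_APP_XML), ("stale app", STALE_APP_XML)):
        found = check_entitlements(PROFILE_XML, xml)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against the real outputs by replacing the two constructed strings with the text of the `security cms -D` and `codesign -d --entitlements :-` commands; run the check once for the container app and once for the embedded sysex, each with its own profile, since the thread shows the two targets carry different entitlement sets.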

Hi Quinn and others,


I tested this and yes, an external app can talk to my ES extension using XPC as if the extension was a launchd service.


Looking at the man page more carefully (man EndpointSecurity), I see that at the bottom, the date is "27 November, 2018" (is it really that old?) and probably hasn't been updated for the change the release note is referencing. But that is speculation on my part.

'The man page that this leads you to says for NSEndpointSecurityMachServiceName, "If set, this string will be the name of the MachService which can be used for XPC between the ES extension and its app."'


I have not been able to find any reference to "NSEndpointSecurityMachServiceName".


Is this the equivalent of the NetworkExtension > NEMachServiceName in the Info.plist file created for Network Extensions?


Anyone have pointers to documentation for this?


I am thinking this might be associated with the problem I raised in this post where I am trying to figure out how additional apps can connect to the EndpointSecurity extension: Secondary app connecting to endpoint extension


Thanks,

Todd2,


It's on my 10.15.4 Beta (19E234g) VM, not on my host 10.15.3 version. Didn't realize it until just now. But I found it through the 10.15.4 release notes originally.

Thanks.


I should really create a second disk for running the latest Betas. I don't want to get bit in the **** by a change that catches me off guard.

I should really create a second disk for running the latest Betas.

Like mdolan, I use a VM for this. It’s way more pleasant than booting to a second partition.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

When I used a VM before (parallels) I was not seeing the raw network packets (which I also use). Back then I was only processing IPv4, so maybe all the traffic was IPv6 at the VM and then bridged to IPv4 before going out on the physical network. One of these days I'll go back and check.


Has anyone processed raw packets via NEFilterPacketProvider in a VM? If so, which system VM system were you using?

Has anyone processed raw packets via NEFilterPacketProvider in a VM?

Yes.

If so, which system VM system were you using?

I use VMware Fusion. I chose it back in the day because I knew folks on the team, so I can’t offer any insight as to whether it’s better or worse than any of its competitors.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello, I downloaded the SimpleFirewall demo and built it with my Developer ID certificate, but when I open the app

it tells me:

LSOpenURLsWithRole() failed with error -10810 for the file /Users/fa11ing1eaf/Library/Developer/Xcode/DerivedData/MEDR-cffdnlrhzmbcxmhgxgewmtfsfzqs/Build/Products/Debug/SimpleFirewall.app


I don't know why.

Please help me.


Waiting for your reply.

email: zhanghongbo05@meituan.com

I am seeing this fail after notarizing my Packet Tunnel Provider.

I see:
error 16:49:08.750262-0400 NEVPNTunnelPlugin([476]): Validation of the extension failed nesessionmanager
default 16:49:08.750966-0400 NESMVPNSession[Primary Tunnel::7BB4FF26-2EAD-47AF-85F7-880749561AD0:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin([476]) started with PID 0 error (null) nesessionmanager
error 16:49:08.750013-0400 Rejecting app extension provider PacketTunnel because it is signed with a Developer ID certificate neagent


I've checked my embedded profile:
security cms -D -i  /Applications/MYAPP.app/Contents/embedded.provisionprofile

<key>Entitlements</key>
<dict>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
<string>dns-settings</string>
</array>
<key>com.apple.application-identifier</key>
<string>BUNDLEID</string>
<key>keychain-access-groups</key>
<array>
<string>TEAM.*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>TEAM</string>
<key>com.apple.developer.associated-domains</key>
<string>*</string>
</dict>


Notarization was approved with its .dmg.

Any ideas?

I’m going to recommend that you start a new thread here because this one is way too long already. Feel free to reference this thread for context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

@eskimo is it possible to make that post with the developer ID details the accepted answer? I actually gave up on developerID for a day or two until I eventually came back here and scrolled to the bottom.

is it possible to make that post with the developer ID details the accepted answer?

No. Only the thread originator can change the accepted answer.

What I can do is mark it as Apple Recommended (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
