Running an endpoint security daemon

Hello,


Upon reading several discussions on the matter here, it seems that making our endpoint security daemon a system extension would be the way to go. However, this would require an interactive application, which we don't have as a business security product; we are therefore looking for another way.


While we got things working to a certain degree by moving our daemon into a `.bundle` structure, we're running into OS problems that prevent us from shipping (FB7414130).


Is there any known recommended way to achieve this?

Eskimo will give a more definitive answer, but this is my development experience so far (and knowledge from other posts):


A sensor using netflow/web data streams from Apple's network extension provider must be an XPC service bundled in a GUI-based app and must be distributed through the Mac App Store.


A sensor using packet data is the same.


A sensor using system call data should be built like a command-line tool and *cannot* be distributed through the Mac App Store.

Those are the only data sources I've worked with so far.
