Build an Endpoint Security App (Thursday, June 25th, 2020)

The Endpoint Security framework is meant to be a replacement for:
  • Kauth API

  • Unsupported MAC (mandatory access control) kernel framework

  • OpenBSM audit trail

Kernel extensions are bad, m'kay?

Using the Endpoint Security framework to build ES system extensions is what developers should be doing now.

Several types of system extensions are supported:
  • Network - used for VPNs, content filters, etc.

  • DriverKit - controlling hardware

  • EndpointSecurity - targeted at endpoint detection and response products

Benefits of using EndpointSecurity:
  • Protected by System Integrity Protection (SIP)

  • LaunchD job protection

  • Launch before third party applications

For EndpointSecurity architecture details, I recommend watching the session video.

Runtime requirements:

Entitlement: com.apple.developer.endpoint-security.client

Docs: https://developer.apple.com/system-extensions

System Extensions impose an additional requirement on the containing app bundle. For more details, see the documentation linked above.

System extensions also require user approval to complete installation, unless whitelisted by a system extension whitelist profile from an MDM server.

Privacy - in order to increase user privacy, applications must obtain user consent for Full Disk Access, unless Full Disk Access permission is granted by a Privacy Preferences Policy Control profile from an MDM server.

Network Events

The EndpointSecurity framework does not provide events related to networking operations. This is intentional, as these events are better covered by the NetworkExtension framework.

The one minor exception is Unix domain sockets, for which the EndpointSecurity framework does provide events.

It is possible to combine the EndpointSecurity and NetworkExtension frameworks into a single unified System Extension. In that case the same system extension APIs and install flow are used as for a system extension of a single extension type.
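To tie the runtime requirements above to the Unix domain socket exception, here is a minimal ES client, added as an illustration and not code from the session or from Apple's sample: it maps each es_new_client failure code to the requirement it violates, then subscribes to the UIPC bind/connect notifications plus exec notifications. It assumes a binary signed with com.apple.developer.endpoint-security.client, running as root with Full Disk Access; the `string(from:)` helper is mine.

```swift
import Foundation
import EndpointSecurity

// Added example (not the session's code): a minimal ES client that subscribes to the
// Unix domain socket events the framework does emit, plus process exec notifications.
// Assumes the binary carries com.apple.developer.endpoint-security.client, runs as root
// and has Full Disk Access.

/// es_string_token_t is not guaranteed to be NUL-terminated, so copy exactly `length` bytes.
func string(from token: es_string_token_t) -> String {
    String(decoding: UnsafeRawBufferPointer(start: token.data, count: token.length), as: UTF8.self)
}

var client: OpaquePointer?
let result = es_new_client(&client) { _, message in
    let msg = message.pointee
    let pid = msg.process.pointee.audit_token.val.5   // slot 5 of the audit token is the pid
    switch msg.event_type {
    case ES_EVENT_TYPE_NOTIFY_UIPC_CONNECT:
        print("pid \(pid) connect() to unix socket \(string(from: msg.event.uipc_connect.file.pointee.path))")
    case ES_EVENT_TYPE_NOTIFY_UIPC_BIND:
        let dir = string(from: msg.event.uipc_bind.dir.pointee.path)
        print("pid \(pid) bind() unix socket \(dir)/\(string(from: msg.event.uipc_bind.filename))")
    case ES_EVENT_TYPE_NOTIFY_EXEC:
        print("pid \(pid) exec \(string(from: msg.event.exec.target.pointee.executable.pointee.path))")
    default:
        break
    }
}

// Each failure code maps to one of the runtime requirements listed above.
switch result {
case ES_NEW_CLIENT_RESULT_SUCCESS: break
case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED: fatalError("missing endpoint-security.client entitlement")
case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED: fatalError("Full Disk Access not granted (TCC / PPPC profile)")
case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED: fatalError("must run as root")
default: fatalError("es_new_client failed: \(result.rawValue)")
}

let events: [es_event_type_t] = [ES_EVENT_TYPE_NOTIFY_UIPC_CONNECT, ES_EVENT_TYPE_NOTIFY_UIPC_BIND, ES_EVENT_TYPE_NOTIFY_EXEC]
guard es_subscribe(client, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fatalError("es_subscribe failed")
}
dispatchMain()   // keep the process alive; the handler runs on the framework's own queue
```

Only NOTIFY events are subscribed here; AUTH events additionally require a response via es_respond_auth_result before the message deadline.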

macOS Big Sur includes efficiency and speed improvements to the Endpoint Security framework over macOS Catalina.

The most requested data access points will be added by Apple as appropriate.