Getting started with System Extensions - Endpoint Security

I am new to programming on a mac, so I am having a hard time getting started with System Extensions.

I understand that there is a developer mode which ignores some checks (SIP, Notarization - what is this? - etc...)

I am trying to build the sample for building an Endpoint Security app here, and I get the error:

Signing for "SampleEndpointApp" requires a development team. Select a development team in the Signing & Capabilities editor.

The sample has a few instructions in the beginning:
  1.  Generate your Developer ID certificate. Refer to Developer ID for instructions.

  2.  Request the Endpoint Security entitlement; see System Extensions and DriverKit.

  3.  In Xcode, build and sign both the app and the extension with your Developer provisioning profile.

I understand that these can be ignored in developer mode. Another thing I found to get around entitlement and signing (I think) is to set
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.endpoint-security.client</key>
        <true/>
    </dict>
    </plist>

in the <AppName>.entitlements file, and disable SIP. I haven't managed to disable SIP but I applied
    DevToolsSecurity -enable

without effect on building the project. I also tried
    systemextensionsctl developer on

with a message that SIP needs to be disabled to apply this.

The reason I don't have SIP disabled yet is that the mac is a remote machine and I can't seem to get it into recovery mode to disable it. I suppose my question is, is there any way to disable SIP or get this developer mode without recovery mode?

In general though what's the proper set of steps to start developing system extensions without requiring signing and other deployment criteria?

Moreover, there are more things I don't get. The presentation here (related to the same code above) says a few confusing things to me:

If your application is bundled as a system extension, there is an additional entitlement required for the containing app bundle in order to install the extension.

What does "application is bundled as a system extension" mean? In a different presentation I understood that the extension is supposed to be a separate target, so what's this about bundling? Can you have a "standalone" system extension app?

Also:

If you deploy as a system extension, on installation, we pre-populate your extension in this dialogue to make it easier on users to enable these permissions.
If your product is being deployed on managed devices, there are two MDM payloads available to aid distribution.

What is this saying? Deploying a system extension seems to suggest you can have a standalone system extension.

Please excuse the confusion, I am new to all the tech and the mac environment, any pointer is of help.

Notarization - what is this?

See Notarizing macOS Software Before Distribution or, if you prefer video, WWDC 2019 Session 703 All About Notarization.

is there any way to disable SIP or get this developer mode without
recovery mode?

No. That’s kinda the point of SIP really. SIP enables security features that prevent folks from completely nobbling your Mac, so it can only be disabled if you have physical control of the Mac.

Oh, last I checked disabling SIP was not sufficient to get an ES sysex running in the absence of Apple granting you the ES entitlement. See this thread for the details.

In general though what's the proper set of steps to start developing
system extensions without requiring signing and other deployment
criteria?

OK, step 1 is to set up a Mac-on-Mac VM. That has a number of key advantages:
  • You can disable SIP without disabling it on your main machine (disabling SIP on anything except a ‘victim’ machine is a really bad idea).

  • You’re not completely hoarked if your sysex fails horribly and prevents the system from booting.

  • You can use snapshots to test and test again from a known good state.

What does "application is bundled as a system extension" mean?

I think Matt got that backwards )-: It’s meant to be “If your system extension is bundled within an application.” Furthermore, the “if” is a bit redundant because a sysex is always embedded within an app. I think a better way to say this would be “If you ship your Endpoint Security client as a system extension embedded in a container app”. Remember that ES clients can also be deployed as a launchd daemon (although that presents its own challenges).

In a different presentation I understood that the extension is
supposed to be a separate target, so what's this about bundling?

A sysex is always deployed within a container app. So a sysex project usually has two targets:
  • The container app, which is a normal app target

  • The sysex, which you should create from the macOS > Endpoint Security Extension template

When you create the sysex target one of the options is Embed in Application, and that’s where you select the target that builds the container app.

Deploying a system extension seems to suggest you can have a
standalone system extension.

I think that’s just the presenter taking a shortcut. A sysex is always embedded within a container app, so deploying a sysex means deploying its container app.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
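To make the answer concrete, here is a minimal Endpoint Security client of the kind the thread is about, written as an added example (it is not the sample project's code and not Apple's). It assumes the binary carries the com.apple.developer.endpoint-security.client entitlement, runs as root (as the sysex inside its container app, or as a launchd daemon) and has Full Disk Access; the start() result distinguishes the entitlement failure this thread hits from the TCC and privilege failures.

```swift
import EndpointSecurity
import Foundation

// Observe-only ES client: subscribes to NOTIFY_EXEC and logs the executable
// path, signing identifier and pid of every newly executed process.
// Assumption: es_string_token_t.data is NUL-terminated (as the ES headers state).
final class ExecMonitor {
    private var client: OpaquePointer?

    // Returns nil on success, otherwise a reason a developer can act on.
    func start() -> String? {
        let result = es_new_client(&client) { _, message in
            guard message.pointee.event_type == ES_EVENT_TYPE_NOTIFY_EXEC else { return }
            let target = message.pointee.event.exec.target.pointee
            let path = String(cString: target.executable.pointee.path.data)
            let signingID = String(cString: target.signing_id.data)
            let pid = Int(target.audit_token.val.5)   // val[5] of audit_token_t is the pid
            NSLog("%@", "exec pid=\(pid) path=\(path) signing_id=\(signingID) platform=\(target.is_platform_binary)")
        }
        switch result {
        case ES_NEW_CLIENT_RESULT_SUCCESS:
            break
        case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
            return "missing com.apple.developer.endpoint-security.client entitlement (or it is not on your provisioning profile)"
        case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
            return "Full Disk Access has not been granted to this client (TCC)"
        case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
            return "ES clients must run as root"
        default:
            return "es_new_client failed with \(result)"
        }
        guard let c = client else { return "es_new_client returned no client" }
        // NOTIFY events only: we observe, we never hold up the process (no AUTH responses needed).
        let events: [es_event_type_t] = [ES_EVENT_TYPE_NOTIFY_EXEC]
        guard es_subscribe(c, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
            es_delete_client(c)
            client = nil
            return "es_subscribe failed"
        }
        return nil
    }

    func stop() {
        guard let c = client else { return }
        es_unsubscribe_all(c)
        es_delete_client(c)
        client = nil
    }
}

let monitor = ExecMonitor()
if let reason = monitor.start() {
    NSLog("%@", "Endpoint Security client could not start: \(reason)")
    exit(1)
}
dispatchMain()   // keep the process alive; the handler runs on ES's own queue
```

Without the Apple-granted entitlement the es_new_client call is the first place this fails, which is exactly why disabling SIP alone, as noted above, is not enough to get an ES sysex running.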