Endpoint Security Event: ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD is ...broken?

The Endpoint Security Event ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD notification appears to be broken in two ways.

The issue has also been submitted via Feedback Assistant: FB11812980


Background

The ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD Endpoint Security (ES) event is declared in the header file ESTypes.h. In ESMessage.h one finds more info about its ES message type, es_event_btm_launch_item_add_t, and a comment that says it is a:

"notification for launch item being made known to background task management. This includes launch agents and daemons as well as login items added by the user, via MDM or by an app"

This seems to be an ideal notification to detect persistence events (e.g. the installation of a launch or login item). Unfortunately, at this time (on macOS 13.0.1 (22A400)) it appears to be broken.


Issues

1️⃣ The first issue is that an ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD is delivered for every installed launch agent/daemon whenever a new launch agent/daemon is added (not just for the new launch item)

Steps to reproduce:

  • From terminal run (via root/sudo): eslogger btm_launch_item_add
  • Install a launch agent/daemon ...either run an installer that creates a launch item or just manually copy a launch item plist: % cp ~/Desktop/com.test.plist ~/LaunchAgents/com.test.plist
  • This will trigger a deluge of ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD notifications - one for every installed launch agent/daemon ...not just the one that was added 😅

2️⃣ The second issue is that an ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD is not delivered for login items.

Steps to reproduce:

  • From terminal run (via root/sudo): eslogger btm_launch_item_add
  • Install a login item ...for example run an installer that installs a login item
  • Note that no ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD notification is delivered even though the ESMessage header file notes that a notification should be delivered for "...login items added by the user, via MDM or by an app"

Note macOS will detect the login item installation and generate an alert to the user. 🤷🏻‍♂️

Thanks for filing FB11812980.

BTW, is there any plan to provide documentation for this event and the new Ventura events? It would be interesting to know whether this is a bug or the "designed" behavior.

The online documentation for the new event types is currently:

  • not helpful, as there is not even the beginning of a basic Discussion section.
  • buggy: the new event types are listed separately as constants.

Ref. https://developer.apple.com/documentation/endpointsecurity/es_event_type_t/es_event_type_notify_btm_launch_item_add

is there any plan to provide documentation for this event and the new Ventura events?

Apple folks can’t discuss The Future™. I recommend that you put your specific complaints about the docs into a bug report. And, as before, please post your bug number.

Oh, and I took a look at the state of FB11812980. It seems that your first issue is a limitation of the current implementation and our advice is that you write your code to account for that. The second issue is something we’d like to fix and we’re using your bug report to track that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
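The first issue in the original post (one notification per installed launch item whenever any item is added) and Quinn's advice to "write your code to account for that" both call for the same thing on the consumer side: remember which launch items have already been reported and only surface the ones not seen before. The following is an added example, not code from this thread or from Apple. It consumes eslogger-style output (one JSON object per line) and assumes the event is nested as event.btm_launch_item_add.item with item_url and uid keys; that layout is an assumption modelled on the es_btm_launch_item_t field names and must be checked against real eslogger output. The sample lines are constructed, and the baseline_from_directory helper is a hypothetical way to seed the "already known" set at startup.

```python
"""Deduplicate btm_launch_item_add notifications so only newly added launch items are reported."""
from __future__ import annotations

import json
import os
from pathlib import Path
from typing import Iterable, Optional

EVENT_KEY = "btm_launch_item_add"  # assumed eslogger JSON key for this event

# Constructed item URLs used to build the sample stream below (not real captured data).
UPDATER = "file:///Users/demo/Library/LaunchAgents/com.vendor.updater.plist"
TEST = "file:///Users/demo/Library/LaunchAgents/com.test.plist"
OTHER = "file:///Users/demo/Library/LaunchAgents/com.other.plist"


def _line(url: str, uid: int = 501) -> str:
    """Build one constructed eslogger-style line (key layout is an assumption)."""
    return json.dumps({"event": {EVENT_KEY: {"item": {"uid": uid, "item_url": url}}}})


# Burst 1: com.test.plist was just added, but the pre-existing updater item is reported too.
# Burst 2: com.other.plist was added, and every installed item is reported again.
SAMPLE_LINES = [
    _line(UPDATER), _line(TEST),
    '{"event": {"exec": {"target": {"executable": {"path": "/bin/ls"}}}}}',  # unrelated event
    _line(UPDATER), _line(TEST), _line(OTHER),
    "not json at all",  # malformed line, must be skipped without crashing
]


def launch_item_key(line: str) -> Optional[tuple[int, str]]:
    """Extract (uid, item_url) from one line, or None if it is not a usable launch-item event."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    event = record.get("event") if isinstance(record, dict) else None
    if not isinstance(event, dict) or EVENT_KEY not in event:
        return None
    item = event[EVENT_KEY].get("item") or {}
    url = item.get("item_url")
    if not url:
        return None
    return (int(item.get("uid", -1)), url)


class LaunchItemDeduper:
    """Tracks launch items already seen; observe() returns a key only the first time it appears."""

    def __init__(self, baseline: Iterable[tuple[int, str]] = ()):
        self._seen: set[tuple[int, str]] = set(baseline)

    def observe(self, line: str) -> Optional[tuple[int, str]]:
        key = launch_item_key(line)
        if key is None or key in self._seen:
            return None
        self._seen.add(key)
        return key


def new_launch_items(lines: Iterable[str], baseline: Iterable[tuple[int, str]] = ()) -> list[tuple[int, str]]:
    """Run a stream of lines through the deduper and return the genuinely new items in order."""
    deduper = LaunchItemDeduper(baseline)
    return [key for key in (deduper.observe(line) for line in lines) if key is not None]


def baseline_from_directory(directory: str, uid: Optional[int] = None) -> set[tuple[int, str]]:
    """Hypothetical startup seeding: treat every *.plist already in a directory as known.
    Returns an empty set if the directory does not exist, so it is safe to call anywhere."""
    uid = os.getuid() if uid is None else uid
    path = Path(directory).expanduser()
    if not path.is_dir():
        return set()
    return {(uid, p.resolve().as_uri()) for p in path.glob("*.plist")}


if __name__ == "__main__":
    # Seed with what was installed before monitoring started, then report only additions.
    baseline = {(501, UPDATER)} | baseline_from_directory("~/Library/LaunchAgents")
    for uid, url in new_launch_items(SAMPLE_LINES, baseline):
        print(f"new launch item for uid {uid}: {url}")
```

Seeding the baseline matters: on the very first burst the consumer has no way to tell a pre-existing item from the added one, so enumerate the launch-item locations you care about at startup and pass them in. Keyed on (uid, item_url) the deduper also reports the same plist path again if it reappears under a different user, which is usually what a persistence detector wants. The second issue in the thread (no notification for login items) cannot be worked around on the consumer side and needs another data source until the fix ships.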

Hooray this is now fixed in macOS 13.3 🙏🏽
