EndpointSecurity SystemExtension vs EndpointSecurity Framework

Privacy & Security General
Cicero OP
Created Feb ’23
Replies 5
Boosts 0
Views 855
Participants 2

Hi,

According to wwdc20-10159 there are two approaches in utilizing the Endpoint Security framework in macOS application:

  1. Packaged as a system extension.
  2. Embedded inside a daemon that is packaged into an application bundle.

WWDC 2020 Session 10159 (wwdc20-10159) - Build an EndpointSecurity app - also mentions:

"While it's possible to distribute your ES application as a stand-alone product, we believe there are a lot of benefits to delivering your product as an EndpointSecurity based system extension".

"Also, there are some EndpointSecurity features that products can only use if they are a system extension"

After performing quite deep research including rereading the transcriptions of all EndpointSecurity related wwdc sessions - the following questions arise:

  1. I couldn't find any source that will list all those features. Does such exist?

  2. What are the limitations of the non system extension approach comparing to EndpointSecurity based system extension?

Replies  5
Boosts  0
Views  855
Participants  2
Cicero OP
Feb ’23

I will be more precise - despite the advantages mentioned in EndpointSecurity man page (e.g. NSEndpointSecurityEarlyBoot, NSEndpointSecurityRebootRequired, NSEndpointSecurityMachServiceName) and the additional SIP protection (see post) are there others?

0
Cicero OP
Feb ’23

For some reason my last comment disappeared from the flow - I will submit it again: Despite the advantages mentioned in EndpointSecurity man page (e.g. NSEndpointSecurityEarlyBoot, NSEndpointSecurityRebootRequired, NSEndpointSecurityMachServiceName) and the additional SIP protection (see post), are there others?

0
DTS Engineer OP
Apple
Feb ’23

Hmmm, I’m pretty sure I’ve answered this before. Oh yeah, here it is.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Cicero OP
Feb ’23

Hi Eskimo, Thanks for your reply. For some reason my last comment disappeared from the flow - I will submit it again: Despite the advantages mentioned in EndpointSecurity man page (e.g. NSEndpointSecurityEarlyBoot, NSEndpointSecurityRebootRequired, NSEndpointSecurityMachServiceName) and the additional SIP protection (see post), are there others?

0
DTS Engineer OP
Apple
Feb ’23

are there others?

Not that I can think of.

Although your question reminds me of this…

https://www.youtube.com/watch?v=uvPbj9NX0zc

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
EndpointSecurity SystemExtension vs EndpointSecurity Framework
First post date Last post date
 
 
Q