Notarized Endpoint app, full disk access, Ventura Intel

I have an app that installs an endpoint system extension, and I have the app notarized.

I can install the endpoint system extension and enable Full Disk Access fine on

  • Ventura, Apple Silicon
  • Sonoma, Apple Silicon

But I cannot enable Full Disk Access on

  • Ventura, Intel

In System Settings, when I try to slide toggle switch on to enable full disk access, the toggle slides right back to off.

In previous development versions, I could enable Full Disk Access on the Intel machine.

Any idea why I cannot enable Full Disk Access on Ventura/Intel for my endpoint system extension in my notarized app?

One additional observation, the name displayed in the Full Disk Access section is different between the Apple Silicon and Intel Macs.

On Apple Silicon, only the final part of the Bundle ID is shown in Full Disk Access:

  • endpointagent

On Intel, the full Bundle ID is shown:

  • com.MyCompany.MyApp.endpointagent

Don't know if it matters, but I thought I'd point that out.

Up vote post of Todd_at_Ennetix Down vote post of Todd_at_Ennetix
509 views
Posted by
Todd_at_Ennetix
Reply
Add a Comment

Replies

Can you reproduce this on a fresh machine? That is, a machine that’s never see your product before?

I usually a VM for this sort of testing, restoring to a fresh snapshot between each test.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

I still need to write up a detailed report, but a quick interim report:

I compiled and notarized the app on my iMac Pro (Intel) running Ventura, I can now enable Full Disk Access on my iMac Pro.

Also, the name in the Full Disk Access section is no longer to full Bundle ID but just the last component of the Bundle ID.

(Previously I had compiled and notarized the app on a Mac Book Pro (M1 Pro) running Ventura)

Posted by
Todd_at_Ennetix
Up vote reply of Todd_at_Ennetix Down vote reply of Todd_at_Ennetix
Add a Comment

Just a brief update: my iMac Pro running Ventura 13.6.1 didn't require the app to have a provisioning profile to install an endpoint system extension. That was unexpected (to me).

I created a clean sheet project making it as simple as I can. I have both the main app and the endpoint system extension built using "Automatically manage signing". I have not created any provisioning profiles for for the main app or endpoint system yet. I did a quick test with where the endpoint system extension could be run and enable Full Disk Access.

Status

  • MacBook Pro (M1 Pro, Ventura 13.6.1) where I built in - everything ran fine (not surprised)
  • Mac Studio (M1 Max, Sonoma 14.1) - I could install the endpoint system extension but not grant Full Disk Access (not surprised)
  • iMac Pro (Intel, Ventura 13.6.1) - I could install the endpoint system extension and enable Full Fisk Access (surprised)

I was surprised I could install endpoint system extension and grant Full Disk Access on a different Mac without needing any provisioning profiles.

Next, I'll build with a testing profile to see if I can get it running on the Mac Studio (Sonoma 14.1). The Mac Studio with Sonoma is where I've been having problems granting Full Disk Access lately.

Posted by
Todd_at_Ennetix
Up vote reply of Todd_at_Ennetix Down vote reply of Todd_at_Ennetix

  • PS. I'll be spinning up VMs today for additional testing on clean machines.

    Todd_at_Ennetix
Add a Comment

I think I verified Quinn's suspicions: I needed to test with clean machines.

I created two VMs in UTM running Ventura 13.6.1 and Sonoma 14.1 and creates an account that was not associated with my developer account. I then tried to run the automatically signed code (i.e., no provisioning profile) that worked strangely on my iMac Pro 13.6.1 and Mac Studio 14.1, and both VMs blocked the app from running. This is what I expected.

Next step: checking with provisioning profiles...

Posted by
Todd_at_Ennetix
Up vote reply of Todd_at_Ennetix Down vote reply of Todd_at_Ennetix
Add a Comment