Hooks with mandatory access control framework

Hello,

I've come across information regarding macOS endpoint protection software: It seems Apple no longer allows them to create kernel extensions.

It seems that endpoint software should now function with MACF by implementing hooks from userland.

Does this mean the Endpoint Security Framework will soon become deprecated?

I'm currently searching for a sample source code for MACF hooks, but I haven't found anything in the Apple developer documentation.

Thanks

MAC has never been a supported KPI on macOS. Sadly, there was some confusion about this back in the day, hence QA1574 Kernel’s MAC framework.

The path forward here is Endpoint Security. I’m not how you got the impression that it might soon be deprecated. No announcements have been made along those lines. Moreover, we’ve still in the process of moving folks to ES from various unsupported, and barely supported, techniques. All our recent major macOS releases have included ES enhancements that allow more folks to move over.

FYI, internally ES makes heavy use of MAC, but we take great care to not surface that at the API level.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hooks with mandatory access control framework
 
 
Q