EndpointSecurity app missing TCC authorization

Hi! I am trying to run the demo app (SampleEndpointApp) from the WWDC2020 presentation (link). Here are the steps I followed in order to run the app:

  1. I submitted a request for the Endpoint Security entitlement and got the approval from the Apple Support team.
  2. Created an identifier and assigned Endpoint Security capability.
  3. Updated the Bundle Identifier in ViewController.m and in the Extension target.
  4. Built and copied the app bundle to /Application folder.
  5. Ran the app, clicked "Install Extension" and got the confirmation message that everything went well.

Looking into the logs, I see the following:

(libEndpointSecurity.dylib) Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access

I keep getting the same message even after granting SampleEndpointApp Full Disk Access in Privacy & Security.

System : macOS Sequoia 15.1.1

Could you please assist me with this issue?

Andrei

Answered by DTS Engineer in 823537022

Hmmm, interesting. This is working for me. Here’s how I tested it:

  1. I downloaded the Monitoring System Events with Endpoint Security sample.

  2. I opened the project in Xcode 16.2.

  3. In the Signing & Capabilities editor, I selected my team for both the app and extension targets.

  4. In ViewController.m, I added my Team ID (SKMME9E2Y8) to the extension ID.

  5. I built the app.

  6. I copied it to a macOS 15.1 VM.

  7. In the VM, I moved the app to the Applications folder.

  8. I ran Console and started a search for “Failed to create”.

  9. I launched the app.

  10. And clicked the Install Extension button.

  11. I ran through the approval process.

  12. In Console I saw the extension trying to start and failing. Specifically, I saw the log message Failed to create the ES client: 4, where 4 is ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED.

  13. In System Settings > Privacy & Security > Full Disk Access, I enabled the extension.

  14. I stopped seeing the errors from step 12, and the extension started successfully:

% sudo launchctl list SKMME9E2Y8.com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension
{
	"LimitLoadToSessionType" = "System";
	"MachServices" = {
		"SKMME9E2Y8.com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension.xpc" = mach-port-object;
	};
	"Label" = "SKMME9E2Y8.com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension";
	…
	"PID" = 786;
	…
};

I’m not sure why this problem is showing up on your machine. In my experience it’s common to see weird TCC problems on developer machines. That’s why I always test stuff like this on a ‘clean’ machine, typically a VM.

IMPORTANT When testing in a VM, be aware of the issue discussed in this thread.

Are you able to try this on a different machine? If so, please do. If not, you might be able to fix your current machine with tccutil.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
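As an added example (not Apple's sample or Quinn's code) of the check behind step 12: this Swift runs inside the system extension, creates the ES client, and translates the `es_new_client` result into the cause to look at next, so that the numeric 4 in the log comes with its meaning. The log subsystem name is an assumption.

```swift
import EndpointSecurity
import Foundation
import os

// Added example, not code from Apple's SampleEndpointApp. It runs inside the
// system extension (root, entitled), which is where step 12's
// "Failed to create the ES client: 4" is logged. Subsystem name is assumed.
let logger = Logger(subsystem: "com.example.SampleEndpointApp", category: "ES")

/// Turn an es_new_client result into the thing to check next.
func diagnose(_ result: es_new_client_result_t) -> String {
    switch result {
    case ES_NEW_CLIENT_RESULT_SUCCESS:              return "ok"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:     return "extension lacks the Endpoint Security entitlement; check the provisioning profile"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:    return "TCC denied (value 4): enable the .systemextension, not just the app, under Full Disk Access"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:   return "caller is not root; the ES client belongs in the sysex, not the container app"
    case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS: return "system-wide ES client limit reached"
    case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT: return "nil client pointer or handler"
    case ES_NEW_CLIENT_RESULT_ERR_INTERNAL:         return "internal ES failure"
    default:                                        return "unknown result \(result.rawValue)"
    }
}

/// Create the client, subscribe to a few NOTIFY events, and log a path per exec.
/// Returns nil (after logging the diagnosis) when the client cannot be created.
func startMonitoring() -> OpaquePointer? {
    var client: OpaquePointer?
    let result = es_new_client(&client) { _, message in
        // NOTIFY events need no es_respond_* call; inspect and return quickly.
        guard message.pointee.event_type == ES_EVENT_TYPE_NOTIFY_EXEC else { return }
        let path = message.pointee.event.exec.target.pointee.executable.pointee.path
        // es_string_token_t carries an explicit length; do not rely on a NUL terminator.
        let exe = String(decoding: UnsafeRawBufferPointer(start: path.data, count: path.length), as: UTF8.self)
        logger.info("exec: \(exe, privacy: .public)")
    }
    guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let client = client else {
        // Same numeric value the thread's log shows, plus the human-readable cause.
        logger.error("Failed to create the ES client: \(result.rawValue) (\(diagnose(result), privacy: .public))")
        return nil
    }
    var events = [ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_FORK, ES_EVENT_TYPE_NOTIFY_EXIT]
    guard es_subscribe(client, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
        logger.error("es_subscribe failed")
        es_delete_client(client)
        return nil
    }
    return client
}
```

Call `startMonitoring()` from the extension's main and keep the returned client alive; before Full Disk Access is granted to the extension, Console shows the same 4 as in step 12, now followed by the reason.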

Does the problem persist after a restart?

Are you using Apple Development signing?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It does persist after a restart. I am using the automatic signing in Xcode.


I am following pretty much the same steps, but with no luck. Question regarding step 13: you said that you enabled the extension. Do you mean that you enabled only the extension and not the App Bundle containing the extension?

In the meantime I dug a bit more into the logs and I could see another error that could help:

tccd: [com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Library/SystemExtensions/34CA2880-358B-4E1B-BB5D-FE3AD9022E4D/com.X.Y.systemextension/: 'The operation couldn’t be completed. (OSStatus error -10811.)'

It looks kind of similar to this and this. Do you have any idea what's the status for the feedback tickets opened as a follow up of these posts? Do you think they might be related to my case?

Written by agorneanu in 823560022
Question regarding step 13: you said that you enabled the extension.

Ah, yes, sorry about the confusion there. I went to System Settings > Privacy & Security > Full Disk Access and enabled whatever was there. I don’t actually recall whether it was showing the app or the extension. And I’ve deleted that VM… oh wait… I didn’t get around to deleting the VM, so I can go check…

It turns out that the UI was showing the extension, and that’s what I enabled. Consider:

Written by agorneanu in 823560022
I am following pretty much the same steps

On a clean machine? If not, that needs to be your next step. Chasing TCC problems on development machines is a mug’s game.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I followed once again your steps and now it seems to work. The only difference I see for now is the Bundle Identifier. Why does it work out of the box only by adding the Team ID in ViewController.m? Shouldn't it require an existing identifier with all the necessary entitlements in the Apple Development Program account?

I’m glad to hear you got it working.

Written by agorneanu in 823706022
Shouldn't it require an existing identifier with all the necessary entitlements in the Apple Development Program account?

Our sample code is set up so that each target gets a unique App ID based on the developer’s Team ID. When you build the sample, Xcode automatic code signing registers those unique App IDs with your team. Neat!

If you search the project for SAMPLE_CODE_DISAMBIGUATOR, you can see how that works.

This works well in most cases, but it needs a slight tweak in this case because the code in ViewController.m embeds the bundle ID of the sysex (the bundle ID being one component of the App ID). Personally I try to not do this [1], but I didn’t write the sample (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] In my test projects I use this code:

import Foundation
import SystemExtensions

final class SysExLoader: NSObject, OSSystemExtensionRequestDelegate {

    … lots more stuff …

    /// Discover the sysex bundle ID from the app bundle at runtime instead of
    /// hard-coding it, so it follows whatever App ID Xcode signed the target with.
    private static func systemExtensionBundleID() -> String? {
        let sysExDir = Bundle.main.bundleURL
            .appendingPathComponent("Contents")
            .appendingPathComponent("Library")
            .appendingPathComponent("SystemExtensions")
        let contents = try! FileManager.default.contentsOfDirectory(at: sysExDir, includingPropertiesForKeys: nil)
        let sysExes = contents.filter { $0.pathExtension == "systemextension" }
        // If there isn’t exactly one sysex, this is ambiguous and we fail.
        guard let sysEx = sysExes.first, sysExes.count == 1 else { return nil }
        let sysExBundle = Bundle(url: sysEx)!
        let result = sysExBundle.bundleIdentifier!
        return result
    }
}

It makes sense. The AppIDs do show up in the Identifiers page. Thanks for clarifying everything!
