Hi Apple Developer Forums,
We are developing a managed macOS security/monitoring agent for enterprise customers (deployed only to MDM-managed endpoints). Our goal is to collect per-process network connection metadata (e.g., which process initiated a TCP connection, destination IP/port, timestamps). We are not intercepting or collecting network payload/content—only connection metadata for security telemetry/compliance.
We previously explored options like:
- sysctl PCB lists (e.g., net.inet.tcp.pcblist_n) / kernel structs (not stable ABI; appears private/fragile)
- Aggregate TCP stats (sysctl net.inet.tcp.stats) which are public but system-wide only
- proc_pidinfo() / PROC_PIDFDSOCKETINFO for per-PID socket snapshots (polling-based; limited / not event-driven)
It seems the supported, event-based approach for per-process connection visibility is EndpointSecurity.framework, but it requires the entitlement:
- com.apple.developer.endpoint-security.client
Questions:
- Is EndpointSecurity.framework the recommended/supported approach for per-process TCP connection events on macOS for a managed enterprise security agent?
- What is the correct process to request approval for the Endpoint Security client entitlement under an Apple Developer Program team? (We were directed to post here.)
- Which Endpoint Security event types are appropriate for capturing connect/accept/close style network events per-process, strictly for metadata telemetry?
- Are there any platform/privacy constraints or best practices Apple expects us to follow for this use case (MDM-managed enterprise deployments)?
We can provide additional details (distribution method, signing, MDM deployment model, privacy disclosures) if needed.
Thanks!
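Added illustration, not part of the post above and not code from the poster's agent: the third option the post lists (proc_pidinfo() with PROC_PIDFDSOCKETINFO) written out as a small C program, with a snapshot diff on top of it so the "polling-based, not event-driven" limitation is concrete rather than abstract. The libproc calls and the struct field names (proc_fdinfo, socket_fdinfo, in_sockinfo, INI_IPV4, TSI_S_LISTEN) come from macOS's <libproc.h> and <sys/proc_info.h>; the conn_rec record, the conn_list container and diff_snapshots are my own constructions for this example. Seeing other users' processes requires running as root; processes that cannot be inspected are skipped. This does not address the entitlement or EndpointSecurity event-type questions, which only Apple can answer.

```c
/* Added example, not from the post: per-process TCP snapshots on macOS via libproc
 * (proc_pidinfo / PROC_PIDFDSOCKETINFO) plus a portable diff of two polls. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>
#ifdef __APPLE__
#include <unistd.h>
#include <libproc.h>
#include <sys/proc_info.h>
#include <arpa/inet.h>
#endif
typedef struct {            /* one observed TCP socket, attributed to its owning pid */
    int32_t  pid; bool v4;  /* v4: faddr[0..3] holds IPv4, otherwise faddr holds IPv6 */
    uint8_t  faddr[16];     /* foreign address, network byte order */
    uint16_t lport, fport;  /* host byte order */
    int      state;         /* TSI_S_* on macOS; arbitrary in constructed test data */
} conn_rec;
typedef struct { conn_rec *v; size_t n, cap; } conn_list;
static bool conn_list_push(conn_list *l, conn_rec r) {   /* false when out of memory */
    if (l->n == l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 16;
        conn_rec *nv = realloc(l->v, ncap * sizeof *nv);
        if (!nv) return false;
        l->v = nv; l->cap = ncap;
    }
    l->v[l->n++] = r;
    return true;
}
static void conn_list_free(conn_list *l) { free(l->v); l->v = NULL; l->n = l->cap = 0; }
static bool conn_same(const conn_rec *a, const conn_rec *b) {  /* same pid, ports, foreign addr */
    return a->pid == b->pid && a->lport == b->lport && a->fport == b->fport &&
           a->v4 == b->v4 && memcmp(a->faddr, b->faddr, sizeof a->faddr) == 0;
}
static bool conn_list_contains(const conn_list *l, const conn_rec *r) {
    for (size_t i = 0; i < l->n; i++) if (conn_same(&l->v[i], r)) return true;
    return false;
}
/* Compare two consecutive polls: entries only in `cur` are opened, entries only in
 * `prev` are closed. A connection that opens and closes between the two polls is
 * never seen, which is the polling gap versus an event-driven source. */
static size_t diff_snapshots(const conn_list *prev, const conn_list *cur,
                             conn_list *opened, conn_list *closed) {
    size_t events = 0;
    for (size_t i = 0; i < cur->n; i++)
        if (!conn_list_contains(prev, &cur->v[i])) { conn_list_push(opened, cur->v[i]); events++; }
    for (size_t i = 0; i < prev->n; i++)
        if (!conn_list_contains(cur, &prev->v[i])) { conn_list_push(closed, prev->v[i]); events++; }
    return events;
}

#ifdef __APPLE__
/* Walk each pid's descriptor table and record its TCP sockets; processes the caller
 * may not inspect (other users' processes without root) are skipped silently. */
static int snapshot_tcp(conn_list *out) {
    int bytes = proc_listpids(PROC_ALL_PIDS, 0, NULL, 0);
    pid_t *pids = bytes > 0 ? malloc((size_t)bytes) : NULL;
    if (!pids) return -1;
    int npids = proc_listpids(PROC_ALL_PIDS, 0, pids, bytes) / (int)sizeof(pid_t);
    for (int p = 0; p < npids; p++) {
        pid_t pid = pids[p];
        int fbytes = pid > 0 ? proc_pidinfo(pid, PROC_PIDLISTFDS, 0, NULL, 0) : 0;
        struct proc_fdinfo *fds = fbytes > 0 ? malloc((size_t)fbytes) : NULL;
        if (!fds) continue;                               /* exited, or not permitted */
        int nfds = proc_pidinfo(pid, PROC_PIDLISTFDS, 0, fds, fbytes) / (int)sizeof *fds;
        for (int i = 0; i < nfds; i++) {
            struct socket_fdinfo si;
            if (fds[i].proc_fdtype != PROX_FDTYPE_SOCKET ||
                proc_pidfdinfo(pid, fds[i].proc_fd, PROC_PIDFDSOCKETINFO, &si, sizeof si) != (int)sizeof si ||
                si.psi.soi_kind != SOCKINFO_TCP) continue;
            const struct in_sockinfo *in = &si.psi.soi_proto.pri_tcp.tcpsi_ini;
            conn_rec r = { .pid = pid, .v4 = (in->insi_vflag & INI_IPV4) != 0,
                           .lport = ntohs((uint16_t)in->insi_lport), .fport = ntohs((uint16_t)in->insi_fport),
                           .state = si.psi.soi_proto.pri_tcp.tcpsi_state };
            memcpy(r.faddr, r.v4 ? (const void *)&in->insi_faddr.ina_46.i46a_addr4
                                 : (const void *)&in->insi_faddr.ina_6, r.v4 ? 4 : 16);
            conn_list_push(out, r);
        }
        free(fds);
    }
    free(pids);
    return 0;
}
/* Poll twice, one second apart, and print newly seen connections (listeners skipped). */
int main(void) {
    conn_list prev = {0}, cur = {0}, opened = {0}, closed = {0};
    if (snapshot_tcp(&prev) != 0 || (sleep(1), snapshot_tcp(&cur)) != 0) return 1;
    diff_snapshots(&prev, &cur, &opened, &closed);
    for (size_t i = 0; i < opened.n; i++) {
        char buf[INET6_ADDRSTRLEN];
        if (opened.v[i].state == TSI_S_LISTEN) continue;
        inet_ntop(opened.v[i].v4 ? AF_INET : AF_INET6, opened.v[i].faddr, buf, sizeof buf);
        printf("pid=%d -> %s:%u (local port %u)\n", opened.v[i].pid, buf, opened.v[i].fport, opened.v[i].lport);
    }
    conn_list_free(&prev); conn_list_free(&cur); conn_list_free(&opened); conn_list_free(&closed);
    return 0;
}
#endif
```

On macOS, build with `cc -o tcpsnap tcpsnap.c` and run it as root to see all processes. Two properties of the output matter for telemetry design: a connection shorter than the poll interval produces no record at all, and the pid in a record is a point-in-time attribution, so a pid recycled between two polls shows up as one closed and one opened connection rather than as the same one. Both follow directly from the snapshot approach itself, which is why the post treats it as a limited stand-in for an event source rather than as the agent's primary mechanism.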