Posts

Post not yet marked as solved
3 Replies
170 Views
When you use the eslogger command line tool to dump 'profile add' and 'profile remove' notify events, the instigator process seems to always be reported to be the mdmclient process whatever the "real" instigator is:
- the Profiles pane in System Settings.app.
- an MDM solution
- the profiles command line tool.

[Q] Is this expected? Because for another family of notify events where there is also an instigator field, the instigator points to the "real" instigator.
Post not yet marked as solved
3 Replies
1.3k Views
[Q] What is the thread safety status of the IOBluetooth framework? Is it possible to call any class from the IOBluetooth framework from a secondary thread? I haven't found so far information about this in the documentation and the only pieces of info you can find through a Google search say the framework is not thread safe but these are old pieces of info.
Post marked as solved
1 Replies
338 Views
There seem to be at least 3 possible APIs to detect the mounting of a volume on macOS:
- Endpoint Security APIs through the NOTIFY_MOUNT event.
- Disk Arbitration
- NSWorkspace notifications.

If we omit NSWorkspace for different reasons (headless, background context), this leaves only 2 choices. From what I'm reading and understanding, the NOTIFY_MOUNT event is just telling that a volume is being mounted. It does not guarantee that the volume is mounted at the time of the event. So this seems to leave only Disk Arbitration.

Since the Disk Arbitration API has been there for a long time, the question is: Is there a more modern API than Disk Arbitration to know when a volume has been mounted?
Post marked as solved
2 Replies
437 Views
In the online documentation for es_event_mount_t, there are 3 fields listed for the es_event_mount_t structure:
- statts
- es_statfs_t
- reserved

I only see 2 fields in Xcode 14 and 14+1 SDKs.

[Q] Is this a typo? If it is, I can file a feedback report.

In the documentation for es_event_mount_t, the documentation describes the statfs field as "The statistics of the mounted file system".

[Q] As the file system is not mounted yet in the context of an AUTH event, is it to be read as the "The future/request statistics of the mounted file system".

It's worth noting that the header documentation says:
The file system stats for the file system being mounted.
So it looks like the online documentation describes the field for the NOTIFY event and the header one for the AUTH event. This is a bit confusing.

In the documentation for es_event_remount_t, the documentation describes the statfs field as "The statistics of the remounted file system.".

[Q] As the file system is not remounted yet in the context of an AUTH event, is it to be read as the "The future/request statistics of the remounted file system"?

[Q] In the case of a mount update, the statistics look more like the current statistics of the file system not the requested updated ones. What are these statistics supposed to be in this case?

The header documentation says:
The file system stats for the file system being remounted
which in the case of an update does not really clearly say whether this is the current or future stats.
Post not yet marked as solved
0 Replies
310 Views
[Q] When a Network Extension is being upgraded/downgraded (and the .app Network Extension wrapper accepts it), what does macOS promise when it comes to the order of operations?
a) Will the "new" extension be only started when the running one is fully exited?
b) Will the "new" extension be started just after the first attempt to exit the running one has been triggered?

I have not found any official documentation about this (Apple dev website, quick search of WWDC video transcripts) so far.

From what I'm observing, macOS follows case b):
- there is an attempt to kill/terminate the running extension
- a watchdog is installed to check whether the extension is still running after x seconds.
- the system does not wait for the exit to be confirmed before launching the "new" extension.

So if there are issues killing/terminating the previously running extension, there can be 2 extensions running at the same time. Until the watchdog leads to a stronger attempt to exit the old extension.

[Q] What is the promise regarding the calls to startFilterWithCompletionHandler: and stopFilterWithReason:? Will the XPC message that calls startFilterWithCompletionHandler: be sent only when the previously running extension is fully exited? Or as long as stopFilterWithReason: from the previously running extension did complete, the XPC message will be sent?
Post not yet marked as solved
4 Replies
1.3k Views
I'm trying to figure out how to enable DNS-over-HTTPS or -TLS on macOS 12 or later when a NEFilterDataProvider is activated. From what I'm observing, this can not be done using a configuration profile as the DNS Settings will then appear as not running or disabled in the Network/Filters pref pane (using a MDM or not). Correct me if I'm wrong but, from what I'm understanding in the last answer of this thread, Private Relay (Oblivious DoH?) would not work either. [Q] Is it possible to configure DNS-over-HTTPS or -TLS at the system level when a NEFilterDataProvider is activated? If it is, how is it supposed to be done?
Post marked as solved
2 Replies
447 Views
[Q] In the method:

    - (NEFilterDataVerdict *)handleInboundDataFromFlow:(NEFilterFlow *)flow readBytesStartOffset:(NSUInteger)offset readBytes:(NSData *)readBytes;

of a NEFilterDataProvider subclass, if flow is a _NEFilterSocketFlow *, is it possible for the remoteEndpoint property of the socket flow to be something else than a NWHostEndpoint *?
Post not yet marked as solved
3 Replies
690 Views
Let's say there is a dylib whose source code is available in a repository of https://github.com/apple-oss-distributions. I can see a version/tag for this release in GitHub. Now I want to find which versions of macOS include this version of the dylib.

This requires to be able to tell which version of the lib is distributed with a specific macOS version. And this is already being a problem. If I create a small executable that is linked to this library and I use otool -L to see the version of the dylib, I get 1.0.0. Which definitely does not match a version/tag from GitHub. If I use dlopen and the mach-o/dylib.h APIs to find the version listed in the appropriate segment/section, I also get 1.0.0.

The next step I'm looking at is to spend some time to successfully build the dyld_shared_cache_util to extract the dylib from the cache and hope there will be more info. But, maybe, there is a document on Apple's website or a feature in the GitHub repository that I missed. So the question is: is there a simple way to get this info?
Post not yet marked as solved
6 Replies
927 Views
2 questions regarding conflict between DNS Proxy Providers and between DNS Proxy Provider and DNS Settings:

[Q#1] On macOS, is it possible to run 2 DNS Proxy Providers at the same time? I've seen posts about this but never a definitive official answer. And I didn't see any mention in the WWDC sessions or online documentation about this. I don't see how this could work correctly but…

[Q#2] On macOS, is it possible to run a DNS Proxy Provider and a DNS Settings at the same time? From what I'm seeing, activating a DNS Settings (through a .mobileconfig file) deactivates a running DNS Proxy Provider. Activating a DNS Proxy Provider deactivates the DNS Settings.
Post not yet marked as solved
3 Replies
847 Views
[Q] Is there a known issue with installd or PackageKit where installd would:
- try to use a trashed sandbox in /Library/InstallerSandboxes/
- fail to extract the embedded .pkg of a distribution to this sandbox (because the sandbox has disappeared in the meantime).
- report that the problem is that "Authorization is required to install the packages." (even though the installer(8) command was run via sudo).
- purge the invalid sandbox
- conclude the failed installation by suggesting to contact the software manufacturer.
?
Post marked as solved
1 Replies
1.1k Views
Context

The event handler of an xpc_connection_t object named myConnection is set and handles XPC_TYPE_ERROR objects:

    xpc_connection_set_event_handler(myConnection, ^(xpc_object_t object) { });

A message is sent using:

    xpc_connection_send_message_with_reply(myConnection, myMessage, myQueue, ^(xpc_object_t object) { });

The documentation for the well-known XPC_ERROR_ dictionaries and for xpc_connection_set_event_handler seems to suggest that all the errors received via the reply block will also be received by the event handler.

Question

Are there error cases where only the reply block of xpc_connection_send_message_with_reply will receive an XPC_ERROR_* object?
Post not yet marked as solved
2 Replies
1k Views
It looks like the UX for embedded LaunchDaemons is a "bit" broken in macOS 13.1 (at least). And the UX of the Login Items pane is also quite broken.

I have a simple app bundle with one launch agent and one launch daemon (both embedded).
- If I try to register the launch agent, it works.
- If I try to unregister it, it works.
- If I try to register the launch daemon, I can allow it using the system notification.
- If I try to register the launch daemon and close the system notification, I can't find a way to allow it in the Settings > General > Login Items pane. If I try to register it again, I don't get a system notification to allow it.
- If I try to register the launch daemon and close the system notification and I then try to register the launch agent, it fails and requires approval, which I can't grant because the system notification is AWOL.
- If I disable the entry in the Login Items pane for the app, usually, I see disabled items being added for the launch agent and launch daemon while the application is removed from the list.
- When I delete the app on disk, the entries sometimes stay in the Login Items pane, sometimes disappear. Sometimes, quitting Settings.app and opening it again solves the issue, sometimes it doesn't.
- If I try to click on the (i) button for either the Launch Agent or Launch Daemon entry, it does not show them in the Finder whereas the app is still there. The (i) button works correctly for an item in ~/Library/LaunchAgents.

Basically, the whole UX seems broken and is totally confusing for both the end user and the developer.

[Q] Is this how this is expected to work?
Post marked as solved
4 Replies
1.8k Views
I'm trying to create a very simple project where an application contains a helper application and the helper application is defined as a LaunchAgent by the main application.

So far, when I call agentServiceWithPlistName:, and then request the status, I get the value 3 (i.e. SMAppServiceStatusNotFound).

I checked that the main .app bundle did not have obvious issues:
- there is definitely a .plist in Contents/Library/LaunchAgents.
- the .plist definitely defines the BundleProgram value.
- there is definitely a .app helper application and the relative path pointed by the BundleProgram key looks definitely correct.

[Q] Are there some useful logs provided by the SMAppService APIs/framework that can provide an idea why a service is not found? I haven't seen any so far in Console.app.

I have not seen so far a hint in the documentation that would suggest that this SMAppService mechanism requires an app to be notarized or codesigned with a level above (Run locally).

Extra Question: Is there an official example for these new APIs?
Post marked as solved
1 Replies
709 Views
While checking the "Updating helper executables from earlier versions of macOS" (Ref. https://developer.apple.com/documentation/servicemanagement/updating_helper_executables_from_earlier_versions_of_macos), the first recommendation is to:
Install the helper executable within the app bundle, such as in Contents/Resources.

This is a bit surprising considering that, AFAIK, "Contents/Resources" has always been considered a bad location for executables.

[Q] Is this an error in the documentation or is putting the helper executables in the Contents/MacOS directory not recommended anymore?