I got the permission from Apple (yay), and when I generate a profile on the portal, I can select it. But when I download it... it doesn't have it. Looking at the profile on the portal again, it says I have "Enabled Capabilities Endpoint Security, In-App Purchase". (Although how did that get there?)

Hello! After submitting two OSSystemExtensionRequest (let's say Endpoint and Network extensions), when the user allows only one (endpoint) extension, we receive request: didFinishWithResult callback for both manager delegates. This leads us to falsely believe that both our extensions are allowed. We tried to prevent this by using propertiesRequestForExtension where our (network) delegate will ask for properties, check if the given extension is enabled and then finish if it's ok. If it's not enabled, however, we receive no second callback when the user allows the other extension. We thought that we would need to submit another OSSystemExtensionRequest for the extension that wasn't allowed to receive a callback when it finally is. However, the second and all other consecutive requests immediately finish and we receive request: didFinishWithResult even when the user does not allow the second extension. Example: Endpoint and Network managers submit OSSystemExtensionRequest User only allows Endpoint extension Endpoint manager checks the properties, finds out it's enabled and finishes Network manager checks the properties, finds out it's disabled Network manager sends another OSSystemExtensionRequest Network manager immediately receives request: didFinishWithResult Network manager checks the properties, finds out it's disabled .... This loop ends when the user finally allows the network extension, when the manager finds out that it's enabled. Is there something we are missing? Shouldn't another OSSystemExtensionRequest finish with requestNeedsUserApproval. How should we go about this issue? Many thanks, Denis

I implemented a method to monitor the testfile copy activity and reject it using ES_EVENT_TYPE_AUTH_CLONE. The copy code used is as follows： NSFileManager *fileManager = [NSFileManager defaultManager]; NSError *error = nil; NSString *sourcePath = self.CopyFilePath.stringValue; NSString *destinationPath = [sourcePath stringByAppendingFormat:@"(Code copy file)"]; BOOL success = [fileManager copyItemAtPath:sourcePath toPath:destinationPath error:&error]; if (success) { NSLog(@"File copy successful"); } else { NSLog(@"File copy failure：%@", error.localizedDescription); } This code fires the ES_EVENT_TYPE_AUTH_CLONE event, and I treat the auth event as ES_AUTH_RESULT_DENY, but still create a new file testfile(Code copy file) How to prevent through code [fileManager copyItemAtPath: sourcePath toPath: destinationPath error: & error]; Implementation of the file copy

I downloaded the ES sys-ext sample project. I built the 'NOTIFY' extension, and I was able to install it. However, it doesn't seem to work (or - it doesn't report anything). This is what I did: I download the project I renamed the bundle IDs I disabled SIP I tried both signing options - let 'Xcode automatically manage signing', and I also tried to use my 'Developer ID' I moved the app to the Applications folder I grant the 'Full Disk Access' permission to the extension I verified that the extension is running I did not get the needed entitlement yet, but since SIP is disabled, I don't think it's a problem I did get the message 'Successfully installed the extension ✅' At the terminal, I tried to capture relevant logs: log stream --style compact --predicate 'sender == "myBundleId"' (I tried it with the app bundleID, and with the extension's bundleId) And yet, 'ps' triggers no logs. *At the Console, I get those messages: "Unsatisfied entitlements: com.apple.developer.endpoint-security.client" Disallowing: myBundleId amfid: Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=, unsatisfiedEntitlements=, NSLocalizedDescription=No matching profile found} Any idea where's the problem at?

Hey all! I have a System Extension that, while doing some other things, starts up my custom Network Extension via [NEProvider startSystemExtensionMode]. This Network Extension contains a class (let's call it MyDataProvider) that overrides the NEFilterDataProvider interface and implements handleNewFlow. MyDataProvider thus acts as a network content filter. The problem is that installing my System Extension on a Ventura 13.4 (or older) system and starting up the Network Extension seemingly drops any ongoing connection I have. For example, my ssh connection will hang. This makes it quite annoying attempting to install the System Extension remotely. I do not see this behavior for my other class that inherits the NEFilterPacketProvider interface. Is this behavior expected of the NEFilterDataProvider? It seems like a bug since I do not see any documentation stating this behavior.

I want to create a feature that monitors which USB devices my computer is using and lets me know what they are. If the USB storage device is connected to my MacOS device, I want to prevent it from being used. Is it possible to implement such a method using ESF framework? Or is there another way to do this?

Can I control the pasteboard when user try to Ctrl + v? There's no option or related event in endpoint security. I'm came up the 'method swizzling', but it doesn't seem like a good way. Plz help me..

Is it possible to use ESF framework without enrolling into Apple developer program? I wanted to try out ESF for learning purpose.

I encountered such a problem, when I am in macOS 10.15 this part, through monitoring ES_EVENT_TYPE_AUTH_EXEC ESF framework, if I double click on the start/Users/test/Downloads/test. The app, The path of test.app corresponding to message->event.exec.target-> Path. data in the ES_EVENT_TYPE_AUTH_EXEC event is under /private/var/folders. This prevents me from blocking the test.app startup in the /Users/test/Downloads/ directory through string matching.

My team has received a bit of instruction in the past about how to use ESClients for Endpoint Security tasks. The source suggested using multiple ESClients but not too many. I think the proposed limit was 40. The question is this: how can I determine what warrants a new ESClient? For example, consider an app that has 30 concurrent tasks of type A, a task of type B, a task of type C, and a task of type D. Should each task type gets its own ESClient? Should the tasks of type A be divided between multiple ESClients? Can you deliver any additional guidance on this?

I created a Endpoint Security the client, the System Extension have been normal load to/Library/SystemExtensions inside, and has been activated, but did not see the Extension to run, do you have who knows？

Hello there. We have an endpoint security service that consists of a command-line tool and a client app that bundles a network extension (the command-line tool runs as a daemon via Launch Services and communicates with the extension via XPC). It works when installed manually under all OS versions, and under MacOS 12.x (Monterey) and earlier when provisioned via MDM. However, beginning with some version of 13.x (Ventura), MDM provisioning is insufficient. The daemon is unable to connect to the extension via XPC. Under "Full Disk Access" in System Pref^H^H^H^HSettings, an entry for our component appears but the switch is off. Turning the switch on manually at this point does not change the situation; the daemon apparently remains unable to talk to the extension. It seems as though some additional entitlement or declaration is now needed in the MDM mobileconfig to make things work under 13.x and above, but after trying a multitude of combinations, I'm at a loss. Any hints?

Hi guys Following this topic : https://developer.apple.com/forums/thread/654443 I test this in macOS 14 beta, audit can't work now. Is it expected or a bug? If it is expected, is there any announcement ? Thank you! Command return error: sudo audit -i Error sending trigger: (ipc/send) invalid destination port

I wrote a program to receive the notify events from endpoint security framework. While logging into the workstation it generates ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN event. How to get the user id and other user info from this event.

I wrote a program to receive the notify events from endpoint security framework. ES_EVENT_TYPE_NOTIFY_AUTHENTICATION event is not notified/logged in any scenario. Please help me with the information on when does mac generate or notify this event.

Guys I'm the account holder of my company and we are working on a new EPP solution. Approx two months go I requested an Endoint Security entitlement so we can develop our product and then requested it again about a month ago. Is there a way to see what is the status of the request and whether this time frame is indeed the one we should expect? Thanks a lot!

Hello, As I understand it, the ES framework provides notifications for specific event types. For my question, auth events do not matter, as I'm not interested in allowing/denying events, just reporting. Is there a way to retrieve the information if an event was successful/failed from an ES message? So far, I have found nothing in this regard in the documentation. For example, under certain circumstances, I get two notifications if I try to delete a file via the Finder, for which administrator privileges are required. The first is when the authorization dialog appears (this notification is for the failed unlink event), and the second is when I enter the correct credentials and the file is deleted. Example for reproduction: Open a terminal and create a file in "/etc" with the command "sudo touch test.txt". Run the command 'sudo eslogger unlink | grep -E "test.txt"' to start monitoring UNLINK events for files named "test.txt". Open the folder "/etc" in Finder. Select the file "test.txt", click on "File" in the menu, and hold the option key pressed. Then select "Delete Immediately...". In the appearing dialog, click on "Delete". Before entering the administrator password, and while the credentials dialog is still open, observe that eslogger already reports an UNLINK event for this file. It reports the user information: "ruid":501,"euid":501,"rgid":20,"auid":501,"egid":20. Enter the administrator password to confirm the deletion of the file. Observe that eslogger reports a second UNLINK event for this file. This time with the user information: "ruid":0,"euid":0,"rgid":0,"auid":501,"egid":0. So, is there a way to check the first event for failure? Otherwise, I would need to check manually if the file is still there after receiving the first notification, if I only want to report events that "really" happened (excluding attempts).