I've developed a Endpoint Security system extension, which will be installed in a container APP. I use XPC to send message from container APP to the ES client, it works fine. I have developed an Endpoint Security system extension that will be installed in a container app. I utilize XPC to send messages from the container app to the ES client, and it functions properly. However, when I attempt to send messages from the ES client to the container app, it always displays an error: 'Couldn’t communicate with a helper application.'. I have removed the sandbox capability of the container app and also employed the same app group for both the ES client and the container app. When an XPC client is connected, I use the following code in the ES client to establish two-way communication. - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection { newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(NXFileGuardXPCProtocol)]; NXFileGuardXPCService *xpcService = [NXFileGuardXPCService sharedInstance]; newConnection.exportedObject = xpcService; // To APP container client (As remote interface) newConnection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(NXFileGuardXPCClientProtocol)]; [newConnection activate]; self.containerAPPConnection = newConnection; return YES; } But it always fails. How can I deal with this error?

My role is developer in a development team. Now I want to distribute my Mac App to others by "Direct Distribution". I asked our team holder to apply for the Developer ID Application certification and Developer ID Installer certification, then import these certifications to my development Mac. But when I try to package my App, there is an error: [team id] does not have permission to create "Developer ID" provisioning profile. What is "Developer ID" provisioning profile? Should I ask my team holder to create a corresponding profile on Apple Developer site or should our team need subscribe to some Apple development service ?

I have developed an Endpoint Security extension which works with my normal Mac APP. For now, there are two independent projects, one is ES extension project, and the other is my normal APP. I want to distribute my APP as a pkg, so I need the ES extension in the package. I wonder to know what is the best way to package the ES extension with my normal APP? Should I add an Endpoint Security target in my normal APP project and copy the codes from ES project? Then, when user launch my APP, at some point, I need register the ES extension by OSSystemExtensionRequest?

I'm developing a system that uses an ES extension to control user file openings on Mac. When a user tries to open a file, the ES extension can either allow or deny the user from opening it. However, the policy for allowing/denying users to open files is managed by my normal Mac app. Therefore, the ES extension needs to proactively communicate with the normal app. Initially, I wanted to create an XPC service in my regular app, but according to the documentation, XPC services are managed by launchd and cannot be created by regular apps. So if I want my ES extension to communicate with the regular app proactively, what IPC method can I use?

I'm trying to display overlay on screen by following code: NSRect windowRect = [[NSScreen mainScreen] frame]; self.overlayWindow = [[NSWindow alloc] initWithContentRect:windowRect styleMask:NSWindowStyleMaskBorderless backing:NSBackingStoreBuffered defer:NO screen:[NSScreen mainScreen]]; [self.overlayWindow setReleasedWhenClosed:YES]; [self.overlayWindow setBackgroundColor:[NSColor colorWithCalibratedRed:0.0 green:1.0 blue:0.0 alpha:0.1]]; [self.overlayWindow setAlphaValue:1.0]; [self.overlayWindow setOpaque:NO]; [self.overlayWindow setIgnoresMouseEvents:NO]; [self.overlayWindow makeKeyAndOrderFront:nil]; self.overlayWindow.ignoresMouseEvents = YES; self.overlayWindow.level = NSScreenSaverWindowLevel; self.overlayWindow.collectionBehavior = NSWindowCollectionBehaviorCanJoinAllSpaces | NSWindowCollectionBehaviorCanJoinAllApplications; But when other APP enter full screen, the overlay disappears even I set the collectionBehavior with option NSWindowCollectionBehaviorCanJoinAllApplications. Is it possible to display a overlay on top of all other APPs?

When the user opens the "Save As" dialog, the Open and Save Panel Service will be launched by the system. Now I want to monitor the "Save As" operation in a user program, so is there an Endpoint Security event that I can use to monitor when the Open and Save Panel Service is launched? I've tested the ES_EVENT_TYPE_AUTH_EXEC event, but it did not work.

I'm using the ES framework to control files created by handling the event ES_EVENT_TYPE_AUTH_CREATE, but when a file is created by replacing the same name file, ES_EVENT_TYPE_AUTH_CREATE won't be reported. I've searched and tried the event ES_EVENT_TYPE_AUTH_EXCHANGEDATA, but it didn't work. Which event should I monitor for 'creating a file' by replacing a file with the same name?

I'm confuse about the loading condition of Finder Sync Extension. I want to run the Finder sync as a user agent service, so I use a command line tool project and added a Finder sync extension target in the project. But when I debug the extension in Xcode, select Finder to run, the init method of Finder sync class never called, I also check the Activity Monitor, there is no the Finder sync extension. But if I use a Cocoa APP, the Finder sync extension will load as normal. So what's the condition to run a Finder Sync Extension in Finder?

I'm using XPC to do IPC with an agent service. I use NSXPCConnection initWithMachServiceName to create the connection and active it. Then I get the agent service remote object proxy with method remoteObjectProxyWithErrorHandler. But when the agent service unloaded, I can also get the remote proxy without any error. Is there anyway to check XPCConnection really connect to a XPC server?

I mounted a 3rd file system on macOS, I want to monitor the copy event by Finder on this 3rd file system, so I use an Endpoint Security client. I know that ES_EVENT_TYPE_NOTIFY_CLONE will only be triggered by Apple File System clone operation. ES_EVENT_TYPE_NOTIFY_COPYFILE is triggered by the SYS_copyfile system call. If I want to monitor the copy/paste operation by Finder(The copy can happens in the 3rd file system or between 3rd and Apple File System), which ES event should I register?

I'm a bit confuse on the file permission between root and admin account. I'm developing the background user agent process, and I created the agent plist file with the permission R&W for my admin account. When I tried to load my agent process with launchd, it said the plist file permission is not right. Only after I change the plist file owner to root chown root my.plist, did everything work. From the above situation, it seems that the root user cannot access files that are only authorized to the admin user. Admin account also can't access files authorized only to root, unless you add sudo or enter the password when the request admin password box pops up. But by sudo or password, it just temporarily converts your account from admin to root account. So am I right in my speculation?

I'm finding a way to hook vnode operations, following is a snippet of the code: IOReturn FltIOKitKAuthVnodeGate::RegisterVnodeScopeCallback(void) { // // register our listener // this->VnodeListener = kauth_listen_scope( KAUTH_SCOPE_VNODE, // for the vnode scope FltIOKitKAuthVnodeGate::VnodeAuthorizeCallback, // using this callback this ); // give a cookie to callback if( NULL == this->VnodeListener ){ DBG_PRINT_ERROR( ( "kauth_listen_scope failed\n" ) ); return kIOReturnInternalError; } return kIOReturnSuccess; } Here use kauth_listen_scope to get the newly created vnode object, then will hook on it. But now kauth_listen_scope is deprecated, and there is no way to get the vnode by using EndpointSecurity. So is there any other way to get the newly created vnode object?

I'm currently trying to develop a transparent data encryption(TDE) system on MacOS 12.6.8. Our company has its own file encryption format. In order to facilitate safe and convenient file transfer between Windows and Mac platforms, we need to develop a TDE system on the Mac platform (on the Windows platform, we have developed such a system based on the Minifilter framework). I tried to implement this system using a MacFuse based file system and the Endpoint Security system extension, but found that this did not allow complete control of files on the Mac system. For example, when you use Finder to copy an encrypted file, the decrypted data will be copied out. I'm guessing this might be due to Finder or some other system process cache. By referring to the current product introductions of other companies, I learned that the current TDE systems on Mac systems are all based on kernel extension. But I noticed that Apple no longer encourages kernel extension development, and the Mac kernel has fewer and fewer APIs open to development. So I would like to ask is it still feasible to develop a TDE system based on the kernel extension?

I'm developing a encrypte&decrypt filesystem on Mac. I use MacFuse to realize this filesystem and mount it under a folder. By doing this I can hook the open file method when user are trying to open the encrypted file(such as A.rtf) under the mounted folder. Then I will decrypt A.rtf and generate a new decrypted file, let's call it as B.rtf. In the hooked open file method, I will return B.rtf file descriptor so that the user can open the decrypted file. All works fine, until I opend the encrypted file once and copy it. It seems Mac system directly using the decrypted cache data when doing copy, so the decrypted content will be copied. I tried add fcntl(fd, F_NOCACHE, 1); fcntl(fd, F_NODIRECT, 1) after int fd = open([p UTF8String], mode);, but it not work. So is there a way to clearly tell the Mac system, do not cache my data when open files?

I'm developing an APP on Mac. There will be some template sensitive file be decrypte during the user using it. I don't want my client see these files by Finder or Terminal, so I tried to mount a file system and store the decrypted folder under the filessystem, then don't return the contents of decrypted folder when filesystem call contentsOfDirectory. It works under my filesystem. But when user directly access these files by Finder(not from my filesystem mounted path), the files are still here can be seen by the user. Is there anyway to make my files hide from Finder? Such as Finder extension, or some special folder Mac offered to store these sensitive files?