Reply to CMSDecoderFinalizeMessage crashing with self-generated CMS message
I looked at the Darwin source Security-Security-60158.140.3. Following call stack:
CMSDecoderFinalizeMessage (CMSDecoder.c)
SecCmsMessageIsEncrypted (cmsmessage.c)
SecCmsContentInfoGetChildContentInfo (cmscinfo.c)
On lines 115, 119, 123 or 127 of SecCmsContentInfoGetChildContentInfo, if ptr is null, ccinfo will memory fault. The ptr value is checked on line 133, but this is too late. This would not solve my encryption, but at least a fix here would avoid the exception. In my situation it means one of the data ptrs is unexpectedly null. As the exception is only sent when signing & encrypting, I assume this is the SEC_OID_PKCS7_ENVELOPED_DATA case. Looking at CMSEncoderCopyEncodedContent (CMSEncoder.cpp) line 1310, we can confirm that signed data is enveloped in encrypted data. Following call stack:
CMSEncoderCopyEncodedContent
CMSEncoderUpdateContent
SecCmsEncoderUpdate
cmsSetupForEnvelopedData
SecCmsEnvelopedDataCreate
SecCmsContentInfoSetContentEncAlg
SECOID_SetAlgorithmID
I'm not sure exactly what is asserted in SECOID_SetAlgorithmID, but this might be a hint.
Sep ’22
Reply to CMSDecoderFinalizeMessage crashing with self-generated CMS message
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// mySigningCAIssuer / myEncryptCAIssuer: arrays of DER-encoded issuer names
// (kSecMatchIssuers), defined elsewhere in the original project.
static void testSignAndEncryptRoundTrip(NSArray *mySigningCAIssuer, NSArray *myEncryptCAIssuer)
{
    NSString *message = @"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.";
    NSData *rawData = [message dataUsingEncoding:NSASCIIStringEncoding];

    id signIdentity = nil;
    id encryptCertificate = nil;

    // Load signing identity
    NSDictionary *signQuery = @{
        (id)kSecClass: (id)kSecClassIdentity,
        (id)kSecMatchTrustedOnly: @YES,
        (id)kSecMatchIssuers: mySigningCAIssuer,
        (id)kSecReturnRef: @YES
    };
    CFTypeRef item = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)signQuery, &item);
    if (status == errSecSuccess) {
        signIdentity = CFBridgingRelease(item);
    }

    // Load encryption certificate
    NSDictionary *encryptQuery = @{
        (id)kSecClass: (id)kSecClassCertificate,
        (id)kSecMatchTrustedOnly: @YES,
        (id)kSecMatchIssuers: myEncryptCAIssuer,
        (id)kSecReturnRef: @YES
    };
    item = NULL;
    status = SecItemCopyMatching((__bridge CFDictionaryRef)encryptQuery, &item);
    if (status == errSecSuccess) {
        encryptCertificate = CFBridgingRelease(item);
    }

    // Export signed + encrypted data.
    // Recipients: the encryption certificate (a NULL recipient list would sign only).
    CFDataRef dataRef = NULL;
    status = CMSEncodeContent((__bridge SecIdentityRef)signIdentity,
                              (__bridge SecCertificateRef)encryptCertificate,
                              NULL,                            // eContentType: default (data)
                              false,                           // detachedContent
                              kCMSAttrSmimeEncryptionKeyPrefs,
                              rawData.bytes, rawData.length, &dataRef);
    NSData *encodedData = CFBridgingRelease(dataRef);
    [encodedData writeToFile:@"/Users/Shared/test-encrypted.p7m" atomically:YES];

    // Import encrypted data
    CMSDecoderRef cmsDecoderRef = NULL;
    status = CMSDecoderCreate(&cmsDecoderRef);
    status = CMSDecoderUpdateMessage(cmsDecoderRef, encodedData.bytes, encodedData.length);
    if (status == errSecSuccess) {
        status = CMSDecoderFinalizeMessage(cmsDecoderRef); // Exception is sent here when signing + encrypting
    }

    // Get content
    CFDataRef content = NULL;
    status = CMSDecoderCopyContent(cmsDecoderRef, &content); // nil is received when encrypting only - OK when signing only
    if (content) {
        CFRelease(content);
    }
    CFRelease(cmsDecoderRef);
}
Aug ’22
Reply to Deny uninstalling SystemExtension for root
About using an Agent as Extension Manager Delegate. I tried using an Agent (XPC Service) hosted in the System Extension’s host app. Then I have something like:
Container.app
  /Contents/Resources
  /Contents/Library/SystemExtensions/Extension.sysext
  /Contents/XPCServices/Agent.xpc
The agent cannot load the system extension (error ‘extension not found’). This seems coherent with the documentation stating that extensions are searched for at /Contents/Library/SystemExtensions from the main bundle. The XPC Service’s main bundle is the Agent.xpc above. However, I noticed that the OSSystemExtensionRequest has a nil attribute named _containingApplication; this looks like container app support is somehow planned. Also there’s an error OSSystemExtensionErrorUnsupportedParentBundleLocation in the framework which hints again at nested bundle support. Did I miss something? Is there a way to tell the SystemExtension Manager that it needs to look at the XPC’s container app bundle instead of its own bundle?
Jun ’22
Reply to Deny uninstalling SystemExtension for root
Yes, it is likely that root was used to mean admin. Standard users cannot disable SysExt so there’s no issue for them. MDM configuration profiles (user-accepted or DEP) can whitelist the SysExt but cannot prevent unloading. Maybe this is related to the complexity of integrating with Finder or other dynamic unloading/reloading of SysExt. Anyway, MDM policy could be a way to deal with it. SysExt delegate maybe also (to be seen which process would have to host the delegate). But my surprise is mainly that I should be able to deny moving app2 to trash if my SysExt is hosted in app1. This has worked for some time but fails as of 12.5. I filed a feedback, FB10168135. Regards, Jerome
Jun ’22
Reply to Deny uninstalling SystemExtension for root
Hi, I face the same issue. I noticed some behaviors:
- Terminal commands such as rm and mv are managed when rename or unlink/truncate events are denied.
- Finder usage (as described in your post) used to work for some time (Finder always triggers rename events) but is failing since 12.4 (and 12.5 betas).
- There’s no event for disabling the extension from System Preferences (kext events do not apply).
If somebody has some hint here, it is welcome. Regards, Jerome
Jun ’22
Reply to Captive portal screen is not appearing when first time connecting to wifi with System Extension
Hi sourabMIC, Looking at your rules, you allow all outgoing traffic to ports 80 & 443. Please note however that some captive portals might use 8443 or any other port - there are plenty of implementation variants. I'm not sure if you want to avoid some traffic, but please note that the macOS Captive Portal Assistant usually kicks in using a captive.apple.com host check. This might help you adjust the NENetworkRule, at least temporarily, to allow other ports.
Apr ’22
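Added example, not from the thread and not sourabMIC's actual rules (which are not shown here): a NEFilterDataProvider rule set in Swift that keeps outbound TCP 80/443 open, additionally allows captive.apple.com on any port so the Captive Portal Assistant's probe can complete, opens 8443 as one of the alternative portal ports the reply mentions, and drops everything else. Ports and hosts are illustrative choices.

```swift
import NetworkExtension

// Added example: builds the NEFilterSettings a content filter applies in
// startFilter(). Hosts and ports are illustrative, not the poster's rules.
enum CaptivePortalRules {
    /// Outbound TCP to any destination on one port ("0.0.0.0"/0 = any address).
    static func anyHost(port: String) -> NENetworkRule {
        NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: port),
                      remotePrefix: 0,
                      localNetwork: nil,
                      localPrefix: 0,
                      protocol: .TCP,
                      direction: .outbound)
    }

    /// One host on any port (port "0") and any protocol, so the probe still
    /// succeeds if the portal redirects to a non-standard port.
    static func anyPort(host: String) -> NENetworkRule {
        NENetworkRule(destinationHost: NWHostEndpoint(hostname: host, port: "0"),
                      protocol: .any)
    }

    static func settings() -> NEFilterSettings {
        let allowed: [NENetworkRule] = [
            anyHost(port: "80"),
            anyHost(port: "443"),
            anyHost(port: "8443"),                 // common portal variant (temporary)
            anyPort(host: "captive.apple.com"),    // macOS captive-network probe host
        ]
        let rules = allowed.map { NEFilterRule(networkRule: $0, action: .allow) }
        // Everything not listed above is dropped, as in the poster's setup.
        return NEFilterSettings(rules: rules, defaultAction: .drop)
    }
}

final class FilterDataProvider: NEFilterDataProvider {
    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        apply(CaptivePortalRules.settings()) { error in
            completionHandler(error)
        }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

Hostname rules only match flows whose remote hostname is known to the filter; if the portal's redirect target is an IP-only flow on another port, widen the port list rather than the host list.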