I want to prevent the root user from uninstalling my EndpointSecurity System Extension.
I succeeded in denying this when he removes it with a Terminal command, by intercepting ES_EVENT_TYPE_AUTH_RENAME and ES_EVENT_TYPE_AUTH_UNLINK events and answering ES_AUTH_RESULT_DENY for the Extension's application in the /Applications folder.
However, when the user drags and drops the Extension's application to the Trash, he succeeds. More than that, it looks like I don't receive any event about it in the Extension.
Thanks.
Hi. I'm developing a System Extension that utilizes the EndpointSecurity API.
The problem is, the Extension gets killed for an unknown reason by different processes:
Nov 24 11:12:44 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[940]): Service exited due to SIGKILL | sent by nsurlsessiond[420]
Nov 24 11:31:26 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[936]): Service exited due to SIGKILL | sent by xpcproxy[1152]
Nov 24 11:39:37 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[1155]): Service exited due to SIGKILL | sent by xpcproxy[1232]
Nov 24 12:29:59 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[929]): Service exited due to SIGKILL | sent by sandboxd[1129]
Nov 24 12:29:59 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[929]): Service exited due to SIGKILL | sent by sandboxd[1129]
Nov 24 18:45:14 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[961]): Service exited due to SIGKILL | sent by log[1045]
Nov 24 19:31:33 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[937]): Service exited due to SIGKILL | sent by sandboxd[1029]
Nov 24 23:17:45 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[930]): Service exited due to SIGKILL | sent by sandboxd[1004]
Nov 24 23:32:10 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[1011]): Service exited due to SIGKILL | sent by helpd[928]
Before termination, I see such logs:
2020-11-24 23:19:27.560609+0200 0x2b00 Error 0x0 0 0 kernel: (EndpointSecurity) Client did not respond in appropriate amount of time (client pid: 930)
2020-11-24 23:19:27.560673+0200 0x297b Error 0x0 0 0 kernel: (EndpointSecurity) Client did not respond in appropriate amount of time (client pid: 930)
and then:
2020-11-24 23:19:27.781038+0200 0x2ae4		 Info				0x0									929		0		endpointsecurityd: (CoreAnalytics) [com.apple.CoreAnalytics:client] Dropping com.apple.endpointsecurity.timeout as it isn't used in any transform (not in the config or budgeted?)
I've checked the sequence number of every type of es_message; nothing looks dropped.
Could it be connected to the fact that the Extension was installed and started running on a VM, then a snapshot was taken, and it continued after the VM was restored from the snapshot?
Please help, thanks a lot!
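An added illustration, not the poster's code and not Apple sample code, of the two pieces these first two posts touch: the deny rule for AUTH_UNLINK/AUTH_RENAME under the protected bundle, checking both the rename source and the rename destination, and the deadline bookkeeping that avoids the kernel's "Client did not respond in appropriate amount of time" timeout, which is what precedes each SIGKILL in the launchd log above. The bundle path /Applications/MyESApp.app, the 0.5 s margin, the queue label and the placeholder policy work are all assumptions.

```objectivec
#import <EndpointSecurity/EndpointSecurity.h>
#import <Foundation/Foundation.h>
#import <mach/mach_time.h>
#import <string.h>

// Assumed values: the bundle this extension protects, and the safety margin
// kept in reserve before an auth message's deadline expires.
static const char *kProtectedPath = "/Applications/MyESApp.app";
static const uint64_t kDeadlineMarginNs = 500 * 1000 * 1000;   // 0.5 s

static es_client_t *gClient;
static dispatch_queue_t gDecisionQueue;   // serial: orders work vs. watchdog

// True if the path is the protected bundle itself or anything inside it.
static bool isProtected(const es_file_t *file) {
    if (file == NULL) return false;
    size_t n = strlen(kProtectedPath);
    if (file->path.length < n || strncmp(file->path.data, kProtectedPath, n) != 0) return false;
    return file->path.length == n || file->path.data[n] == '/';
}

// Nanoseconds left until the kernel stops waiting for this auth response.
static uint64_t nsUntilDeadline(const es_message_t *msg) {
    static mach_timebase_info_data_t tb;
    if (tb.denom == 0) mach_timebase_info(&tb);
    uint64_t now = mach_absolute_time();
    if (msg->deadline <= now) return 0;
    return (msg->deadline - now) * tb.numer / tb.denom;
}

// Does this unlink/rename touch the protected bundle? For a rename both ends
// matter: moving the bundle away (source) and writing into it (destination).
static bool touchesProtectedBundle(const es_message_t *msg) {
    switch (msg->event_type) {
        case ES_EVENT_TYPE_AUTH_UNLINK:
            return isProtected(msg->event.unlink.target);
        case ES_EVENT_TYPE_AUTH_RENAME: {
            const es_event_rename_t *ev = &msg->event.rename;
            if (isProtected(ev->source)) return true;
            if (ev->destination_type == ES_DESTINATION_TYPE_EXISTING_FILE)
                return isProtected(ev->destination.existing_file);
            return isProtected(ev->destination.new_path.dir);
        }
        default:
            return false;
    }
}

static void handleAuth(es_client_t *client, const es_message_t *msg) {
    // Fast path: a prefix compare, answered synchronously. cache=false so the
    // kernel re-asks on every attempt instead of caching a per-file verdict.
    if (touchesProtectedBundle(msg)) {
        es_respond_auth_result(client, msg, ES_AUTH_RESULT_DENY, false);
        return;
    }
    // Anything slower must still beat msg->deadline. The message is retained
    // (macOS 11+), policy work runs on a serial queue, and a watchdog answers
    // shortly before the deadline if the work has not finished. Exactly one
    // response is sent because both blocks run on the same serial queue.
    es_retain_message(msg);
    __block bool answered = false;
    void (^respond)(es_auth_result_t) = ^(es_auth_result_t r) {
        if (answered) return;
        answered = true;
        es_respond_auth_result(client, msg, r, false);
        es_release_message(msg);
    };
    uint64_t budget = nsUntilDeadline(msg);
    uint64_t fireIn = budget > kDeadlineMarginNs ? budget - kDeadlineMarginNs : 0;
    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)fireIn), gDecisionQueue, ^{
        respond(ES_AUTH_RESULT_ALLOW);   // fail open rather than be killed; policy choice
    });
    dispatch_async(gDecisionQueue, ^{
        // Placeholder for real policy work (hash lookup, reputation query, ...).
        respond(ES_AUTH_RESULT_ALLOW);
    });
}

static bool startClient(void) {
    gDecisionQueue = dispatch_queue_create("com.example.es.decisions", DISPATCH_QUEUE_SERIAL);
    es_new_client_result_t r = es_new_client(&gClient, ^(es_client_t *c, const es_message_t *msg) {
        if (msg->action_type == ES_ACTION_TYPE_AUTH) handleAuth(c, msg);
    });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
        NSLog(@"es_new_client failed: %d", (int)r);
        return false;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_UNLINK, ES_EVENT_TYPE_AUTH_RENAME };
    if (es_subscribe(gClient, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
        NSLog(@"es_subscribe failed");
        es_delete_client(gClient);
        return false;
    }
    return true;
}
```

The watchdog's ALLOW is deliberately the weaker choice shown here; a fail-closed DENY at the deadline is equally valid and should be decided per event type. What matters for the SIGKILL symptom is that some answer always reaches the kernel before msg->deadline, even when the extension's own work stalls, such as after a VM restore shifts the clock the deadline is measured against.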
Hi.
I'm trying to connect to my ES System Extension from its App using XPC.
The App code:
_connection = [[NSXPCConnection alloc] initWithMachServiceName:@"TeamID.ExtensionBundleId.xpc" options:NSXPCConnectionPrivileged];
[_connection resume];
The Extension code:
_connectionListener = [[NSXPCListener alloc] initWithMachServiceName:@"TeamID.ExtensionBundleId.xpc"];
_connectionListener.delegate = self;
[_connectionListener resume];
where TeamID and ExtensionBundleId are substituted with real values.
The listener's delegate in Extension conforms to NSXPCListenerDelegate.
Problem: the Extension's callback -(BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection is never executed.
Also tried setting NSEndpointSecurityMachServiceName in the Extension's plist to a custom name, without success.
What am I doing wrong?
Thanks.
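An added end-to-end sketch of the XPC pairing from this last post (example code, not the poster's or Apple's). The service name TEAMID.com.example.extension.xpc, the ExtensionControl protocol, the requirement string and the bundle identifiers are assumptions. It relies on two documented behaviours: NSXPCListener holds its delegate weakly, so the delegate object must be owned by something else, and NSXPCConnection connects lazily, so -listener:shouldAcceptNewConnection: is only invoked once the app sends its first message through a remote object proxy, never from -resume alone. It also checks the peer's code signature before exporting anything, with -setCodeSigningRequirement: on macOS 13 and a PID-based check (subject to PID reuse) on older systems.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed names. The Mach service must match NSEndpointSecurityMachServiceName
// in the extension's Info.plist; the requirement pins the app the extension
// is willing to talk to.
static NSString *const kMachService = @"TEAMID.com.example.extension.xpc";
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.app\" "
     "and certificate leaf[subject.OU] = \"TEAMID\"";

// Shared protocol; both targets compile the same declaration.
@protocol ExtensionControl
- (void)versionWithReply:(void (^)(NSString *version))reply;
@end

// Pre-macOS 13 fallback: validate the peer by PID. A PID can be reused between
// the lookup and the check, so this is best effort only.
static BOOL pidSatisfiesRequirement(pid_t pid, NSString *reqString) {
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributePid : @(pid) };
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString((__bridge CFStringRef)reqString,
                                       kSecCSDefaultFlags, &req) == errSecSuccess &&
        SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess) {
        ok = YES;
    }
    if (req) CFRelease(req);
    if (code) CFRelease(code);
    return ok;
}

// ---- Extension side --------------------------------------------------------
@interface ExtensionListener : NSObject <NSXPCListenerDelegate, ExtensionControl>
@property (nonatomic, strong) NSXPCListener *listener;
@end

@implementation ExtensionListener
- (instancetype)init {
    if ((self = [super init])) {
        _listener = [[NSXPCListener alloc] initWithMachServiceName:kMachService];
        _listener.delegate = self;   // weak reference: keep this object alive
        [_listener resume];
    }
    return self;
}

- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        // Kernel-backed check of the peer's audit token; no PID-reuse race.
        [conn setCodeSigningRequirement:kClientRequirement];
    } else if (!pidSatisfiesRequirement(conn.processIdentifier, kClientRequirement)) {
        return NO;
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ExtensionControl)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

- (void)versionWithReply:(void (^)(NSString *))reply { reply(@"1.0"); }
@end

// ---- App side --------------------------------------------------------------
static NSXPCConnection *connectToExtension(void) {
    NSXPCConnection *conn = [[NSXPCConnection alloc] initWithMachServiceName:kMachService
                                                                     options:NSXPCConnectionPrivileged];
    conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ExtensionControl)];
    conn.invalidationHandler = ^{ NSLog(@"extension connection invalidated"); };
    [conn resume];
    // -resume opens nothing by itself; the listener delegate on the other side
    // runs only when this first message goes out.
    id<ExtensionControl> proxy = [conn remoteObjectProxyWithErrorHandler:^(NSError *err) {
        NSLog(@"xpc error: %@", err);
    }];
    [proxy versionWithReply:^(NSString *version) {
        NSLog(@"extension version %@", version);
    }];
    return conn;   // the caller owns the connection for as long as it needs it
}
```

If the invalidation handler fires on the first call, the service name the app asked for is not registered, which points back at the Info.plist key and the exact string passed to the listener rather than at the delegate code.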