Hello,
We have several reports from users that our app loses its Full Disk Access permission after a reboot.
This is something we have not been able to reproduce internally, but it affects a noticeable number of users, running various versions of macOS: 11.7.2, 12.4, 12.6.2, 13.1, 13.2, 13.2.1, 13.3, 13.3.1.
We also noticed that we are not the only one affected by the issue:
https://community.norton.com/en/forums/resolve-repeated-norton-full-disk-access-prompt-when-you-open-norton-macos-13
https://kevinyank.com/posts/privacy-security-settings-reset/
Unfortunately, none of the workarounds described in those articles seems to work for our users in the long term.
Is this a known issue at Apple? Is there a workaround?
Thanks for your help.
Hello, I attempted to create a sample app using Endpoint Security. It works fine for ES_EVENT_TYPE_NOTIFY_OPEN events, but as soon as I subscribe to ES_EVENT_TYPE_AUTH_OPEN the Mac freezes, and Endpoint Security kills either my process or the user session. My sample code mutes ("trusts") every process that generates a notification during the first 30 seconds, then switches to blocking (AUTH) mode; that is where it fails. Is this expected?
#import
#import
@import Foundation;
@import OSLog;
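// Fatal-error helper for the sample. The original listing called `panic()`,
// which is a kernel symbol with no userland declaration, so it would not link
// as a command-line tool; log the reason and exit non-zero instead.
static void ESSampleFatal(const char *reason) {
    os_log_error(OS_LOG_DEFAULT, "EndpointSecurity : fatal : %{public}s", reason);
    exit(EXIT_FAILURE);
}

// Minimal Endpoint Security client, in two phases:
//   1. For the first 30 s, subscribe to ES_EVENT_TYPE_NOTIFY_OPEN and mute every
//      process seen opening a file.
//   2. Drop that subscription and subscribe to ES_EVENT_TYPE_AUTH_OPEN, allowing
//      every remaining event immediately.
//
// CAUTION (review): once this client is subscribed to an AUTH event, every open()
// anywhere on the system waits for this client's es_respond_auth_result(). Anything
// that keeps the client from answering before message->deadline -- a debugger
// breakpoint in the handler, a SIGSTOP, a stalled main thread, slow work in the
// handler -- stalls the whole machine, and ES terminates a client that misses the
// deadline. Keep the AUTH handler minimal; per-event os_log() in the AUTH path is
// acceptable for an experiment but not for a shipping product.
//
// SECURITY (review): phase 1 mutes any process that merely opened a file during the
// window -- the only "trust" criterion is timing. Muted processes are then invisible
// to the AUTH phase for the rest of their lifetime. A real product should gate
// muting on code-signing identity (or es_mute_path()), never on observation alone.
//
// Running this as a plain tool (rather than a system extension) requires the
// com.apple.developer.endpoint-security.client entitlement, root, and TCC approval;
// es_new_client() reports each of those as a distinct result code below.
int main(int argc, const char * argv[]) {
    @autoreleasepool {
        es_client_t *client = NULL;
        es_new_client_result_t newClientResult =
            es_new_client(&client, ^(es_client_t *client, const es_message_t *message) {
                switch (message->event_type) {
                    case ES_EVENT_TYPE_AUTH_OPEN:
                        os_log(OS_LOG_DEFAULT, "EndpointSecurity : Allowing event from : %{public}s : Open %{public}s", message->process->executable->path.data, message->event.open.file->path.data);
                        // Answer immediately. `cache = true` lets ES reuse this ALLOW for
                        // later opens of the same file, so they are not delivered again.
                        es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true);
                        break;

                    case ES_EVENT_TYPE_NOTIFY_OPEN:
                        os_log(OS_LOG_DEFAULT, "EndpointSecurity : trusting : %{public}s", message->process->executable->path.data);
                        // The mute is keyed on the audit token, so it applies to this
                        // process instance only; a failure here is worth knowing about
                        // because the process will then show up again in the AUTH phase.
                        if (es_mute_process(client, &message->process->audit_token) != ES_RETURN_SUCCESS) {
                            os_log_error(OS_LOG_DEFAULT, "EndpointSecurity : es_mute_process failed for : %{public}s", message->process->executable->path.data);
                        }
                        break;

                    default:
                        os_log(OS_LOG_DEFAULT, "EndpointSecurity : unexpected event type : %i", message->event_type);
                        // Only AUTH messages may be answered. The original code called
                        // es_respond_auth_result() unconditionally here, which is an API
                        // misuse for a NOTIFY message; gate it on the message's action type.
                        if (message->action_type == ES_ACTION_TYPE_AUTH) {
                            es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true);
                        }
                        break;
                }
            });

        // Map every es_new_client() failure to a diagnostic; only NOT_PERMITTED is
        // recoverable (the user has to grant approval in System Settings and retry).
        switch (newClientResult) {
            case ES_NEW_CLIENT_RESULT_SUCCESS:
                break;
            case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
                ESSampleFatal("Extension is missing entitlement.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
                ESSampleFatal("Extension is not running as root.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
                // The original returned 0 silently here, which made a missing TCC
                // approval indistinguishable from a clean exit.
                os_log_error(OS_LOG_DEFAULT, "EndpointSecurity : not permitted; grant the client Endpoint Security access in System Settings and run again.");
                return 0;
            case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT:
                ESSampleFatal("Invalid argument to es_new_client(); client or handler was null.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS:
                ESSampleFatal("Exceeded maximum number of simultaneously-connected ES clients.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_INTERNAL:
                ESSampleFatal("Failed to connect to the Endpoint Security subsystem.");
                break;
            default:
                // Newer SDKs may add result codes; never continue with a NULL client.
                ESSampleFatal("Unknown es_new_client() result.");
                break;
        }

        // Phase 1: observe-only subscription.
        es_event_type_t notifyEvents[] = { ES_EVENT_TYPE_NOTIFY_OPEN };
        if (es_subscribe(client, notifyEvents, 1) != ES_RETURN_SUCCESS) {
            ESSampleFatal("Client failed to subscribe to event.");
        }

        // Phase 2, after 30 s: swap the NOTIFY subscription for the AUTH one. The mutes
        // established in phase 1 are per-client and survive the re-subscription.
        dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(30 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
            os_log(OS_LOG_DEFAULT, "EndpointSecurity : Started blocking mode");
            es_unsubscribe_all(client);
            es_event_type_t authEvents[] = { ES_EVENT_TYPE_AUTH_OPEN };
            if (es_subscribe(client, authEvents, 1) != ES_RETURN_SUCCESS) {
                ESSampleFatal("Client failed to subscribe to event.");
            }
        });

        // The main run loop also drains the main dispatch queue, so the
        // dispatch_after block above fires from here. ES delivers messages on its
        // own queue, so the handler runs concurrently with this thread.
        NSRunLoop *runLoop = [NSRunLoop currentRunLoop];
        [runLoop run];
    }
    return 0;
}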