Hello, We have several reports from users that our app looses its Full Disk Access permission after reboot. This is something we have not able to reproduce internally, but that is affecting a noticeable amount of users, running various versions of macOS: 11.7.2, 12.4, 12.6.2, 13.1, 13.2, 13.2.1, 13.3, 13.3.1. We also noticed that we are not the only one affected by the issue: https://community.norton.com/en/forums/resolve-repeated-norton-full-disk-access-prompt-when-you-open-norton-macos-13 https://kevinyank.com/posts/privacy-security-settings-reset/ Unfortunately, none of the workaround described in those articles seems to work for our user on the long term. Is it an issue known by Apple? Is there a workaround? Thanks for your help.

Hello,I attempted to create a sample app using Endpoint Security. It's working ok for ES_EVENT_TYPE_NOTIFY_OPEN events. But as soon as I attempt to use ES_EVENT_TYPE_AUTH_OPEN, Endpoint Security is freezing the mac, and it either kill my process or the user session.I've performed a sample code that is trusting processes for each notification during 30 sec, then enable blocking mode. And it fails.Is it expected?#import #import @import OSLog; int main(int argc, const char * argv[]) { @autoreleasepool { // insert code here... es_client_t *client = NULL; es_new_client_result_t newClientResult = es_new_client(&client, ^(es_client_t * client, const es_message_t * message) { switch (message->event_type) { case ES_EVENT_TYPE_AUTH_OPEN: os_log( OS_LOG_DEFAULT , "EndpointSecurity : Allowing event from : %{public}s : Open %{public}s",message->process->executable->path.data, message->event.open.file->path.data); es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true); // Immediately allow events break; case ES_EVENT_TYPE_NOTIFY_OPEN: os_log(OS_LOG_DEFAULT , "EndpointSecurity : trusting : %{public}s",message->process->executable->path.data); es_mute_process(client, &message->process->audit_token); break; default: os_log(OS_LOG_DEFAULT , "EndpointSecurity : unexpected event type : %i",message->event_type); es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true); // Immediately allow events break; } }); // Handle any errors encountered while creating the client. switch (newClientResult) { case ES_NEW_CLIENT_RESULT_SUCCESS: // Client created successfully; continue. break; case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED: panic("Extension is missing entitlement."); break; case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED: panic ("Extension is not running as root."); break; case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED: // Prompt user to perform TCC approval. // This error is recoverable; the user can try again after // approving TCC. return 0; break; case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT: panic ("Invalid argument to es_new_client(); client or handler was null."); break; case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS: panic ("Exceeded maximum number of simultaneously-connected ES clients."); break; case ES_NEW_CLIENT_RESULT_ERR_INTERNAL: panic ("Failed to connect to the Endpoint Security subsystem."); break; } // Subscribe the client to the ES_EVENT_TYPE_NOTIFY_OPEN event. es_event_type_t eventTypes[] = { ES_EVENT_TYPE_NOTIFY_OPEN }; es_return_t subscribeResult = es_subscribe(client, eventTypes, 1); if (subscribeResult != ES_RETURN_SUCCESS) { panic ("Client failed to subscribe to event."); } dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(30 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{ os_log(OS_LOG_DEFAULT , "EndpointSecurity : Started blocking mode"); es_unsubscribe_all(client); // After 30 sec, replace ES_EVENT_TYPE_NOTIFY_OPEN by ES_EVENT_TYPE_AUTH_OPEN event. es_event_type_t eventTypes[] = { ES_EVENT_TYPE_AUTH_OPEN }; es_return_t subscribeResult = es_subscribe(client, eventTypes, 1); if (subscribeResult != ES_RETURN_SUCCESS) { panic ("Client failed to subscribe to event."); } }); NSRunLoop *runLoop = [NSRunLoop currentRunLoop]; [runLoop run]; } return 0; }

Hi,Since Network Kernel Extensions are deprecated, is it possible to use their replacement (Network Extension) with a Developper ID signed app?When I try to do so, my app is terminated because of "Unsatisfied entitlements: com.apple.developer.networking.networkextension"

Hi,Is there a way for a NEDNSProxyProvider to not handle a flow, without blocking the request?It NO / false is returned in -handleNewFlow:, it seems that the request is blocked.Alternatively, I could perform the DNS request using res_send (resolv.h), but if a do so, I get back the request in my proxy again…Thanks for your help