Hi!
There are two fields in an ES message, global_seq_num and seq_num, which are described as a continuous number sequence unless the kernel is "dropping events" because the "kernel generated more events than the client could handle."
https://developer.apple.com/documentation/endpointsecurity/es_message_t/3684979-global_seq_num
https://developer.apple.com/documentation/endpointsecurity/es_message_t/3538607-seq_num
However, as we all know, the system will kill the ES client if a message is not answered within the deadline.
I have a lot of questions about this:
What is the "drop" actually? Is the event not delivered to the ES client by the kernel?
What does "client could handle" mean exactly? (I mean, the ES client will already have been killed if it can't respond to an event within the deadline.)
Are dropped events responded to by the system immediately, or do they wait for something?
Can only auth events be dropped, or notify events too?
What is the system resolution for dropped auth events? (allow, I guess)
What am I expected to do as a developer with these two fields: should I just log them and hope to find something out later, or can I react somehow at runtime if I encounter a break in the *seq_num sequence?
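One thing a client can do with these fields regardless of how the questions above are answered is detect the gap itself: a break in the sequence means the client has a blind spot in its telemetry, which matters for any security product built on ES. The following is an added example, not code from the poster or from Apple's framework. It assumes (per the linked documentation) that global_seq_num is contiguous per client across all event types and seq_num is contiguous per client per event type, and it uses a constructed stand-in struct and a constructed message stream instead of real es_message_t values, so it runs offline without the EndpointSecurity framework.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed: real ES has many more event types; this keeps the tracker small. */
#define EVENT_TYPE_COUNT 8

/* Constructed stand-in for the three es_message_t fields the tracker needs. */
typedef struct {
    uint32_t event_type;      /* assumed index into the per-type table */
    uint64_t global_seq_num;  /* assumed contiguous per client */
    uint64_t seq_num;         /* assumed contiguous per client, per event type */
} sample_msg_t;

typedef struct {
    bool     have_global;
    uint64_t last_global;
    uint64_t global_dropped;                 /* events inferred missing overall */
    bool     have_type[EVENT_TYPE_COUNT];
    uint64_t last_type[EVENT_TYPE_COUNT];
    uint64_t type_dropped[EVENT_TYPE_COUNT]; /* events inferred missing per type */
} seq_tracker_t;

void seq_tracker_init(seq_tracker_t *t) { memset(t, 0, sizeof *t); }

/* Observe one message. Returns how many events are inferred missing between
 * the previous message and this one (0 = the stream is still contiguous).
 * The first message of each sequence only sets the baseline. */
uint64_t seq_tracker_observe(seq_tracker_t *t, const sample_msg_t *m) {
    uint64_t missing = 0;
    if (t->have_global && m->global_seq_num > t->last_global + 1) {
        missing = m->global_seq_num - t->last_global - 1;
        t->global_dropped += missing;
    }
    t->have_global = true;
    t->last_global = m->global_seq_num;

    if (m->event_type < EVENT_TYPE_COUNT) {
        uint32_t et = m->event_type;
        if (t->have_type[et] && m->seq_num > t->last_type[et] + 1)
            t->type_dropped[et] += m->seq_num - t->last_type[et] - 1;
        t->have_type[et] = true;
        t->last_type[et] = m->seq_num;
    }
    return missing;
}

/* Constructed stream: two event types, one gap in each (global 105-106 missing,
 * type 0 seq 13 missing, type 1 seq 42 missing). */
static seq_tracker_t run_constructed_stream(void) {
    static const sample_msg_t stream[] = {
        {0, 100, 10}, {1, 101, 40}, {0, 102, 11}, {0, 103, 12},
        {1, 104, 41}, {0, 107, 14}, {1, 108, 43},
    };
    seq_tracker_t t;
    seq_tracker_init(&t);
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++) {
        uint64_t gap = seq_tracker_observe(&t, &stream[i]);
        if (gap)  /* in a real client this is where you would log or alert */
            printf("gap before global_seq_num %llu: %llu event(s) missing\n",
                   (unsigned long long)stream[i].global_seq_num,
                   (unsigned long long)gap);
    }
    return t;
}

uint64_t demo_global_dropped(void) { return run_constructed_stream().global_dropped; }

uint64_t demo_type_dropped(uint32_t et) {
    seq_tracker_t t = run_constructed_stream();
    return et < EVENT_TYPE_COUNT ? t.type_dropped[et] : 0;
}

int main(void) {
    printf("total dropped: %llu, type0: %llu, type1: %llu\n",
           (unsigned long long)demo_global_dropped(),
           (unsigned long long)demo_type_dropped(0),
           (unsigned long long)demo_type_dropped(1));
    return 0;
}
```

In a real client the observe call would sit in the es_new_client handler block, reading the fields from the es_message_t it receives; the per-type counters tell you which event stream lost coverage, which is the useful fact to record alongside the raw numbers.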
Hi!
I have a per-app VPN in the form of a PacketTunnelProvider with bundle id rules.
I have a service application (not from the App Store), which resides in /Library/Application Support/.../SomeOtherBundle.app/.../ServiceApplication.app
There is a mechanism which periodically updates SomeOtherBundle.app together with ServiceApplication.app.
Sometimes after such an update, ServiceApplication.app can't access the VPN; its traffic is just not being forwarded to the tunnel.
After some research, I found that the reason for this is that the system is not aware of the new version of the ServiceApplication.app binary, and it doesn't really rely on the bundle id but instead on the Mach-O UUID. Only the old Mach-O UUID is known to the system, so the new version of my app is not accounted for and not routed to the tunnel.
The question is: how do I notify the system about my app update so it will route it correctly?
Hi there!
I know there was an update that allows one to develop using DriverKit without requesting entitlements for development.
Unfortunately, it seems that the block-storage-device capability is the only one missing from the list, so it can't really be added and used.
Is it expected or a bug?
Hi there!
There was a presentation on SCSI support in DriverKit at WWDC 2020: https://developer.apple.com/videos/play/wwdc2020/10210/
Currently, Xcode 12.4 (the latest) has nothing regarding SCSI in the DriverKit folders.
The documentation says it is still in beta: https://developer.apple.com/documentation/scsicontrollerdriverkit
So I downloaded the Xcode 12.5 beta, where the DriverKit 20.4 beta resides (according to https://developer.apple.com/support/xcode/).
And what do we have there? Just
Kernel.framework/Versions/A/Headers/DriverKit/IOReturn.h
65:#define sub_iokit_scsi err_sub(16)
And nothing more!
So the question is: do we have any way to use SCSI devices now on Big Sur? Could I develop something for it with DriverKit, or should I use the kext approach for now and wait for SCSI DriverKit support to actually be released?