Thanks. I completely missed the defer verdict functionality. Makes complete sense; seems we get to decide whether or not to allow the flow even before it's opened a socket.
Following this helped a lot. One other thing I found is that building the project with the distribution provisioning profile through the Xcode GUI built successfully, and launching this through 'launchctl' worked fine with SIP enabled. However, attempting to build through the command line tool 'xcodebuild' failed when using the distribution provisioning profile, but not when using the test profile. Does anyone know why building through xcodebuild with distribution profiles fails?
Hi Todd2, thanks for the suggestion, but I've tried with normal HTTP and through Chrome. Source IP and port are always 0. This really sounds like a bug.
Hi Eskimo,

Thank you for your response. Btw I have acquired the proper endpoint security entitlement from Apple now, and I've tried both the former and latter approach in your last comment. Please could you elaborate on this a little. Do you mean that you can build your launch daemon as a command line tool and embed that into an app target, and place this built app in /Library/LaunchDaemons/

Or

create an app target, and build an "app" but with all the code that goes into the launchDaemon, and set this as a background app?

Or

something else. It's really not clear to me exactly what you mean by "app-like structure" or "create an app target for your daemon" or "remove all app-specific stuff".

Best Regards.
For reference, eskimo has responded in the new thread that I posted in the last comment
Hi Eskimo,

Could you please elaborate on this? I have a built launchDaemon and want to apply the endpoint security extension entitlements I downloaded from my Apple dev account. So far I've tried:

1) download the provisioning profile from the dev console.
2) extract the entitlements into a '.entitlements' file, via 'security cms -D -i securitytool.provisionprofile > securitytool.entitlements'
3) apply those entitlements with 'codesign --entitlements securitytool.entitlements -f -s "[APPLICATION_ID]" [BINARY]'

Result: es_new_client() is getting back 'ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED'

Please could you tell me step by step how to add valid entitlements to a built launch daemon? (I build offline on a different machine)

NOTE - I have asked this in its own thread: https://forums.developer.apple.com/message/407976#407976

Best Regards,
Rob
Hi Eskimo,

I've built an endpointSecurity extension into a launchDaemon. This worked on a development machine with SIP disabled. I now want to add the proper EndpointSecurity entitlement I obtained through Apple so I can run on machines with SIP enabled. However, this comes as a provisioning profile. Can we build a launch daemon with this provisioning profile?
Useful thing to know if anyone finds this - after turning off SIP ('csrutil disable' in recovery mode), you should use 'systemextensionsctl developer on' to allow the system extension to install from the build directory instead of /Applications.

I've also found that using 'systemextensionsctl reset' before using 'systemextensionsctl uninstall' can lead to an odd state where, when you install a network extension with the same name, it may not work correctly; the NSXPCConnection will fail to connect.

Also, strangely enough, after using 'systemextensionsctl uninstall', the extension will say something like 'uninstalled, will remove on reboot', but it won't actually be removed on reboot. It will eventually disappear from the list after some undetermined number of reboots. It's very odd behaviour and again can affect extensions with the same name.

The best thing to do is to use 'systemextensionsctl developer on' and never explicitly uninstall the extension, just rebuild and run to 'upgrade'.
Thank you Eskimo, that post was very useful.
For anyone finding this - please see this post for the answer: https://forums.developer.apple.com/message/403168#403168
Hi scknight,

I've done all of these things and I'm still getting a code signature error: https://forums.developer.apple.com/message/403291#403291

BR
thanks for the help, I've tried this. See https://forums.developer.apple.com/message/403291#403291
Thanks, have done so. Please see https://forums.developer.apple.com/message/403291#403291
Also note that the binary appears signed:

NOTE that I've tried in a fresh project too, but this is from attempting to add the endpointSecurity Extension into the FilterNetworkTraffic example that Apple provided.

'codesign -dvvv --entitlement :- [PATH_TO_APP]'

(output slightly obfuscated with _____)

Identifier=com.example.apple-samplecode.SimpleFirewall_______
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=2709 flags=0x0(none) hashes=76+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=58331fd900707ae49b2943de6dfc27b178cfbe34
CandidateCDHashFull sha256=58331fd900707ae49b2943de6dfc27b178cfbe347135ac15fb58bd7ce4e170c0
Hash choices=sha256
CMSDigest=58331fd900707ae49b2943de6dfc27b178cfbe347135ac15fb58bd7ce4e170c0
CMSDigestType=2
CDHash=58331fd900707ae49b2943de6dfc27b178cfbe34
Signature size=4746
Authority=Apple Development: ___________
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jan 23, 2020 at 10:34:54 AM
Info.plist entries=23
TeamIdentifier=_________
Sealed Resources version=2 rules=13 files=11
Internal requirements count=1 size=224
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>______.com.example.apple-samplecode.SimpleFirewallB75W84SR5U</string>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>_______</string>
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>_______.com.example.apple-samplecode.SimpleFirewall</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
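Added example (not from this thread or from Apple's tooling): a Python check that pulls the Entitlements dict out of a decoded provisioning profile and compares it against the entitlements a binary was actually signed with, as 'codesign -d --entitlements :-' prints them. The plist that 'security cms -D' decodes is the whole profile, so its Entitlements key has to be extracted before it is usable as a codesign entitlements file; the profile contents, bundle ID and team ID below are constructed placeholders.

```python
import plistlib
ES_CLIENT = "com.apple.developer.endpoint-security.client"

# Constructed sample of the plist that `security cms -D -i X.provisionprofile` decodes;
# real profiles carry more keys. TEAMID0000 and the bundle ID are placeholders.
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>TeamIdentifier</key><array><string>TEAMID0000</string></array>
  <key>Entitlements</key><dict>
    <key>com.apple.application-identifier</key><string>TEAMID0000.com.example.securitytool</string>
    <key>com.apple.developer.endpoint-security.client</key><true/>
    <key>com.apple.developer.team-identifier</key><string>TEAMID0000</string>
  </dict>
</dict></plist>"""

# Constructed sample of what `codesign -d --entitlements :- BINARY` prints for a
# build whose signature carries the identifiers but not the ES client key.
SIGNED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.application-identifier</key><string>TEAMID0000.com.example.securitytool</string>
  <key>com.apple.developer.team-identifier</key><string>TEAMID0000</string>
  <key>com.apple.security.get-task-allow</key><true/>
</dict></plist>"""

def profile_entitlements(profile_plist):
    """Return the Entitlements dict of a decoded provisioning profile."""
    return plistlib.loads(profile_plist).get("Entitlements", {})

def entitlements_file(profile_plist):
    """Bytes for the .entitlements file handed to codesign: the Entitlements dict alone."""
    return plistlib.dumps(profile_entitlements(profile_plist))

def check_es_entitlements(signed_plist, profile_plist):
    """Compare signed entitlements with what the profile grants; empty list means consistent."""
    signed = plistlib.loads(signed_plist)
    granted = profile_entitlements(profile_plist)
    findings = []
    if granted.get(ES_CLIENT) is not True:
        findings.append("profile does not grant " + ES_CLIENT)
    if signed.get(ES_CLIENT) is not True:
        findings.append("signature lacks " + ES_CLIENT + " (es_new_client reports ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED)")
    for key in ("com.apple.application-identifier", "com.apple.developer.team-identifier"):
        if signed.get(key) != granted.get(key):
            findings.append(f"{key}: signed {signed.get(key)!r} != profile {granted.get(key)!r}")
    # get-task-allow comes from debug signing, not from the profile, so it is not flagged
    for key in sorted(set(signed) - set(granted) - {"com.apple.security.get-task-allow"}):
        findings.append("signed entitlement " + key + " is not in the profile")
    return findings
```

On a real machine, feed it the output of 'security cms -D -i X.provisionprofile' and 'codesign -d --entitlements :- BINARY'. A matching signed entitlement is necessary but not sufficient: a restricted entitlement such as the ES client one is only honoured when the profile that grants it is also embedded in the bundle, which is why a bare command-line daemon needs the app-like bundle structure discussed above.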
Has anyone here solved this?