I have a macOS app that installs an endpoint system extension. After the user clicks "Allow" to allow it to be installed, the user must still scroll up to the "Full Disk Access" section and enable full disk access for the system extension.
It is easy for the user to forget to do this.
Is there an API (or other easy way) for the installing app to check whether the endpoint system extension has been granted full disk access?
I would like to display some big message in the GUI saying "You must enable Full Disk Access" until they do.
A few weeks ago I had problems with provisioning profiles for some macOS programs, so I deleted/revoked a bunch of certificates and provisioning profiles and started from scratch. (Everything seems to be working for me)
Unfortunately, a co-worker had two programs on his machine that were built with the old, test provisioning profiles with the revoked certificates, and it seems this may be preventing him from deleting the system extensions.
The apps have been deleted, but that does not delete the system extensions. I installed a new program that programmatically (tries to) uninstall the system extension, but it doesn't seem to work either.
When he reboots his computer, macOS pops up a window showing that the extensions may be malware. If he clicks "Show in Finder" and then tries to delete the system extensions from the Finder, he gets the message:
The operation can't be completed because you don't have permission to access some of the items.
Is it possible to delete the old system extensions that were installed with the old provisioning profiles? Are there multiple files that need to be deleted (e.g., the system extension and a .plist file somewhere)?
Post not yet marked as solved
I have an app that installs an endpoint system extension, and I have the app notarized.
I can install the endpoint system extension and enable Full Disk Access fine on
Ventura, Apple Silicon
Sonoma, Apple Silicon
But I cannot enable Full Disk Access on
Ventura, Intel
In System Settings, when I try to slide toggle switch on to enable full disk access, the toggle slides right back to off.
In previous development versions, I could enable Full Disk Access on the Intel machine.
Any idea why I cannot enable Full Disk Access on Ventura/Intel for my endpoint system extension in my notarized app?
One additional observation, the name displayed in the Full Disk Access section is different between the Apple Silicon and Intel Macs.
On Apple Silicon, only the final part of the Bundle ID is shown in Full Disk Access:
endpointagent
On Intel, the full Bundle ID is shown:
com.MyCompany.MyApp.endpointagent
Don't know if it matters, but I thought I'd point that out.
I have an endpoint system extension that monitors exec system calls. It works fine, but I have to follow a very specific order when installing it.
When I (the user) click to install, I get the option to open System Settings. There, I am presented with an option to "Allow" the endpoint application.
If I:
(1) click "Allow"
and then
(2) enable full disk access
The application runs but doesn't get exec events.
Console shows the error message
Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access
Even after enabling full disk access (after allowing the extension to be installed), I do not get the exec events.
To resolve this, I have to uninstall the endpoint system extension and reinstall it.
(Note: If I first grant full disk access and then allow the endpoint system extension to be installed, everything works fine, but I suspect most users will now follow this happy path.)
Is there a way to smooth this out, so that once full disk access is granted, the endpoint system extension gets events without needing to uninstall and reinstall the endpoint agent?
Post not yet marked as solved
I would like to release a Mac app through the Mac App Store that is free.
However, I would like to add new functionality in a future software update that is enabled through an in-app purchase.
I reviewed the App Store Review Guidelines, and I did not see any prohibitions to this approach (initially free, later add new functionality enabled by an in-app purchase).
If anyone knows of any rules or policies that I missed that would prohibit this, I would appreciate a heads up on it.
Thanks!
I am adding unit tests to an existing SwiftUI project, and I've discovered the main 'App' struct's init() function is being called automatically before the individual test functions are run.
(1) Is this expected behavior?
(2) Is there a way to disable the App struct's init() from being called when running unit tests?
In my use case, the App struct's init() does some initialization, including network activity, that I would prefer not happen during unit tests.
Below is simplified version of what I am seeing beginning with the App struct:
import SwiftUI
import os.log
@main
struct MyTest2App: App {
init() {
os_log("===== In MyTest2App.init() =====")
}
var body: some Scene {
WindowGroup {
ContentView()
}
}
}
Here is an example of a struct that I want to exercise in a unit test:
import Foundation
struct Foo {
var name: String
var count: Int
init(name: String, count: Int) {
self.name = name
self.count = count + 1
}
}
Here is a unit test file:
import XCTest
final class MyTest2Tests: XCTestCase {
override func setUpWithError() throws {
}
override func tearDownWithError() throws {
}
func testExample() throws {
let foo = Foo(name: "Apple", count: 3)
XCTAssertEqual(foo.count, 4)
}
}
Here is part of the output console. The first line is the output from the App struct's init() function:
2023-09-27 10:41:26.798791-0700 MyTest2[66138:9429362] ===== In MyTest2App.init() =====
2023-09-27 10:41:26.869966-0700 MyTest2[66138:9429362] ApplePersistenceIgnoreState: Existing state will not be touched. New state will be written to /var/folders/yg/vfstql350kqgzp17lmh11jg80000gn/T/com.ennetix.MyTest2/com.ennetix.MyTest2.savedState
...
I have a network system extension that sends flow records to my GUI app, and I saw an unusual string (%awdl0) appended to the local and remote IPv6 addresses in flow records from the UniversalControl program on my Intel iMac Pro.
fe80::f42d:14ff:fe38:7db7%awdl0
fe80::18d7:9bff:feae:2e32%awdl0
Any idea why the suffix is appended to the IPv6 address and what it means?
Here are more details about the event:
{
"localPort" : "56604",
"socketProtocol" : 6,
"version" : 0,
"programLastComponent" : "UniversalControl",
"localName" : "fe80::f42d:14ff:fe38:7db7%awdl0",
"time" : 716847716.50096297,
"socketType" : 1,
"remotePort" : "57968",
"socketFamily" : 30,
"procInfo" : {
"path" : "\/System\/Library\/CoreServices\/UniversalControl.app\/Contents\/MacOS\/UniversalControl",
"lastComponent" : "UniversalControl",
"teamId" : "",
"signingId" : ""
},
"timeStr" : "2023-09-19T20:21:56Z",
"remoteName" : "fe80::18d7:9bff:feae:2e32%awdl0",
"pid" : 667,
"webHost" : "",
"webUrl" : ""
}
And here is the flurry of flows reported including their ports:
Post not yet marked as solved
I have an app that uses Apple's Endpoint Security system extension to collect a number of events including authentication events.
I've noticed AKD (Apple Keychain Daemon?) generates fail authentication events when I unlock my Mac with either Touch ID or password. I don't think I've ever seen it succeed.
Does anyone know what AKD is trying to authenticate and why it is failing?
Should I mask these out from being shown, or are there cases where AKD authentication will matter?
Hardware: MacBook Pro with M1
OS: macOS 13.5.2
Device is configured stand-alone (not a managed device)
Looking at the certificate chains for various binaries (using Apple's APIs or codesign --vvd) shows several patterns for the common names.
I am wondering why some code has the structure
Apple Root CA
Developer ID Certification Authority
Developer ID Application: Google LLC (EQHXZ8M8AV)
while others have the pattern
Apple Root CA
Apple Worldwide Developer Relations Certification Authority
Apple Mac OS Application Signing
Note, the second pattern does not include an organizational name.
Why is there a difference?
Is the second pattern an older pattern and the first (with the organization name) the new pattern?
(There are other certificate patterns like for Apple's binaries and development code I am testing)
I ran into a strange situation (bug?) today trying to resize the relative height of two views in a VStack on macOS. I accomplished this by inserting a thin rectangle between the two views and applying a DragGesture to it. It works fine... until it doesn't. It takes a lot of changing of the view heights before I hit the bug, but if I drag & release enough times, I will eventually hit it.
At some point, the code goes into an infinite loop and the program effectively freezes. os_log() is showing the .onChange value.height continuously flip flopping between -0.25 and +0.25.
I found a kludge/work-around. If the onChange's absolute value is less than 1, I don't update the frame hight. Then the code runs like a champ.
Am I doing something wrong? Is this a bug I should file?
Here is the SwiftUI test code:
import SwiftUI
import os.log
struct ResizableViews: View {
@State private var height: CGFloat = 200
let minHeight:CGFloat = 30
let maxHeight: CGFloat = 400
var body: some View {
Group {
VStack (spacing: 0) {
Rectangle()
.fill(Color.blue)
.frame(height: height)
// The draggable rectangle/handle
Rectangle()
.background(Color.gray)
.frame(height: 10)
.gesture(
DragGesture()
.onChanged { value in
os_log("CHANGE \(value.translation.height)")
// abs() > 1 is a kludge to avoid infinite loop
// with value changes flipping between -0.25 and
// 0.25
if abs(value.translation.height) >= 1 {
let tmpHeight = height + value.translation.height
height = min(max(tmpHeight, minHeight), maxHeight)
}
}
.onEnded{ value in
os_log("END \(value.translation.height)")
}
)
Rectangle()
.fill(Color.red)
}
}
}
}
Here is the console output showing the value.translation.height flip flopping between -0.25 and +0.25.
Hardware: MacBook Pro with Apple M1 Pro
OS: Ventura 13.5.1
I ran into a strange problem during development this morning. When trying to install my Endpoint and Network System Extensions (something I was able to do yesterday, and many times before), my Mac is prompting me to enable Kernel Extensions.
Right before this happened, I had problems deleting the previous version of the apps from the /Applications folder (it took many tries). This too was unusual.
After agreeing to allow the installation of my Endpoint System Extension, I was greeted with this previously unseen message and button:
When I click "Enable System Extensions...", and I am greeted with this alert:
I also ran into this problem when trying to install my Network System Extension.
Anyone have any idea how I screwed up my system?
Anyone know how to return it to normal behavior?
System: Mac Studio 2022
OS: Ventura 13.4.1
(I'm thinking of re-instaling Ventura this evening; would prefer not to)
I have a regular GUI-based app that communicates with an Endpoint System Extension installed by another app.
Both the GUI app and Endpoint System Extension have the same Team ID and are part of the same App Groups.
But I still need to do one of the following to the GUI-based app to allow it to communicate with the Endpoint System Extension over XPC:
Disable the sandbox
Add com.apple.security.temporary-exception.mach-lookup.global-name to entitlements
For some reason I thought there was another way to resolve this. Am I missing anything?
(My goal is to allow an app distributed through the Mac App Store to communicate with my Endpoint System Extension if it exists, and I am worried about the "temporary-exception" entitlement needed to support this.)
If I distribute an app through the Mac App Store that includes a Network Extension that must be installed (and getting the user's permission in the process), and later I submit an update to the app (although no changes to the network extension piece) through MAS, will the user need to re-install the Network Extension?
That is, does updating an app with that has a Network Extension remove the previous Network Extension from the system?
I noticed jq (installed from Homebrew) has an ad hoc signature and is rejected by spctl but runs fine. I don't remember ever being prompted by my Mac as to whether this binary should be allowed to run.
I repeated the experiment with another binary (aescrypt) downloaded from Homebrew.
Should Gatekeeper prevent these binaries from executing until I intervene?
Is there any online documentation explaining the conditions that allow some binaries that are rejected by spctl and have no signature chain rooted at Apple to execute?
(Or am I just not understanding how to use Gatekeeper and spctl?)
codesign analysis:
% codesign -vvd /opt/homebrew/bin/aescrypt
Executable=/opt/homebrew/Cellar/aescrypt/0.7/bin/aescrypt
Identifier=aescrypt
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=545 flags=0x20002(adhoc,linker-signed) hashes=14+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none
And checking spctl analysis:
% spctl --assess -vvv /opt/homebrew/bin/aescrypt
/opt/homebrew/bin/aescrypt: rejected
IIRC, when Apple introduced the new Network Extension and Endpoint Security system extension architectures, apps with Network Extensions in their bundle had to be distributed through the Mac App Store, whereas apps with Endpoint Security extensions could not be distributed through the Mac App Store (or vice versa).
I can no longer find language on such restrictions.
Can I distribute an app with both a Network Extension and an Endpoint Security extension in the same app bundle via the Mac App Store?
Todd_at_Ennetix.