Thank you a lot for all this information.

Thank you for all your tips. I found the way to get exclusive access to USB Devices and this helped to avoid using device by other clients. However, the problem is that my application must be the first. Otherwise kIOReturnExclusiveAccess is returned if another client refuses IOUSBInterface closing. Endpoint Security is a very powerful framework. However, are there any way to open enhancement request for Endpoint Security? I believe, it would be great to have something like driver filter. Such functionality will allow to develop applications, which prevents data breaches, much more easily. Many 3rd party apps implement their own data transfer solution, typically by having the iOS app run a web server which the mac can then connect through and upload to through Safari. Thank you for this valuable comment. I will investigate this separately. I am very grateful for your assistance.

Thank you a lot for response! Starting with the bottom line question first, the big question I'd ask here is what you're actually trying to block and why. I'm not sure there is any good way to block "everything" at the USB layer and unless you that's REALLY what you want. The customers wants to have such possibility in DLP system. Criteria to block is device properties ( e.g. productId, vendorId etc.) I found solution which is based on USBDeviceReEnumerate() and it alows to unplug the device. ( see 'https://developer.apple.com/forums/thread/741051'). However, using USBDeviceReEnumerate() leads to looping because the system tries to plug the device again and again. Are there any way to avoid this looping? Is it safe if application constantly calls USBDeviceReEnumerate()? Strictly speaking, it is possible to block USB devices through the IOKit stack. You an use either of those user clients to obtain exclusive access, at which point "no one else" will be able to communicate with the device. Thank you! It sounds very interesting. I will investigate this possibility.

Thank you a lot for your help, clear-cut explanation and example.

The second solution is to move all initialisation from main() to class which implements the protocol NSApplicationDelegate into the method applicationDidFinishLaunching. I suppose this solution is recommended. Thank you again!

Hello Kevin, The most part of application is written on C++ due to a lot of cross platform code. The entry point is main() where CFRunLoopRun() is called. AppKit framework is called by C++ via wrapper class around an Objective-C (pimpl idiom). The goal is to get icon of app which is currently active. Looks like the only correct way to approach the problem is to start the main event loop via NSApplication. I did the following modifications: Replaced the call CFRunLoopRun() to [[NSApplication sharedApplication] run] in main(). Added check [[NSRunningApplication currentApplication] isFinishedLaunching]. Looks like this solution works. Thank you a lot for your help and time! I learned a lot of valuable things.

Thank you for the help! You said it's a launch agent, but will it present any kind of UI or is it intended to be completely invisible to the user? There is no any UI implementation. This is background process. What does your component actually "do"? The call CGImageForProposedRect is triggered by NSWorkspaceDidActivateApplicationNotification event. NSWorkspaceDidActivateApplicationNotification handler is triggered if IDE(not Xcode) gets focus immediately after starting app under debugger. Looks like DidActivateApplicationNotification is received before application is launched. Is it expected behavior?

First off all thank you a lot for your response and help. How "immediately" do you mean? This happens VERY early in apps lifetime. Process starts separate thread which triggers CGImageForProposedRect. How exactly are you running your app? Looks like this happens only under debugger which launches app "directly" (executing it's binary). This process is planned to run as launch agent (app bundle). I am afraid I can not check the fact of finishing app launching because app does not rely on NSApplication(https://developer.apple.com/documentation/appkit/nsrunningapplication/1532002-finishedlaunching?language=objc) Are there any other way to check the application is established all necessary connections with system daemons? Nothing interesting in console log was found. Thank you!

Thank you a lot for clear cut explanation and tips!

Thank you a lot for your help. Let's say FilterDataProvider makes a filtering decision for a three new flows. The flow #1 is paused (handleOutboundDataFromFlow returned pauseVerdict) until data is analyzed to make a desision. Will FilterDataProvider receive data of flows #2 and #3 in handleOutboundDataFromFlow while the flow #1 is paused?

Thank you for confirmation that this is impossible.

Looks like this new framework implements functionality which I was looking for. SCScreenshotManager is promising. Thank you a lot for your help!

Thank you for clear cut explanation!

thank you a lot!

Thank you for the answer! Yes, the ES is being planned to be used in daemon. As far as I know the number of ES clients is limited by the system. Are there any constant which defines this number? (headers) Can I create several ES clients in my daemon? Are there any limitations like a races in case of calling es_subscribe()/es_unsubscribe() in running client? Can I manage subscription by a fly? Can I use posix mutexs in functions which are called inside the block? Should we take care of signals while being in the block? Can/should we block some? Can we fork a new thread/process out of the block? Thank you for support!