Hello,
I don't manage to establish a connection between my Endpoint security system extension and my application.
The following command always returns nil:
NSConnection *conn = [NSConnection connectionWithRegisteredName:serverName host:nil];
It works from a FinderSync extension, so I'm sure that the server part (my application) is working.
I have "NSLogged" the "serverName", so I'm sure that it's correct.
Here is the entitlements of the app:
% codesign -d --entitlements :- /Applications/myApp.app
Executable=/Applications/myApp.app/Contents/MacOS/myApp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http...PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>123ABCDEFG.a.b.c.d</string>
	</array>
</dict>
</plist>
The entitlements of my Extension:
% codesign -d --entitlements :- /Users/myuser/Library/Developer/Xcode/DerivedData/myApp-hjadpvvlcxmludafetdemwmwwglv/Build/Products/Debug/a.b.c.d.myAppLS.Extension.systemextension
Executable=/Users/myuser/Library/Developer/Xcode/DerivedData/myApp-hjadpvvlcxmludafetdemwmwwglv/Build/Products/Debug/a.b.c.d.myAppLS.Extension.systemextension/Contents/MacOS/a.b.c.d.myAppLS.Extension
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http...PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.application-identifier</key>
	<string>123ABCDEFG.a.b.c.d.myAppLS.Extension</string>
	<key>com.apple.developer.endpoint-security.client</key>
	<true/>
	<key>com.apple.developer.team-identifier</key>
	<string>123ABCDEFG</string>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>123ABCDEFG.a.b.c.d</string>
	</array>
	<key>com.apple.security.get-task-allow</key>
	<true/>
</dict>
</plist>
So, both belong to the same app group.
I'm able to start the extension successfully:
% systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
*	123ABCDEFG	a.b.c.d.myAppLS.Extension (1.0/1)	myApp LS Extension	[activated enabled]
But the connection to the app is not working.
What should I check?
Thank you.
Hello,
I'm trying to get my app to communicate with a FinderSync extension using XPC.
In my app, I run the listener:
_xpcListener = [[NSXPCListener alloc] initWithMachServiceName:_serviceName];
_xpcListener.delegate = self;
[_xpcListener resume];
Where _serviceName="a.b.c.d.e.f"
In Info.plist of the app bundle, I have:
<key>MachServices</key>
<dict>
	<key>a.b.c.d.e.f</key>
	<true/>
</dict>
In the FinderSync ext, I try to connect to the XPC service:
_xpcConnection = [[NSXPCConnection alloc] initWithMachServiceName:_serviceName options:0];
...
[_xpcConnection resume];
It works in debug, but not when the app is installed.
In this case, _xpcConnection.invalidationHandler is called.
The FinderSync ext belongs to the app bundle.
The .entitlements of the App:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>a.b.c.d.e</string>
	</array>
</dict>
</plist>
The .entitlements of the FinderSync:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>a.b.c.d.e</string>
	</array>
</dict>
</plist>
The app is notarized:
% spctl --assess -vvvv /Applications/myApp.app
/Applications/myApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: ...
In the Console, just after the start of the listener, there is this error (3 times) for myApp process:
Trust evaluate failure: [leaf TemporalValidity]
So I checked its certificates, but they are valid:
% codesign -dvvvv --extract-certificates /Applications/myApp.app
% openssl x509 -inform DER -in codesign0 -text
...
Validity
Not Before: Jun 22 11:59:25 2020 GMT
Not After : Jun 23 11:59:25 2025 GMT
..
% openssl x509 -inform DER -in codesign1 -text
...
Validity
Not Before: Feb 1 22:12:15 2012 GMT
Not After : Feb 1 22:12:15 2027 GMT
...
% openssl x509 -inform DER -in codesign2 -text
...
Validity
Not Before: Apr 25 21:40:36 2006 GMT
Not After : Feb 9 21:40:36 2035 GMT
...
The computer date is Ok:
% date
Thu Apr 8 09:20:44 CEST 2021
In the console, there is also this error for tccd process:
Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={identifier=a.b.c.d.e, pid=12245, auid=501, euid=501, binary_path=/Applications/myApp.app/Contents/PlugIns/Extension.appex/Contents/MacOS/Extension}, requesting={identifier=com.apple.appleeventsd, pid=328, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd},
I tried to add this com.apple.security.automation.apple-events entitlement to App and ext, but it didn't fix the problem.
How can I debug this issue?
Thank you.
Hello,
I have implemented an Endpoint Security system extension with the NSEndpointSecurityMachServiceName property.
My app is able to connect to the extension using initWithMachServiceName and is able to run the functions exported by the extension.
But the reverse produces a strange error in the app process:
NSXPCConnection: 0x12f924aa0 connection to service on pid 30174 named a.b.c.d.e.f: Exception caught during decoding of received selector hello, dropping incoming message.
Exception: NSXPCDecoder: 0x10b909600 received a message or reply block that is not in the interface of the remote object (hello), dropping.
(
0 CoreFoundation 0x00007fff205f56af __exceptionPreprocess + 242
1 libobjc.A.dylib 0x00007fff2032d3c9 objc_exception_throw + 48
2 Foundation 0x00007fff212c73e4 -[NSXPCDecoder __decodeXPCObject:allowingSimpleMessageSend:outInvocation:outArguments:outArgumentsMaxCount:outMethodSignature:outSelector:isReply:replySelector:interface:] + 2244
3 Foundation 0x00007fff21312001 -[NSXPCDecoder _decodeMessageFromXPCObject:allowingSimpleMessageSend:outInvocation:outArguments:outArgumentsMaxCount:outMethodSignature:outSelector:interface:] + 33
4 Foundation 0x00007fff21310e3b -[NSXPCConnection _decodeAndInvokeMessageWithEvent:flags:] + 418
5 Foundation 0x00007fff212c8d49 message_handler + 206
6 libxpc.dylib 0x00007fff201c6c28 _xpc_connection_call_event_handler + 56
7 libxpc.dylib 0x00007fff201c5a9c _xpc_connection_mach_event + 935
8 libdispatch.dylib 0x00007fff202d8867 _dispatch_client_callout4 + 9
9 libdispatch.dylib 0x00007fff202efa47 _dispatch_mach_msg_invoke + 441
10 libdispatch.dylib 0x00007fff202de4a7 _dispatch_lane_serial_drain + 263
11 libdispatch.dylib 0x00007fff202f05b8 _dispatch_mach_invoke + 498
12 libdispatch.dylib 0x00007fff202de4a7 _dispatch_lane_serial_drain + 263
13 libdispatch.dylib 0x00007fff202df0fe _dispatch_lane_invoke + 426
14 libdispatch.dylib 0x00007fff202e8c5d _dispatch_workloop_worker_thread + 819
15 libsystem_pthread.dylib 0x00007fff20480499 _pthread_wqthread + 314
16 libsystem_pthread.dylib 0x00007fff2047f467 start_wqthread + 15
)
The "hello" function called from the extension is logically in the interface of the local object (the app). Why should it be in the interface of the remote object (the extension)?
hello is a very simple function: (void)hello;
Any idea to make it work?
Thank you.
Chris
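The error quoted above comes from the app-side NSXPC decoder, which validates every incoming selector against the receiving connection's own exportedInterface. For a call to travel from the extension back into the app, both connections have to declare both protocols: the extension sets remoteObjectInterface to the app's protocol on the connection it accepts, and the app sets exportedInterface (plus exportedObject) on the connection it created. The following is an added example written for this page, not Chris's code and not Apple's sample; the protocol names, the selectors other than hello, and the Mach service name are assumptions, and the service name is assumed to be the one declared under NSEndpointSecurityMachServiceName in the extension's Info.plist.

```objective-c
#import <Foundation/Foundation.h>

// Calls the app makes into the extension (assumed protocol).
@protocol ExtensionProtocol
- (void)startMonitoringWithReply:(void (^)(BOOL ok))reply;
@end

// Calls the extension makes back into the app. "hello" is the selector from the post.
@protocol AppProtocol
- (void)hello;
@end

// ---------------- Extension side ----------------
@interface ExtensionService : NSObject <NSXPCListenerDelegate, ExtensionProtocol>
@property (nonatomic, strong) NSXPCListener *listener;
@property (nonatomic, strong) NSXPCConnection *appConnection;
@end

@implementation ExtensionService
- (instancetype)initWithMachServiceName:(NSString *)name {
    if ((self = [super init])) {
        _listener = [[NSXPCListener alloc] initWithMachServiceName:name];
        _listener.delegate = self;
        [_listener resume];
    }
    return self;
}

- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Anyone who can reach the Mach service can connect; on macOS 13+ pin the peer to our team.
    // TEAMID is a placeholder for the real team identifier.
    if (@available(macOS 13.0, *)) {
        [conn setCodeSigningRequirement:@"anchor apple generic and certificate leaf[subject.OU] = \"TEAMID\""];
    }
    // What the app may call on us.
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ExtensionProtocol)];
    conn.exportedObject = self;
    // What we intend to call on the app. Without this, remoteObjectProxy has no interface to encode against.
    conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(AppProtocol)];
    __weak typeof(self) weakSelf = self;
    conn.invalidationHandler = ^{ weakSelf.appConnection = nil; };
    self.appConnection = conn;
    [conn resume];
    return YES;
}

- (void)startMonitoringWithReply:(void (^)(BOOL))reply {
    reply(YES);
    // Call back into the app over the same connection the app opened.
    id<AppProtocol> app = [self.appConnection remoteObjectProxyWithErrorHandler:^(NSError *error) {
        NSLog(@"callback to app failed: %@", error);
    }];
    [app hello];
}
@end

// ---------------- App side ----------------
@interface AppClient : NSObject <AppProtocol>
@property (nonatomic, strong) NSXPCConnection *connection;
@end

@implementation AppClient
- (instancetype)initWithMachServiceName:(NSString *)name {
    if ((self = [super init])) {
        _connection = [[NSXPCConnection alloc] initWithMachServiceName:name options:0];
        // What we call on the extension.
        _connection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ExtensionProtocol)];
        // What the extension may call on us. Incoming selectors are checked against this interface;
        // if it is left unset, "hello" arrives and is dropped as "not in the interface of the remote object".
        _connection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(AppProtocol)];
        _connection.exportedObject = self;
        _connection.invalidationHandler = ^{ NSLog(@"connection to extension invalidated"); };
        [_connection resume];

        id<ExtensionProtocol> ext = [_connection remoteObjectProxyWithErrorHandler:^(NSError *error) {
            NSLog(@"call to extension failed: %@", error);
        }];
        [ext startMonitoringWithReply:^(BOOL ok) { NSLog(@"monitoring started: %d", ok); }];
    }
    return self;
}

- (void)hello {
    NSLog(@"extension said hello");
}
@end
```

The two interface properties are independent: remoteObjectInterface governs what a side is allowed to send, exportedInterface what it is allowed to receive, and each process has to set both on its own connection object for a round trip to work. The code-signing requirement on the listener side is the check that keeps an arbitrary local process from driving the extension.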
Hello,
In my FinderSync extension, I update file badges with the following instruction, but the Finder doesn't (always) refresh them.
[[FIFinderSyncController defaultController] setBadgeIdentifier:result forURL:[NSURL fileURLWithPath:normalizedPath]];
I tried without success to force the refresh with:
[[NSWorkspace sharedWorkspace] noteFileSystemChanged:path];
NSString *source = [NSString stringWithFormat:@"tell application \"Finder\" to update item (POSIX file \"%@\")", path];
NSAppleScript *appleScript = [[NSAppleScript alloc] initWithSource:source];
if (appleScript != nil) {
[appleScript executeAndReturnError:nil];
}
Hiding then showing the files (chflags) doesn't work better.
I'm on macOS Big Sur.
Any idea to get around this bug?
Thank you.
Chris
Hello,
My app (embedding a Finder ext and Sys ext) is running well in my development machine (Big Sur with SIP disabled) but crashes at startup in Catalina (with SIP).
The app is signed and notarized.
Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 0x1
I did the following checks:
codesign -dv --verbose=4 /Applications/myApp.app
Executable=/Applications/myApp.app/Contents/MacOS/myApp
Identifier=a.b.c.d
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=37422 flags=0x10000(runtime) hashes=1158+7 location=embedded
VersionPlatform=1
VersionMin=659200
VersionSDK=721152
Hash type=sha256 size=32
CandidateCDHash sha256=97cb5bb480cd24ee3f3abc025271110f481bef5a
CandidateCDHashFull sha256=97cb5bb480cd24ee3f3abc025271110f481bef5a601b72d7c0b1440d2188c096
Hash choices=sha256
CMSDigest=97cb5bb480cd24ee3f3abc025271110f481bef5a601b72d7c0b1440d2188c096
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=3915776
Executable Segment flags=0x1
Page size=4096
CDHash=97cb5bb480cd24ee3f3abc025271110f481bef5a
Signature size=8992
Authority=Developer ID Application: ...
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=19 May 2021 at 10:50:35
Info.plist entries=22
TeamIdentifier=...
Runtime Version=11.1.0
Sealed Resources version=2 rules=13 files=118
Internal requirements count=1 size=196
Could the "Runtime Version=11.1.0" explain the issue?
Note that the deployment target is 10.15.
codesign -vvv --deep --strict /Applications/myApp.app
...
/Applications/myApp.app: valid on disk
/Applications/myApp.app: satisfies its Designated Requirement
spctl -a -t exec -vvv /Applications/myApp.app 2>&1 | grep Notarized
source=Notarized Developer ID
security cms -D -i /Applications/myApp.app/Contents/Library/SystemExtensions/a.b.c.d.e.Extension.systemextension/Contents/embedded.provisionprofile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
	<key>AppIDName</key>
	<string>...</string>
	<key>ApplicationIdentifierPrefix</key>
	<array>
		<string>...</string>
	</array>
	<key>CreationDate</key>
	<date>2021-03-29T06:47:11Z</date>
	<key>Platform</key>
	<array>
		<string>OSX</string>
	</array>
	<key>IsXcodeManaged</key>
	<false/>
	<key>DeveloperCertificates</key>
	<array>
		<data>...</data>
	</array>
	<key>Entitlements</key>
	<dict>
		<key>com.apple.developer.endpoint-security.client</key>
		<true/>
		<key>com.apple.developer.system-extension.install</key>
		<true/>
		<key>com.apple.application-identifier</key>
		<string>...</string>
		<key>keychain-access-groups</key>
		<array>
			<string>....*</string>
		</array>
		<key>com.apple.developer.team-identifier</key>
		<string>...</string>
	</dict>
	<key>ExpirationDate</key>
	<date>2039-03-25T06:47:11Z</date>
	<key>Name</key>
	<string>...</string>
	<key>ProvisionsAllDevices</key>
	<true/>
	<key>TeamIdentifier</key>
	<array>
		<string>...</string>
	</array>
	<key>TeamName</key>
	<string>...</string>
	<key>TimeToLive</key>
	<integer>6570</integer>
	<key>UUID</key>
	<string>db2079f3-d329-4c03-b8ca-23a61ec3b305</string>
	<key>Version</key>
	<integer>1</integer>
</dict>
</plist>
Is there something bad here?
Thank you
Chris
Hello,
I would like to intercept the open event on a file in order to load it from a cloud.
I am trying to use an EndpointSecurity extension but I don't know how to manage the "deadline" timeout.
I subscribed to the ES_EVENT_TYPE_AUTH_OPEN event. When I'm able to fetch the file before the event deadline, I call es_respond_flags_result with authorized_flags = 0xffffffff to accept, else I call it with authorized_flags = 0 to deny.
In the latter case, it is not satisfactory as the open process fails. How could I solve this issue?
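Every ES_EVENT_TYPE_AUTH_OPEN message carries a deadline (msg->deadline, in mach_absolute_time units) and an AUTH client that has not responded by then is terminated by the system, so a slow fetch must never be allowed to run the clock out. The pattern below, an added example and not Chris's extension, races the fetch against a safety timer on one serial queue and answers exactly once: the fetch result if it arrives in time, otherwise an allow (0xffffffff) shortly before the deadline, which is a fail-open choice made so the client survives. fetch_from_cloud, the 500 ms safety margin and the queue label are assumptions; the extension is assumed to hold com.apple.developer.endpoint-security.client and to be built with ARC.

```objective-c
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#include <mach/mach.h>
#include <mach/mach_time.h>

typedef void (^FetchCompletion)(BOOL ok);

// Hypothetical download routine standing in for the real cloud fetch; here it just
// completes asynchronously so the timing logic can be exercised.
static void fetch_from_cloud(NSString *path, FetchCompletion completion) {
    dispatch_async(dispatch_get_global_queue(QOS_CLASS_UTILITY, 0), ^{
        completion([[NSFileManager defaultManager] isReadableFileAtPath:path]);
    });
}

// Nanoseconds left until an ES deadline expressed in mach_absolute_time ticks.
static uint64_t nanos_until(uint64_t machDeadline) {
    static mach_timebase_info_data_t tb;
    if (tb.denom == 0) mach_timebase_info(&tb);
    uint64_t now = mach_absolute_time();
    if (machDeadline <= now) return 0;
    return (machDeadline - now) * tb.numer / tb.denom;
}

// Keeps the retained message alive until both the fetch block and the timer block are gone.
@interface PendingOpen : NSObject
@property (nonatomic) const es_message_t *msg;
@property (nonatomic) BOOL answered;
@end
@implementation PendingOpen
- (void)dealloc { if (_msg) es_release_message(_msg); }
@end

static dispatch_queue_t gResponseQueue;                    // serialises the two competing answers
static const uint64_t kSafetyMarginNanos = 500 * NSEC_PER_MSEC;  // assumed margin before the deadline

// Respond at most once per message; must run on gResponseQueue.
static void respond(es_client_t *client, PendingOpen *pending, uint32_t flags) {
    if (pending.answered) return;
    pending.answered = YES;
    if (es_respond_flags_result(client, pending.msg, flags, false) != ES_RESPOND_RESULT_SUCCESS) {
        NSLog(@"es_respond_flags_result failed");
    }
}

static void handle_auth_open(es_client_t *client, const es_message_t *msg) {
    es_retain_message(msg);                                // keep it valid after the handler returns
    PendingOpen *pending = [PendingOpen new];
    pending.msg = msg;

    es_string_token_t tok = msg->event.open.file->path;
    NSString *path = [[NSString alloc] initWithBytes:tok.data length:tok.length encoding:NSUTF8StringEncoding];

    uint64_t budget = nanos_until(msg->deadline);
    if (budget <= kSafetyMarginNanos) {                    // no time to fetch: answer now rather than be killed
        dispatch_async(gResponseQueue, ^{ respond(client, pending, 0xffffffff); });
        return;
    }

    // Safety timer: fires before the deadline if the fetch is still outstanding.
    dispatch_block_t timer = dispatch_block_create(0, ^{ respond(client, pending, 0xffffffff); });
    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(budget - kSafetyMarginNanos)), gResponseQueue, timer);

    fetch_from_cloud(path, ^(BOOL ok) {
        dispatch_async(gResponseQueue, ^{
            dispatch_block_cancel(timer);                  // harmless if it has already run
            respond(client, pending, ok ? 0xffffffff : 0); // deny only when the fetch itself failed
        });
    });
}

// Creates the client, mutes our own process, and subscribes to AUTH_OPEN. Returns NULL on failure.
static es_client_t *start_client(void) {
    gResponseQueue = dispatch_queue_create("example.es.respond", DISPATCH_QUEUE_SERIAL);
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
        if (m->event_type == ES_EVENT_TYPE_AUTH_OPEN) handle_auth_open(c, m);   // returns immediately
    });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {             // e.g. ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED
        NSLog(@"es_new_client failed: %d", res);
        return NULL;
    }
    // The fetch opens files from this very process; never AUTH ourselves or we deadlock.
    audit_token_t self_token;
    mach_msg_type_number_t count = TASK_AUDIT_TOKEN_COUNT;
    if (task_info(mach_task_self(), TASK_AUDIT_TOKEN, (task_info_t)&self_token, &count) == KERN_SUCCESS) {
        es_mute_process(client, &self_token);
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
        es_delete_client(client);
        return NULL;
    }
    return client;
}
```

The handler block itself never blocks and never responds inline: it retains the message, copies the path out of it, and hands the decision to the queue, which is what keeps a stalled network call from stalling every open on the machine. Muting the extension's own process matters because the downloader writes the file that the AUTH_OPEN is waiting on; without the mute the extension would be asked to authorise its own opens while blocked on them.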
Hello,
I have an app with Minimum system version = 10.13 in Info.plist.
This app embeds a sys ext whose Minimum system version is 10.15.
It's running in 10.15 and 11, but not in 10.14 and 10.13.
=> kLSIncompatibleSystemVersionErr
The sys ext is installed only if "@available(macOS 10.15, *)", the app can run without it.
How can I manage this issue?
Thank you.
Since Ventura (Mac M1 only), Endpoint Security extensions have lost the rights to launch:
=> es_new_client returns ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED
It is needed to reboot in Recovery mode, go to Startup Security Utility and select "Allow user management of kernel extensions from identified developers".
Is this something that will be fixed soon? (we can't ask our customers to do that)