Hi Quinn, I verified and found that, the extra 2 ES_EVENT_TYPE_AUTH_CLONE events which are triggered when we deny first ES_EVENT_TYPE_AUTH_CLONE event, are coming from process "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper". Any further help to avoid extra 2-3 ES_EVENT_TYPE_AUTH_CLONE events will be appreciated.

Hi Quinn, Is there any parameter in System Extension Event message which will suggest that it is retry event by system with extra privileges ? In case we have such indicator then there is no need of raising bug to Apple.

@mdolan Thanks for quick response. Local drive attributes are as below (Using mount command) /dev/disk1s1 on / (apfs, local, read-only, journaled) pen drive attributes are as below (Using mount command) /dev/disk3s1 on /Volumes/dheeraj2 (apfs, local, nodev, nosuid, journaled, noowners) Both of them are not having noatime option set.

We visited developer account portal and revoked the developer/installer certificate by clicking on 'Revoke' button. After revocation we received certificate revocation communication e-mail from apple. So I think as per your comment, we have involved 'Apple Product Security' in revocation process. Let us know if we are missing anything.

@eskimo In continuation to above reply... Actually my application is trying to validate files on basis of certificate revocation status. Could you please suggest proper way to test such application ?

@eskimo Your guidance on above reply is appreciated.