Hi,
I am testing the behavior of my app if I change its app bundle content.
I created an app with a script within its Resources folder.
I signed the app and verified that the code signature is accepted with the spctl command.
Then I modified the script within the app bundle, and spctl gives me "a sealed resource is missing or invalid", which was expected.
However, I thought that I wouldn't be able to launch the app bundle now that it is compromised, but I was able to execute it.
Do I need to make it go through Gatekeeper by first downloading the app from a server?
In that case, if I download a non-modified app, launch it successfully, then modify it, would subsequent launches fail or not?
The app will be delivered through MDM, and I think that Gatekeeper does not verify MDM-delivered apps.
Is it possible to make the app non-launchable if the files within its Resources folder have been modified/compromised?
Edit: The app won't be installed to /Applications/ but to a specific folder.
Thank you in advance!
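The "sealed resource is missing or invalid" verdict in the post above comes from comparing each file under Contents/Resources with the hashes recorded in Contents/_CodeSignature/CodeResources. The following is an added example, not code from the post or from Apple: it re-implements that resource-seal comparison in Python so the effect of editing, deleting or adding a resource after signing can be observed offline. It builds a constructed, minimal bundle with a self-generated seal (not real codesign output), and it does not validate the CMS signature over CodeResources itself, so it detects tampering with resources, not with the seal. An app that wants to refuse to run after tampering should call the Security framework (SecStaticCodeCheckValidity on its own bundle) at launch rather than ship this code; the point here is only to show what the seal check actually compares.

```python
import base64
import hashlib
import os
import plistlib
import tempfile


def _sha256(path):
    """SHA-256 of a file's content; CodeResources stores this under files2/<path>/hash2."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def check_sealed_resources(bundle_path):
    """Compare Contents/Resources against the `files2` seal in CodeResources.

    Returns {relative_path: "modified" | "missing" | "added"}; an empty dict
    means the sealed resources verify. Paths are relative to Contents/, as in
    CodeResources. Simplification (assumption): the seal's own signature and
    its per-file rules are not evaluated, every file under Resources is
    treated as sealed.
    """
    contents = os.path.join(bundle_path, "Contents")
    with open(os.path.join(contents, "_CodeSignature", "CodeResources"), "rb") as f:
        seal = plistlib.load(f)

    problems = {}
    sealed = seal.get("files2", {})
    for rel, entry in sealed.items():
        path = os.path.join(contents, rel)
        if not os.path.isfile(path):
            problems[rel] = "missing"
        elif _sha256(path) != entry["hash2"]:
            problems[rel] = "modified"

    # A file under Resources that the seal never mentions was dropped in after
    # signing (codesign reports this case as a resource being added).
    res_dir = os.path.join(contents, "Resources")
    for root, _dirs, files in os.walk(res_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), contents)
            if rel not in sealed:
                problems[rel] = "added"
    return problems


def make_demo_bundle(root):
    """Constructed sample: a minimal .app with one sealed script. The seal is
    generated here for the demonstration and is not real codesign output."""
    bundle = os.path.join(root, "Demo.app")
    contents = os.path.join(bundle, "Contents")
    os.makedirs(os.path.join(contents, "Resources"))
    os.makedirs(os.path.join(contents, "_CodeSignature"))
    script = os.path.join(contents, "Resources", "helper.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho sealed\n")
    seal = {"files2": {"Resources/helper.sh": {"hash2": _sha256(script)}}}
    with open(os.path.join(contents, "_CodeSignature", "CodeResources"), "wb") as f:
        plistlib.dump(seal, f)  # bytes are written as a <data> element, as in real seals
    return bundle


def demo():
    """Seal a bundle, then tamper with it the way the post describes."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = make_demo_bundle(tmp)
        results = [check_sealed_resources(bundle)]  # untouched: verifies
        script = os.path.join(bundle, "Contents", "Resources", "helper.sh")
        with open(script, "a") as f:
            f.write("echo tampered\n")  # edit the sealed script in place
        results.append(check_sealed_resources(bundle))
        with open(os.path.join(bundle, "Contents", "Resources", "extra.sh"), "w") as f:
            f.write("#!/bin/sh\n")  # unsealed file added after signing
        os.remove(script)  # sealed file removed
        results.append(check_sealed_resources(bundle))
        return results


if __name__ == "__main__":
    for r in demo():
        print(r or "sealed resources verify")
```

Run it as a script: the first check returns an empty dict, the second reports helper.sh as modified, and the third reports helper.sh missing and extra.sh added. Note that, exactly as the post observes, nothing in this comparison happens at launch unless the app (or Gatekeeper on first launch of a quarantined download) performs it.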
Hello,
I am making a LaunchAgent that shows an NSAlert modal when the user performs a specific action.
I need this NSAlert to be active when appearing on the user's screen (i.e. all other windows need to be in a non-active state).
However, the NSAlert does not become active and the window just under it stays active.
When the NSAlert is shown from a basic Storyboard-based app, the NSAlert becomes active.
So I used eskimo's tutorial to transfer my LaunchAgent to an app bundle, and now the NSAlert becomes active when appearing!
Moving the binary out of Contents/MacOS and launching it outside of the bundle makes the NSAlert inactive again.
Now my question is, is this behavior documented somewhere?
Why do we need the binary to be in an app bundle for it to be able to have an active window?
Thank you!
Hi,
We are creating an Installer package which will be distributed to users through MDM with the InstallApp command.
Our distribution package uses the Distribution.xml file and InstallerJS to check each flat package version and select the package for install only if there is no receipt or if the already-installed package version is older.
The package works fine when using the GUI Installer or the command line installer.
When trying to install the package through MDM, all packages which use InstallerJS JavaScript to decide whether they will be installed or not are not selected and thus are not installed.
Is this the expected behaviour?
Looking at the install log, I can see that the package selection seems to be done by appstored when installing through MDM.
Is appstored not able to understand the InstallerJS script?
The documentation specifies that InstallerJS is for the Installer application.
https://developer.apple.com/documentation/installer_js
If that's the case, is there a way to select specific flat packages for install when distributing through MDM?
Thanks in advance!
When submitting a request for system extension activation, the delegate receives an OSSystemExtensionRequestResult result code.
The enum contains two values: OSSystemExtensionRequestCompleted and OSSystemExtensionRequestWillCompleteAfterReboot.
When I upgrade my system extension, I always receive OSSystemExtensionRequestCompleted. Is there any way I could specify that I want the new system extension to be activated only after a reboot?
Thanks
Hello,
We finally got our Endpoint Security client entitlement from Apple, so we would like to test the notarization process.
As I understand it, below are the required steps:
1. Create a provisioning profile for the container app with the ES client entitlement
2. Use the profile in Xcode
3. Build and sign the app with Xcode
4. (here I am not sure) Zip the app and run it through xcrun for notarization
5. Staple the app
With the steps above, I enable SIP and try to install the system extension by putting the app in /Applications and double-clicking it.
I get the usual "Extension blocked" message, go to the settings and authorize the app.
I can see that the extension has been activated with "systemextensionsctl list" but get a crash report for the ES client with code EXC_CRASH (Code Signature Invalid)
Termination reason: Namespace CODESIGNING, Code 0x1
So I am guessing the signing or notarization process is not right. My ES client has a .entitlements file, but I am not seeing an embedded entitlements file in the .systemextension bundle.
Should I notarize the ES client as well? Or maybe the build process does not link the entitlements for my ES client? In my build settings I have the correct path for "Code Signing Entitlements".
Any help would be welcome! Thank you!
Hi,
I am testing Endpoint Security event capabilities and noticed that events such as ES_EVENT_TYPE_NOTIFY_OPEN do not notify the client about file access events that were denied because of folder permission issues (i.e. Error: Permission denied (no read or write access)) or because the file did not exist (i.e. Error: No such file or directory). Is there a way to be notified about such file access events?
We would like to be notified about attempts to check the content of an unauthorized folder even if the file the process tried to open did not exist.
Thank you
Hi,
I have two quick questions, I could not find the answer in the official documentation.
Am I doing something wrong, or does the ES client not receive AUTH events triggered by itself (e.g. if the ES client opens a file, it does not receive a message even if it is subscribed to the AUTH_OPEN event type)? On a side note, it receives NOTIFY events from itself.
Secondly, whether it is the expected behavior or, on the contrary, I am doing something wrong, is there official documentation describing the expected behavior?
Thanks!
Hello,
My project includes an Endpoint Security client and a daemon that communicates with the ES client using NSXPCConnection. The daemon is launched by launchd thanks to a plist file in /Library/LaunchDaemons.
As both processes are started by launchd, I was wondering if there is a predetermined order in which they are started. For the moment, based on the PID, the daemon seems to be starting before the Endpoint Security client.
Is this startup order documented somewhere?
Thanks
Hi,
I am developing an application based on an Endpoint Security system extension.
The application works fine with SIP disabled, but when I enable SIP, the extension crashes with:
Exception Type: EXC_CRASH (Code Signature Invalid).
However, when checking the code signature with "codesign -vvv --strict --deep mySystemextension/myBinary" there are no issues with the code signing.
The app, system extension and extension binary are all signed with a Developer ID which was granted the System Extension capability by Apple.
I can register the extension with my app with no issues, but when launchd tries to launch my extension, it crashes with the above-mentioned error code.
Does anyone have an idea of how I could resolve this issue?
Thanks
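Both the notarization post earlier on this page (the ES client crashing with EXC_CRASH, Code Signature Invalid, and no embedded entitlements visible in the .systemextension bundle) and the SIP post just above describe the same first diagnostic a practitioner runs: dump the entitlements that are actually embedded in the code signature with `codesign -d --entitlements :- <binary>` and check that the restricted entitlement the extension needs is there. The script below is an added example, not from either post or from Apple. The two entitlement names are the ones Apple documents for Endpoint Security system extensions and their container apps; the sample plists are constructed here to stand in for codesign output. It only checks the embedded blob; whether the provisioning profile embedded in the app authorizes the same entitlement for the signing certificate is a separate check this script does not perform.

```python
import plistlib
import subprocess

# Entitlement names as documented by Apple for Endpoint Security system extensions.
ES_CLIENT = "com.apple.developer.endpoint-security.client"      # the .systemextension
SYSEXT_INSTALL = "com.apple.developer.system-extension.install"  # the container app
GET_TASK_ALLOW = "com.apple.security.get-task-allow"              # debug builds only

REQUIRED = {
    "sysext": [ES_CLIENT],
    "app": [SYSEXT_INSTALL],
}


def parse_entitlements(blob):
    """Parse the XML plist printed by `codesign -d --entitlements :- <binary>`.

    Returns {} when nothing is embedded (codesign prints nothing). Any bytes
    before <?xml are discarded, since some codesign versions prefix a blob
    header. On macOS 13 and later pass --xml to codesign to get XML output.
    """
    if not blob or not blob.strip():
        return {}
    start = blob.find(b"<?xml")
    if start < 0:
        raise ValueError("not an XML entitlements plist; try codesign --xml")
    return plistlib.loads(blob[start:])


def check_entitlements(blob, role):
    """Return a list of findings for a binary acting as `role` ("app" or
    "sysext"); an empty list means the embedded entitlements look right."""
    ents = parse_entitlements(blob)
    findings = []
    if not ents:
        findings.append("no entitlements embedded in the code signature")
    for key in REQUIRED[role]:
        if ents.get(key) is not True:
            findings.append(f"missing or false: {key}")
    if ents.get(GET_TASK_ALLOW) is True:
        findings.append(f"{GET_TASK_ALLOW} is true (debug signing; notarization rejects it)")
    return findings


def embedded_entitlements(binary_path):
    """Fetch the embedded entitlements from a real binary (macOS only; the
    offline demo below uses constructed samples instead)."""
    return subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", binary_path],
        capture_output=True, check=True,
    ).stdout


# Constructed samples standing in for codesign output.
GOOD_SYSEXT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.endpoint-security.client</key><true/>
</dict></plist>
"""
DEBUG_SYSEXT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.get-task-allow</key><true/>
</dict></plist>
"""
GOOD_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.system-extension.install</key><true/>
</dict></plist>
"""
EMPTY = b""  # what codesign prints when the build embedded no entitlements


def demo():
    return {
        "good_sysext": check_entitlements(GOOD_SYSEXT, "sysext"),
        "debug_sysext": check_entitlements(DEBUG_SYSEXT, "sysext"),
        "empty_sysext": check_entitlements(EMPTY, "sysext"),
        "good_app": check_entitlements(GOOD_APP, "app"),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "ok")
```

On a real system, replace the constructed samples with `embedded_entitlements("/path/to/X.app/Contents/Library/SystemExtensions/Y.systemextension/Contents/MacOS/Y")` and the container app binary. An empty result for the extension means the .entitlements file named in "Code Signing Entitlements" was not applied to that target at signing time, which is the situation the notarization post describes.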
I have a kernel extension for SCSIPeripheral devices using IOKitPersonalities. Plugging in a matching device on a booted Mac always loads the kext. However, on some configurations (especially with macOS 10.15.4), if the device is already plugged in when booting up the Mac, the kext will not be loaded.
The phenomenon always happens on a Mac presenting the issue. However, on other Macs, even with OS version 10.15.4, the phenomenon never appears.
I am not sure where the issue resides; I am presuming that it is a timing issue with the device being matched before my kext is loaded (maybe on Macs with a lot of kexts being loaded?).
If someone has pointers on how to resolve this issue, I would be glad to hear about it. Thank you!