Hey,
No we did not find how to defer activation to the next reboot.
Seems like the after-reboot activation is reserved for particular SystemExtensions.
Thanks Eskimo!
We will consider using the codesigning API or another way to validate our script.
And thanks nk_kennedy for the comments!
Thank you eskimo for your answer.
What I am afraid of is a malicious program modifying the script contained in our app bundle after it has been distributed with our MDM solution.
From a manual test I did, it seems that the app will run even if the script has been compromised.
I thought that by code signing the app it would prevent the app launch when the content changed.
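The "codesigning API" mentioned earlier in this thread refers to the Security framework's static code validation. The following is an added example (not code from any poster) showing how an app can check its own bundle, including the resource seal that covers scripts under Contents/Resources and any nested helper executables, before trusting the script. The Team ID string is a placeholder, and running this at launch is an assumption about where the check belongs.

```swift
import Foundation
import Security

/// Outcome of validating the running app bundle's code signature.
enum BundleValidation {
    case valid
    case failed(OSStatus)
}

/// Validates the main bundle against its seal and an identity requirement.
/// `teamID` is a placeholder; substitute your own Team ID (assumption).
func validateMainBundle(teamID: String) -> BundleValidation {
    var staticCode: SecStaticCode?
    var status = SecStaticCodeCreateWithPath(Bundle.main.bundleURL as CFURL,
                                             SecCSFlags(), &staticCode)
    guard status == errSecSuccess, let code = staticCode else {
        return .failed(status)
    }

    // Requirement: signed with an Apple-issued certificate belonging to our team,
    // so a re-signed bundle from another identity is rejected too.
    let reqText = "anchor apple generic and certificate leaf[subject.OU] = \"\(teamID)\"" as CFString
    var requirement: SecRequirement?
    status = SecRequirementCreateWithString(reqText, SecCSFlags(), &requirement)
    guard status == errSecSuccess else { return .failed(status) }

    // Strict validation checks the resource seal (scripts in Contents/Resources)
    // and nested code such as embedded helper executables.
    let flags = SecCSFlags(rawValue: kSecCSStrictValidate | kSecCSCheckNestedCode | kSecCSCheckAllArchitectures)
    status = SecStaticCodeCheckValidity(code, flags, requirement)
    return status == errSecSuccess ? .valid : .failed(status)
}

// Usage at launch (for example in applicationDidFinishLaunching):
switch validateMainBundle(teamID: "TEAMID0000") {   // placeholder Team ID
case .valid:
    break
case .failed(let status):
    // A modified script changes the resource seal, so validation fails here
    // even though the kernel would still have launched the main executable.
    NSLog("Bundle signature check failed: \(status)")
    exit(1)
}
```

The check is only as strong as the code that performs it, so it belongs early in launch and, if the script is executed by a separate helper, that helper should perform the same validation before running it.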
Hi!
Thanks for your suggestion.
The binary already makes itself the active application with NSApp.activate(ignoringOtherApps: true) but it had no effect.
Moving a binary out of its app bundle makes its window non-active, so I think there is something related to the app bundle...
As a side note, talking about bundle, the Info.plist has Application is agent (UIElement).
Thanks Eskimo
Your answer made me realize the error was on my part. I think I started building my sysex using a driverkit template so I could not add a provisioning profile to the extension. Using the template for a network extension it worked perfectly.
From https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues
To avoid receiving this error message, archive (as of Xcode 10.2) or export your app directly from Xcode, or set the CODE_SIGN_INJECT_BASE_ENTITLEMENTS build setting to NO before building your app for distribution. But only change the build setting when you’re done debugging and ready to distribute, because doing so makes it impossible to debug the binary on a system that uses System Integrity Protection.
Sorry for hijacking your post Csaba.
We are exactly in the same situation, contacted support multiple times and no answer. Our ticket number is 742110093. Could you also take a look at our request?
Thank you in advance
Thanks mdolan, I really appreciate the fact that you took the time to come back to this thread even if you were super busy.
I ended up adding NSEndpointSecurityEarlyBoot to my ES client plist. And managing my connection with my other daemon knowing that it will boot after the ES client.
Strange that it does not occur in 10.15.4. I know that it happens in 10.15.2 as well; good to know that it is fixed in 10.15.6.
Thanks Eskimo as always.
Found the interesting part in the transcript, I will paste it here as other developers might have the same question in the future.
You should also be aware that ES does not send introspective AUTH events as this would lead to trivial deadlocks.
The events will be implicitly allowed.
We will, however, send NOTIFY messages for events instigated by your process. Share and Enjoy
@eskimo Thanks for your answer, somehow that part of the presentation didn't register with my brain. I will be sure to rewatch the whole thing!
@mdolan Thanks for your answer. If I understand you correctly, you are saying that if I add the NSEndpointSecurityEarlyBoot to my Endpoint Security extension it will boot before the launchd daemon?
Right now I am connecting to the extension from my daemon and I can see that it fails a couple of times before it can secure a communication channel (using NSXPCConnection and the initWithMachServiceName method). So I think that it is loading before the extension.
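The daemon-to-extension connection described in this post and in the earlier NSEndpointSecurityEarlyBoot reply is a plain NSXPCConnection to a Mach service; the daemon just has to tolerate the extension not being up yet. The following is an added example, not code from any poster, of a connection helper that retries with capped exponential backoff instead of failing on the first attempt. The `ESClientControl` protocol and the Mach service name are hypothetical placeholders for whatever interface the ES client actually exports.

```swift
import Foundation

/// Hypothetical XPC interface exported by the ES client (assumption, not from the thread).
@objc protocol ESClientControl {
    func ping(reply: @escaping (Bool) -> Void)
}

/// Connects a privileged daemon to the ES client's Mach service, retrying while
/// the extension is still starting. `serviceName` is a placeholder.
final class ESClientLink {
    private let serviceName: String
    private var connection: NSXPCConnection?
    private let queue = DispatchQueue(label: "es-client-link")

    init(serviceName: String) {
        self.serviceName = serviceName
    }

    /// Attempts to reach the service; calls `onReady(true)` once a ping succeeds,
    /// or `onReady(false)` after `maxAttempts` failed connection attempts.
    func connect(attempt: Int = 0, maxAttempts: Int = 10, onReady: @escaping (Bool) -> Void) {
        let conn = NSXPCConnection(machServiceName: serviceName, options: .privileged)
        conn.remoteObjectInterface = NSXPCInterface(with: ESClientControl.self)
        conn.invalidationHandler = { [weak self] in self?.connection = nil }
        conn.resume()
        connection = conn

        // The error handler fires when the service is not registered yet or the
        // connection is torn down; that is the case to retry, not to give up on.
        let proxy = conn.remoteObjectProxyWithErrorHandler { [weak self] error in
            NSLog("XPC error on attempt \(attempt): \(error)")
            conn.invalidate()
            guard attempt + 1 < maxAttempts else {
                onReady(false)
                return
            }
            let delay = min(pow(2.0, Double(attempt)), 30.0)  // 1s, 2s, 4s ... capped at 30s
            self?.queue.asyncAfter(deadline: .now() + delay) {
                self?.connect(attempt: attempt + 1, maxAttempts: maxAttempts, onReady: onReady)
            }
        } as? ESClientControl

        proxy?.ping { alive in onReady(alive) }
    }
}

// Usage from the daemon (service name is a placeholder):
let link = ESClientLink(serviceName: "com.example.es-client.xpc")
link.connect { ready in
    NSLog(ready ? "ES client reachable" : "ES client never came up")
}
```

Keeping the retry in the daemon means the ordering between launchd starting the daemon and the system extension being activated does not have to be exact, which is the same practical outcome the earlier reply reached by adding NSEndpointSecurityEarlyBoot and letting the daemon come up after the ES client.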
Sorry, I forgot this computer was logged in with another team member account. The message above is also from me.
To be sure we are on the same page, the "additional entitlements" page shows up for "Mac development" profile, but not for "Developer ID" profile.
You are saying that this should not be the case if I was granted the Endpoint Security Entitlement? I have the confirmation email and there is a follow-up number, I will use that to contact the support.
Thank you
Okay, so I replaced my system extension with a new one that I created from the NetworkExtension template. I was able to provide a provisioning profile. Now it can run with SIP enabled.
The issue I have now is that I can only add the endpoint security entitlement to "Mac development" profiles and not to "Developer ID" profiles. The "additional entitlements" page does not show when creating a "Developer ID" profile.
Is this expected? How can I distribute my app if I can't sign it with my Developer ID? Did I miss something when making the endpoint security entitlement request?
Thanks for your help.
Hi,
Yes, I am using Xcode. My project has:
- the app, in which I include the .systemextension using the "Build Phases" setting, "Copy Files" tab;
- the system extension, in which I include a binary executable (the ES client) in the same way as above (changing the destination from extension to executable);
- the ES client executable.
The app has a provisioning profile with, I think, all the correct entitlements and capabilities.
I am not sure how to add a profile to the executable or system extension, as the "Signing & Capabilities" tab shows "None Required" for the provisioning profile.
Thanks for your help.