Yes, the standard macOS driver is matching the nub.
Sorry for the delay, I was confused by the change of the forum. I have "Local-Root" as the value (string) of OSBundleRequired.
Thank you for your time and suggestions.
I think I got something, the system extension is missing the embedded provisioning profile with the "com.apple.developer.endpoint-security.client" entitlements. The app has a provisioning profile that was created from the developer portal with the system extension capability. Should I make a provisioning profile for the extension? I am not sure how to add the embedded profile to the extension.
Any help would be greatly appreciated.
Hi,
Yes I am using Xcode. My project has:
- the app in which I include the .systemextension using the "building phase" setting "copy files" tab.
- the system extension in which I include a binary executable (the ES client) in the same way as above (changing destination from extension to executable).
- the ES client executable.
The app has a provisioning profile with I think all the correct entitlements and capabilities.
I am not sure how to add a profile to the executable or systemextension as the "Signing & Capabilities" tab shows "None Required" for the provisioning profile.
Thanks for your help.
Okay, so I replaced my system extension with a new one that I created from the NetworkExtension template. I was able to provide a provisioning profile. Now it can run with SIP enabled.
The issue I have now is that I can only add the endpoint security entitlement to "Mac development" profiles and not to "Developer ID" profiles. The "additional entitlements" page does not show when creating a "Developer ID" profile.
Is this expected? How can I distribute my app if I can't sign it with my Developer ID? Did I miss something when making the endpoint security entitlement request?
Thanks for your help.
To be sure we are on the same page, the "additional entitlements" page shows up for "Mac development" profile, but not for "Developer ID" profile.
You are saying that this should not be the case if I was granted the Endpoint Security Entitlement? I have the confirmation email and there is a follow up number, I will use that to contact the support.
Thank you
Sorry, I forgot this computer was logged in with another team member account. The message above is also from me.
@eskimo Thanks for your answer, somehow that part of the presentation didn't register with my brain. I will be sure to rewatch the whole thing!
@mdolan Thanks for your answer, if I understand you correctly you are saying that if I add the NSEndpointSecurityEarlyBoot to my Endpoint Security extension it will boot before the launchd daemon?
Right now I am connecting to the extension from my daemon and I can see that it fails a couple of times before it can secure a communication channel (using NSXPCConnection and the initWithMachServiceName method). So I think that it is loading before the extension.
Thanks Eskimo as always.
Found the interesting part in the transcript, I will paste it here as other developers might have the same question in the future.
You should also be aware that ES does not send introspective AUTH events as this would lead to trivial deadlocks.
The events will be implicitly allowed.
We will, however, send NOTIFY messages for events instigated by your process. Share and Enjoy
Strange that it does not occur in 10.15.4. I know that it happens in 10.15.2 as well, good to know that it is fixed in 10.15.6
Thanks mdolan, I really appreciate the fact that you took the time to come back to this thread even if you were super busy.
I ended up adding NSEndpointSecurityEarlyBoot to my ES client plist. And managing my connection with my other daemon knowing that it will boot after the ES client.
Sorry for hijacking your post Csaba.
We are exactly in the same situation, contacted support multiple times and no answer. Our ticket number is 742110093. Could you also take a look at our request?
Thank you in advance
From https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues
To avoid receiving this error message, archive (as of Xcode 10.2) or export your app directly from Xcode, or set the CODE_SIGN_INJECT_BASE_ENTITLEMENTS build setting to NO before building your app for distribution. But only change the build setting when you’re done debugging and ready to distribute, because doing so makes it impossible to debug the binary on a system that uses System Integrity Protection.
Thanks Eskimo
Your answer made me realize the error was on my part. I think I started building my sysex using a driverkit template so I could not add a provisioning profile to the extension. Using the template for a network extension it worked perfectly.