Scenario: Copy file operation via Finder to an external device like USB Expected behavior: Endpoint Security Client should receive ES_EVENT_TYPE_NOTIFY_CLOSE event Current behavior: ES_EVENT_TYPE_NOTIFY_CLOSE is not been for the file being copied with Monterey 12.3 Beta. If you copy same file via cp command, ES_EVENT_TYPE_NOTIFY_CLOSE is seen Is this a bug?

The Endpoint Security framework provides open auth event. However certain application may just open a file to check size, access, but not read the content. Our use case is geared toward apply security when the application actually reads the content. Could Apple engineer confirm if there is any plan to support this? Had raised enhancement request long time back (Feedback FB6484629). Just thought of checking if there any update on the same. Any suggestions/comments?

The use case is enterprise Admin wants to enable/disable Safari Extension without user's involvement. Currently, the onus is on User to enable/disable the extension. In managed endpoint environment, the Admin needs control to enable certain extension silently/automatically (without user's involvement)

Endpoint security clients are expected to respond to the authorization requests within 60 secs. If not responded within 60 secs timeout, the client is killed. There are use cases where the processing of authorization request can take beyond 60 secs. Is there any API or MDM setting to override default 60 secs timeout? I understand the purpose behind 60 secs timeout, secure application to respond rather than waiting. But there are legitimate use cases and if enterprise admin can make that can via MDM, it won't be exposed to all consumer software using endpoint security. We also thought of denying the request if timeout reaches and letting application to raise the request again. However it results into user experience issues. Any thoughts/comments/ideas?

The endpoint security framework APIs take cache related flag as one of the parameters. Example: esrespondauthresult(esclientt * client, const esmessaget * message, esauthresultt result, bool cache);" There isn't much documentation on where and how this cache can be leveraged. Some APIs documentation in the code does refer saying its cache across endpoint security client. But not much details about how clients can leverage, cache size, expiry etc. Further, wondering if this cache can be used within endpoint security client for the given response. For example, if the client responds saying block, the application may retry multiple times, can this cache help in responding back w/o giving call to the client? Any reference to the documentation on this would certainly help.

In KAuth, we were able to monitor file close event using KAUTHFILEOPCLOSE listeners in synchronous fashion However, corresponding event in Endpoint Security (ESEVENTTYPENOTIFYCLOSE) is Async. We don’t expect an AUTH event, however we expect it to be synchronous. It is okay even if we are not able to block/deny it. I understand you have Auth and Notify model in new framework. Having synchronous but not Auth won't fit into your existing model. May be if it can be exposed as Auth and you can ignore the result as the call being file close. If you have any suggestion or workaround, let us know.

The Auth event for ExchangeData Auth does not come unless you also subscribe to Notify event for ExchangeData. If you subscribe ESEVENTTYPEAUTHEXCHANGEDATA: Result: No events if you subscribe ESEVENTTYPEAUTHEXCHANGEDATA + ESEVENTTYPENOTIFYEXCHANGEDATA Result: Auth and Notify events Other Auth events work independently of notify event, this seem to be a bug.