Hi, we have an app that has been in development since Catalina and ever since Sonoma came out we noticed that when executing our pkg installer the application is installed correctly but the postinstall script is not executed. The weird thing is that if I run the pkg for the first time the postinstall does not execute BUT if I run it again then it DOES!! Looking through the logs I found these ones that confirm the execution of the script is being blocked. We haven't changed anything in the way we build the installer so I'm not quite sure how to fix this. 2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Unable (errno: 2) to read file at <private> for pid: 784 process path: <private> library path: (null) 2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Terminating process due to Malware rejection: 784, <private> 2024-04-25 16:29:51.570679-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Sleep interrupted, signal 0x100 2024-04-25 16:29:51.570682-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 784, /private/tmp/PKInstallSandbox.m5Av3O/Scripts/com.mycompany.myapp.pkg.BSOjtt/postinstall The app as well as the installer are both signed, notarized and stapled. Here you can see the script which just simply executes the app. #!/bin/bash echo "Running postinstall" /Applications/myapp.app/Contents/MacOS/myapp --load-system-extension & exit 0 Any help would be much appreciated. Thanks!

Hi, I was wondering if it was possible to get a notification when there is a change to the forced defaults that my app uses. This forced defaults are sent via MDM using the com.apple.ManagedClient.preferences payload type. I've seen that UserDefaults.didChangeNotification is available but it only works if the change is made from inside the app and not if the payload gets updated by the MDM. class MySettings { private let defaults = UserDefaults(suiteName: "com.myapp.app.mysettings") init() { // Somehow register for notifications } func defaultsChanged() { // This would be called when the defaults change } }

Hi, how could I get the command line arguments of a process given its audit token. My app is a Content Filter Network Extension written in swift. I can obtain the audit token from NEFilterFlow but I can't figure out how to get the process arguments, I was able to get the pid from the audit token using audit_token_to_pid.

Hello, I wanted to hear some opinions on this problem I want to tackle. Currently at my job we have an Endpoint Security sysext app (swift) deployed on 10k+ macs and we are using a custom rule engine we developed to run some rules on the events received by the app. These rules are downloaded by the app. This works great but we wanted to dive into the world of ML and try to use it to detect more complex malware that may be more difficult to detect using rules. We thought of two options to approach this: Periodically collect events from all macs and send them to an api to be stored somewhere and perform the training in the cloud. Somehow, maybe using the ML frameworks provided in Swift, train the model IN the device rather than in the cloud. I know this is a very broad question but I just wanted to hear some suggestions. Thanks in advance.

Hi, I was wondering if there is something similar to NSObject's value(forKey:) for structs. I need to get a structs attribute by name and I don't want to turn my structs into classes, inherit from NSObject and use @objc in my attributes as I think it doesn't look good. I also read that you can use Mirror and use the children property to iterate the attributes but given that performance is important in my case it doesn't look like a good option. Any help would be appreciated, thanks!

Hi, I am currently dealing with a crash when converting UnsafePointer<CChar>!to String in Swift. The pointer comes from the type es_string_token_t which my app receives from the Endpoint Security framework. This is what my code looks like: extension es_string_token_t {   var description: String {     if self.data != nil && self.length > 0 {       return String(cString: self.data)     }     return ""   } } And it produces the following crash: Thread 4 Crashed:: Dispatch queue: com.apple.root.default-qos 0 libsystem_platform.dylib 0x18bd44864 _platform_strlen + 4 1 libswiftCore.dylib 0x198f3a3c0 String.init(cString:) + 32 2 com.company.app.App 0x10456aac0 0x104564000 + 27328 3 com.company.app.App 0x10456f768 0x104564000 + 46952 4 com.company.app.App 0x1045793d8 0x104564000 + 87000 5 com.company.app.App 0x10457e8f8 0x104564000 + 108792 6 com.company.app.App 0x10458758c 0x104564000 + 144780 7 libdispatch.dylib 0x18bb6a5f0 _dispatch_call_block_and_release + 32 8 libdispatch.dylib 0x18bb6c1b4 _dispatch_client_callout + 20 9 libdispatch.dylib 0x18bb7da04 _dispatch_root_queue_drain + 680 10 libdispatch.dylib 0x18bb7e104 _dispatch_worker_thread2 + 164 11 libsystem_pthread.dylib 0x18bd2c324 _pthread_wqthread + 228 12 libsystem_pthread.dylib 0x18bd2b080 start_wqthread + 8 My app is deployed on arround 13k macs and only some of them experience this crash which I havent been able to reproduce. Any help would be appreciated.

Hi, I was wondering if there is a way to monitor if a certificate is exported from the keychain. Either by using some of the apis Endpoint Security provides or using another method. Thanks.

Hi, I have an endpoint security app and I was wondering what is the best way to check if a process was signed by a specific Developer ID certificate. Lets say im subscribed to auth_exec events and wanted to deny execution of processes signed with Developer ID Application: Adobe Inc. Would obtaining the common names of the certificate with SecCertificateCopyCommonName and then comparing strings be the right way or am I missing something?

Hi, I a developing Network Extension for macos that runs constantly on my system. When I have a new update to release the extension downloads the pkg installer into the /tmp directory and executes it with sudo installer -pkg /tmp/installer.pkg -target / I have noticed that on some systems, mainly Catalina, when the installer is executed the extension is replaced and activated but the process never launches and after this happens I can't find a way to launch it aside from having the users reboot. --- com.apple.system_extension.network_extension enabled active teamID bundleID (version) name [state] 9A63A32J6B com.company.myapp.Agent (2.0/1) Agent [terminated waiting to uninstall on reboot] * * 9A63A32J6B com.company.myapp.Agent (2.1/1) Agent [activated enabled] As you can see it does say enabled and activated so I do not know what could be happening.

Hi, could someone help me convert the cdhash property from es_process_t to a String in Swift. Thanks. var cdhash: (UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8)

Hi, in my ES application I am trying to ignore execution events of apple processes. I think the way to do this is to check for the is_platform_binary attribute of es_message_t but i found that when executing Xcode this attribute is false, is it because I downloaded it from the app store? Also would checking for the "com.apple" prefix of the signing id be a good way to identify apple signed processes?

Hi I was wondering how I could get the code directory hash string of an app given its audit token. I would like to do this in Swift. Thanks.

Hi, I am developing an Endpoint Security extension and I would like to get the full list of processes that ended up calling the process I receive in an event. For example if I receive a es_process_t I have this process audit token, I would like to get the parents audit token and then the parent's parent token and so on till I get the full list of processes. I hope i made myself clear :)

I have developed a Content Filter NE and I am seeing some flows that I don't understand so I wanted to see check if I am interpreting them correctly. # Example Flow bundle id: com.apple.opendirectoryd localEndpoint.hostname: My mac's IP localEndpoint.port: 55408 remoteEndpoint.hostname: Domain controller IP remoteEndpoint.port: 389 direction: inbound Looking at that flow what I understand is that the Domain Controller is generating traffic to my mac. Is this correct? I ask this because I thought DCs couldn't directly initiate a connection to a mac. I get this flow when trying to join my mac to the AD.

Hi I am trying to implement XPC between my helper app and my network extension. It is giving me this error when I try to get the remoteObjectProxyWithErrorHandler Error Domain=NSCocoaErrorDomain Code=4097 "connection to service on pid 0 named 9A48B11J6J.com.myapp.app.Extension" UserInfo={NSDebugDescription=connection to service on pid 0 named 9A48B11J6J.com.myapp.app.Extension} Why could this be happening?