Post | Replies | Boosts | Views | Activity
Is it possible to grant Local Network permissions for a process through a Configuration Profile?
In the FAQ about Local Network, a lot of topics are covered but, unless I missed something, I didn't see the topic of MDMs being covered. [Q] Could the FAQ be updated to cover whether it is possible to grant this Local Network permission through a configuration profile? The answer, based on Google searches and different forums, seems to be negative. It seems a bit strange considering that this feature has been available on iOS for at least 3 years. Anyway, even if it is not possible, it would be useful to add to the FAQ that this is not possible.
Replies: 1 | Boosts: 0 | Views: 133 | Activity: 3w
eslogger man page strange reference
In the man page for the eslogger tool, there is a reference to the jq tool:

    Postprocess the output in a shell pipeline with jq:
    % sudo eslogger exec | jq -r 'select(.process.executable.path == "/bin/zsh")|"\(.process.audit_token.pid): \(.process.executable.path) -\(.event.exec.target.executable.path)"'

The problem is that the jq tool is not installed by default with macOS. [Q] Isn't the idea that the man page should only reference tools that are part of the standard macOS distribution (or can be downloaded and installed by the OS when you try to run them, like with some developer tools)?
Replies: 2 | Boosts: 0 | Views: 163 | Activity: 3w
Is there documentation for Network Extensions UX controls in macOS Sequoia?
In macOS Sequoia, there are up to 3 locations where an end user can enable or disable a Network Extension. In order of appearance in the System Settings.app application:

- Network > Filters
- General > Login Items & Extensions (1)
- General > Login Items & Extensions > Network Extensions

a) It's quite difficult for an end user (and even a developer) to understand why there are 3 different locations and whether we are dealing with the same unique item or not. E.g. why would an end user have a clue about the difference between a Network Extension and a (Packet | Content) Filter?

b) It's not possible for an end user to figure out what the consequences of disabling an item in one of these 3 locations are going to be, because, in each case, the consequences appear to be different, undocumented or not detailed clearly in the UI. (2)

[Q] Is there clear, complete and detailed documentation for Network Extensions UX controls in macOS Sequoia? For either end users or developers? I couldn't find one when searching inside www.apple.com or developer.apple.com.

(1) Not sure why a Network Extension also appears here as it's not a launchd daemon controlled by a 3rd party launchd plist. And not sure I understand why it's there since there's now the Network Extensions panel.

(2) It does not help that the output of the systemextensionsctl command line tool, in most cases, reports that the extension is still activated and enabled.
Replies: 2 | Boosts: 0 | Views: 292 | Activity: Sep ’24
Is it possible to get a status update about a problem reported in a FB ticket that was filed by another party?
I tend to remember that it is not possible to get a status update for a FB ticket as long as you are not the one (or part of the team) who created the ticket (for obvious privacy and confidentiality reasons). And based on what I'm reading from some posts in the forum, it's not unusual that a FB ticket declared to be a duplicate of another ticket is not updated when the original ticket is either fixed or closed. So what is the recommendation to be informed about the status of a problem when you know that a FB ticket was already filed by another party (and it's obvious your ticket will be marked as a duplicate)? File a FB ticket on the same topic with a reference to the original FB ticket and pray? N.B.: this is not a case listed on the https://developer.apple.com/bug-reporting/ page.
Replies: 3 | Boosts: 0 | Views: 274 | Activity: Sep ’24
What type of profiles are reported by the ES_EVENT_TYPE_NOTIFY_PROFILE_ADD and ES_EVENT_TYPE_NOTIFY_PROFILE_REMOVE events?
[Q] What type of profiles are officially reported by the ES_EVENT_TYPE_NOTIFY_PROFILE_ADD and ES_EVENT_TYPE_NOTIFY_PROFILE_REMOVE events? It looks like it is only Configuration Profiles. Which would make sense as the properties of es_profile_t match closely the payload keys of a configuration profile file. Also, only addition and removal of configuration profiles are reported when playing with configuration profiles and provisioning profiles.
Replies: 1 | Boosts: 0 | Views: 499 | Activity: May ’24
eslogger: is it expected that the instigator of a profile event is always the mdmclient process?
When you use the eslogger command line tool to dump 'profile add' and 'profile remove' notify events, the instigator process seems to always be reported to be the mdmclient process, whatever the "real" instigator is:

- the Profiles pane in System Settings.app
- an MDM solution
- the profiles command line tool

[Q] Is this expected? Because for another family of notify events where there is also an instigator field, the instigator points to the "real" instigator.
Replies: 4 | Boosts: 0 | Views: 564 | Activity: Apr ’24
Is there a more modern API than Disk Arbitration to know when a volume has been mounted?
There seem to be at least 3 possible APIs to detect the mounting of a volume on macOS:

- Endpoint Security APIs through the NOTIFY_MOUNT event
- Disk Arbitration
- NSWorkspace notifications

If we omit NSWorkspace for different reasons (headless, background context), this leaves only 2 choices. From what I'm reading and understanding, the NOTIFY_MOUNT event is just telling that a volume is being mounted. It does not guarantee that the volume is mounted at the time of the event. So this seems to leave only Disk Arbitration. Since the Disk Arbitration API has been there for a long time, the question is: is there a more modern API than Disk Arbitration to know when a volume has been mounted?
Replies: 1 | Boosts: 0 | Views: 615 | Activity: Oct ’23
What does macOS promise when it upgrades/downgrades a Network Extension?
[Q] When a Network Extension is being upgraded/downgraded (and the .app Network Extension wrapper accepts it), what does macOS promise when it comes to the order of operations?

a) Will the "new" extension only be started when the running one has fully exited?

b) Will the "new" extension be started just after the first attempt to exit the running one has been triggered?

I have not found any official documentation about this (Apple dev website, quick search of WWDC video transcripts) so far. From what I'm observing, macOS follows case b):

- there is an attempt to kill/terminate the running extension
- a watchdog is installed to check whether the extension is still running after x seconds
- the system does not wait for the exit to be confirmed before launching the "new" extension

So if there are issues killing/terminating the previously running extension, there can be 2 extensions running at the same time, until the watchdog leads to a stronger attempt to exit the old extension.

[Q] What is the promise regarding the calls to startFilterWithCompletionHandler: and stopFilterWithReason:? Will the XPC message that calls startFilterWithCompletionHandler: be sent only when the previously running extension has fully exited? Or will the XPC message be sent as soon as stopFilterWithReason: from the previously running extension has completed?
Replies: 0 | Boosts: 0 | Views: 456 | Activity: Sep ’23
Some questions on the es_event_mount_t and the es_event_remount_t structures
In the online documentation for es_event_mount_t, there are 3 fields listed for the es_event_mount_t structure:

- statfs
- es_statfs_t
- reserved

I only see 2 fields in the Xcode 14 and 14+1 SDKs. [Q] Is this a typo? If it is, I can file a feedback report.

In the documentation for es_event_mount_t, the documentation describes the statfs field as "The statistics of the mounted file system". [Q] As the file system is not mounted yet in the context of an AUTH event, is it to be read as "The future/requested statistics of the mounted file system"? It's worth noting that the header documentation says: "The file system stats for the file system being mounted." So it looks like the online documentation describes the field for the NOTIFY event and the header one for the AUTH event. This is a bit confusing.

In the documentation for es_event_remount_t, the documentation describes the statfs field as "The statistics of the remounted file system." [Q] As the file system is not remounted yet in the context of an AUTH event, is it to be read as "The future/requested statistics of the remounted file system"? [Q] In the case of a mount update, the statistics look more like the current statistics of the file system, not the requested updated ones. What are these statistics supposed to be in this case? The header documentation says: "The file system stats for the file system being remounted", which in the case of an update does not really clearly say whether this is the current or future stats.
Replies: 2 | Boosts: 0 | Views: 664 | Activity: Sep ’23
Is DNS-over-HTTPS or -TLS possible with system configuration settings when a NEFilterDataProvider is running/activated?
I'm trying to figure out how to enable DNS-over-HTTPS or -TLS on macOS 12 or later when a NEFilterDataProvider is activated. From what I'm observing, this cannot be done using a configuration profile, as the DNS Settings will then appear as not running or disabled in the Network/Filters pref pane (using an MDM or not). Correct me if I'm wrong but, from what I'm understanding in the last answer of this thread, Private Relay (Oblivious DoH?) would not work either. [Q] Is it possible to configure DNS-over-HTTPS or -TLS at the system level when a NEFilterDataProvider is activated? If it is, how is it supposed to be done?
Replies: 4 | Boosts: 0 | Views: 2.1k | Activity: Aug ’23
Can the remoteEndpoint of a NEFilterSocketFlow be something else than a NWHostEndpoint?
[Q] In the method

    - (NEFilterDataVerdict *)handleInboundDataFromFlow:(NEFilterFlow *)flow readBytesStartOffset:(NSUInteger)offset readBytes:(NSData *)readBytes;

of a NEFilterDataProvider subclass, if flow is a _NEFilterSocketFlow *, is it possible for the remoteEndpoint property of the socket flow to be something else than a NWHostEndpoint *?
Replies: 2 | Boosts: 0 | Views: 609 | Activity: Jun ’23
How can we find which macOS releases (x.y.z) include a specific dylib version?
Let's say there is a dylib whose source code is available in a repository of https://github.com/apple-oss-distributions. I can see a version/tag for this release on GitHub. Now I want to find which versions of macOS include this version of the dylib. This requires being able to tell which version of the lib is distributed with a specific macOS version. And this is already a problem. If I create a small executable that is linked to this library and I use otool -L to see the version of the dylib, I get 1.0.0, which definitely does not match a version/tag from GitHub. If I use dlopen and the mach-o/dylib.h APIs to find the version listed in the appropriate segment/section, I also get 1.0.0. The next step I'm looking at is to spend some time to successfully build dyld_shared_cache_util to extract the dylib from the cache and hope there will be more info. But, maybe, there is a document on Apple's website or a feature in the GitHub repository that I missed. So the question is: is there a simple way to get this info?
Replies: 3 | Boosts: 0 | Views: 893 | Activity: Jun ’23
DNS Proxy Provider vs DNS Proxy Provider vs DNS Settings
2 questions regarding conflicts between DNS Proxy Providers, and between a DNS Proxy Provider and DNS Settings:

[Q#1] On macOS, is it possible to run 2 DNS Proxy Providers at the same time? I've seen posts about this but never a definitive official answer. And I didn't see any mention in the WWDC sessions or online documentation about this. I don't see how this could work correctly but…

[Q#2] On macOS, is it possible to run a DNS Proxy Provider and a DNS Settings at the same time? From what I'm seeing, activating a DNS Settings (through a .mobileconfig file) deactivates a running DNS Proxy Provider. Activating a DNS Proxy Provider deactivates the DNS Settings.
Replies: 6 | Boosts: 0 | Views: 1.2k | Activity: Feb ’23
[installd/PackageKit] Known issue with trashed sandbox?
[Q] Is there a known issue with installd or PackageKit where installd would:

- try to use a trashed sandbox in /Library/InstallerSandboxes/
- fail to extract the embedded .pkg of a distribution to this sandbox (because the sandbox has disappeared in the meantime)
- report that the problem is that "Authorization is required to install the packages." (even though the installer(8) command was run via sudo)
- purge the invalid sandbox
- conclude the failed installation by suggesting to contact the software manufacturer

?
Replies: 3 | Boosts: 0 | Views: 1.1k | Activity: Jan ’23