Reply to using endpoint security framework within a launchctl daemon
A few tips that will probably save some time for someone willing to use Endpoint Security without a System Extension:
- you can instantiate an ES client from within any process, including a launchd agent or daemon, without a System Extension; however, you will not get any benefits of the System Extension, like early boot or whatever-will-come-in-future
- your users will need to grant Full Disk Access to that daemon (manually, or through MDM)
- the daemon will not appear in the Privacy prefpane automatically; however, you can do some mumbo-jumbo that involves an executable being inside one of your bundles, then FDA will propagate to that executable and the app will be visible in the prefpane
- and sure thing, you will need to have a proper provisioning profile in your daemon's bundle (yes, bundle, e.g. .xpc)
- also, this is not mentioned anywhere explicitly (or is it?), but a daemon with EndpointSecurity entitlements may not have Hardened Runtime relaxation entitlements at the same time, e.g. strict library validation disabled
Jul ’20
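As an added illustration of the reply above (example code, not the poster's own), here is a minimal LaunchDaemon that creates an Endpoint Security client directly, without a System Extension, and maps each es_new_client() failure code to the prerequisite the reply names (entitlement and provisioning profile, Full Disk Access, running as root). It assumes the binary is signed with the com.apple.developer.endpoint-security.client entitlement, carries an embedded provisioning profile, and has no hardened-runtime relaxation entitlements such as com.apple.security.cs.disable-library-validation.

```objective-c
// Build (assumed): clang -fobjc-arc main.m -framework Foundation \
//   -framework EndpointSecurity -lbsm -o esdaemon
// Then codesign with the ES entitlement and run it from a LaunchDaemon plist.
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>
#include <stdio.h>

// Translate the result of es_new_client() into the setup step that is missing.
static const char *describe_result(es_new_client_result_t r) {
    switch (r) {
        case ES_NEW_CLIENT_RESULT_SUCCESS:              return "success";
        case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:     return "missing endpoint-security entitlement or provisioning profile";
        case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:    return "Full Disk Access not granted to this daemon (TCC)";
        case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:   return "caller is not running as root";
        case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS: return "too many ES clients on this host";
        case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT: return "invalid argument";
        case ES_NEW_CLIENT_RESULT_ERR_INTERNAL:         return "internal error";
    }
    return "unknown result";
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t r = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        // NOTIFY events need no response; log each exec as simple detection telemetry.
        if (msg->event_type == ES_EVENT_TYPE_NOTIFY_EXEC) {
            const es_process_t *target = msg->event.exec.target;
            // es_string_token_t is not guaranteed NUL-terminated, so print by length.
            fprintf(stderr, "exec pid=%d path=%.*s\n",
                    audit_token_to_pid(target->audit_token),
                    (int)target->executable->path.length,
                    target->executable->path.data);
        }
    });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %s\n", describe_result(r));
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_EXEC };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return 1;
    }
    dispatch_main(); // keep the daemon alive; launchd owns its lifecycle
}
```

With the daemon's StandardErrorPath set in its launchd plist, the failure string points straight at which of the reply's prerequisites is still missing on a given host.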
Reply to Staple notarization ticket to a daemon
As you've noticed, stapling is not supported for .zip packages (there is nowhere to put the ticket), this is correct. macOS will indeed download and check the notarization ticket for your binary upon first launch. But if there is no internet connection, this will fail and you will get a nasty Gatekeeper alert. What you can do — create a package that will install your daemon (and probably a launchd plist and some bootstrap script, I guess) with pkgbuild and productbuild. A product package can be signed, notarized and stapled.
Jun ’20