Post / Replies / Boosts / Views / Activity

questions about EndpointSecurity & System Extension
Hi, we have some questions about the EndpointSecurity framework.

1. Must the EndpointSecurity client be a system extension? We used the es-client entitlement to make a development provisioning profile with the EndpointSecurity-client capability. Then we built a simple app (no system extension) with EndpointSecurity.framework and that provisioning profile. It works well on another machine on which SIP is enabled (root permission & approved by TCC). So, does this mean that we can distribute the EndpointSecurity client as a simple app (without a system extension)?

2. If we must package the Endpoint Security client as a system extension contained in an app, can the containing app be distributed in the Mac App Store?
Replies: 46, Boosts: 0, Views: 16k, Activity: Nov ’19
Checking signature in sandboxed network extension
Hi, as suggested in the previous post, I want to check the code signature to prevent unauthorized access to my XPC service in the Network Extension, but my signature check doesn't work in a sandboxed network extension.

Here is the minimal working example, which checks whether the code itself has a trusted signature:

    - (void)test {
        OSStatus ret;
        SecCodeRef mycode = NULL;
        SecRequirementRef myreq = NULL;
        CFErrorRef myerr = NULL;
        do {
            // Build the requirement: the code must chain to a trusted anchor.
            ret = SecRequirementCreateWithString(CFSTR("anchor trusted"), kSecCSDefaultFlags, &myreq);
            if (ret != errSecSuccess) break;
            // Obtain a code object for the running code itself.
            ret = SecCodeCopySelf(kSecCSDefaultFlags, &mycode);
            if (ret != errSecSuccess) break;
            NSLog(@"validate start");
            // Validate the code object against the requirement.
            ret = SecCodeCheckValidityWithErrors(mycode, kSecCSDefaultFlags, myreq, &myerr);
            NSLog(@"validate return=%d err=%@", ret, myerr);
        } while (0);
        // Release whatever was created, regardless of where the loop exited.
        if (myerr) { CFRelease(myerr); }
        if (myreq) { CFRelease(myreq); }
        if (mycode) { CFRelease(mycode); }
    }

This snippet works in a sandboxed app and in an UN-sandboxed network extension. In a sandboxed network extension, however, it outputs:

    validate return=-2147416000 err=Error Domain=NSOSStatusErrorDomain Code=-2147416000 "(null)"

(CSSMERR_CSP_INVALID_CONTEXT_HANDLE)

After digging into the logs from system frameworks, I found the following two lines, which make me believe the error is related to sandboxing:

    <Security`Security::MDSSession::LockHelper::obtainLock(char const*, int)> com.mycompany: (Security) [com.apple.securityd:mdslock] obtainLock: calling open(/private/var/db/mds/system/mds.lock)
    <Security`Security::MDSSession::LockHelper::obtainLock(char const*, int)> com.mycompany: (Security) [com.apple.securityd:mdslock] obtainLock: open error 1

Is this a limitation of macOS, or do I have to adjust my code for the sandbox in the network extension?

Thanks in advance.
Replies: 14, Boosts: 0, Views: 3.2k, Activity: Jan ’20
"Placeholder Developer" when activating multiple system extensions
Hi, when I try to activate multiple system extensions at the same time, the sheet shows "Placeholder Developer" rather than the name of the developer. Both system extensions have been signed with a distribution provisioning profile, and they run without problems if I allow them in System Preferences - Security & Privacy.

Is there anything I can do to change "Placeholder Developer" to show my name, or is this an issue to be fixed in the next macOS release?

I have tested on 10.15.3 (19D76) and 10.15.4 beta 4 (19E250c).

PS: there should be a screenshot, but I don't know how to post it. The dialog is System Preferences - Security & Privacy, General tab. At the bottom, a label shows "Some system software was blocked from loading." with an "Allow..." button on the right. After clicking the "Allow..." button, a sheet appears, titled "System software from following developers was blocked from loading." The list in the sheet contains two identical items: "Placeholder Developer" with a checkbox on the left.
Replies: 8, Boosts: 0, Views: 7.3k, Activity: Mar ’20