I have an ESF Client process, and this process handles AUTH event in one multi-thread, at this time, if the Client process exits abnormally, will the AUTH event not be handled, thus causing the system to freeze

Hi, I'm exploring ways to control wide range of peripherals such as Keyboard, Mouse, Monitor, Router etc form connecting to mac device. I was able to easily achieve the external storage mount and unmount but having trouble understanding on how can I control which peripheral is allowed to connect to mac. Can you help me understand what events and processes in ES can be used to control them? Is ES app the correct approach for this or something else like IOKit framework?

I have developed an Endpoint Security extension which works with my normal Mac APP. For now, there are two independent projects, one is ES extension project, and the other is my normal APP. I want to distribute my APP as a pkg, so I need the ES extension in the package. I wonder to know what is the best way to package the ES extension with my normal APP? Should I add an Endpoint Security target in my normal APP project and copy the codes from ES project? Then, when user launch my APP, at some point, I need register the ES extension by OSSystemExtensionRequest?

Is there any reasonable way to track file edits and closures in Swift on a Mac? What I need: (Completed) Open a file from the server (With default application - for example: MS Word for docx) Track changes to the file, mainly OnChange, OnClose, and based on those, send commands and the file back to the server What i tried: I read forums.swift article and coresponding with this article also developer.apple.com and stackoverflow.com post. Everybody talks about the fact that it basically can't be done. At least not properly. I tried to get some scripts from the AI, but that was also completely useless. I currently want to try catching OnChange by displaying the resized file, and OnClose by using a file that creates a word and deletes it when closed. It's not an ideal solution, it's not even tested yet, but if we're primarily concerned with Word, Excel and PowerPoint, I don't currently have a better solution.

Hi, We have recently been approved for Endpoint Security entitlement on our account. We have an application (golang) that we need to assign this entitlement and sign manually. We have packaged the entitlement correctly with the application. We have tried using a Developer ID Application certificate that we created before this entitlement was given to our account and also with a newly created certificate. However the application crashes when it is launched and I see the following error in the console logs (the full crash report is too big to post). Is there anything specific we need to do to attach the Endpoint Security entitlement to our certificate? Any help would be much appreciated, we have been stuck on this for a bit. Thanks Sriram Translated Report (Full Report Below) Incident Identifier: EAA48D72-705A-420B-8179-6D9049A81657 CrashReporter Key: 4F18A957-F0B8-BE5D-A1D7-74191ABCF38A Hardware Model: MacBookPro14,1 Process: endpoint-security-example-test [6728] Path: /Users/USER/*/endpoint-security-example-test Identifier: endpoint-security-example-test Version: ??? Code Type: X86-64 (Native) Role: Unspecified Parent Process: zsh [2463] Coalition: com.apple.Terminal [1663] Responsible Process: Terminal [2417] Date/Time: 2024-07-31 13:34:45.7397 -0700 Launch Time: 2024-07-31 13:34:45.7294 -0700 OS Version: macOS 13.6.8 (22G820) Release Type: User Report Version: 104 Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid)) Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: CODESIGNING 1 Taskgated Invalid Signature Triggered by Thread: 0 Thread 0 Crashed: 0 0x116b40070 _dyld_start + 0 1 ??? 0x1 ??? Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000 rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ff7b0da09d0 r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000 r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000 rip: 0x0000000116b40070 rfl: 0x0000000000000200 cr2: 0x0000000000000000 Logical CPU: 0 Error Code: 0x00000000 Trap Number: 0 Binary Images: 0x116b3b000 - 0x116bd6fff () <2b649d59-89d8-3db6-9ba4-a6aecba42f6e> ??? 0x10f15f000 - 0x10f21afff () <9440f210-132b-3da1-b7f5-4d2d62bc8e0d> ??? 0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ??? Error Formulating Crash Report: dyld_process_snapshot_get_shared_cache failed EOF

background info: I dispatch async task to main queue in an es_handler_block_t(client subscribe open, create, exit, close events and mute all processes except DesktopServicesHelper). crash happened kinda randomly. most likely to happen when I copy a folder(contains a lot of files) in a volume to another volume. here's the crashed part of the diagnostic report . Thread 9 Crashed:: Dispatch queue: com.apple.main-thread 0 libsystem_kernel.dylib 0x18c6e2a60 __pthread_kill + 8 1 libsystem_pthread.dylib 0x18c71ac20 pthread_kill + 288 2 libsystem_c.dylib 0x18c627a20 abort + 180 3 libc++abi.dylib 0x18c6d1d30 abort_message + 132 4 libc++abi.dylib 0x18c6c1fe8 demangling_terminate_handler() + 348 5 libobjc.A.dylib 0x18c3601d0 _objc_terminate() + 144 6 libc++abi.dylib 0x18c6d10f4 std::__terminate(void (*)()) + 16 7 libc++abi.dylib 0x18c6d1098 std::terminate() + 108 8 libdispatch.dylib 0x18c56a3fc _dispatch_client_callout + 40 9 libdispatch.dylib 0x18c571a14 _dispatch_lane_serial_drain + 748 10 libdispatch.dylib 0x18c572578 _dispatch_lane_invoke + 432 11 libdispatch.dylib 0x18c57bea8 _dispatch_root_queue_drain + 392 12 libdispatch.dylib 0x18c57c6b8 _dispatch_worker_thread2 + 156 13 libsystem_pthread.dylib 0x18c716fd0 _pthread_wqthread + 228 14 libsystem_pthread.dylib 0x18c715d28 start_wqthread + 8 Thread 9 crashed with ARM Thread State (64-bit): x0: 0x0000000000000000 x1: 0x0000000000000000 x2: 0x0000000000000000 x3: 0x0000000000000000 x4: 0x000000018c6d62cb x5: 0x000000016c1eed20 x6: 0x000000000000006e x7: 0x0000000000000000 x8: 0x851ef9fdee51098d x9: 0x851ef9fc824ff98d x10: 0x0000000000000200 x11: 0x000000000000000b x12: 0x0000000000000000 x13: 0x00000000001ff800 x14: 0x00000000000007fb x15: 0x00000000a5a0204e x16: 0x0000000000000148 x17: 0x00000001fe792c30 x18: 0x0000000000000000 x19: 0x0000000000000006 x20: 0x000000016c1ef000 x21: 0x0000000000004003 x22: 0x000000016c1ef0e0 x23: 0x000000016c1ef0e0 x24: 0x00000001f442b6a8 x25: 0x0000000000000000 x26: 0x0000000000000000 x27: 0x0000600003664800 x28: 0x0000000000000000 fp: 0x000000016c1eec90 lr: 0x000000018c71ac20 sp: 0x000000016c1eec70 pc: 0x000000018c6e2a60 cpsr: 0x40001000 far: 0x0000000000000000 esr: 0x56000080 Address size fault

I'm developing a system that uses an ES extension to control user file openings on Mac. When a user tries to open a file, the ES extension can either allow or deny the user from opening it. However, the policy for allowing/denying users to open files is managed by my normal Mac app. Therefore, the ES extension needs to proactively communicate with the normal app. Initially, I wanted to create an XPC service in my regular app, but according to the documentation, XPC services are managed by launchd and cannot be created by regular apps. So if I want my ES extension to communicate with the regular app proactively, what IPC method can I use?

Hi All, We have Endpoint Security System Extension. We are facing an issue in macOS Sonoma only where we have found that open() API is not returning any response when we try to open the files and OS killing/crashing the extension. We have found in log streaming below lines for our extension: error 12:50:51.093673+0530 tccd Failed to create LSApplicationRecord for file:///Library/SystemExtensions/3378971F-D41D-4230-A887-E0DC0F61E98D/com.*.sysextcontainer.onlineext.systemextension/: 'The operation couldn’t be completed. (OSStatus error -10811.)' It seems internally some access is removed by apple on booting however we can still see our extension has Full Disk Access in System Settings. We have installed new macOS Sequoia Public beta 24A5289h and above issue is not observed and also issue not seen in previous OS(Big Sur, Monterey, Ventura) and seen only in Sonoma. We already have filed a Feedback : FB13806349 ... Thanks & Regards, Mohmad Vasim

The pidversion of a process with the same pid can increase during its lifetime. Which events, other than exec calls, can cause this increase in the pidversion? In other words, to what Endpoint Security events, other than fork, exec and exit, do I have to subscribe to get a process's complete and traceable pidversion history?

hi! I know endpoint security sysext with earlyboot property key enabled will run before all other applications run while system booting. presume all these are done before earlyboot time out: sysext run it's host app, host app notify sysext to subscribe some events through xpc, then other apps start runing. though this whole process seems to violate "sysext runs before all other applications run"... I still wonder is this possible?

Hi , Greetings of the day! I would like to get help to avoid the Endpoint Security System Extension crash due to below reason: Termination Reason: Namespace ENDPOINTSECURITY, Code 2 EndpointSecurity client terminated because it failed to respond to a message before its deadline Couple of events we have subscribed and for AUTH related events we are receiving deadline of 14 seconds in Sonoma and to avoid above issue we have implemented a queue to provide verdict within the deadline to avoid the OS killing of our extension however sometime we observe that we are getting crash with below message: Termination Reason: Namespace ENDPOINTSECURITY, Code 2 EndpointSecurity client terminated because it failed to respond to a message before its deadline **Dispatch Thread Soft Limit Reached: 64** (too many dispatch threads blocked in synchronous operations) There is no GCD API to check whether queue is reached to soft limit so we need help here to know or check whether queue is reached to soft limit 64. if we can check above then we should avoid adding the new tasks in it until its free to accept the tasks. And for NOTIFY_CLOSE, we are getting big value in seconds as deadline however we are adding all the processing of NOTIFY_CLOSE with dispatch_async however still receiving the crash. Here is code for AUTH_OPEN : dispatch_queue_t gNotifyCloseQueue = dispatch_queue_create( "com.example.notify_close_queue", dispatch_queue_attr_make_with_qos_class(DISPATCH_QUEUE_CONCURRENT_WITH_AUTORELEASE_POOL, QOS_CLASS_UTILITY, 0)); dispatch_queue_t gAuthOpenQueue = dispatch_queue_create("com.example.auth_open_queue",dispatch_queue_attr_make_with_qos_class(DISPATCH_QUEUE_CONCURRENT_WITH_AUTORELEASE_POOL,QOS_CLASS_USER_INTERACTIVE, 0)); BOOL AuthOpenEventHandler(es_message_t *pesMsg) { //Some Processing we are doing here like Calculate the deadline in seconds etc. and we are receiving 14 seconds in Sonoma // deadline - 14 seconds if ( deadlineInSeconds < 10 ) { dispatch_time_t triggerTime = dispatch_time(pesMsg->deadline, (int64_t)(-1 * NSEC_PER_SEC)); __block es_message_t *pesTempMsg; pesTempMsg = es_copy_message(pesMsg); dispatch_after(triggerTime, gAuthOpenQueue, ^{ if (pesTempMsg != NULL) { esRespondRes = es_respond_flags_result(pesClt,pesMsg,pesMsg->event.open.fflag,false); if(ES_RESPOND_RESULT_SUCCESS != esRespondRes) { es_free_message(pesTempMsg); return; } if (pesTempMsg != NULL) { es_free_message(pesTempMsg); } } return; }); } // Some Processing we are doing here to provide verdict and we are making sure that within 11 seconds we are setting the verdict // we are setting iRetFlag here based on verdict if (NULL != pesMsg) { esRespondRes = es_respond_flags_result(pesClt,pesMsg,iRetFlag,false); if(ES_RESPOND_RESULT_SUCCESS != esRespondRes) { es_free_message(pesMsg); return FALSE; } } return TRUE; } Here is the code for NOTIFY_CLOSE: BOOL NotifyEventHandler(es_message_t *pesMessage) { if (pesMessage->event_type == ES_EVENT_TYPE_NOTIFY_CLOSE && YES == pesMessage->event.close.modified) { __block es_message_t *pesTempMsg; pesTempMsg = es_copy_message(pesMessage); dispatch_async(gNotifyCloseQueue, ^{ // Performing Some processing on es_message_t if (pesTempMsg != NULL) { es_free_message(pesTempMsg); } }); if (pesMessage != NULL) { es_free_message(pesMessage); } } else { es_free_message(pesMessage); } return TRUE; } It would be helpful if someone help us to identify what could be wrong we are doing in above code and how to address/solve those problems (code snippet would be helpful) to avoid all possible crashes. ... Thanks & Regards, Mohamed Vasim

When the user opens the "Save As" dialog, the Open and Save Panel Service will be launched by the system. Now I want to monitor the "Save As" operation in a user program, so is there an Endpoint Security event that I can use to monitor when the Open and Save Panel Service is launched? I've tested the ES_EVENT_TYPE_AUTH_EXEC event, but it did not work.

I'm using the ES framework to control files created by handling the event ES_EVENT_TYPE_AUTH_CREATE, but when a file is created by replacing the same name file, ES_EVENT_TYPE_AUTH_CREATE won't be reported. I've searched and tried the event ES_EVENT_TYPE_AUTH_EXCHANGEDATA, but it didn't work. Which event should I monitor for 'creating a file' by replacing a file with the same name?

My company is developing internal security software to deploy exclusively on corporate Mac endpoints. We are using the Endpoint Security framework, which requires the restricted com.apple.developer.endpoint-security.client entitlement. We were granted development access to this entitlement, but we have been denied distribution access. It's not practical to use ad-hoc provisioning for distributing the app internally to our users. Unfortunately the brief denial message did not provide any advice for a path forward. If my company signed up for the Apple Developer Enterprise Program (https://developer.apple.com/programs/enterprise/), is it possible to grant the Endpoint Security entitlement for internal enterprise distribution? Otherwise, we appear to be stuck and unable to use Endpoint Security for our internal applications.

Hello, I am writing an Endpoint Security Client application that is supposed to monitor file creation/writing/deletion. It works fine except for one thing - it doesn't pick up changes to the cron jobs file. I am monitoring directory that stores cron job config file and if I would add/delete/write to any new file manually (using for example vim) it will be picked up on by the ES client (yes I know cron files are not meant to be edited manually). But if I want to make changes with command crontab -e then although the contents of the file change, ES client is not sending a notification about it. Any ideas why? Is the mechanism responsible different than just file writing?

We have developed a system extension based on the Endpoint Security framework, but after upgrading to macOS 15 beta, the system extension fails to enable in Login Items & Extensions. The specific prompt is shown in the image , and the system log indicates an XPC connection failure. When we use the command to check the extension status, it is [activated waiting for user]. We have tried some other products that use system extensions, and they are also unable to load the system extension.

I am learning about endpoint security and other system extensions, while I was handling ES_EVENT_TYPE_AUTH_IOKIT_OPEN event I realized that I cannot auth deny any bluetooth events. I tried to deny any open or execute events related to com.apple.bluetoothd but it did not work. I searched google and found out that I can use CoreBluetooth to control bluetooth. But when I get connected to bluetooth keyboard or mouse, didConnectPeripheral dose not get called or when I call [central cancelPeripheralConnection:peripheral] disconnection never happens. Is there any recommendation for handling or controlling events related to bluetooth connection?

hi all. I subscribe the notify write event, every time I recieve a notify write event message i will send log data and reply block(didn't do nothing) with async method to host app(Objc XPC API).host app will reply immediately once it recieves data. after a while my sysext crashed, then I checked system log find the log below. launchd: exited with exit reason (namespace: 30 code: 0xc40000000004aaaa) - (unknown reason) is it because of exceeding the maximum limit of xpc's block queue length, or too many memory allocation, or... by the way, host app didn't crash. how this happened exactly? how could i solve it?

Hi :wave: I started a new project to experiment with EndpointSecurity framework. It seems to have been worked, but when I try to add XPC I face some troubles. I am not able to send XPC message from my app to my system extension. No runtime error, but when I'm inspecting logs: That correspond to this code: https://github.com/tony-go/TestES/blob/main/Extension/main.swift#L21-L30 Full project: https://github.com/tony-go/TestES/ I thought at first that it could come from a missing @objc somehere but it does not seems ... I also wonder why I cannot catch this error at runtime ?

Hello. Is there a legal way to block iOS devices from being mounted on macOS? I noticed, that when an iOS device is connected, it pretends to be like a storage device but it is not. It not even going through diskArbitration. It seems that some fileProvider is taking place there. I know that it is possible to do via the MDM profile: <key>PayloadContent</key> <dict> <key>.GlobalPreferences</key> <dict> <key>Forced</key> <array> <dict> <key>mcx_preference_settings</key> <dict> <key>ignore-devices</key> <true/> </dict> </dict> </array> </dict> </dict> But is there some programmatic solution? If I use EndpointSecurity and block file operations for the usbmuxd process on /var folder, it prevents iOS devices from being mounted. But wouldn't be there any negative side effects from such a solution?