new to Apple, MacOS, SystemExtensions. I don't see anything about my topic in system extensions documentation. should I use XPC? or we have a better way here?

Hello, 3 questions regarding Endpoint Security Framework: Does ESF support tracing the dup2(2) function? There is the ES_EVENT_TYPE_NOTIFY_DUP event, but it seems that it only reports dup(2), not dup2(2)? Does ESF support tracing the dup(2), and close(2) calls, if the file descriptor passed to these functions refer to a pipe handle instead of a file handle? If not, do you have any plans of extending the support for pipes as well? Could the es_event_dup_t structure support reporting which file handle has been duplicated into which value (source file descriptor value, and target file descriptor value)? Currently this structure only supports the "target" file object, without any information which file descriptor has been cloned into which file descriptor, which is not helpful at all. For example, if we open file A and we get fd1, then open the same file A and we get fd2, then perform dup(fd1), then with ESF it seems that it's impossible to tell if we've duplicated fd1 or fd2. Also this model doesn't support dup2(2) usage at all.

Hello, I am going to use endpoint security framework in my application. Unfortunately, I have not found any clear cut explanation about how to use endpoint security in multithread applications. Can we say the handler block (es_handler_block_t), which is the parameter of es_new_client(), is running in separate thread? Does es_new_client() create new thread? Should I synchronize a handler block and the code which calls es_delete_client()? Should I protect the handler block by mutex? Thank you in advance.

Hello, I requested entitlement 4 times from 4 days ago. But I did not get any kind of response mail. I need entitlement for only development, to check file IO events. Is there any way to request entitlement ? Regards, Daehong

For a security product, I wonder if security extension has a capability to catch a file during copy operation (I guess it's composed out of multiple basic ops like file read and file write). I'd like to store the file in some quarantined temporal (let's say when someone copy file from external file system like usb/network location and copy it back once the file has properly scanned. So far, i've used the authorization capabilities of the security extension. I wonder if there's also an option to change the target location of a file being copied ? Thanks.

I'm trying to log Endpoint Security events to os_log. I'd be grateful if someone could confirm that using the --oslog option with eslogger actually writes event data to the system log. If I monitor with sudo eslogger exec fork exit I see events at the command line, yet if I add the --oslog option, I don't see those events when monitoring the log with sudo log stream --predicate 'subsystem == "com.apple.eslogger"'. Nor do I see them if I filter in the Console app on just the subsystem "com.apple.eslogger". Have I missed out something with my work? Any help appreciated. Thanks.

This is a topic that comes up regularly, both in my Day Job™ with DTS and here on DevForums. This situation is a bit subtle, and it’s long past the time I should have written a proper explanation of it. If you have questions or comments, put them in a new thread here on DevForums. To ensure that I see your thread, tag it based on the technology you’re using. For example: If you’re working with Endpoint Security, use the Endpoint Security tag. If you’re building a Network Extension provider, use the Network Extension tag. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Inferring High-Level Semantics from Low-Level Operations Apple supports a number of APIs that let you observe low-level operations. For example: An Endpoint Security (ES) client can learn about low-level file system operations, like open and close. A Network Extension (NE) filter provider can learn about outgoing and incoming network packets. Folks using these APIs often want to infer high-level semantics from these low-level operations. For example: An ES client might want to prevent the Finder from copying files to an external drive. An NE filter provider might want to block Safari from fetching specific URLs. While DTS supports these APIs, we don’t support this sort of low-to-high inference. That’s because our goal is to help developers use Apple’s APIs in a sustainable way, and it’s impossible to do this inference in a way that will be binary compatible in the long term. Let me illustrate this with an example. Consider the NE scenario above. It’s easy for an NE packet filter to drop packets being sent to a specific host. However, that approach is very brittle. If something changes in the implementation path from Safari requesting a URL to how that’s rendered as IP packets, your product will break. A great example of such a change is iCloud Private Relay. This isn’t to say that such inference can’t be done at all, just that it’s not possible to do it in a sustainable way. Given that, here’s my advice: Try to work with high-level operations where possible. For example, ES recently added high-level log in and log out notifications, which means you no longer need to infer such events from lower-level ones. If the system doesn’t support the necessary high-level operations, file an enhancement request that describes your requirements. In the meantime, you can have a go at doing this inference yourself, but be aware that DTS can’t support you in that task.

ES_EVENT_TYPE_NOTIFY_CREATE doesnt get triggerd if i copy a file to iPhone connected to mac device. Also, ES_EVENT_TYPE_NOTIFY_MOUNT doesnt get triggered when an iphone is connected to a macos device

Hi! There are two fields in ES message: global_seq_num and seq_num, which are described as a continuous number sequence unless the kernel is "dropping events" because "kernel generated more events than the client could handle." https://developer.apple.com/documentation/endpointsecurity/es_message_t/3684979-global_seq_num https://developer.apple.com/documentation/endpointsecurity/es_message_t/3538607-seq_num However, as we all know, system will kill ES client, if the message is not answered in (deadline) time. I've a lot questions about this thing: What the "drop" actually is? The event is not provided to es client from the kernel? What does the "client could handle" means exactly? (I mean, es client will be already killed, if it can't respond to event in deadline) Are the dropped events responded by the system immediately, or they do wait something? Are only auth events could be dropped, or notify too? What is the system resolution for dropped auth events? (allow I guess) What I'm expected to do as a developer with these two fields - should I just log them and hope to find something out later, or can I react somehow during runtime if I met the break in *seq_num sequence?

We are trying to get access to Endpoint security entitlement for our enterprise app that uses Endpoint Security Extension but after almost 5 month and over 3 requests there is no response from Apple. We kindly asked Apple for entitlement because we have to distribute our application to our customer ASAP. I need some information around this issue. What the reason ? How can I contact support for my requests? Thanks in advance

I refer to Google's ESF project code to handle NOTIFY events, but after my notifyQueue is set to QOS_CLASS_BACKGROUND, the process memory gets larger when a lot of events occur. Is there any way to fix this without affecting performance The code is as follows： notifyQueue = dispatch_queue_create("notify",dispatch_queue_attr_make_with_qos_class(DISPATCH_QUEUE_CONCURRENT_WITH_AUTORELEASE_POOL,QOS_CLASS_BACKGROUND, 0)); if (msg->action_type == ES_ACTION_TYPE_NOTIFY) { es_message_t *copied_msg = [self copy_message:msg]; if (!copied_msg) { return; } dispatch_async(self->_notifyQueue, ^{ @autoreleasepool { [self handle:copied_msg]; [self free_message:copied_msg]; } }); }

In the ESF framework, if I set up a process through audit token mute. Will the creation and corresponding child processes of this process also be mute mute. mute process A. process A creates a child process B. Whether the child process B is mute？

I have developed a process monitoring software for internal use in my company using the endpointsecurity API. When I tried to package and distribute it to my colleagues, I found out that I need to apply for the com.apple.developer.endpoint-security.client entitlement from Apple. It has been almost 2 months since I submitted the application, but it hasn't been approved yet. I sought help from customer service, but they haven't provided any useful feedback. I'm hoping to get help from the developer community. How can I expedite the approval of the com.apple.developer.endpoint-security.client entitlement? thanks~

Hello, I've come across information regarding macOS endpoint protection software: It seems Apple no longer allows them to create kernel extensions. It seems that endpoint software should now function with MACF by implementing hooks from userland. Does this mean the Endpoint Security Framework will soon become deprecated? I'm currently searching for a sample source code for MACF hooks, but I haven't found anything in the Apple developer documentation. Thanks

I have implemented an app to monitor computer events according to ESF framework, but a crash will appear, and the crash content is Time Awake Since Boot: 800000 seconds Time Since Wake: 2594 seconds System Integrity Protection: enabled Crashed Thread: 0 Exception Type: EXC_CRASH (SIGKILL) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace ENDPOINTSECURITY, Code 2 I can't find it. Why is this happening. Can you tell me under what circumstances such a crash would occur.

Hello community we have been using an Endpoint Security client within a system extension for quite a while now. After some users updated macOS to Sonoma, we got complaints about slower performance when using MS Office on Mac. The product features work as expected, and our system extension is loaded and delivers events. Upon inspection of the log files, we found the following (but not on all machines): [com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension/: 'The operation couldn’t be completed. (OSStatus error -10811.)' and [com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.sophos.endpoint.scanextension, type: 0: 0x7fb63da318c0 at /Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension for almost each event delivered. We are using XPC from the system extension to a non-priviliged daemon process to process file content. A feedback has already been filed: FB13174804 An additional code-level support was returnd woithout any explanation. Signing checks of the system extension and the containing app (daemon) on Sonoma turn up without any errros. Any idea, whats going on here? Frank Fenn Sophos Inc.

Recently we've discovered an issue affecting our products in regards to using the Monterey+ provided new api calls to selectively mute events. Specifically, whenever using es_mute_process_events or es_mute_path_events, the ES_EVENT_TYPE_NOTIFY_OPEN event is ignored for muting (meaning the call will return success, but the event will keep coming). This is true only for this event as far as I can tell, its AUTH counterpart stays muted (along lots of other processes: clone, rename, close, unlink, fork etc). It fails if either the event is in a list of events or if the event is singled out in 1 sized vector of events. When using a dedicated client for this event and using the previous api, es_mute_process or es_mute_path muting works as intended. Tested on ventura 13.5 and 13.6. Is there something that can be done to prevent dedicated clients or is this a known issue?

I downloaded the ES sys-ext sample project. I built the 'NOTIFY' extension, and I was able to install it. However, it doesn't seem to work (or - it doesn't report anything). This is what I did: I download the project I renamed the bundle IDs I disabled SIP I tried both signing options - let 'Xcode automatically manage signing', and I also tried to use my 'Developer ID' I moved the app to the Applications folder I grant the 'Full Disk Access' permission to the extension I verified that the extension is running I did not get the needed entitlement yet, but since SIP is disabled, I don't think it's a problem I did get the message 'Successfully installed the extension ✅' At the terminal, I tried to capture relevant logs: log stream --style compact --predicate 'sender == "myBundleId"' (I tried it with the app bundleID, and with the extension's bundleId) And yet, 'ps' triggers no logs. *At the Console, I get those messages: "Unsatisfied entitlements: com.apple.developer.endpoint-security.client" Disallowing: myBundleId amfid: Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=, unsatisfiedEntitlements=, NSLocalizedDescription=No matching profile found} Any idea where's the problem at?

Quinn, you've often suggested that to validate the other side of an XPC connection, we should use the audit token. But that's not available from the XPC object, whereas the PID is. So everyone uses the PID. While looking for something completely unrelated, I found this in the SecCode.h file OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED target); Would this be the preferred way to do this now? At least from 11.0 and up. Like I said, I was looking for something completely unrelated and found this and don't have the cycles right now to try it. But it looks promising from the description and I wanted to check in with you about it in case you can say yes or no before I get a chance to test it. Thanks