Guys I'm the account holder of my company and we are working on a new EPP solution. Approx two months go I requested an Endoint Security entitlement so we can develop our product and then requested it again about a month ago. Is there a way to see what is the status of the request and whether this time frame is indeed the one we should expect? Thanks a lot!

Hello there. We have an endpoint security service that consists of a command-line tool and a client app that bundles a network extension (the command-line tool runs as a daemon via Launch Services and communicates with the extension via XPC). It works when installed manually under all OS versions, and under MacOS 12.x (Monterey) and earlier when provisioned via MDM. However, beginning with some version of 13.x (Ventura), MDM provisioning is insufficient. The daemon is unable to connect to the extension via XPC. Under "Full Disk Access" in System Pref^H^H^H^HSettings, an entry for our component appears but the switch is off. Turning the switch on manually at this point does not change the situation; the daemon apparently remains unable to talk to the extension. It seems as though some additional entitlement or declaration is now needed in the MDM mobileconfig to make things work under 13.x and above, but after trying a multitude of combinations, I'm at a loss. Any hints?

I got the permission from Apple (yay), and when I generate a profile on the portal, I can select it. But when I download it... it doesn't have it. Looking at the profile on the portal again, it says I have "Enabled Capabilities Endpoint Security, In-App Purchase". (Although how did that get there?)

Hello, As I understand it, the ES framework provides notifications for specific event types. For my question, auth events do not matter, as I'm not interested in allowing/denying events, just reporting. Is there a way to retrieve the information if an event was successful/failed from an ES message? So far, I have found nothing in this regard in the documentation. For example, under certain circumstances, I get two notifications if I try to delete a file via the Finder, for which administrator privileges are required. The first is when the authorization dialog appears (this notification is for the failed unlink event), and the second is when I enter the correct credentials and the file is deleted. Example for reproduction: Open a terminal and create a file in "/etc" with the command "sudo touch test.txt". Run the command 'sudo eslogger unlink | grep -E "test.txt"' to start monitoring UNLINK events for files named "test.txt". Open the folder "/etc" in Finder. Select the file "test.txt", click on "File" in the menu, and hold the option key pressed. Then select "Delete Immediately...". In the appearing dialog, click on "Delete". Before entering the administrator password, and while the credentials dialog is still open, observe that eslogger already reports an UNLINK event for this file. It reports the user information: "ruid":501,"euid":501,"rgid":20,"auid":501,"egid":20. Enter the administrator password to confirm the deletion of the file. Observe that eslogger reports a second UNLINK event for this file. This time with the user information: "ruid":0,"euid":0,"rgid":0,"auid":501,"egid":0. So, is there a way to check the first event for failure? Otherwise, I would need to check manually if the file is still there after receiving the first notification, if I only want to report events that "really" happened (excluding attempts).

I wrote a program to receive the notify events from endpoint security framework. ES_EVENT_TYPE_NOTIFY_AUTHENTICATION event is not notified/logged in any scenario. Please help me with the information on when does mac generate or notify this event.

I wrote a program to receive the notify events from endpoint security framework. While logging into the workstation it generates ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN event. How to get the user id and other user info from this event.

Hi guys Following this topic : https://developer.apple.com/forums/thread/654443 I test this in macOS 14 beta, audit can't work now. Is it expected or a bug? If it is expected, is there any announcement ? Thank you! Command return error: sudo audit -i Error sending trigger: (ipc/send) invalid destination port

I created a Endpoint Security the client, the System Extension have been normal load to/Library/SystemExtensions inside, and has been activated, but did not see the Extension to run, do you have who knows？

My team has received a bit of instruction in the past about how to use ESClients for Endpoint Security tasks. The source suggested using multiple ESClients but not too many. I think the proposed limit was 40. The question is this: how can I determine what warrants a new ESClient? For example, consider an app that has 30 concurrent tasks of type A, a task of type B, a task of type C, and a task of type D. Should each task type gets its own ESClient? Should the tasks of type A be divided between multiple ESClients? Can you deliver any additional guidance on this?

Is it possible to use ESF framework without enrolling into Apple developer program? I wanted to try out ESF for learning purpose.

I encountered such a problem, when I am in macOS 10.15 this part, through monitoring ES_EVENT_TYPE_AUTH_EXEC ESF framework, if I double click on the start/Users/test/Downloads/test. The app, The path of test.app corresponding to message->event.exec.target-> Path. data in the ES_EVENT_TYPE_AUTH_EXEC event is under /private/var/folders. This prevents me from blocking the test.app startup in the /Users/test/Downloads/ directory through string matching.

Can I control the pasteboard when user try to Ctrl + v? There's no option or related event in endpoint security. I'm came up the 'method swizzling', but it doesn't seem like a good way. Plz help me..

I want to create a feature that monitors which USB devices my computer is using and lets me know what they are. If the USB storage device is connected to my MacOS device, I want to prevent it from being used. Is it possible to implement such a method using ESF framework? Or is there another way to do this?

Hey all! I have a System Extension that, while doing some other things, starts up my custom Network Extension via [NEProvider startSystemExtensionMode]. This Network Extension contains a class (let's call it MyDataProvider) that overrides the NEFilterDataProvider interface and implements handleNewFlow. MyDataProvider thus acts as a network content filter. The problem is that installing my System Extension on a Ventura 13.4 (or older) system and starting up the Network Extension seemingly drops any ongoing connection I have. For example, my ssh connection will hang. This makes it quite annoying attempting to install the System Extension remotely. I do not see this behavior for my other class that inherits the NEFilterPacketProvider interface. Is this behavior expected of the NEFilterDataProvider? It seems like a bug since I do not see any documentation stating this behavior.

I implemented a method to monitor the testfile copy activity and reject it using ES_EVENT_TYPE_AUTH_CLONE. The copy code used is as follows： NSFileManager *fileManager = [NSFileManager defaultManager]; NSError *error = nil; NSString *sourcePath = self.CopyFilePath.stringValue; NSString *destinationPath = [sourcePath stringByAppendingFormat:@"(Code copy file)"]; BOOL success = [fileManager copyItemAtPath:sourcePath toPath:destinationPath error:&error]; if (success) { NSLog(@"File copy successful"); } else { NSLog(@"File copy failure：%@", error.localizedDescription); } This code fires the ES_EVENT_TYPE_AUTH_CLONE event, and I treat the auth event as ES_AUTH_RESULT_DENY, but still create a new file testfile(Code copy file) How to prevent through code [fileManager copyItemAtPath: sourcePath toPath: destinationPath error: & error]; Implementation of the file copy