Endpoint Security SystemExtension Documentation

App & System Services Drivers
BoBKelso OP
Created Oct ’19
Replies 4
Boosts 0
Views 1.5k
Participants 4

Hello,

Is there a proper documentaion how an Endpoint security system extension has to be structured? Because I can not find it.

I would expect the following:


  • The naming convension of the extension bundle (already available)
  • Folder structure of the extension
  • All Info.plist keys that are mandatory, and example values describing them
  • All other Info.plist keys that are only relevant to the systemextension
  • All entitlements that either must be set or should be set within the extension.
  • All Info.plist keys and entitlements that are mandatory for the containing Application bundle.
    • like the com.apple.developer.system-extension.install entitlement


    • And Xcode should come with a template for Endpoint Security SystemExtensions targets. Currently there is only Network SystemExtensions available.


    I already opened two feedback reports regarding this issues in June:

    FB6145201 for the Xcode Template and FB6145147 for better documentation of the Endpoint Security Framework.


    Best Regards

    Timo

    Replies  4
    Boosts  0
    Views  1.5k
    Participants  4
    DTS Engineer OP
    Apple
    Oct ’19

    Is there a proper documentaion how an Endpoint security system extension has to be structured?

    No there is not, but I figured you know that already because your bugs haven’t come back to )-: If you’ve run into specific roadblocks, feel free to post your questions here. I’ll try to help out in this context but, if not, I may ask you to open a DTS tech support incident so that I can research stuff in more depth.

    Share and Enjoy

    Quinn “The Eskimo!”
    Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

    let myEmail = "eskimo" + "1" + "@apple.com"
    0
    prokash OP
    Oct ’19

    Hello,


    I'm also looking for an example workspace. Or some instructions to create such extension, embed in an app using xcode. For Network extension, there was one from Apple ( SimpleFirewall). It was helpful. But for Endpoint security ( replacing Kauth and others ), could someone point me to some place where at least we could create a legit workspace, then follow the API. Hope the online API shows up soon for use as docs. Otherwise SDK API reading ...

    0
    BoBKelso OP
    Oct ’19

    Hi eskimo,

    I figured out that I was missing the NSSystemExtensionUsageDescription key in the Info.plist.

    I already opened a Feedback to improve the error messages logged by sysextd (FB7361399). I would have figured out the issue way faster if there would have been an error description.


    One colleague attended this years WWDC and in the labs she was promised that if an Endpoint Security System Extension is activated by the user it will automatically receive Full Disk Access. However my extension did not receive FDA. Did I miss an extra key in the Info.plist?


    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleDevelopmentRegion</key>
  <string>$(DEVELOPMENT_LANGUAGE)</string>
  <key>CFBundleDisplayName</key>
  <string>Scanner</string>
  <key>CFBundleExecutable</key>
  <string>$(EXECUTABLE_NAME)</string>
  <key>CFBundleIdentifier</key>
  <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
  <key>CFBundleInfoDictionaryVersion</key>
  <string>6.0</string>
  <key>CFBundleName</key>
  <string>$(PRODUCT_NAME)</string>
  <key>CFBundlePackageType</key>
  <string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
  <key>CFBundleShortVersionString</key>
  <string>1.0</string>
  <key>CFBundleVersion</key>
  <string>1</string>
  <key>NSSystemExtensionUsageDescription</key>
  <string>Scans your FileSystem</string>
  <key>LSMinimumSystemVersion</key>
  <string>$(MACOSX_DEPLOYMENT_TARGET)</string>
  <key>NSHumanReadableCopyright</key>
  <string>Copyright © 2019...</string>
</dict>
</plist>


    Additionally I think this behaviour should be officially documented!


    In the end I really like to see something like a technical note that ties all relevant documentations together. And additionaly this note should come with an example.


    Best regards,

    Timo

    0
    Security Engineer OP
    Apple
    Jun ’20
    Sample code is available now. Please follow : https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security.

    Also Xcode 12 has native template for Endpoint Security System Extension target.
    1
    Endpoint Security SystemExtension Documentation
    First post date Last post date
     
     
    Q