questions about EndpointSecurity & System Extension

Hi,


We have some questions about the EndpointSecurity Frameworks.


1. Whether the EndpointSecurity Client must be a system extension?

We use the es-client entitlements making a develop provisonprofile with its EndpointSecurity-client capabilities. Then, build a simple app(no system extension) with EndpointSecurity.Framework and the provisonprofile. It works well on other machine which SIP is enabled. (Root permission & approved by TCC )

So, whether it means that we can distribute the EndpointSecurity-Client as a simple app(without system extension)?


2. If we must package Endpoint Security as a system extension, and be contained in an app. Whether the containing app can be distributed in Mac App Store?

Answered by DTS Engineer in 402187022

right now NetworkExtension system extensions have the opposite problem, where you can’t deploy them via Developer ID

I have some good news on that front. It should now be possible to ship Developer ID signed NetworkExtension system extensions. Yay!

To get this working, you have to use a new set of NE entitlement values. For example, a Mac App Store transparent proxy uses the

app-proxy-provider
value, while a Developer ID product should use
app-proxy-provider-systemextension
. The full list of these is documented on the
com.apple.developer.networking.networkextension
entitlement page.

Note These entitlement values are understood by macOS 10.15 and later.

If you have an existing development signed NE sysex project, here’s how to change it over:

  1. On the developer web site, create two new App IDs, one for the container app and one for the system extension embedded within that container.

  2. Add the Network Extension capability to both App IDs.

  3. Add the System Extension capability to the app’s App ID.

  4. Add any other capabilities you need.

  5. Create Developer ID profiles for both of these.

  6. Download and import those profiles into Xcode.

  7. In Xcode, configure your app and sysex targets to use manual code signing.

  8. Then select the appropriate profile for each target.

  9. Change the bundle IDs to match your new App IDs. This will require additional changes in your code, for example:

    It’s best to do a search for the old bundle ID in order to make sure you got everything.

  10. For both the app and the sysex, change your

    .entitlements
    file to use the new sysex variant of the entitlement. For example, if you’re creating a transparent proxy, you’d change
    app-proxy-provider
    to
    app-proxy-provider-systemextension
    .

    Note Xcode has not yet been updated to display a nice string for these (r. 58567937).

  11. Build your app.

  12. Install and test on a macOS 10.15 with SIP disabled.

    Note You only need to have SIP disabled if your app isn’t notarised. When you deploy to users, you notarise your app and that lifts the SIP requirement.

I just went through this process here in my office and it seems to work.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

As this is brand new, the short answer here is that I don’t know )-: It should be pretty easy to test though.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I will share what I find when I get to that point.


Thanks, Quinn

I'm still trying to launch my command-line endpoint agent via launchd from an XPC request from the GUI application.


Everything works fine with SIP turned off, but once SIP is turned back on, the endpoint agent exits with a status of -9.


The console error message is:

removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /usr/local/netsqllc/libexec/netsq_endpoint_agent:
   Code has restricted entitlements, but the validation of its code signature failed.

The code has been signed with my "Developer ID Application" certificate

The package built with my "Developer ID Installer" certificate

The package has been notarized.

And the application installed via the notarized package installer.


My "request to use Endpoint Security was approved", but I had some problems with the instructions in the email. They seemed to indicate that this would be a GUI app and not a command-line app.


For example, I cannot set the "Provisional Profile" for a command-line application.


Any suggestions or Tech Notes for configuring the command-line application for Endpoint Security with SIP activated?


Thanks,

For example, I cannot set the "Provisional Profile" for a command-line application.

This is likely to be the problem. Amongst other things, a provisioning profile whitelists the entitlements you use [1]. Thus, your ES daemon will definitely need this profile. Unfortunately there’s no way to package a daemon along with a profile, which is why Xcode won’t let you do this for your current command-line tool target.

For the system to pick up the profile, you have to package your daemon in an app-like structure. The easiest way to do this is to create an app target, strip out all the app stuff (apart from the

Info.plist
), and replace the
main
function with your daemon’s main.

Or use a system extension, which already has this app-like structure and thus avoids this problem completely.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Some entitlements, like the App Sandbox entitlements, can be used without being whitelisted, but the ES entitlement definitely needs it.

Hi Quinn and others,


I tested this and yes, an external app can talk to my ES extension using XPC as if the extension was a launchd service.


Looking at the man page more carefully (man EndpointSecurity), I see that at the bottom, the date is "27 November, 2018" (is it really that old?) and probably hasn't been updated for the change the release note is referencing. But that is speculation on my part.

'The man page that this leads you to says for NSEndpointSecurityMachServiceName, "If set, this string will be the name of the MachService which can be used for XPC between the ES extension and its app."'


I have not been able to find any refernce to "NSEndpointSecurityMachServiceName".


Is this the equivalent of the


NetworkExtension > NEMachServiceName


in the Info.plist file created for Network Extensions?


Anyone have pointers to documentation for this?


I am thinking this might be associated with the problem I raised in this post where I am trying to figure out how additional apps can connect to the EndpointSecurity extension: Secondary app connecting to endpoint extension


Thanks,

Todd2,


It's on my 10.15.4 Beta (19E234g) VM, not on my host 10.15.3 version. Didn't realize it until just now. But I found it through the 10.15.4 release notes originally.

Thanks.


I should really create a second disk for running the latest Betas. I don't want to get bit in the **** by a change that catches me off guard.

I should really create a second disk for running the latest Betas.

Like mdolan, I use a VM for this. It’s way more pleasant than booting to a second partition.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

When I used a VM before (parallels) I was not seeing the raw network packets (which I also use). Back then I was only processing IPv4, so maybe all the traffic was IPv6 at the VM and then bridged to IPv4 before going out on the physical network. One of these days I'll go back and check.


Has anyone processed raw packets via NEFilterPacketProvider in a VM? If so, which system VM system were you using?

Has anyone processed raw packets via

NEFilterPacketProvider
in a VM?

Yes.

If so, which system VM system were you using?

I use VMware Fusion. I chose back in the day because I knew folks on the team, so I can’t offer any insight as to whether it’s better or worse then any of its competitors.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello, I download SimpleFirewall Demo. and I build it with my Developer ID Certificate. but when I open the app

it tells me:

LSOpenURLsWithRole() failed with error -10810 for the file /Users/fa11ing1eaf/Library/Developer/Xcode/DerivedData/MEDR-cffdnlrhzmbcxmhgxgewmtfsfzqs/Build/Products/Debug/SimpleFirewall.app


I Don't know why.

Please help me.


waiting your reply

email: zhanghongbo05@meituan.com

I am seeing this fail after notarizing my Packet Tunnel Provider.

I see
Code Block
error 16:49:08.750262-0400 NEVPNTunnelPlugin([476]): Validation of the extension failed nesessionmanager
default 16:49:08.750966-0400 NESMVPNSession[Primary Tunnel::7BB4FF26-2EAD-47AF-85F7-880749561AD0:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin([476]) started with PID 0 error (null) nesessionmanager
error 16:49:08.750013-0400 Rejecting app extension provider PacketTunnel because it is signed with a Developer ID certificate neagent


I've checked my embedded profile
Code Block
security cms -D -i  /Applications/MYAPP.app/Contents/embedded.provisionprofile

Code Block
<key>Entitlements</key>
<dict>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
<string>dns-settings</string>
</array>
<key>com.apple.application-identifier</key>
<string>BUNDLEID</string>
<key>keychain-access-groups</key>
<array>
<string>TEAM.*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>TEAM</string>
<key>com.apple.developer.associated-domains</key>
<string>*</string>
</dict>


Notarization was approved with it's .dmg.

Any idea's?
I’m going to recommend that you start a new thread here because this one is way too long already. Feel free to reference thread for context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

@eskimo is it possible to make that post with the developer ID details the accepted answer? I actually gave up on developerID for a day or two until I eventually came back here and scrolled to the bottom.

questions about EndpointSecurity &amp; System Extension
 
 
Q