Adding EndpointSecurity client entitlement to an app

I am trying to write a non-system-extension EndpointSecurity client. As recommended by “eskimo”, I have made an app in Xcode, gutting it so that main runs the ES client.


However, I do not know how to add the EndpointSecurity entitlement. In December we received a mail from Apple notifying us that we can now use this entitlement. In the attached email, there was a description of how to add the entitlement to the provisioning profile: “When you create a Development or Distribution provisioning profile for your Bundle ID, you'll be prompted to select additional entitlements. Click Profiles on the sidebar, then click the Add button in the upper-left corner. Choose a provisioning profile type and follow the prompts until you see ‘Additional Entitlements.’ Select the Endpoint entitlement from the dropdown to include the Endpoint Security entitlements in your new profile. Click Continue to finish the process.” This seems out of date; there does not seem to be a way to add entitlements when generating a provisioning profile. I can see the System Extension and Network Extension entitlements when setting up the App ID; however, even there the EndpointSecurity entitlement is not present.


Surprisingly, I am able to sign the app with a provisioning profile that does not contain the ES client entitlement (I had thought it would fail, as the profile is supposed to be a whitelist of entitlements), and the app itself seems to have the entitlement:


$ codesign -d --entitlements :- com.whatever.test.app/

contains key com.apple.developer.endpoint-security.client set as true


However, trying to run this unsurprisingly fails (I guess now the profile is applied?):

taskgated-helper: com.whatever.test: Unsatisfied entitlements: com.apple.developer.endpoint-security.client

taskgated-helper: Disallowing: com.whatever.test

amfid: /path/to/com.whatever.test.app/Contents/MacOS/com.whatever.test signature not valid: -67671

kernel: proc 73552: load code signature error 4 for file "com.whatever.test"


Does anyone know what should be done to add the Endpoint Security client entitlement to an app?
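The sign-time versus run-time mismatch in the post above, as an added example that is not part of the original post or of Apple's tooling: a constructed shell script (helper names and sample plists are my own) that lists entitlements present in a signature's entitlements plist but absent from the decoded provisioning profile, which is the situation taskgated-helper reports as unsatisfied.

```shell
#!/bin/sh
# Added example (not Apple tooling): list the entitlements an app's code signature
# claims but its embedded provisioning profile does not grant, the mismatch behind the
# taskgated-helper "Unsatisfied entitlements" line above. Only <true/> entitlements
# are compared, which covers the ES client key discussed in the thread.
# Read an XML plist on stdin and print every <key> whose value is <true/>.
true_keys() {
  awk '
    /<key>/ { line = $0; gsub(/.*<key>|<\/key>.*/, ""); key = $0
              if (line ~ /<true\/>/) { print key; key = "" }; next }
    key != "" && /<true\/>/ { print key }
    { key = "" }
  ' | sort -u
}
# $1: entitlements plist dumped from the signature, $2: decoded provisioning profile.
# Prints claimed-but-not-granted keys, one per line; empty output means consistent.
unsatisfied() {
  granted=$(mktemp)
  true_keys < "$2" > "$granted"
  true_keys < "$1" | grep -Fxv -f "$granted" || true
  rm -f "$granted"
}
# Constructed sample data mirroring the thread: the signature carries the ES client
# key, while the Developer ID profile grants only the system-extension key.
sample_signature() {
  cat <<'EOF'
<plist version="1.0"><dict>
  <key>com.apple.developer.endpoint-security.client</key><true/>
  <key>com.apple.developer.system-extension.install</key>
  <true/>
</dict></plist>
EOF
}
sample_profile() {
  cat <<'EOF'
<plist version="1.0"><dict>
  <key>Entitlements</key><dict>
    <key>com.apple.application-identifier</key><string>TEAMID.com.whatever.test</string>
    <key>com.apple.developer.system-extension.install</key><true/>
  </dict>
</dict></plist>
EOF
}
# Runs the comparison on the constructed samples; expected output is the ES client key.
demo_unsatisfied() {
  sig=$(mktemp); prof=$(mktemp)
  sample_signature > "$sig"; sample_profile > "$prof"
  unsatisfied "$sig" "$prof"; rm -f "$sig" "$prof"
}
demo_unsatisfied
```

On macOS the two inputs come from `codesign -d --entitlements :- App.app > sig.plist` and `security cms -D -i App.app/Contents/embedded.provisionprofile > profile.plist`, after which `unsatisfied sig.plist profile.plist` prints whatever taskgated would refuse.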

Replies

This seems out of date; there does not seem to be a way to add entitlements when generating a provisioning profile.

No, that’s right. It’s possible that the ES entitlement template wasn’t added to your team properly. First, make sure you’re logged in as the right team. I’m a member of multiple teams, and I also get confused by that (-:

If that doesn’t help, go through the whole process of creating a new profile, taking screenshots as you go, and get back in touch with the folks who granted you the entitlement.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

When creating a Provisioning Profile for a Developer ID, the sequence is as follows:


  1. Select whether profile is for Development/Distribution [choose Developer ID and Continue]
  2. Select an App ID [Continue]
  3. Select Certificates [Continue]
  4. Additional Entitlements


There is a drop-down menu Entitlements with the value Default.


It's at this point that it should be possible to select the Endpoint Security entitlement if it has been granted.


I've just run through this sequence, so it was working as of today [13.ii.2020].


Note that it is NOT listed as a 'capability' when creating an App ID.

Thanks for the help, eskimo and adverse camber.



I am an Admin in one team. In this team I can see the "Additional Entitlements" step if I am creating a Mac App Store profile (in the Distribution section, using the "Apple Distribution" certificate), and in the listbox, aside from Default, there is also "System Extension EndpointSecurity for Mac (Dist)". This means that the entitlement has been correctly assigned to the team. However, this "Additional Entitlements" step is not available to me when creating either a "Developer ID" distribution profile or a "macOS App Development" provisioning profile; those are the two I need, as we distribute outside of the App Store.



Were I not an Admin in the team, I would say that there is some access issue, as a colleague who is App Manager and Developer in another team can, unlike me, see the "Additional Entitlements" step when creating a "macOS App Development" provisioning profile (although in that team we do not have the ES entitlement requested). According to https://developer.apple.com/support/roles/ Admin is a superset of App Manager and Developer, so this makes no sense...

Internally, these templates are scoped to specific provisioning profile types. It sounds like the template was added for Mac App Store profiles but not Developer ID profiles. To correct this, you’ll need to get back in touch with the folks who granted you the entitlement.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

We have the same issue: Apple told us we are now able to use the Endpoint Security entitlements. But when we log in with an admin account and try to create a Mac development profile containing the Endpoint Security entitlements, we find that only "Network Extension Dev" shows in the listbox under Additional Entitlements. Where can we choose the Endpoint Security entitlements?