Secondary app connecting to endpoint extension

I am having problems connecting to my endpoint system extension from another app.

The ES's main app (the front-end GUI) connects fine to the endpoint extension and they communicate fine. I am using the mach service name of

<TeamID>.<system extension BundleID>.xpc

However, when trying to connect from another GUI app using the same code and trying to use the same mach service name, the connection fails with the error

"Couldn’t communicate with a helper application."

Anyone know the magic incantation I need to add to get this working?

Thanks,

Answered by DTS Engineer in 407951022

What API are you using to create the connection?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Quick update:

I duplicated my original endpoint project, stripped out the system extension, changed the Bundle ID, created a new Identifier and provisioning profile for the new Bundle ID, and, voila, I now have two independent programs connected to the endpoint extension.

So, yes, independent applications can connect. Now I just need to figure out what detail I've missed in the other program. The devil is in the details.

Here is how I am connecting (which works):

import Foundation

// MachServiceName is "<TeamID>.<system extension BundleID>.xpc"; .privileged because the
// extension's service is registered system-wide by launchd, not in the per-user domain.
let newConnection = NSXPCConnection(machServiceName: MachServiceName, options: .privileged)
newConnection.remoteObjectInterface = NSXPCInterface(with: MiddleToLowerComm.self)
// ... set up the exported interface and exported object the same way ...
newConnection.resume()
let service = newConnection.remoteObjectProxyWithErrorHandler { error in
    NSLog("XPC connection to the ES extension failed: \(error.localizedDescription)")
} as? MiddleToLowerComm
service?.establishConnection(message: "Hello") { }

Turns out my secondary app still had the sandbox turned on.

I had to remove the app sandbox to get it to work. Apparently (?) even an independent application needs to have the sandbox removed to connect to the EndpointSecurity extension.

Is there an exception I can add to the App Sandbox to allow it to connect to the ES extension? I'd prefer to have the Sandbox on if possible.

On a related note, I'd like my network system extension to communicate with my endpoint system extension, but if I distribute the application with the network extension through the Mac App Store, I need the sandbox turned on - at which point it won't be able to talk to the endpoint system extension.

I suspect I could use a LaunchDaemon to act as a bridge between the network and system extensions, but I'd prefer not to add another layer of complexity if possible.

Accepted Answer

Apparently (?) even an independent application needs to have the sandbox removed to connect to the EndpointSecurity extension.

The App Sandbox prevents the app from connecting to arbitrary system-wide Mach services. Such a connection must be explicitly whitelisted. This happens automatically for built-in services but not for third-party services.

Is there an exception I can add to the App Sandbox to allow it to connect to the ES extension?

That’d be the Global Mach Service temporary exception (com.apple.security.temporary-exception.mach-lookup.global-name).

Note: Despite the “temporary” in the name, it’s fine to use this in a Developer ID app. If you want this app to ship via the Mac App Store, things get trickier. App Review generally takes a dim view of folks reaching outside of their sandbox.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Just confirming if someone runs across this discussion trying to solve a similar problem.

Adding my <teamID>.<endpoint system extension BundleID>.xpc as an entry to the com.apple.security.temporary-exception.mach-lookup.global-name array in entitlements allowed me to turn the sandbox back on.

So I'm happy there. Not looking forward to battling for the exception with the Mac App Store review team though. 😉

Todd
