ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED despite a valid entitlement

I have a built launch daemon and want to apply the endpoint security extension entitlements I downloaded from my Apple developer account.


So far I've tried:

1) download the provisioning profile from the dev console.

2) extract the entitlements into a '.entitlements' file, via 'security cms -D -i securitytool.provisionprofile > securitytool.entitlements'

3) apply those entitlements with 'codesign --entitlements securitytool.entitlements -f -s "[APPLICATION_ID]" [BINARY]'


Result:

es_new_client() is getting back 'ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED'

This is despite displaying valid entitlements when using 'codesign -d --entitlements - [BINARY]'; everything seems fine.


Please could you tell me step by step how to add valid entitlements to a built launch daemon? (I build offline on a different machine.)

Answered by DTS Engineer in 408131022


Are you running your daemon from launchd? Or testing it from Terminal using sudo? If it’s the latter, try the former.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Oh, wait, looking at the other thread you posted on it seems like you’re really off in the weeds. The ES entitlement must be whitelisted by your provisioning profile. There’s no way to attach a profile to a daemon. Rather, you must package your daemon in an app-like structure and include your profile there.

The easiest way to do that is to create an app target for your daemon, and then remove all the app-specific stuff and replace the main entry point with your daemon’s main entry point.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
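A check script for the packaging Quinn describes, added here as an example (it is not Quinn's or Apple's code): it verifies that the daemon binary's signed entitlements grant the ES client entitlement, that the app-like bundle carries an embedded.provisionprofile, and that the profile's Entitlements dict whitelists the same key, so a mismatch between the three shows up before es_new_client() does. It assumes the com.apple.developer.endpoint-security.client key, the Contents/embedded.provisionprofile location, and a codesign that supports --xml; the plist samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check the three things Quinn's answer implies.
# Assumptions: the ES client entitlement key below, the embedded.provisionprofile
# location inside an app-like bundle, and a codesign that supports --xml.
ES_KEY="com.apple.developer.endpoint-security.client"

# plist_grants KEY: succeed when the plist XML on stdin maps KEY to <true/>.
# Newlines and inter-tag whitespace are squeezed so the literal match is layout-independent.
plist_grants() {
  tr -d '\n' | sed 's/>[[:space:]]*</></g' | grep -qF "<key>$1</key><true/>"
}

# check_daemon_bundle APP_BUNDLE EXECUTABLE_NAME: run the real tools on a built bundle.
check_daemon_bundle() {
  app="$1"
  bin="$app/Contents/MacOS/$2"
  profile="$app/Contents/embedded.provisionprofile"

  # 1. The signed entitlements must claim the ES client entitlement.
  codesign -d --entitlements - --xml "$bin" 2>/dev/null | plist_grants "$ES_KEY" \
    || { echo "FAIL: $bin is not signed with $ES_KEY"; return 1; }

  # 2. The profile must live in the bundle; codesign cannot attach one to a bare daemon.
  [ -f "$profile" ] \
    || { echo "FAIL: no embedded.provisionprofile in $app"; return 1; }

  # 3. The profile's Entitlements dict must whitelist the same key, otherwise
  #    es_new_client() still answers ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED.
  security cms -D -i "$profile" | plist_grants "$ES_KEY" \
    || { echo "FAIL: $profile does not whitelist $ES_KEY"; return 1; }

  echo "OK: signed entitlement and embedded profile agree for $bin"
}

# Constructed samples of what codesign --xml and security cms -D emit, for offline use.
SAMPLE_ENTITLED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
</dict></plist>'
SAMPLE_UNENTITLED='<plist version="1.0"><dict>
    <key>com.apple.security.app-sandbox</key>
    <false/>
</dict></plist>'

# Usage on a Mac: sh check_es_daemon.sh /path/to/MyDaemon.app MyDaemon
if [ $# -eq 2 ] && command -v codesign >/dev/null 2>&1; then
  check_daemon_bundle "$1" "$2"
fi
```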

Hi Eskimo,


Thank you for your response. Btw, I have acquired the proper endpoint security entitlement from Apple now, and I've tried both the former and latter approach in your last comment. Please could you elaborate on this a little.


Do you mean that you can build your launch daemon as a command line tool and embed that into an app target, and place this built app in /Library/LaunchDaemons/?


Or


create an app target, and build an "app" but with all the code that goes into the launch daemon, and set this as a background app?


Or


something else. It's really not clear to me exactly what you mean by "app-like structure" or "create an app target for your daemon" or "remove all app-specific stuff".


Best Regards.

Accepted Answer

create an app target, and build an "app" but with all the code that goes into the [launchd daemon]

This.

It's really not clear to me exactly what you mean by "app-like structure"

Fair enough. This question has cropped up a lot recently, so I created a new post, Packaging a Daemon with a Provisioning Profile, that explains it in depth. Let me know if you still have problems, or you have any general feedback about that post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

When you retire Quinn, 3rd party macOS development will grind to a halt 😉 No one will be able to figure out anything without your help.

Following this helped a lot. One other thing I found is that building the project with the distribution provisioning profile through the Xcode GUI built successfully. And launching this through 'launchctl' worked fine with SIP enabled.


However attempting to build through the command line tool 'xcodebuild' failed when using the distribution provisioning profile, but not when using the test profile.


Does anyone know why building through xcodebuild with distribution profiles fails?
