Endpoint Security as a Daemon instead of Sys Ext.

Hi,


I found a way to create an App, that runs as a daemon as well, using the libEndopintSecurity.dylib to create a "es_new_client" and "es_subscribe" to events. It has the entitlement "com.apple.developer.endpoint-security.client". If I disable SIP, It seems to be fullly working, it get the ES EVENTS .. AUTH events too.


I have implemented as well the same App as by the guidelines, using hte wrapper App that holds the systemextension bundle within, using the system extension manager to to activate it, XPC to communicate, all good.


My question is, do I really have these two options ? I understand that once I would get the approval for the entitlement I could make the second approach to work with SIP. But can I make the first one work with SIP ? Is there any limitations for the first approach ? Could I deliver a solution based on on the first approach ?


Thanks.

do I really have these two options ?

Yes.

Is there any limitations for the first approach ?

Yes. A couple of ES sysex benefits immediately spring to mind:

  • NSEndpointSecurityEarlyBoot
    — See the
    EndpointSecurity
    man page for details.
  • SIP protection — This ensures that your ES sysex is only removed by the user (or site admin), as opposed to a

    launchd
    daemon which can be removed by any code running as root.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Got it. Thanks!

Endpoint Security as a Daemon instead of Sys Ext.
 
 
Q