Build an Endpoint Security App (Thursday, June 25th, 2020)

The Endpoint Security framework is meant to be a replacement for:
  • Kauth API

  • Unsupported Mac kernel framework

  • OpenBSM audit trail

Kernel extensions are bad, m'kay?

Using the Endpoint Security framework to build ES system extensions is what developers should be doing now.

Several types of system extensions are supported:

Network - used for VPNs, content filters, etc.
DriverKit - Controlling hardware
EndpointSecurity - targeted at endpoint detection and response products

Benefits of using EndpointSecurity:
  • Protected by System Integrity Protection (SIP)

  • LaunchD job protection

  • Launch before third party applications

For EndpointSecurity architecture details, I recommend watching the session video.

Runtime requirements:

Entitlement: com.apple.developer.endpoint-security.client

Docs: https://developer.apple.com/system-extensions

System Extensions require an additional requirement for the containing app bundle. For more details, see the documentation linked above.

System extensions also require approval from the user to complete installation, unless whitelisted by a system extension whitelist profile from an MDM server.

Privacy - in order to increase user privacy, applications must obtain user consent for Full Disk Access, unless Full Disk Access permission is granted by a Privacy Preferences Policy Control profile from an MDM server.

Network Events

The EndpointSecurity framework does not provide events related to networking operations. This is intentional, as these events are better covered by the NetworkExtension framework.

There is a minor exception which is related to Unix domain sockets. The EndpointSecurity framework does provide events for this exception.

It is possible to combine the EndpointSecurity and NetworkExtension frameworks into a single unified System Extension. For this use, the system extension APIs and install flow should be used for system extensions which are of a single extension type.

macOS Big Sur includes improvements for efficiency and speed over macOS Catalina and Endpoint Security framework

Most requested data access points will be added by Apple as appropriate.
Build an Endpoint Security App (Thursday, June 25th, 2020)
 
 
Q