using endpoitn security framework within a launchctl daemon

Question

Created Jul ’20

Replies 2

Boosts 0

Participants 3

Hi,

We have managed to get the endpoint security framework working using the sample code and WWDC2020 video in developer mode and with sip disabled.
We have couple of questions here:

The documentation says it is a c library. We already have a daemon and we would like to integrate this functionality into our daemon. Can we use this through a launchctl daemon without using the app template and extension template?If it is possible, what else is needed apart from the entitlement in a production environment?
If we use a system extension template,how does an enterprise admin get around the user prompts for allowing system extensions ? Is there a way to grant full disk access by the admin without user intervention?

Boost

Answer 1

DTS Engineer OP

Apple

Jul ’20

Can we use this through a [launchd] daemon

Yes, with some caveats. This topic was covered in WWDC 2020 Session 10159 Build an Endpoint Security app and I suggest you watch that from start to finish — it’s chock full of useful hints and tips.

If we use a system extension template,how does an enterprise admin get around the user prompts for allowing system extensions ? Is there a way to grant full disk access by the admin without user intervention?

A system admin can set this up by installing a configuration profile. See:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

vladimir.kukushkin OP

Jul ’20

Few tips that will probably save some time for someone willing to use Endpoint Security without System Extension:

you, can instantiate esclientt from within any process, including launchd agent or daemon without System Extension
however, you will not get any benefits of the System Extension, like early boot or whatever-will-come-in-future
your users will need to grant Full Disk Access to that daemon (manually, or through MDM), daemon will not appear in Privacy prefpane automatically, however you can do some mambo-jumbo that will involve an executable to be inside some of your bundles, then FDA will propagate to that executable and app will be visible in the prefpane
and sure thing, you will need to have a proper provisioning profile in you daemon's bundle (yes, bundle, e.g. .xpc)
also, this is not mentioned anywhere explicitly (or is it?), but daemon with EndpointSecurity entitlements may not have Hardened Runtime relaxation entitlements at the same time, e.g. strict library validation disabled

1