How to support MacOS 10.14 when using EndpointSecurity Framework

Has anybody gotten an application with the system extension install entitlement to work on 10.14 and below? We have to support 10.14 obviously, but if we include the system extension install entitlement (com.apple.developer.system-extension.install) in our application's Info.plist (the application that contains the system extension) it immediately crashes with a bad code signature on 10.14 and below. The application works (and system extension installs) on 10.15.


If the entitlement isn't necessary, how do we get the extension to install on 10.15? We haven't gotten the extension to install correctly with SIP enabled without using this entitlement.
I am facing the same issue. Does Apple have an official story on how to support an application with a system extension for both Mojave and Catalina simultaneously?
I can’t think of any obvious answers here. If you’d like me to dig deeper, you should open a DTS tech support incident so that I can allocate the time to do that.

ps I’m actually surprised that this fails. I had assumed that 10.14 would ignore a constrained entitlement as long as it was allowlisted by a profile. Clearly I’m missing something here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
@eskimo, thanks for the response. Just so we're clear: the system-extension.install entitlement is not something that is relevant or "known to" Mojave, right? What do you mean by a "constrained entitlement"? What would be intuitive in my mind... is if Mojave saw that entitlement, "knew nothing of it", and didn't kill the app, but that's clearly not how that works.

What do you mean by a "constrained entitlement"?

In my lexicon a constrained entitlement is one that must be allowlisted by a profile.

Just so we're clear: the system-extension.install entitlement is not something that is relevant or "known to" Mojave, right?

Correct, but I’m not sure how 10.14 will react when it sees it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"