Hi!
I'm trying to run SampleEndpointApp (https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security) on my machine with SIP disabled, but without success. In the system logs I can see the following messages:

    ...
    taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] com.example.apple-samplecode.SampleEndpointApp.Extension: Unsatisfied entitlements: com.apple.developer.endpoint-security.client
    ...
    taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Disallowing: com.example.apple-samplecode.SampleEndpointApp.Extension
    ...
    amfid: /Library/SystemExtensions/B0C9A0DC-E8C6-46B9-804D-BEA0A1E5B362/com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp.Extension signature not valid: -67671
    ...
    kernel: mac_vnode_check_signature: /Library/SystemExtensions/B0C9A0DC-E8C6-46B9-804D-BEA0A1E5B362/com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp.Extension: code signature validation failed fatally: When validating /Library/SystemExtensions/B0C9A0DC-E8C6-46B9-804D-BEA0A1E5B362/com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp.Extension
    ...
    kernel: proc 5040: load code signature error 4 for file "com.example.apple-samplecode.SampleEndpointApp.Extension"
As far as I understand, it's complaining that the signature I used to sign the app and the extension doesn't have the proper entitlement?
But https://developer.apple.com/system-extensions/ says: "…you can test system extensions on your Mac by temporarily turning off System Integrity Protection."
So in theory I should be able to run an ES extension on my machine.
I'm on Big Sur 11.3, if that matters.
Could you please help me understand what I could be doing wrong and how to fix it?
Thanks in advance,
Aleksandr
Hi Aleksandr,
Assuming you've not been granted the necessary entitlements and want to test Endpoint Security and System Extensions, you will need to boot into Recovery mode and do the following from the Terminal:
If you just want to test Endpoint Security directly in a stand-alone binary, you will need to disable SIP:

    csrutil disable

As you're using a System Extension, you will also need to disable AMFI on your test machine:

    nvram boot-args="amfi_get_out_of_my_way=0x1"

Just use caution when doing so, because of the inherent risk of disabling these system protections (i.e. do so at your own risk!).
I've discussed this a bit more here:
https://gist.github.com/Omar-Ikram/8e6721d8e83a3da69b31d4c2612a68ba#gistcomment-3504906
Hope that helps,
Omar
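For anyone landing on this thread later, here is an added check script of my own (it is not code from this thread, from Apple's SampleEndpointApp, or from Omar's gist) that verifies the three things the log and the answer above turn on: whether the extension's Mach-O actually carries com.apple.developer.endpoint-security.client, whether SIP is disabled, and whether the AMFI bypass boot-arg is set, plus a classifier for the taskgated-helper/amfid lines. The function names are mine, the SAMPLE_* inputs are constructed to mirror the output formats of codesign, csrutil, nvram and the unified log rather than captured from a real machine, and the live check assumes a macOS host with codesign, csrutil and nvram on PATH.

```shell
#!/bin/sh
# Added example (not from the thread, Apple's sample, or Omar's gist).
# Checks the preconditions behind the errors above:
#   1. the extension binary carries com.apple.developer.endpoint-security.client
#   2. SIP is disabled (csrutil status)
#   3. the AMFI bypass boot-arg is set (nvram boot-args)
# and classifies the failure chain seen in the unified log.
# Function names are mine; every SAMPLE_* value is constructed, not captured.

ES_ENTITLEMENT="com.apple.developer.endpoint-security.client"
AMFI_BOOT_ARG="amfi_get_out_of_my_way"

# Constructed sample inputs mirroring the tools' output formats.
SAMPLE_ENTITLEMENTS_OK='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <false/>
</dict>
</plist>'
SAMPLE_ENTITLEMENTS_MISSING='<plist version="1.0"><dict>
    <key>com.apple.security.app-sandbox</key>
    <false/>
</dict></plist>'
SAMPLE_CSRUTIL_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CSRUTIL_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_NVRAM_AMFI_OFF=$(printf 'boot-args\t%s=0x1' "$AMFI_BOOT_ARG")
SAMPLE_NVRAM_PLAIN=$(printf 'boot-args\t-v')
SAMPLE_LOG='taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] com.example.Ext: Unsatisfied entitlements: com.apple.developer.endpoint-security.client
amfid: /Library/SystemExtensions/00000000-0000-0000-0000-000000000000/com.example.Ext.systemextension/Contents/MacOS/com.example.Ext signature not valid: -67671'

# has_es_entitlement: reads an entitlements plist on stdin (what
# `codesign -d --entitlements :- <binary>` prints on Big Sur) and succeeds
# only if the ES client entitlement is present AND set to <true/>.
# Whitespace is stripped first so key and value match on one line.
has_es_entitlement() {
    tr -d ' \t\n' | grep -q "<key>${ES_ENTITLEMENT}</key><true/>"
}

# sip_disabled: reads `csrutil status` output on stdin.
sip_disabled() {
    grep -qi '^System Integrity Protection status: disabled'
}

# amfi_bypassed: reads `nvram boot-args` output on stdin ("boot-args<TAB>value")
# and succeeds if the bypass arg is set to 1 or 0x1.
amfi_bypassed() {
    grep -Eq "^boot-args[[:space:]].*${AMFI_BOOT_ARG}=(0x)?1([[:space:]]|$)"
}

# diagnose_log: reads log lines on stdin and prints one word for the earliest
# link in the chain: taskgated-helper refusing the entitlement comes before
# amfid/kernel rejecting the signature, so it is reported in preference.
diagnose_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q "Unsatisfied entitlements: ${ES_ENTITLEMENT}"; then
        echo missing-entitlement
    elif printf '%s\n' "$log" | grep -Eq 'signature not valid|code signature validation failed'; then
        echo signature-rejected
    else
        echo no-match
    fi
}

# check_host: live check on the macOS test machine. Argument: path to the
# extension's Mach-O (Contents/MacOS/<name> inside the .systemextension).
check_host() {
    bin=$1
    if ! command -v codesign >/dev/null 2>&1; then
        echo 'codesign not found; run this on the macOS test machine' >&2
        return 2
    fi
    if codesign -d --entitlements :- "$bin" 2>/dev/null | has_es_entitlement; then
        echo 'entitlement: present'
    else
        echo "entitlement: MISSING ($ES_ENTITLEMENT)"
    fi
    if csrutil status | sip_disabled; then echo 'SIP: disabled'; else echo 'SIP: enabled'; fi
    if nvram boot-args 2>/dev/null | amfi_bypassed; then
        echo 'AMFI: bypass boot-arg set'
    else
        echo 'AMFI: enforced'
    fi
}

# Usage: sh es_prereqs.sh /Library/SystemExtensions/<uuid>/<ext>.systemextension/Contents/MacOS/<ext>
if [ "$#" -gt 0 ]; then
    check_host "$1"
fi
```

To classify fresh log output instead of the constructed sample, source the file and pipe the unified log into the classifier, e.g. `. ./es_prereqs.sh; log show --last 10m --predicate 'process == "taskgated-helper" OR process == "amfid"' | diagnose_log`. A "missing-entitlement" result means taskgated-helper is refusing the provisioning-profile entitlement, which is what the amfid "signature not valid" line in the question follows from, so fixing the signing identity or following Omar's AMFI step comes before anything else.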