Can not run endpoint security system extension with SIP disabled on BigSur

Hi!
I'm trying to run SampleEndpointApp (https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security) on my machine with SIP disabled, but have no success in that. In system logs I can see the following messages:
Code Block
... taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] com.example.apple-samplecode.SampleEndpointApp.Extension: Unsatisfied entitlements: com.apple.developer.endpoint-security.client
... taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Disallowing: com.example.apple-samplecode.SampleEndpointApp.Extension
... amfid: /Library/SystemExtensions/B0C9A0DC-E8C6-46B9-804D-BEA0A1E5B362/com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp.Extension signature not valid: -67671
... kernel: mac_vnode_check_signature: /Library/SystemExtensions/B0C9A0DC-E8C6-46B9-804D-BEA0A1E5B362/com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp.Extension: code signature validation failed fatally: When validating /Library/SystemExtensions/B0C9A0DC-E8C6-46B9-804D-BEA0A1E5B362/com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp.Extension
...kernel: proc 5040: load code signature error 4 for file "com.example.apple-samplecode.SampleEndpointApp.Extension"

As far as I understand it wants that my signature I used to sign the app and extension doesn't have proper entitlement?

But https://developer.apple.com/system-extensions/ says: "…you can test system extensions on your Mac by temporarily turning off System Integrity Protection."

So in theory I should be able to run ES extension on my machine.

I'm on BigSur 11.3 if that matters.

Could you please help me to understand what I could do improperly and how to fix that?

Thanks in advance,
Aleksandr
Answered by OmarIkram in 675295022
Hi Aleksandr,

Assuming you've not been granted the necessary entitlements and want to test Endpoint Security and System Extensions. You will need to boot into Recovery mode and do the following from the terminal:

If you just want to test Endpoint Security directly in a stand-alone binary, you will need to disable SIP:
Code Block
csrutil disable

As you're using a System Extension. You will also need to disable AMFI on your test machine:
Code Block
nvram boot-args="amfi_get_out_of_my_way=0x1"

Just use caution when doing so, because of the inherited risk from
disabling these system protections (i.e. do so at your own risk!).

I've discussed this a bit more here:
https://gist.github.com/Omar-Ikram/8e6721d8e83a3da69b31d4c2612a68ba#gistcomment-3504906

Hope that helps,
Omar
Accepted Answer
Hi Aleksandr,

Assuming you've not been granted the necessary entitlements and want to test Endpoint Security and System Extensions. You will need to boot into Recovery mode and do the following from the terminal:

If you just want to test Endpoint Security directly in a stand-alone binary, you will need to disable SIP:
Code Block
csrutil disable

As you're using a System Extension. You will also need to disable AMFI on your test machine:
Code Block
nvram boot-args="amfi_get_out_of_my_way=0x1"

Just use caution when doing so, because of the inherited risk from
disabling these system protections (i.e. do so at your own risk!).

I've discussed this a bit more here:
https://gist.github.com/Omar-Ikram/8e6721d8e83a3da69b31d4c2612a68ba#gistcomment-3504906

Hope that helps,
Omar
Hi Omar,
Thank you very much!
Disabling AMFI has helped me to run extension under Parallels Desktop.
Can not run endpoint security system extension with SIP disabled on BigSur
 
 
Q