Endpoint Security Sample Code will not run extension

I have verified that the extension is loaded:

systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)      name    [state]
*       *       AMLU8*****      com.example.apple-samplecode.SampleEndpointAppAMLU8*****.Extension (1.0/1)      Extension       [activated enabled]

But it is not running/launched:

sudo launchctl list AMLU8*****.com.example.apple-samplecode.SampleEndpointApp.Extension
Could not find service "AMLU8*****.com.example.apple-samplecode.SampleEndpointApp.Extension" in domain for system

What am I missing?

Is it intentional that the bundle ID has the Team ID appended, while launchctl list is asked to look for something with the Team ID prepended?

Yes, though I have tried it both ways. I am at a loss as to how to get this to work.

But it is not running/launched:

What does the following show?

% sudo launchctl list | grep SampleEndpointApp

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It finds nothing.

Hmmm. The EndpointSecurity man page suggests that you should end up with a .xpc service by default, but I haven’t tried that out in a long time.

If you do a ps ajxww does it show the ES sysex process?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It doesn't look like it:

ps ajxww|grep -i sysex|grep -v grep
root              6290     1  6290      0    0 Ss     ??    0:00.16 /System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd
ps ajxww|grep -i endpoint|grep -v grep
root                75     1    75      0    0 Ss     ??    0:00.02 endpointsecurityd

I don't believe I have seen an ES man page, and that link you added doesn't take you there either.

I don't believe I have seen an ES man page, and that link you added doesn't take you there either.

Sadly, our man pages are not available online (r. 16512537) [1]. Hence my link to Reading UNIX Manual Pages, which explains how to read a man page. To summarise: Open Terminal and type:

% man EndpointSecurity

As to your main issue, let’s start with some basics: Have you applied for, and been granted access to, the ES entitlement?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Don’t ask me why or I’ll start to whimper.

Yes, and I have enabled it in the identifier for this sample:

Yes, and I have enabled it in the identifier for this sample:

Cool.

In most cases the folks who grant you this additional capability only do so for development signing. Check the email you got from them to confirm that.

Have you configured the sample project for development signing? In Xcode, this means that Signing & Capabilities > Signing > Signing Certificate should be set to Development.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, it is correct. Here is the email I received:

Hello,

Your request to use Endpoint Security was approved.

You will need to enable two capabilities for your Bundle ID. Click Identifiers in the sidebar, then select the Mac App ID that you will use for Endpoint Security. Under Capabilities, enable System Extension. Under Additional Capabilities, enable Endpoint Security. Click Save in the top-right of the page, review the alert that appears, and confirm if you accept the changes. Then generate a new provisioning profile for your App ID by clicking Profiles in the sidebar and the Add button (+) in the upper-left corner.

Once your profile has been created, you'll need to configure your Xcode project for manual code signing. If your Xcode project doesn't already have an entitlements file, create a new property list file and change its extension from .plist to .entitlements. Add the keys and values of the entitlements used in your project to the .entitlements file, then follow the rest of the Xcode manual signing process.

For troubleshooting, see Technote 2415 Entitlements Troubleshooting and Debugging Entitlement Issues. If you need additional support, visit the Apple Developer Forums or submit a Technical Support Incident.

Best regards,

Apple Developer Relations

I am using the correct Developer ID signing certificate for both the app and the extension. Having gone through this process three times now, with the same results, I'm sure something is missing in the documentation. Obviously, someone has been able to run this prior to my attempts.

I am using the correct Developer ID signing certificate

Ah, that’s the issue. You can’t use a Developer ID signing identity for day-to-day development of a sysex. macOS requires that Developer ID sysexes be notarised.

For day-to-day development use an Apple Development signing identity. Such an identity can only be used for development — it’s tied to a specific set of machines — and so the sysex subsystem doesn’t enforce the notarisation rule.

Also, you shouldn’t be using Developer ID signing for day-to-day development. Developer ID signing identities are precious, and so not something you hand out to every developer on your team. See my posts on this thread for more background on this.

Finally, once you switch to Apple Development you’ll find that you can re-enable automatic code signing. Automatic code signing is compatible with additional capabilities set on your App ID. See the New Process section of Using the Multicast Networking Additional Capability for an example of this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
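As an added example, not part of this thread and not Apple's code, here is a small shell check that applies the rule Quinn describes: it reads `codesign -dvvv` output, classifies the leaf signing certificate as Apple Development or Developer ID, and then reports whether the sysex subsystem will accept it (Developer ID only with notarisation, Apple Development as-is on the provisioned machines). The `Authority=` lines below are a constructed sample modelled on the ones shown later in the thread, so the check runs offline; on a Mac you would run `codesign -dvvv Foo.systemextension 2>&1 | classify_signing` (codesign writes its details to stderr). How the caller decides whether a build is notarised (for example with `xcrun stapler validate`) is left as an assumption outside this script.

```shell
#!/bin/sh
# Classify the signing identity of a bundle from `codesign -dvvv` output read
# on stdin. Prints one of: unsigned, development, developer-id, other.
classify_signing() {
    # The leaf certificate is the first Authority= line codesign prints;
    # the remaining Authority= lines are the intermediate and root CAs.
    leaf=$(grep -m1 '^Authority=' | sed 's/^Authority=//')
    case "$leaf" in
        "")                                        echo unsigned ;;
        "Apple Development:"*|"Mac Developer:"*)   echo development ;;
        "Developer ID Application:"*)              echo developer-id ;;
        *)                                         echo other ;;
    esac
}

# Apply the sysex loading rule described in the thread: a Developer ID sysex
# must be notarised, an Apple Development sysex is accepted without it.
# $1 is the output of classify_signing, $2 is "yes"/"no" for notarised
# (assumption: the caller determines this separately, e.g. via stapler).
sysex_policy() {
    kind=$1
    notarized=$2
    case "$kind" in
        development)
            echo "ok: development-signed, notarisation not required" ;;
        developer-id)
            if [ "$notarized" = yes ]; then
                echo "ok: Developer ID and notarised"
            else
                echo "blocked: Developer ID sysex must be notarised"
            fi ;;
        *)
            echo "blocked: not a usable signing identity ($kind)" ;;
    esac
}

# Constructed samples (names and team IDs are placeholders, not real ones).
SAMPLE_DEV='Identifier=com.example.sample.Extension
Authority=Apple Development: Jane Developer (TEAMID0000)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'

SAMPLE_DISTRIB='Identifier=com.example.sample.Extension
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Stand-alone demo: classify both samples and show the policy decision.
for sample in "$SAMPLE_DEV" "$SAMPLE_DISTRIB"; do
    kind=$(printf '%s\n' "$sample" | classify_signing)
    echo "$kind -> $(sysex_policy "$kind" no)"
done
```

The point of the second function is that the two outcomes differ only in the leaf certificate type: the same bundle, signed with the Developer ID identity listed in the thread, would be rejected by the sysex subsystem until notarised, whereas the Apple Development identity is accepted because it is already restricted to the registered development machines.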

I have not been able to get past the build step even with the Apple developer ID:

Xcode produces this output:

CodeSign /Users/dburns/Library/Developer/Xcode/DerivedData/SampleEndpointApp-gluqgtgmgmygtkhgptdeksvjhymc/Build/Products/Debug/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension (in target 'Extension' from project 'SampleEndpointApp')
  cd /Users/dburns/Downloads/MonitoringSystemEventsWithEndpointSecurity
  export CODESIGN_ALLOCATE\=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
   
  Signing Identity:   "Apple Development: Darrell Burns (Z28Q26L68P)"
  Provisioning Profile: "Mac Team Provisioning Profile: *"
             (122c0ef2-e0dd-46ba-aaf0-e328878c59ba)
   
  /usr/bin/codesign --force --sign B841650ADB2CD18298DB8682592DEE4D546B3A81 -o runtime --entitlements /Users/dburns/Library/Developer/Xcode/DerivedData/SampleEndpointApp-gluqgtgmgmygtkhgptdeksvjhymc/Build/Intermediates.noindex/SampleEndpointApp.build/Debug/Extension.build/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension.xcent --timestamp\=none --generate-entitlement-der /Users/dburns/Library/Developer/Xcode/DerivedData/SampleEndpointApp-gluqgtgmgmygtkhgptdeksvjhymc/Build/Products/Debug/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension

B841650ADB2CD18298DB8682592DEE4D546B3A81: no identity found
Command CodeSign failed with a nonzero exit code

Having verified that the signing identity is actually there, and valid, I'm not sure what else to do:


Policy: X.509 Basic
 Matching identities
 1) EED3A8A1BF2EA9067467F2114813C5A0F50D5F01 "Developer ID Application: Fidelis Cybersecurity, INC (AMLU8U****)"
 2) 2059C6EC07FD91BB9AC933E5059BE41374E2103C "Apple Development: Darrell Burns (Z28Q26L68P)"
   2 identities found

 Valid identities only
 1) EED3A8A1BF2EA9067467F2114813C5A0F50D5F01 "Developer ID Application: Fidelis Cybersecurity, INC (AMLU8U****)"
 2) 2059C6EC07FD91BB9AC933E5059BE41374E2103C "Apple Development: Darrell Burns (Z28Q26L68P)"
   2 valid identities found

Is the problem that it needs to be notarized?

I recommend against going down the Developer ID path, for the reasons I outlined above. For day-to-day development, use Apple Development.

Xcode produces this output:

The problem here seems to be that you have multiple Apple Developer certificates available in your keychain, but only one Apple Development signing identity. Specifically, Xcode seems to have found a certificate with the hash B841650ADB2CD18298DB8682592DEE4D546B3A81 but that certificate has no matching private key and thus isn’t a signing identity. You have another certificate, with the hash 2059C6EC07FD91BB9AC933E5059BE41374E2103C, that has a matching private key and thus forms a signing identity.

If you’re unsure about the distinction between certificates and digital identities, see Certificate Signing Requests Explained.

Run Keychain Access, search for Apple Development, and then flip between the Certificates and My Certificates. I expect that you’ll see two in the former and one in the latter. The one you want is the one in the latter. It should be safe to delete the other one.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
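As an added example, not from this thread and not Apple's tooling, the following shell script automates the diagnosis above: it pulls the hash Xcode passed to `codesign --sign` out of the build log and checks whether that hash appears under "Valid identities only" in `security find-identity -v -p codesigning` output. A certificate that exists in the keychain without its private key is exactly the case where Xcode picks a hash that find-identity never lists. The build log and find-identity text below are constructed samples with placeholder hashes and names, mirroring the shape of the output posted above, so the script runs offline; on a Mac you would pass the real build log and the real `security find-identity -v -p codesigning` output.

```shell
#!/bin/sh
# Extract the 40-hex-digit hash from a CodeSign build-log line such as
#   /usr/bin/codesign --force --sign <HASH> -o runtime ...
xcode_sign_hash() {
    sed -n 's/.*codesign .*--sign \([0-9A-F]\{40\}\).*/\1/p' | head -n1
}

# Print the hashes listed after "Valid identities only" in find-identity
# output; entries under "Matching identities" (which may be expired or
# otherwise unusable) are deliberately skipped.
valid_identity_hashes() {
    awk '/Valid identities only/ { valid = 1; next }
         valid && $1 ~ /^[0-9]+\)$/ && length($2) == 40 { print $2 }'
}

# Compare the two. First output line is "ok: ..." or "mismatch: ...";
# on a mismatch the valid hashes to switch to follow, indented.
check_identity() {
    buildlog=$1
    identities=$2
    want=$(printf '%s\n' "$buildlog" | xcode_sign_hash)
    if [ -z "$want" ]; then
        echo "error: no --sign hash found in build log"
        return 0
    fi
    for h in $(printf '%s\n' "$identities" | valid_identity_hashes); do
        if [ "$h" = "$want" ]; then
            echo "ok: $want is a valid identity"
            return 0
        fi
    done
    echo "mismatch: Xcode chose $want, which has no private key"
    echo "valid identities in the keychain:"
    printf '%s\n' "$identities" | valid_identity_hashes | sed 's/^/  /'
}

# Constructed sample build log (placeholder paths and hash).
BUILD_LOG='CodeSign /tmp/Build/Products/Debug/com.example.sample.Extension.systemextension
  /usr/bin/codesign --force --sign 1111111111111111111111111111111111111111 -o runtime --timestamp=none /tmp/Build/Products/Debug/com.example.sample.Extension.systemextension

1111111111111111111111111111111111111111: no identity found
Command CodeSign failed with a nonzero exit code'

# Constructed sample find-identity output: the hash Xcode chose is absent,
# because a certificate with no private key is not an identity at all.
FIND_IDENTITY='Policy: X.509 Basic
  Matching identities
  1) 2222222222222222222222222222222222222222 "Apple Development: Jane Developer (TEAMID0000)"
  2) 3333333333333333333333333333333333333333 "Developer ID Application: Example Corp (TEAMID0000)"
     2 identities found

  Valid identities only
  1) 2222222222222222222222222222222222222222 "Apple Development: Jane Developer (TEAMID0000)"
  2) 3333333333333333333333333333333333333333 "Developer ID Application: Example Corp (TEAMID0000)"
     2 valid identities found'

# Stand-alone demo.
check_identity "$BUILD_LOG" "$FIND_IDENTITY"
```

The remedy suggested above then follows from the output: the hash Xcode wants is not a usable identity, so the stray certificate (the one Keychain Access shows under Certificates but not under My Certificates) is the one to delete, after which Xcode picks the remaining identity with a private key.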

Thank you. I was able to fix the signing, and build the sample. I deployed it following the instructions at Monitoring System Events with Endpoint Security.

It is still not working!

2022-06-24 10:03:41.336276-0700 0x2afd13a  Error       0x0                  10092  0    taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Disallowing: com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
2022-06-24 10:03:41.336858-0700 0x2afd136  Default     0x0                  58495  0    amfid: /Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension signature not valid: -67671
2022-06-24 10:03:41.336976-0700 0x2afd31d  Default     0x0                  0      0    kernel: mac_vnode_check_signature: /Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension: code signature validation failed fatally: When validating /Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension:
2022-06-24 10:03:41.337005-0700 0x2afd31d  Default     0x0                  0      0    kernel: proc 10165: load code signature error 4 for file "com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension"
2022-06-24 10:03:41.337947-0700 0x2afd31e  Default     0x0                  0      0    kernel: com.example.apple-samplecode.Sam[10165] Corpse allowed 1 of 5
2022-06-24 10:03:43.610407-0700 0x2afd13d  Default     0x0                  74723  0    ReportCrash: Formulating fatal 309 report for corpse[10165] com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extensi
2022-06-24 10:03:43.612784-0700 0x2afd13d  Default     0x0                  74723  0    ReportCrash: Unable to find store record for 'file:///Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/': Error Domain=NSOSStatusErrorDomain Code=-10811 "kLSNotAnApplicationErr: Item needs to be an application, but is not" UserInfo={_LSLine=175, _LSFunction=_LSFindBundleWithInfo_NoIOFiltered}
2022-06-24 10:03:43.628775-0700 0x2afd13d  Default     0x0                  74723  0    ReportCrash: com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension is not a MetricKit client
2022-06-24 10:03:43.629125-0700 0x2afd13d  Default     0x0                  74723  0    ReportCrash: (CoreAnalytics) [com.apple.CoreAnalytics.stability-event:event-send] Sending event: com.apple.stability.crash {"bundleID":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension","bundleVersion":"1","exceptionCodes":"0x0000000000000000, 0x0000000000000000(\n    0,\n    0\n)EXC_CRASHSIGKILL (Code Signature Invalid)","incidentID":"81CBD9E8-3A8D-4A7A-88CF-628648696D26","logwritten":0,"process":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extensi","terminationReasonExceptionCode":"0x1","terminationReasonNamespace":"CODESIGNING"}
2022-06-24 10:03:43.630773-0700 0x2afd1fc  Default     0x0                  221    0    analyticsd: [com.apple.CoreAnalytics.stability-event:event-recv] Received event: com.apple.stability.crash {"bundleID":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension","bundleVersion":"1","exceptionCodes":"0x0000000000000000, 0x0000000000000000(\n    0,\n    0\n)EXC_CRASHSIGKILL (Code Signature Invalid)","incidentID":"81CBD9E8-3A8D-4A7A-88CF-628648696D26","logwritten":0,"process":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extensi","terminationReasonExceptionCode":"0x1","terminationReasonNamespace":"CODESIGNING"}
2022-06-24 10:03:43.631178-0700 0x2afd1fc  Default     0x0                  221    0    analyticsd: [com.apple.CoreAnalytics.stability-event:event-aggregated] Aggregated. Transform: StabilityC

It seems the extension is signed...can you help me figure out what is wrong here?

Executable=/Library/SystemExtensions/34B35D7A-4544-4CE1-BEB1-E32288BBEFA4/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
Identifier=com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
Format=bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=814 flags=0x10000(runtime) hashes=13+7 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=786688
Hash type=sha256 size=32
CandidateCDHash sha256=6db8ab895938ee314fbfc13c499039a686e16ed8
CandidateCDHashFull sha256=6db8ab895938ee314fbfc13c499039a686e16ed8028605163e830d7fd01d3806
Hash choices=sha256
CMSDigest=6db8ab895938ee314fbfc13c499039a686e16ed8028605163e830d7fd01d3806
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=16384
Executable Segment flags=0x1
Page size=4096
CDHash=6db8ab895938ee314fbfc13c499039a686e16ed8
Signature size=4796
Authority=Apple Development: Darrell Burns (Z28Q26L68P)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jun 24, 2022 at 9:20:55 AM
Info.plist entries=22
TeamIdentifier=AMLU8UA7F6
Runtime Version=12.1.0
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=232
sh-3.2# codesign -vvv com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension 
com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension: valid on disk
com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension: satisfies its Designated Requirement