Endpoint security extension not being granted FDA since Ventura beta 9

Since Ventura Beta 9 our endpoint-client system extension seems to be failing due to lacking FDA TCC permission.

The same notarized app seems to had no issues running on Ventura beta8 or earlier.

es_new_client seems to be failing with ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED due to system extension not being granted FDA.

This causes our extension to fail early and take up cpu core + quite a bit of Logd spam:

error 18:24:37.120364+0200 com.vendor.endpoint Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access
error 18:24:37.120407+0200 kernel Task has not been granted user permission to connect

Any help or insight would be much appreciated. Have a nice day.

Sidenote: We have noticed that a new TCC policy type has appeared for our endpoint extension, kTCCServiceEndpointSecurityClient but we haven't found documentation regarding what it is for.

Accepted Answer

Apparently fixed in beta 10, will wait for confirmation and remove post.

So, to summarise:

  • 13.0b9 introduced this bug (r. 100223230).

  • We got a bunch of bug reports about this. Thanks folks!

  • My reading of the bug is that it’s fixed in 13.0b10.

  • That seems to have been born out by your experience.

The only weird part about this thread is the first time anyone has mentioned this on DevForums (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello, we also used the kTCCServiceSystemPolicyAllFiles key in the TCC.db "access" table to verify if the user has been granted full disk access privileges for our extension using ES client. Now in beta 10 or extension is listed under key kTCCServiceEndpointSecurityClient. Does this also now signal that Full Disk Access has been granted?

Frank Fenn

Sophos Inc.

*shrug*

The format and location of the TCC database is not considered API, so it’s not something I’ve spent a lot of time looking at. Do you actually have code to read this when your product is deployed? Or are you just reading it internally while testing?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi All,

We are facing the same problem(FDA access gone for System Extension) post upgrading from Monterey 12.6 to Ventura 13.0 .

Thanks & Regards,

Mohmad Vasim

pruzinat wrote:

Yes please, give us an API to do this transparently so that we don't have to access SIP protected files in order to gain FDA and forego the rest.

If you’d like to see such support added in the future, I encourage you to file an enhancement request describing your requirements.  Please be clear about what you mean by “this” though. A request for an API to enable Full Disk Access will be rejected because the whole point of Full Disk Access is to put the user in charge of which programs are allowed to do what. OTOH, an API to return the status of Full Disk Access for your own program is more worthwhile.

Please post your bug number, just for the record.


MohmadVasim wrote:

We are facing the same problem(FDA access gone for System Extension) post upgrading from Monterey 12.6 to Ventura 13.0 .

Right. There are two interrelated problems here:

  • The one I discussed above (r. 100223230) which, AFAIK, is fixed.

  • A second problem, where Full Disk Access is dropped when you upgrade from macOS 12 to macOS 13.

There’s a different thread that’s dedicated to the second issue. I’ll post an update over there shortly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Endpoint security extension not being granted FDA since Ventura beta 9
 
 
Q