Mac Silicon Ventura - To enable a system extension, it is now necessary to modify the security settings in the recovery environment

Since Ventura (Mac M1 only), Endpoint Security extensions have lost the right to launch:

=> es_new_client returns ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED

You need to reboot into Recovery mode, go to Startup Security Utility, and select "Allow user management of kernel extensions from identified developers".

Is this something that will be fixed soon? (we can't ask our customers to do that)

Replies

ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED

Consider the docs for this error:

This error indicates the app lacks Transparency, Consent, and Control (TCC) approval from the user.

This is a known bug in macOS 13 (r. 100857507). I’m going to link to this thread. I’ll post an update there forthwith.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
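As an added example (not code from this thread, from Apple, or from the poster's product), the following Swift sketch shows how an Endpoint Security system extension can act on this result rather than just failing: each es_new_client() outcome is mapped to the remediation it implies, and ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED is treated as transient and retried, because Full Disk Access can be granted (or removed and re-added, as in the workaround quoted later in the thread) while the extension is already running. The logging subsystem name, the retry interval and the single NOTIFY_EXEC subscription are assumptions made for illustration.

```swift
import EndpointSecurity
import Foundation
import os

// Assumed subsystem name, for illustration only.
private let log = Logger(subsystem: "com.example.esext", category: "startup")

/// Maps an es_new_client() result to the remediation it implies.
/// ERR_NOT_PERMITTED is the TCC case from this thread: the binary is entitled
/// and running as root, but Full Disk Access has not been granted to it.
func remediation(for result: es_new_client_result_t) -> String {
    switch result {
    case ES_NEW_CLIENT_RESULT_SUCCESS:
        return "client created"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
        return "missing com.apple.developer.endpoint-security.client entitlement; check the signature and provisioning profile"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
        return "no TCC approval; grant Full Disk Access under System Settings > Privacy & Security, or deploy a PPPC profile via MDM"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
        return "ES clients must run as root"
    case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS:
        return "too many ES clients are already connected"
    case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT:
        return "invalid argument (nil client pointer or handler)"
    case ES_NEW_CLIENT_RESULT_ERR_INTERNAL:
        return "internal Endpoint Security error"
    default:
        return "unknown es_new_client result \(result.rawValue)"
    }
}

/// Converts an es_string_token_t (length-delimited) to a Swift String without
/// relying on a trailing NUL.
func string(from token: es_string_token_t) -> String {
    guard let data = token.data, token.length > 0 else { return "" }
    let bytes = UnsafeRawBufferPointer(start: data, count: Int(token.length))
    return String(decoding: bytes, as: UTF8.self)
}

enum ClientError: Error { case fatal(es_new_client_result_t), subscribeFailed }

/// Creates the ES client. A TCC denial is treated as transient and retried,
/// because the user can grant Full Disk Access after the extension has been
/// activated; every other failure is fatal and is surfaced to the operator.
func startClient(retryInterval: TimeInterval = 30) throws -> OpaquePointer {
    while true {
        var client: OpaquePointer?
        let result = es_new_client(&client) { _, message in
            // Only NOTIFY events are subscribed below, so no es_respond_* call is needed.
            if message.pointee.event_type == ES_EVENT_TYPE_NOTIFY_EXEC {
                let path = string(from: message.pointee.event.exec.target.pointee.executable.pointee.path)
                log.info("exec: \(path, privacy: .public)")
            }
        }
        if result == ES_NEW_CLIENT_RESULT_SUCCESS, let client = client {
            return client
        }
        log.error("es_new_client failed: \(remediation(for: result), privacy: .public)")
        guard result == ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED else {
            throw ClientError.fatal(result)
        }
        Thread.sleep(forTimeInterval: retryInterval)
    }
}

// Entry point of the extension's main.swift.
do {
    let client = try startClient()
    var events: [es_event_type_t] = [ES_EVENT_TYPE_NOTIFY_EXEC]
    guard es_subscribe(client, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
        throw ClientError.subscribeFailed
    }
    dispatchMain()
} catch {
    log.fault("endpoint security client did not start: \(String(describing: error), privacy: .public)")
    exit(EXIT_FAILURE)
}
```

The point of separating the cases is diagnostic: ERR_NOT_ENTITLED points at the build and signing pipeline, ERR_NOT_PRIVILEGED at how the process is launched, and only ERR_NOT_PERMITTED at the TCC database, which is the state the Full Disk Access remove/re-add workaround manipulates. Because the retry loop keeps the extension alive, an approval granted later takes effect without the extension being reloaded. Exiting on a fatal result, as the last lines do, causes sysextd to relaunch a system extension, so production code would rate-limit or report that path rather than spin.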

Thank you for your answer, but I'm not sure this is exactly the same issue. The workaround doesn't seem to work on M1 Macs: "Workaround: Go to System Settings > Privacy & Security > Full Disk Access, select the security product, use the minus (-) button to remove, and then use the plus (+) button to re-add the affected security product. A system restart might be required to restore expected functionality."

Are you trying to test your ES client during development? Or are you hitting this issue during deployment?

Is the ES client a daemon? Or a system extension?

Do you have access to the ES entitlement (com.apple.developer.endpoint-security.client)?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The extension has been in production for several months; it was working on Monterey, Big Sur and Catalina. It's a system extension. The entitlements:

<key>Entitlements</key>
<dict>
	<key>com.apple.developer.endpoint-security.client</key>
	<true/>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
	<key>com.apple.application-identifier</key>
	<string>XXXXXXXXXX.AAA.BBBBBBBBB.CCCC.DDDDDDDDDDDD.EEEEEEEEE</string>
	<key>keychain-access-groups</key>
	<array>
		<string>XXXXXXXXXX.*</string>
	</array>
	<key>com.apple.developer.team-identifier</key>
	<string>XXXXXXXXXX</string>
</dict>

For those reading along at home, I’ll be helping chrilarc in a different context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"