es_graphical_session_id without endpoint security framework

In Endpoint Security events related to user login/logout activity (as well as in lock/unlock and remote session attach/detach) there is a graphical session identifier, which is a 32-bit integer:

```c
typedef struct {
    es_string_token_t username;
    es_graphical_session_id_t graphical_session_id;
} es_event_lw_session_login_t;
```

The documentation describes it as an opaque number:

```c
/**
 * @brief es_graphical_session_id_t is a session identifier identifying a on-console or off-console graphical session.
 * A graphical session exists and can potentially be attached to via Screen Sharing before a user is logged in.
 * EndpointSecurity clients should treat the graphical_session_id as an opaque identifier and not assign
 * special meaning to it beyond correlating events pertaining to the same graphical session. Not to be confused with the audit session ID.
 */
typedef uint32_t es_graphical_session_id_t;
```

Question: is there a way to get this graphical session identifier outside of the Endpoint Security framework, for example from a process ID or audit token? Is there an API for that?

I think you’ve answered your own question here. The doc comments make it clear that you should not try to correlate these values with similar values seen in other APIs.

If you poke around the system enough you’ll find that this value comes from a namespace defined by Core Graphics [1], however, that’s an implementation detail. If you try to correlate this value with any Core Graphics value, your code might fail as the Endpoint Security implementation evolves.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] To be clear, this namespace isn’t part of the Core Graphics API. However, Core Graphics is a complex low-level system, and there are places where its implementation details ‘leak’.
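The doc comment quoted in the question allows one use of the ID: correlating events that belong to the same graphical session. The C code below is an added example, not part of the thread and not Apple's code; it keys a state table on the ID by equality only and flags a remote attach to a session with no logged-in user. The event kinds, struct names and sample IDs are hypothetical stand-ins for the session events an Endpoint Security client would receive.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t es_graphical_session_id_t;  /* typedef as quoted in the question */
/* Hypothetical event kinds standing in for the ES session notifications. */
typedef enum { EV_LOGIN, EV_LOGOUT, EV_LOCK, EV_UNLOCK, EV_ATTACH, EV_DETACH } ev_kind_t;
typedef struct { ev_kind_t kind; es_graphical_session_id_t gsid; } session_event_t;
typedef struct {
    es_graphical_session_id_t gsid;  /* compared for equality only */
    int in_use, logged_in, locked, attached;
} session_state_t;

#define MAX_SESSIONS 16
static session_state_t table[MAX_SESSIONS];

/* Find or create the record for an id. Linear search: the id is opaque, so it
   is never used as an index, range-checked or decoded. */
static session_state_t *slot_for(es_graphical_session_id_t gsid) {
    session_state_t *spare = NULL;
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        if (table[i].in_use && table[i].gsid == gsid) return &table[i];
        if (!table[i].in_use && spare == NULL) spare = &table[i];
    }
    if (spare != NULL) *spare = (session_state_t){ .gsid = gsid, .in_use = 1 };
    return spare;
}

/* Apply one event. Returns 1 for a remote attach to a session with no
   logged-in user, 0 for any other event, -1 if the table is full. */
int track_event(const session_event_t *ev) {
    session_state_t *s = slot_for(ev->gsid);
    if (s == NULL) return -1;
    switch (ev->kind) {
    case EV_LOGIN:  s->logged_in = 1; break;
    case EV_LOGOUT: s->logged_in = 0; s->locked = 0; break;
    case EV_LOCK: case EV_UNLOCK: s->locked = (ev->kind == EV_LOCK); break;
    case EV_ATTACH: s->attached = 1; return s->logged_in ? 0 : 1;
    case EV_DETACH: s->attached = 0; break;
    }
    return 0;
}
/* Replay a stream from a clean table; returns the number of flagged attaches. */
int count_prelogin_attaches(const session_event_t *evs, size_t n) {
    int flagged = 0;
    memset(table, 0, sizeof table);
    for (size_t i = 0; i < n; i++) flagged += (track_event(&evs[i]) == 1);
    return flagged;
}
const session_event_t sample_events[] = {  /* constructed; ids are made-up values */
    { EV_LOGIN, 0x101 }, { EV_ATTACH, 0x101 }, { EV_ATTACH, 0x2A7 },
    { EV_LOGIN, 0x2A7 }, { EV_LOGOUT, 0x101 }, { EV_ATTACH, 0x101 } };
```

In a real client, `track_event` would be fed from the notification handler, with the `graphical_session_id` field of each session event copied into the record unchanged.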

Thank you so much, Quinn, appreciate the hints
