I'm working on a system extension leveraging endpoint security entitlement. However, while in development, is there a way to continue working and testing locally without having the endpoint security entitlement approved or needing the extension signed.
I got these errors running a build: Provisioning profile "Mac Team Provisioning Profile: "com.xxxxx.extension" doesn't include the com.apple.developer.endpoint-security.client entitlement.
There are two issues here:
-
Building your code.
-
Running the result.
Lemme start with the second point, because you need to know what to build before you try to build it. And for that, I want to direct you to this thread. In summary:
-
You should be able to develop without this entitlement, simply by disabling SIP.
-
That’s not working, which means you need to claim the entitlement.
-
And then further nobble trusted execution on your VM [1] to avoid the need for a provisioning profile to authorise that claim.
The middle point point brings us to your Xcode question. The problem here is that Xcode is trying to do the right thing. The ES entitlement, com.apple.developer.endpoint-security.client, is restricted, meaning that it must be authorised by a provisioning profile. Xcode has noticed that your profile doesn’t authorise the entitlement and is complaining.
The last time I looked into this it was possible to stop Xcode from complaining by switching to manual signing. However, I just tried this with Xcode 16.1 and I can’t make it work. Even with manual signing, Xcode detects the unauthorised entitlement claim and refuses to build.
Unfortunately I can’t see a good way around this other than to re-sign your sysex (and the app it’s embedded with) before each test. That’s not a lot of fun )-:
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] You can do this on a real Mac but, sheesh, I wouldn’t. If you’re gonna disable SIP, it’s best to do that on a VM. If you have to use a real Mac, use a ‘victim’ machine.
