How to run an application with root permission?

Hi,

I’m able to view the activity log using the macOS application integrated with Endpoint Security Entitlement in Xcode by setting Debug Process As: root. However, after archiving the application into a .app using a Developer ID Application certificate and sending it to my friend, they encountered the error ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED during client initialization when running the application.

Could you please guide me on how to resolve this issue? Specifically, what is the correct technical approach to make the application run as root?

Thanks

Specifically, what is the correct technical approach to make the application run as root?

There’s no supported way to run an app as root, where app is defined as something with a GUI that the user launches from the Finder.

There are two standard ways to package an ES (Endpoint Security) client:

  • As a system extension embedded within an app

  • As a launchd daemon

Both of these run as root by virtue of how they’re installed. The sysex approach is generally easier, and it supports a few additional features, but a lot of ES clients ship as a launchd daemon because they’re part of a wider product that already has a bunch of other daemons.

The path to distributing your ES client depends on how it's packaged. You need to make a decision about that. Once you've done so, reply back here and I can advise you on your distribution options.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Eskimo

Thank you for the detailed explanation. I’ve decided to proceed with implementing the Endpoint Security client as a launchd daemon.

Could you please guide me on the steps to implement this approach?

OK, cool.

There are three requirements listed in the ES headers:

/// The caller is not properly entitled to connect.
ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED,
/// The caller lacks Transparency, Consent, and Control (TCC) approval from the user.
ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED,
/// The caller is not running as root.
ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED,

For the first, you must sign your daemon with the ES entitlement (com.apple.developer.endpoint-security.client). That’s a bit of a pain, but it’s specifically documented in Signing a daemon with a restricted entitlement.

For the second, the user must enable Full Disk Access for your daemon.

Note: If you're deploying to a managed environment, the site manager can do that via the com.apple.TCC.configuration-profile-policy payload.

The third isn’t a challenge. All launchd daemons run as root by default.


Finally, as to how you debug your ES client, see this post.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
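The three requirements above, turned into an install script, as an added example that is not part of the thread and not Apple's sample code. The daemon name (esclientd), its launchd label (com.example.esclientd) and the install path under /Library/PrivilegedHelperTools are hypothetical, and the script assumes that `codesign -d --entitlements :- <binary>` prints the entitlements as XML plist text. The generation and parsing helpers run anywhere; the install step itself needs root on macOS.

```shell
#!/bin/bash
# Added example, not code from the thread or from Apple: package an Endpoint
# Security client as a launchd daemon and check the three es_new_client()
# prerequisites Quinn lists (entitlement, Full Disk Access, root).
# Assumed, hypothetical names: the daemon binary is "esclientd", its launchd
# label is "com.example.esclientd", and it is installed under
# /Library/PrivilegedHelperTools.  Run the install step as root on macOS.
set -eu

ES_ENTITLEMENT="com.apple.developer.endpoint-security.client"

# launchd job definition.  Jobs in /Library/LaunchDaemons are started by launchd
# as root, which is what satisfies ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED.
make_launchd_plist() {
    local label="$1" program="$2"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${label}</string>
    <key>ProgramArguments</key>
    <array>
        <string>${program}</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
EOF
}

# Takes the entitlements XML that `codesign -d --entitlements :- <binary>`
# prints (assumed XML plist text) and succeeds only if the ES client
# entitlement is present and set to true.  A daemon without it gets
# ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED.
has_es_entitlement() {
    local xml="$1" after
    after="$(printf '%s\n' "$xml" | grep -A1 -F "<key>${ES_ENTITLEMENT}</key>" || true)"
    case "$after" in
        *'<true/>'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Requirement 1: the signed binary must carry the restricted ES entitlement.
check_entitlement() {
    local program="$1"
    has_es_entitlement "$(codesign -d --entitlements :- "$program" 2>/dev/null)"
}

# Requirement 3: whoever bootstraps the job must be root; launchd then runs the
# daemon as root.  Launching the binary by hand as a normal user is what
# produces ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED.
require_root() {
    [ "$(id -u)" -eq 0 ]
}

install_es_daemon() {
    local label="$1" src="$2"
    local program="/Library/PrivilegedHelperTools/$(basename "$src")"
    local plist="/Library/LaunchDaemons/${label}.plist"

    require_root || { echo "run as root" >&2; return 1; }
    check_entitlement "$src" || { echo "$src lacks $ES_ENTITLEMENT" >&2; return 1; }

    # launchd rejects a daemon whose binary or plist is writable by non-root
    # users, so install both as root:wheel with tight modes.
    install -o root -g wheel -m 755 "$src" "$program"
    make_launchd_plist "$label" "$program" > "$plist"
    chown root:wheel "$plist"
    chmod 644 "$plist"
    launchctl bootstrap system "$plist"

    # Requirement 2 has no command-line switch: the user grants Full Disk Access
    # to the daemon in System Settings > Privacy & Security, or an MDM pushes a
    # com.apple.TCC.configuration-profile-policy payload.  Until then
    # es_new_client() returns ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED.
    echo "installed $label; now grant Full Disk Access to $program"
}

# Usage (as root, on macOS): ./install_esclientd.sh install ./esclientd
if [ "${1:-}" = "install" ]; then
    install_es_daemon "com.example.esclientd" "${2:?path to the signed daemon binary}"
fi
```

The entitlement check is deliberately done before anything is copied: a daemon signed without the restricted entitlement will bootstrap fine and then fail inside es_new_client(), which is harder to diagnose than a refusal at install time. Full Disk Access cannot be scripted from the daemon side, which is why the script only tells the operator what remains to be done.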
