com.apple.developer.endpoint-security.client Entitlement issue

Hi experts.

I'm trying to interact with the Endpoint Security API via a console app, but when it is executed I get the ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED message.


SIP is disabled and I've added com.apple.developer.endpoint-security.client to my project's entitlements file.


What am I missing?


Thanks.

Replies

What’s a “console app”? Is this a command-line tool that you’re running from Terminal? Or a GUI app that has some sort of management console function?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo.

Thanks for the reply.

Yes, it's a command-line app 🙂

And I just figured it out.

Adding the Entitlement to Code Signing Entitlements did the trick.


Guess I just needed more coffee


Cheers,

Be aware that this could present some challenges in deployment. If SIP is enabled, this entitlement must be whitelisted by a provisioning profile and there’s no place to put that profile in a ‘*****’ command-line tool. If you plan to deploy as a launchd daemon rather than a system extension, I think you’ll need to place your daemon into a bundle structure so that it can pick up the provisioning profile from there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Jemk,


This is the trick I was missing ...


Got it running...

Hi Eskimo,


I have a few questions:


1) Could you please point me to a doc or something about creating a System Extension using Xcode 11.x? We can follow the other option you mentioned (i.e. have a launchd daemon as a bundle ...).


2) I've not found much documentation about the Endpoint Security framework (yeah, I understand you all just released Catalina - thx). So for now, as a POC, I wanted to debug using lldb (either from the command line or attached to the process from the Xcode workspace), but have seen some timeout coming from inside the framework (while at a bp). Is there any place we can set the timeout to infinite or something large?


Thanks,

P

So for now, as a POC, I wanted to debug using lldb (either from the command line or attached to the process from the Xcode workspace), but have seen some timeout coming from inside the framework (while at a bp). Is there any place we can set the timeout to infinite or something large?

Doing this is tricky, for the same reason that kernel extensions require two-machine debugging: The system needs your EndpointSecurity extension to respond promptly in order to make meaningful progress. I generally resolve this problem by avoiding the debugger, using a combination of unit tests to debug my core code and logging to debug my interactions with the OS.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
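As an added example (my code, not the original poster's or Apple's), here is a minimal Swift command-line client that follows the advice above: the decision logic is a pure function you can unit-test without a client, root or the entitlement; the ES handler only forwards data and never blocks; and every es_new_client result, including the ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED from the start of this thread, is explained in the unified log rather than in a debugger. The log subsystem name and the temp-directory rule are assumptions.

```swift
import Foundation
import EndpointSecurity
import os

// Assumed subsystem name for the unified log; use your own bundle identifier.
let log = OSLog(subsystem: "com.example.estool", category: "endpoint-security")
/// Pure decision logic with no ES types in its signature, so it can be unit-tested
/// without a client, root, or the entitlement. The temp-directory rule is an assumption.
func shouldReport(execPath: String) -> Bool {
    return execPath.hasPrefix("/tmp/") || execPath.hasPrefix("/private/tmp/")
}
/// Copy an es_string_token_t into a Swift String using its explicit length.
func string(from token: es_string_token_t) -> String {
    return String(decoding: UnsafeRawBufferPointer(start: token.data, count: token.length),
                  as: UTF8.self)
}
/// Map each es_new_client result to the misconfiguration it usually indicates.
func describe(_ result: es_new_client_result_t) -> String {
    switch result {
    case ES_NEW_CLIENT_RESULT_SUCCESS: return "client created"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
        return "com.apple.developer.endpoint-security.client is not in the signed entitlements"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED: return "TCC (Full Disk Access) not granted"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED: return "must run as root"
    case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS: return "too many ES clients connected"
    case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT: return "invalid argument"
    default: return "internal error (raw value \(result.rawValue))"
    }
}

var client: OpaquePointer?
let result = es_new_client(&client) { _, message in
    // Keep the handler short and never block here: the system expects ES clients
    // to process messages promptly, which is why a breakpoint here causes timeouts.
    guard message.pointee.event_type == ES_EVENT_TYPE_NOTIFY_EXEC else { return }
    let path = string(from: message.pointee.event.exec.target.pointee.executable.pointee.path)
    if shouldReport(execPath: path) {
        os_log("exec from temp directory: %{public}@", log: log, type: .info, path)
    }
}
guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let es = client else {
    os_log("es_new_client failed: %{public}@", log: log, type: .error, describe(result))
    exit(EXIT_FAILURE)
}
var events = [ES_EVENT_TYPE_NOTIFY_EXEC]
guard es_subscribe(es, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    os_log("es_subscribe failed", log: log, type: .error)
    exit(EXIT_FAILURE)
}
dispatchMain()
```

Run the signed binary as root and watch `log stream --predicate 'subsystem == "com.example.estool"'`; `shouldReport` is the only piece that needs a unit test.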

Thanks much, Eskimo!


One other question is: are you folks going to provide a System Extension workspace any time soon? Better yet, if we could get some documentation about how to create one --- all I know is to create a driver extension (the new one, not the I/O Kit one), and on the entitlement canvas add System Extension -- but that does not add any template code or anything as far as I know...


I remember you mentioned that another option is a launchd-type daemon (so we can get rid of SIP being disabled).


-Prokash

Are you folks going to provide a System Extension workspace any time soon?

I’m presuming by “you folks” you’re referring to Apple as a whole. If so, I can’t discuss The Future™. If you’d like to make a formal request for such a thing, please file an enhancement request.

I’d appreciate you posting your bug number here, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


Could you please elaborate on this? I have a built launch daemon and want to apply the Endpoint Security extension entitlements I downloaded from my Apple dev account.


So far I've tried:

1) Download the provisioning profile from the dev console.

2) Extract the entitlements into a '.entitlements' file via 'security cms -D -i securitytool.provisionprofile > securitytool.entitlements'.

3) Apply those entitlements with 'codesign --entitlements securitytool.entitlements -f -s "[APPLICATION_ID]" [BINARY]'.


Result:

es_new_client() is getting back 'ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED'


Please could you tell me step by step how to add valid entitlements to a built launch daemon? (I build offline on a different machine.)


NOTE - I have asked this in its own thread: https://forums.developer.apple.com/message/407976#407976


Best Regards,

Rob

I look forward to Eskimo's response, but I finally threw in the towel and wrapped my endpoint security extension in a GUI app. That is how I could add the provisioning profile to the system extension. Basically I started with a network system extension, ripped out the network parts, and replaced them with the endpoint system extension.


A related question I have is how are people distributing these system extensions in enterprises?


So far I've needed to have the user (me) confirm that the extension is loaded (for both network and endpoint extensions) and then confirm again when the network extension wrapper app connects to the network extension.


Can JAMF or related tools avoid requiring the end user to go through these steps in an enterprise?


Thanks,

Todd

For reference, Eskimo has responded in the new thread that I posted in the last comment.