Sample code for System Extensions and Endpoint Security?

Is anyone aware of sample code for System Extensions and Endpoint Security? For example, in the SOTU presentation it was mentioned that System Extensions along with Endpoint Security cover 75% of use cases. What use cases are the new APIs designed to cover? How can Endpoint Security be leveraged to replace the kauth API? How do these extensions fit within the context of their host app? Is there an Xcode project template to create them?


When will the developer documentation be updated to provide more detail?


Thanks!

Replies

Additional question:


Do you really need to embed System Extensions in an application (.app)?

According to the WWDC 2019 session System Extensions and DriverKit, yes.

https://developer.apple.com/videos/play/wwdc2019/702/
Specifically, just like other system extensions (e.g. FinderSync), they must be embedded in an app. There is no such thing as a stand-alone system extension.


But, your question is still valid 🙂

Fresh from WWDC: the Endpoint Protection System Extension almost mimics the kauth interface and is designed to replace it. The host app activates the System Extension, and it is macOS that handles it after that. The extension is started whenever required; for example, if it has a special should-be-launched-at-system-startup key in its Info.plist, the system will block all events and wait for all relevant extensions to load. Obviously it is up to the extension developer to decide what to do with those events, but if an extension blocks events for too long or crashes, the system will disable it. And yes, it should be embedded specifically in the .app bundle and not in, for example, an .xpc bundle.
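As an added illustration (not code from this thread or from Apple's sample project), here is a minimal Swift main for the extension side of what the reply above describes: connect as an ES client, subscribe to an AUTH event the way a kauth listener would, and answer before the deadline. It assumes the extension target carries the Endpoint Security client entitlement and is launched by the system from the app-embedded bundle; the /tmp logging rule is a constructed monitoring-only policy.

```swift
import Foundation
import EndpointSecurity
/// Turn an es_new_client failure into the usual cause, so an entitlement or
/// permission problem shows up in the log rather than as a silent exit.
func describe(_ r: es_new_client_result_t) -> String {
    switch r {
    case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
        return "missing com.apple.developer.endpoint-security.client entitlement"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
        return "extension has not been granted Full Disk Access"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
        return "client must run as root"
    default:
        return "es_new_client failed with code \(r.rawValue)"
    }
}
var client: OpaquePointer?
let rc = es_new_client(&client) { c, msg in
    // AUTH events hold the requesting process until we answer, and a client
    // that misses msg.deadline gets cut off (the "blocking too long" case),
    // so decide here quickly and never do slow I/O in this handler.
    switch msg.pointee.event_type {
    case ES_EVENT_TYPE_AUTH_EXEC:
        let exe = msg.pointee.event.exec.target.pointee.executable.pointee
        let path = String(cString: exe.path.data)
        // Constructed monitoring-only policy: allow everything, note execs from /tmp.
        if path.hasPrefix("/private/tmp/") || path.hasPrefix("/tmp/") {
            NSLog("exec from tmp: %@", path)
        }
        // cache=false: be asked again for the same binary instead of caching ALLOW.
        if es_respond_auth_result(c, msg, ES_AUTH_RESULT_ALLOW, false) != ES_RESPOND_RESULT_SUCCESS {
            NSLog("es_respond_auth_result failed for %@", path)
        }
    case ES_EVENT_TYPE_NOTIFY_EXIT:
        // NOTIFY events need no response; just record them.
        let path = String(cString: msg.pointee.process.pointee.executable.pointee.path.data)
        NSLog("exit %@ status %d", path, msg.pointee.event.exit.stat)
    default:
        break
    }
}
guard rc == ES_NEW_CLIENT_RESULT_SUCCESS, let es = client else {
    NSLog("%@", describe(rc)); exit(EXIT_FAILURE)
}
let events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_NOTIFY_EXIT]
guard es_subscribe(es, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    NSLog("es_subscribe failed"); exit(EXIT_FAILURE)
}
dispatchMain()  // keep the process alive; ES invokes the handler on its own queue
```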

Do you happen to know where the example code is? Or did they distribute it?

Hi,


Is there any lead to create an Endpoint Security System Extension embedded with an application?

Please guide if you have any further details.


Thanks

Is there any lead to create an Endpoint Security System Extension embedded with an application?

I was able to get this going with only a minimal amount of pain. See this thread for details.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
Sample code is available now. Please follow: https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security.

Also, Xcode 12 has a native template for an Endpoint Security System Extension target.

Neither the link to sample code (mentioned in a reply) nor the X12.0 beta has the template for EP sec API use.

Can someone confirm this?

Thanks,
Prokash

X12.0 beta [does not have] the template for EP sec Api use.

Yes it does. Be aware that this is a target template, not a project template. So you need to start by creating an app from one of the project templates, and then you’ll be able to create an ES sysex using the Endpoint Security Extension template.

I tested this in Xcode 12.0b3 (haven’t had a chance to download b4 yet).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
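Added example (not from this thread or from Xcode's template): the host-app side of the app-plus-target layout Quinn describes, submitting an activation request for the embedded sysex through SystemExtensions.framework. The bundle identifier is a hypothetical placeholder; substitute the identifier of your Endpoint Security Extension target.

```swift
import Foundation
import SystemExtensions

/// Submits an activation request for the ES sysex embedded at
/// Contents/Library/SystemExtensions/ inside this app's bundle.
final class ExtensionActivator: NSObject, OSSystemExtensionRequestDelegate {
    // Hypothetical identifier: use the bundle ID of your Endpoint Security Extension target.
    let identifier = "com.example.SampleEndpointApp.Extension"

    func activate() {
        let request = OSSystemExtensionRequest.activationRequest(
            forExtensionWithIdentifier: identifier, queue: .main)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
        -> OSSystemExtensionRequest.ReplacementAction {
        // Rebuilding during development: let the newer copy replace the old one.
        NSLog("replacing %@ with %@", existing.bundleShortVersion, ext.bundleShortVersion)
        return .replace
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        // First activation is held until the user approves it in
        // System Preferences > Security & Privacy.
        NSLog("waiting for user approval of %@", identifier)
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        switch result {
        case .completed: NSLog("extension active")
        case .willCompleteAfterReboot: NSLog("extension active after reboot")
        @unknown default: NSLog("unexpected result \(result.rawValue)")
        }
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        // Common causes: the app not running from /Applications
        // (OSSystemExtensionErrorUnsupportedParentBundleLocation), a missing or
        // mismatched code signature, or the sysex not embedded in the .app.
        NSLog("activation failed: %@", error.localizedDescription)
    }
}
```

Call activate() once the app has finished launching and keep the activator alive for the lifetime of the request, since the delegate is referenced weakly.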
Thanks much, Eskimo!

I was able to compile using Xcode 12.0 beta 3 and beta 4.

I'm not sure if the app that embeds the extension should be in the Applications folder; if so, is it /Applications?

When I try to launch under Xcode, I'm able to see in the UI that the launch is successful. But I see a signature problem. Not sure why, though! When I check the signature:

psinha@Prokash.Sinha:~/GITS/MonitoringSystemEventsWithEndpointSecurity/Build/Products/Debug$ codesign -dvvvv com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/
Executable=/Users/psinha/GITS/MonitoringSystemEventsWithEndpointSecurity/Build/Products/Debug/com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp.Extension
Identifier=com.example.apple-samplecode.SampleEndpointApp.Extension
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=772 flags=0x10000(runtime) hashes=14+5 location=embedded
VersionPlatform=1
VersionMin=659200
VersionSDK=720896
Hash type=sha256 size=32
CandidateCDHash sha256=c093346dc496a58da0bc8f61450b972d8819ca6d
CandidateCDHashFull sha256=c093346dc496a58da0bc8f61450b972d8819ca6d29de431d3e6c4c9c1a52ca01
Hash choices=sha256
CMSDigest=c093346dc496a58da0bc8f61450b972d8819ca6d29de431d3e6c4c9c1a52ca01
CMSDigestType=2
Page size=4096
CDHash=c093346dc496a58da0bc8f61450b972d8819ca6d
Signature size=4739
Authority=Apple Development: Prokash Sinha (XQ47TT249Y)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Aug 6, 2020 at 12:06:27 PM
Info.plist entries=22
TeamIdentifier=C489D5E8E8
Runtime Version=11.0.0
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=220

Ideally I would be happy if I could get the daemon (that I can install using launchctl) working with SIP enabled.

After registering (it becomes silent). Hope this one is working for someone (with SIP enabled).