1. Whether the EndpointSecurity Client must be a system extension?
My understanding is that EndpointSecurity require that clients run as root and have the entitlement, meaning there’s no specific requirement that the client be a system extension. This is in contrast to other subsystems, like system-wide NetworkExtensions, which must be packaged as system extensions.
Having said that, running as root is a significant hurdle. You wrote:
Then, build a simple app [it] works well on other machine which SIP is enabled. (Root permission & approved by TCC)
By definition an “simple app” isn’t running as root. In a real setup you’d need to install this as a launchd daemon in order to get root privileges, and that presents challenges for getting your entitlement. For a daemon to use the EndpointSecurity entitlement, it must be packaged in an app-like structure in order to have a place to store the provisioning profile that whitelists those entitlements.
All-in-all, it’s going to be easier if you just use a system extension.
2. If we must package Endpoint Security as a system extension, and be contained in an app. Whether the containing app can be distributed in Mac App Store?
That’s the plan. To quote WWDC 2019 Session 702 System Extensions and DriverKit:
Once you've packaged your System Extension into an app, you can distribute that app directly to your users using Developer ID or through the Mac App Store, which has never been possible with Kernel Extensions.
Share and Enjoy
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
Thank you Eskimo for your kindly help!