Endpoint Security as a Daemon instead of Sys Ext.

Hi,


I found a way to create an App that runs as a daemon as well, using libEndpointSecurity.dylib to create an "es_new_client" and "es_subscribe" to events. It has the entitlement "com.apple.developer.endpoint-security.client". If I disable SIP, it seems to be fully working: it gets the ES events, AUTH events too.


I have also implemented the same App as per the guidelines, using the wrapper App that holds the system extension bundle within, using the system extension manager to activate it, and XPC to communicate; all good.


My question is, do I really have these two options? I understand that once I get the approval for the entitlement I could make the second approach work with SIP. But can I make the first one work with SIP? Are there any limitations for the first approach? Could I deliver a solution based on the first approach?


Thanks.

Replies

> do I really have these two options?

Yes.

> Are there any limitations for the first approach?

Yes. A couple of ES sysex benefits immediately spring to mind:

  • NSEndpointSecurityEarlyBoot — See the EndpointSecurity man page for details.
  • SIP protection — This ensures that your ES sysex is only removed by the user (or site admin), as opposed to a launchd daemon which can be removed by any code running as root.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Got it. Thanks!
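As an added example that is not from this thread, a minimal Swift daemon of the kind described in the question, showing which es_new_client result code tells you that the entitlement, Full Disk Access or root is missing, and a SIGTERM handler for the removable-daemon caveat Quinn raises. It assumes the binary is signed with the entitlement and launched as root by launchd; the describe helper is my own naming, not part of the ES API.

```swift
import EndpointSecurity
import Foundation

// Hypothetical helper: map the es_new_client result to the prerequisite
// that is missing (entitlement, TCC grant, or root).
func describe(_ result: es_new_client_result_t) -> String {
    switch result {
    case ES_NEW_CLIENT_RESULT_SUCCESS:              return "ok"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:     return "missing com.apple.developer.endpoint-security.client entitlement"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:    return "Full Disk Access not granted to this binary (TCC)"
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:   return "not running as root"
    case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS: return "too many ES clients on this system"
    default:                                        return "es_new_client error \(result.rawValue)"
    }
}

var rawClient: OpaquePointer?
let result = es_new_client(&rawClient) { client, message in
    let msg = message.pointee   // handler runs on an ES-owned thread: keep it short
    switch msg.event_type {
    case ES_EVENT_TYPE_NOTIFY_EXEC:
        // NOTIFY events are informational: record which binary started.
        NSLog("exec: %@", String(cString: msg.event.exec.target.pointee.executable.pointee.path.data))
    case ES_EVENT_TYPE_AUTH_EXEC:
        // AUTH events stall the spawning process until answered (before msg.deadline).
        // This client only observes, so always allow; cache=false means ES keeps asking.
        es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, false)
    default:
        break
    }
}

guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let esClient = rawClient else {
    NSLog("es_new_client failed: %@", describe(result))
    exit(EXIT_FAILURE)
}
_ = es_clear_cache(esClient)   // drop AUTH verdicts cached by an earlier client

let events: [es_event_type_t] = [ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_AUTH_EXEC]
guard es_subscribe(esClient, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    NSLog("es_subscribe failed"); es_delete_client(esClient); exit(EXIT_FAILURE)
}

// Unlike a sysex, nothing stops root from unloading this launchd job, so at
// least detach cleanly when launchd sends SIGTERM.
signal(SIGTERM, SIG_IGN)
let term = DispatchSource.makeSignalSource(signal: SIGTERM, queue: .main)
term.setEventHandler { es_unsubscribe_all(esClient); es_delete_client(esClient); exit(EXIT_SUCCESS) }
term.resume()
dispatchMain()
```

With SIP enabled, the ERR_NOT_ENTITLED path is the one the daemon approach hits until Apple grants the entitlement; a development build with SIP disabled skips that check, which is why the first approach appeared to work.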