Post

Replies

Boosts

Views

Activity

Endpoint Security signing issues
I'm trying to sign a macOS application which includes an Endpoint Security system extension. The profile for the extension has capability added and the app profile has the System Extension capability added. Both targets also have the correct entitlements, but when validating the app after archiving I get the following error: "Profile doesn't support Endpoint Security." When looking in the logs I can see that Xcode is fetching a provisioning profile for the extension without the needed capability. If downloading the profile from the developer portal, the correct capability is present. Could something be "out of sync" regarding what provisioning profiles Xcode fetches vs what I see on the developer portal? If I try to archive using xcodebuild I get the following: "APP requires a provisioning profile with the System Extension feature." and ""BUNDLE_ID.systemextension" requires a provisioning profile with the Endpoint Security feature." I have tried with automatic and manual signing but nothing seems to work.
6
0
1.2k
Apr ’24
macOS System Extension Compatibility Issues
We’re encountering issues with a system extension that subscribes to multiple events. Some users are experiencing performance problems when running our extension alongside other system extensions like Microsoft Defender and CrowdStrike, which seem to generate a high volume of events. However, on certain Macs with an identical setup, there are no performance issues, making it difficult to pinpoint the cause. Has anyone found ways to improve compatibility with other system extensions? Currently, we’re ignoring and caching events from other extensions to avoid unnecessary processing. The specific ES events contributing to the issue seem to be:
• ES_EVENT_TYPE_AUTH_EXEC
• ES_EVENT_TYPE_AUTH_OPEN
I realize this is a broad question, but the documentation for endpoint security extensions is quite limited. Any insights or suggestions would be greatly appreciated!
1
0
617
Oct ’24
Full disk access for CLI app
It seems it is not possible to give a CLI app (non .app bundle) full disk access in macOS 26.1. This seems like a bug, and if not, that is a breaking change. Anybody seeing the same problem? Our application needs full disk access for a service running as a LaunchDaemon. The binary is located in a /Library subfolder.
2
1
520
Nov ’25
SecurityAgent taking focus for plugin in macOS 26.1
We have a custom SecurityAgentPlugin that is triggered by multiple authorizationdb entries. Some customers report that the SecurityAgent process takes window focus even though no UI or windows are displayed. Our plugin explicitly ignores the _securityAgent user and does not show any UI for that user. However, in macOS 26.1, it appears that the plugin still causes the SecurityAgent to take focus as soon as it is triggered. Is this a change in macOS 26.1 or a bug? Can we do anything to prevent "focus stealing"?
24
3
2.5k
2d