[quote='869113022, ehale, /thread/807112?answerId=869113022#869113022, /profile/ehale'] @Afogh Yes, we have. If you keep "is-root" at the beginning of your list of rules (when needed), the system processes should be happier with that. [/quote] That is really nice to hear! We are still struggling with this problem. If I may ask how does your own custom rule look like? Is that a evaluate-mechanisms where you list your plugin?

@ehale Have you found any workarounds to the problem? Issue is still present in 26.2 RC...

[quote='867120022, shara7, /thread/806187?answerId=867120022#867120022, /profile/shara7'] This issue is a bug where CLI applications are not displayed in "Security and Privacy." [/quote] I believe it is a critical bug when it is related to security settings. You can't see what CLI applications you have given permissions.

[quote='866797022, Afogh, /thread/807112?answerId=866797022#866797022, /profile/Afogh'] Yes, I have reported a bug with this number: FB20987979 [/quote] @DTS Engineer Any update on this? Is this being fixed?

[quote='866786022, DTS Engineer, /thread/807112?answerId=866786022#866786022'] Have either of your filed a bug about this yet? If so, please post the bug number. [/quote] Yes, I have reported a bug with this number: FB20987979

[quote='866622022, ehale, /thread/807112?answerId=866622022#866622022, /profile/ehale'] @DTS Engineer I've discovered more information. The process /usr/libexe/mdmclient runs every so often to check if the machine is enrolled in MDM (I believe). This process seems to invoke our security agent plugin to check the right com.apple.ServiceManagement.daemons.modifywhich is the same right we are already modifying when this happens. I have tried to return early in our security agent's invoke method if it is the mdmclient process, but that didn't seem to work. I am going to see if I can return even earlier, or, ignore it altogether. [/quote] We are seeing the same thing. We can reproduce the SecurityAgent focus steal by killing the mdmclient process and making our Intune Company Portal app do a resync. @DTS Engineer Could we please get some feedback on this? This is affecting a lot of our Mac users.

Turns out I was too quick. The issue still occurs on the latest beta, unfortunately.

@ehale I'm testing on latest macOS 26.2 beta 3. I have not seen the focus issue yet. Have you tested on that?

[quote='866406022, DTS Engineer, /thread/807112?answerId=866406022#866406022'] What does it look like after your modifications? [/quote] { "class" => "evaluate-mechanisms" "comment" => "Preferences." "created" => 784744897.064658 "mechanisms" => [ 0 => "MyAuth:invoke" ] "modified" => 784745142.85089 "shared" => false "tries" => 10000 "version" => 0 }

[quote='866132022, DTS Engineer, /thread/807112?answerId=866132022#866132022'] What right is being authorised when this happens? Have you confirmed that the right is still set up the way you think it’s set up? If this is happening in managed environments then my experience is that such environments often have multiple security products installed. It’s easy to imagine these products fighting each other over how a specific right might be authorised. [/quote] It's the com.apple.ServiceManagement.daemons.modify right. We see it on MDM enrolled Macs with only our product installed, but on Macs not enrolled there is no issue. Seems like the SecurityAgent is doing something in the background on MDM Macs. Triggering the plugin should be fine, but taking focus when no UI is shown seems wrong

This is related to this: https://developer.apple.com/forums/thread/806187 This is totally broken on macOS 26.1.

We are seeing the same issue with our product, except we can see it on Sequoia as well. We see the issue when we are inserting into rights: com.apple.ServiceManagement.daemons.modify We are also adding a mechanism to com.apple.ServiceManagement.daemons.modify. I can't rule out that it also happens in Sequoia, but many of our users see the problem very often on Tahoe.

maartenweyns: Are you running any security software? Or software that has a SecurityAgent Plugin. Quinn: Our product contains a SecurityAgent plugin and is an essential part of our product. We do a lot of testing, but this issue seems to be hitting some customers depending on maybe their MDM setup and software installed on the Macs. Could you make help me some documentation on changes in 26.1? We do have an SFAuthorizationPluginView, but that is not even invoked for this issue

We have also noticed that if the full disk access is configured using a MDM profile the entry is not added to the TCC.db, but the binary will still have the permission. Something is really broken regarding TCC on 26.1.

Bug is still present in macOS 26.2 beta