I'm confuse about the loading condition of Finder Sync Extension. I want to run the Finder sync as a user agent service, so I use a command line tool project and added a Finder sync extension target in the project. But when I debug the extension in Xcode, select Finder to run, the init method of Finder sync class never called, I also check the Activity Monitor, there is no the Finder sync extension. But if I use a Cocoa APP, the Finder sync extension will load as normal. So what's the condition to run a Finder Sync Extension in Finder?

I'm trying to display overlay on screen by following code: NSRect windowRect = [[NSScreen mainScreen] frame]; self.overlayWindow = [[NSWindow alloc] initWithContentRect:windowRect styleMask:NSWindowStyleMaskBorderless backing:NSBackingStoreBuffered defer:NO screen:[NSScreen mainScreen]]; [self.overlayWindow setReleasedWhenClosed:YES]; [self.overlayWindow setBackgroundColor:[NSColor colorWithCalibratedRed:0.0 green:1.0 blue:0.0 alpha:0.1]]; [self.overlayWindow setAlphaValue:1.0]; [self.overlayWindow setOpaque:NO]; [self.overlayWindow setIgnoresMouseEvents:NO]; [self.overlayWindow makeKeyAndOrderFront:nil]; self.overlayWindow.ignoresMouseEvents = YES; self.overlayWindow.level = NSScreenSaverWindowLevel; self.overlayWindow.collectionBehavior = NSWindowCollectionBehaviorCanJoinAllSpaces | NSWindowCollectionBehaviorCanJoinAllApplications; But when other APP enter full screen, the overlay disappears even I set the collectionBehavior with option NSWindowCollectionBehaviorCanJoinAllApplications. Is it possible to display a overlay on top of all other APPs?

My role is developer in a development team. Now I want to distribute my Mac App to others by "Direct Distribution". I asked our team holder to apply for the Developer ID Application certification and Developer ID Installer certification, then import these certifications to my development Mac. But when I try to package my App, there is an error: [team id] does not have permission to create "Developer ID" provisioning profile. What is "Developer ID" provisioning profile? Should I ask my team holder to create a corresponding profile on Apple Developer site or should our team need subscribe to some Apple development service ?

I'm developing a file access control system. In order to protect the file content copied out, I'm finding a way to deny user copy file content to other files. I know there are data transmission between the copied application and pboard service by XPC. But I don't know how to interrupt the data transmission. Or I can do something to stop the copied data send to the Clipboard. So is there any way to prevent the contents of a file being copied?

I'm developing a encrypte&decrypt filesystem on Mac. I use MacFuse to realize this filesystem and mount it under a folder. By doing this I can hook the open file method when user are trying to open the encrypted file(such as A.rtf) under the mounted folder. Then I will decrypt A.rtf and generate a new decrypted file, let's call it as B.rtf. In the hooked open file method, I will return B.rtf file descriptor so that the user can open the decrypted file. All works fine, until I opend the encrypted file once and copy it. It seems Mac system directly using the decrypted cache data when doing copy, so the decrypted content will be copied. I tried add fcntl(fd, F_NOCACHE, 1); fcntl(fd, F_NODIRECT, 1) after int fd = open([p UTF8String], mode);, but it not work. So is there a way to clearly tell the Mac system, do not cache my data when open files?

I'm currently trying to develop a transparent data encryption(TDE) system on MacOS 12.6.8. Our company has its own file encryption format. In order to facilitate safe and convenient file transfer between Windows and Mac platforms, we need to develop a TDE system on the Mac platform (on the Windows platform, we have developed such a system based on the Minifilter framework). I tried to implement this system using a MacFuse based file system and the Endpoint Security system extension, but found that this did not allow complete control of files on the Mac system. For example, when you use Finder to copy an encrypted file, the decrypted data will be copied out. I'm guessing this might be due to Finder or some other system process cache. By referring to the current product introductions of other companies, I learned that the current TDE systems on Mac systems are all based on kernel extension. But I noticed that Apple no longer encourages kernel extension development, and the Mac kernel has fewer and fewer APIs open to development. So I would like to ask is it still feasible to develop a TDE system based on the kernel extension?

I'm a bit confuse on the file permission between root and admin account. I'm developing the background user agent process, and I created the agent plist file with the permission R&W for my admin account. When I tried to load my agent process with launchd, it said the plist file permission is not right. Only after I change the plist file owner to root chown root my.plist, did everything work. From the above situation, it seems that the root user cannot access files that are only authorized to the admin user. Admin account also can't access files authorized only to root, unless you add sudo or enter the password when the request admin password box pops up. But by sudo or password, it just temporarily converts your account from admin to root account. So am I right in my speculation?

I mounted a 3rd file system on macOS, I want to monitor the copy event by Finder on this 3rd file system, so I use an Endpoint Security client. I know that ES_EVENT_TYPE_NOTIFY_CLONE will only be triggered by Apple File System clone operation. ES_EVENT_TYPE_NOTIFY_COPYFILE is triggered by the SYS_copyfile system call. If I want to monitor the copy/paste operation by Finder(The copy can happens in the 3rd file system or between 3rd and Apple File System), which ES event should I register?

I'm using XPC to do IPC with an agent service. I use NSXPCConnection initWithMachServiceName to create the connection and active it. Then I get the agent service remote object proxy with method remoteObjectProxyWithErrorHandler. But when the agent service unloaded, I can also get the remote proxy without any error. Is there anyway to check XPCConnection really connect to a XPC server?

I'm using the ES framework to control files created by handling the event ES_EVENT_TYPE_AUTH_CREATE, but when a file is created by replacing the same name file, ES_EVENT_TYPE_AUTH_CREATE won't be reported. I've searched and tried the event ES_EVENT_TYPE_AUTH_EXCHANGEDATA, but it didn't work. Which event should I monitor for 'creating a file' by replacing a file with the same name?

When the user opens the "Save As" dialog, the Open and Save Panel Service will be launched by the system. Now I want to monitor the "Save As" operation in a user program, so is there an Endpoint Security event that I can use to monitor when the Open and Save Panel Service is launched? I've tested the ES_EVENT_TYPE_AUTH_EXEC event, but it did not work.

I have developed an Endpoint Security extension which works with my normal Mac APP. For now, there are two independent projects, one is ES extension project, and the other is my normal APP. I want to distribute my APP as a pkg, so I need the ES extension in the package. I wonder to know what is the best way to package the ES extension with my normal APP? Should I add an Endpoint Security target in my normal APP project and copy the codes from ES project? Then, when user launch my APP, at some point, I need register the ES extension by OSSystemExtensionRequest?

I'm try to monitor all processes by ES client. But I found the process name is different from the Activity Monitor displayed. As shown in the picture below, there are ShareSheetUI(Pages) and ShareSheetUI(Finder) processes in Activity Monitor, but I can only get the same name ShareSheetUI, I thought of many ways to display the name in parentheses, but nothing worked, so there is a way to display the process name like Activity Monitor?

When I'm using Endpoint Security to monitor the file creation behavior of Keynote, I've noticed that when I choose to export a Keynote file as an HTML file, ES only triggers the ES_EVENT_TYPE_NOTIFY_CREATE notification for the index.html file, and the ES_EVENT_TYPE_AUTH_CREATE is not triggered. I've double - checked my code many times, and I'm pretty sure there's no error in it. Does ES only call the notification event without calling the authorization event under certain circumstances? Or is this a bug in ES?

Will the ES_EVENT_TYPE_NOTIFY_OPEN event be called back when the user has already returned es_respond_flags_result(client, msg, 0, false) in ES_EVENT_TYPE_AUTH_OPEN? I believe the ES_EVENT_TYPE_NOTIFY_OPEN event should not be triggered if the user has already denied the open operation in the ES_EVENT_TYPE_AUTH_OPEN response handler. However, during my testing, ES_EVENT_TYPE_NOTIFY_OPEN was still being called even after I blocked the open process. Is this behavior correct?