According to Apple's development documentation, if I want to install an Endpoint Security system extension, I need to develop a host app that must be installed in the Applications directory. Now, I want to create an ES extension to protect users from accessing certain folders. However, I don't want a custom app to pop up asking the user to allow the installation of the ES extension. (To clarify, it's fine if the system authorization request dialog pops up, but I don't want the host app's UI to appear.) Is there any way to do this?

I downloaded a P12 file (containing a private key) from the company server, and retrieved the private key from this P12 file using a password : private func loadPrivateKeyFromPKCS12(path: String, password: String) throws -> SecKey? { let p12Data: Data do { p12Data = try Data(contentsOf: fileURL) } catch let readError { ... } let options: [CFString: Any] = [ kSecImportExportPassphrase: password as CFString ] var items: CFArray? let status = SecPKCS12Import(p12Data as CFData, options as CFDictionary, &items) guard status == errSecSuccess else { throw exception } var privateKey: SecKey? let idd = identity as! SecIdentity let _ = SecIdentityCopyPrivateKey(idd, &privateKey) return privateKey } However, when I use this private key to call SecKeyCreateSignature for data signing, a dialog box always pops up to ask user to input the Mac admin password. What confuses me is that this private key is clearly stored in the local P12 file, and there should be no access to the keychain involved in this process. Why does the system still require the user's login password for signing? Is it possible to perform silent signing (without the system dialog popping up) in this scenario?

I've developed a Endpoint Security system extension, which will be installed in a container APP. I use XPC to send message from container APP to the ES client, it works fine. I have developed an Endpoint Security system extension that will be installed in a container app. I utilize XPC to send messages from the container app to the ES client, and it functions properly. However, when I attempt to send messages from the ES client to the container app, it always displays an error: 'Couldn’t communicate with a helper application.'. I have removed the sandbox capability of the container app and also employed the same app group for both the ES client and the container app. When an XPC client is connected, I use the following code in the ES client to establish two-way communication. - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection { newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(NXFileGuardXPCProtocol)]; NXFileGuardXPCService *xpcService = [NXFileGuardXPCService sharedInstance]; newConnection.exportedObject = xpcService; // To APP container client (As remote interface) newConnection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(NXFileGuardXPCClientProtocol)]; [newConnection activate]; self.containerAPPConnection = newConnection; return YES; } But it always fails. How can I deal with this error?

I'm developing an APP on Mac. There will be some template sensitive file be decrypte during the user using it. I don't want my client see these files by Finder or Terminal, so I tried to mount a file system and store the decrypted folder under the filessystem, then don't return the contents of decrypted folder when filesystem call contentsOfDirectory. It works under my filesystem. But when user directly access these files by Finder(not from my filesystem mounted path), the files are still here can be seen by the user. Is there anyway to make my files hide from Finder? Such as Finder extension, or some special folder Mac offered to store these sensitive files?

I'm writing an app on macOS that stores passwords in the Keychain and later retrieves them using SecItemCopyMatching(). This works fine 90% of the time. However, occasionally, the call to SecItemCopyMatching() fails with errSecAuthFailed (-25293). When this occurs, simply restarting the app resolves the issue; otherwise, it will consistently fail with errSecAuthFailed. What I suspect is that the Keychain access permission has a time limitation for a process. This issue always seems to arise when I keep my app running for an extended period.

I'm finding a way to hook vnode operations, following is a snippet of the code: IOReturn FltIOKitKAuthVnodeGate::RegisterVnodeScopeCallback(void) { // // register our listener // this->VnodeListener = kauth_listen_scope( KAUTH_SCOPE_VNODE, // for the vnode scope FltIOKitKAuthVnodeGate::VnodeAuthorizeCallback, // using this callback this ); // give a cookie to callback if( NULL == this->VnodeListener ){ DBG_PRINT_ERROR( ( "kauth_listen_scope failed\n" ) ); return kIOReturnInternalError; } return kIOReturnSuccess; } Here use kauth_listen_scope to get the newly created vnode object, then will hook on it. But now kauth_listen_scope is deprecated, and there is no way to get the vnode by using EndpointSecurity. So is there any other way to get the newly created vnode object?

I'm developing a system that uses an ES extension to control user file openings on Mac. When a user tries to open a file, the ES extension can either allow or deny the user from opening it. However, the policy for allowing/denying users to open files is managed by my normal Mac app. Therefore, the ES extension needs to proactively communicate with the normal app. Initially, I wanted to create an XPC service in my regular app, but according to the documentation, XPC services are managed by launchd and cannot be created by regular apps. So if I want my ES extension to communicate with the regular app proactively, what IPC method can I use?