
Reply to Why a driverkit extension needs a CMIO extension
The extension target is a module that creates an example camera, and ExampleMyUSB is a DriverKit extension written according to overriding-the-default-usb-video-class-extension. Extension Info.plist: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CMIOExtension</key> <dict> <key>CMIOExtensionMachServiceName</key> <string>$(TeamIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER)</string> </dict> </dict> </plist> ExampleMyUSB Info.plist: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>IOKitPersonalities</key> <dict> <key>ExampleMyUSB</key> <dict> <key>CFBundleIdentifierKernel</key> <string>com.apple.kpi.iokit</string> <key>IOClass</key> <string>IOUserService</string> <key>IOMatchCategory</key> <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>IOProviderClass</key> <string>IOUserResources</string> <key>IOResourceMatch</key> <string>IOKit</string> <key>IOUserClass</key> <string>ExampleMyUSB</string> <key>IOUserServerName</key> <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>IOProbeScore</key> <integer>100000</integer> <key>idVendor</key> <integer>1452</integer> <key>idProduct</key> <integer>34068</integer> <key>IOProviderMergeProperties</key> <dict> <key>CameraAssistantBundleID</key> <string>com.lqs.example.ExampleCam.Extension</string> </dict> </dict> </dict> <key>OSBundleUsageDescription</key> <string></string> </dict> </plist>
Jun ’25
Reply to Why a driverkit extension needs a CMIO extension
My project looks like the following: ExampleCam is the main app, which installs the CMIO extension and the USB driver extension. The ExampleCam.entitlements: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.driver-extension.install</key> <true/> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>$(TeamIdentifierPrefix)com.lqs.example.ExampleCam</string> </array> <key>com.apple.security.files.user-selected.read-only</key> <true/> </dict> </plist> If I include the com.apple.developer.driver-extension.install entitlement, I can't run the app (see picture 2). But if I delete it, I get the error shown in picture 1: picture 1: picture 2: ContentView.swift: // // ContentView.swift // ExampleCam // // import SwiftUI import SystemExtensions import Logging struct ContentView: View { @State private var logs: [String] = [] @State private var extensionDelegate: ExtensionDelegate? 
var body: some View { VStack { Image(systemName: "globe") .imageScale(.large) .foregroundStyle(.tint) Text("Hello, world!") // 日志显示区域 ScrollView { Text(logs.joined(separator: "\n")) .frame(maxWidth: .infinity, alignment: .leading) .padding() } // 按钮区域 HStack { Button("Start USB Driver Extension") { startCameraExtension() } Button("Stop USB Driver Extension") { stopCameraExtension() } } .padding() } .padding() } // MARK: - Private Methods private func startCameraExtension() { guard let identifier = Self.extensionBundle().bundleIdentifier else { return } let logString = "identifier \(identifier)" logger.info("\(logString)") logs.append(logString) let activationRequest = OSSystemExtensionRequest.activationRequest( forExtensionWithIdentifier: identifier, queue: .main ) extensionDelegate = ExtensionDelegate(logs: $logs) activationRequest.delegate = extensionDelegate OSSystemExtensionManager.shared.submitRequest(activationRequest) } private func stopCameraExtension() { guard let identifier = Self.extensionBundle().bundleIdentifier else { return } let logString = "identifier \(identifier)" logger.info("\(logString)") logs.append(logString) let deactivationRequest = OSSystemExtensionRequest.deactivationRequest( forExtensionWithIdentifier: identifier, queue: .main ) extensionDelegate = ExtensionDelegate(logs: $logs) deactivationRequest.delegate = extensionDelegate OSSystemExtensionManager.shared.submitRequest(deactivationRequest) } private static func extensionBundle() -> Bundle { let extensionsDirectoryURL = URL( fileURLWithPath: "Contents/Library/SystemExtensions", relativeTo: Bundle.main.bundleURL ) let extensionURLs: [URL] do { extensionURLs = try FileManager.default.contentsOfDirectory( at: extensionsDirectoryURL, includingPropertiesForKeys: nil, options: .skipsHiddenFiles ) } catch let error { fatalError("fatal 1 \(error)") } // 专门查找 ExampleMyUSB.dext guard let extensionURL = extensionURLs.first(where: { url in url.lastPathComponent.contains("ExampleMyUSB.dext") }) 
else { fatalError("fatal 2: ExampleMyUSB.dext not found") } guard let extensionBundle = Bundle(url: extensionURL) else { fatalError("fatal 3 \(extensionURL.absoluteString)") } return extensionBundle } } // MARK: - Extension Delegate class ExtensionDelegate: NSObject, OSSystemExtensionRequestDelegate { @Binding var logs: [String] init(logs: Binding<[String]>) { self._logs = logs } func request( _ request: OSSystemExtensionRequest, actionForReplacingExtension existing: OSSystemExtensionProperties, withExtension ext: OSSystemExtensionProperties ) -> OSSystemExtensionRequest.ReplacementAction { let logString = "\(#function): (request: \(request.identifier))" logger.trace("\(logString)") DispatchQueue.main.async { self.logs.append(logString) } return .replace } func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) { let logString = "\(#function): (request: \(request.identifier))" logger.trace("\(logString)") DispatchQueue.main.async { self.logs.append(logString) } } func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) { let logString = "\(#function): (request: \(request.identifier), result: \(result.rawValue))" logger.trace("\(logString)") DispatchQueue.main.async { self.logs.append(logString) } } func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) { let logString = "\(#function): (request: \(request.identifier), error: \(error))" logger.trace("\(logString)") DispatchQueue.main.async { self.logs.append(logString) } } } #Preview { ContentView() }
Jun ’25
Reply to Customized IOKit extension not work
Hello Kevein, Thanks for your reply. Multiline ES clients are generally built as LaunchDaemons and the API includes a specific option that ensure the ES client is launched during early boot, before ANY other 3rd party (non-apple signed) code is allowed to execute. That allows an ES client to ensure that an attacker cannot get "infront" of it and that's particularly true of something relatively "high level" like camera access. Yes, I got it. Maybe I didn't explain the case clearly. The case is that before I run the ES extension, the 3rd-party video meeting app has already opened the built-in camera and is using it. At that moment I start the extension, and it can't block the app's access to the camera, because ES_EVENT_TYPE_AUTH_IOKIT_OPEN only controls whether a 3rd-party app may open the camera; it does not affect an app that has already opened it. Multiline Having looked into this further and given your concerns about race conditions with other clients, I don't believe this approach is viable. Got it, so it's impossible to "hide" the built-in camera and make 3rd-party apps switch to my USB camera automatically via CMIO — is that right?
May ’25
Reply to Customized IOKit extension not work
Hi Apple, I want to know whether Apple's privacy rules permit implementing the following two requirements: When a third-party video conferencing app is not in a meeting, ensure the app defaults to using the USB device (Camera/Mic/Speaker). When a third-party conferencing app is in a meeting, ensure the app automatically switches to the USB device (Camera/Mic/Speaker).
May ’25
Reply to Run SampleEndpointApp but got Automatic signing failed
Hi Eskimo, Thanks for your step-by-step instructions. I performed the same steps but still got an error: Begin installing the extension 🔄 Failed to install the extension ❌ Missing entitlement com.apple.developer.system-extension.install `security cms -D -i SampleEndpointApp.app/Contents/embedded.provisionprofile | plutil -p -` { "AppIDName" => "XC com example apple-samplecode SampleEndpointAppRKJVFVKFG3" "ApplicationIdentifierPrefix" => [ 0 => "RKJVFVKFG3" ] ... "Entitlements" => { "com.apple.application-identifier" => "RKJVFVKFG3.com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3" "com.apple.developer.system-extension.install" => 1 "com.apple.developer.team-identifier" => "RKJVFVKFG3" "keychain-access-groups" => [ 0 => "RKJVFVKFG3.*" ] } "ExpirationDate" => 2026-05-21 17:00:08 +0000 "IsXcodeManaged" => 0 "Name" => "SampleEndpointAppUI" "Platform" => [ 0 => "OSX" ] "PPQCheck" => 0 "ProvisionedDevices" => [ 0 => "00008132-000121E822F8801C" 1 => "00006030-000279A822D9001C" ] "TeamIdentifier" => [ 0 => "RKJVFVKFG3" ] ... } codesign -d -vvv --entitlements - SampleEndpointApp.app Executable=/Users/liqingsong/Library/Developer/Xcode/DerivedData/SampleEndpointApp-ghrlccqjrckpnhfqwjcwcivydyne/Build/Products/Debug/SampleEndpointApp.app/Contents/MacOS/SampleEndpointApp Identifier=com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3 Format=app bundle with Mach-O thin (arm64) ... Authority=Mac Developer: qingsong li (GCL4D9JGCM) Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Signed Time=May 23, 2025 at 22:16:22 Info.plist entries=24 TeamIdentifier=RKJVFVKFG3 Runtime Version=15.4.0 Sealed Resources version=2 rules=13 files=8 Internal requirements count=1 size=212 Is it because this command didn't add the entitlement to the app? 
% codesign -s "Apple Development: Quinn Quinn (7XFU7D52S4)" -f --preserve-metadata=identifier,entitlements,flags,runtime SampleEndpointApp.app codesign -d -vvv --entitlements - SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension/ Executable=/Users/liqingsong/Library/Developer/Xcode/DerivedData/SampleEndpointApp-ghrlccqjrckpnhfqwjcwcivydyne/Build/Products/Debug/SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension Identifier=com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension Format=bundle with Mach-O thin (arm64) ... Authority=Mac Developer: qingsong li (GCL4D9JGCM) Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Signed Time=May 23, 2025 at 22:15:44 Info.plist entries=22 TeamIdentifier=RKJVFVKFG3 Runtime Version=15.4.0 Sealed Resources version=2 rules=13 files=0 Internal requirements count=1 size=224 [Dict] [Key] com.apple.developer.endpoint-security.client [Value] [Bool] true [Key] com.apple.security.get-task-allow [Value] [Bool] true
May ’25
Reply to Run SampleEndpointApp but got Automatic signing failed
Hello Eskimo, I can now build outside of Xcode successfully and code-sign from the command line, but it still fails. SampleEndpointApp Info.plist: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CFBundleDevelopmentRegion</key> <string>$(DEVELOPMENT_LANGUAGE)</string> <key>CFBundleExecutable</key> <string>$(EXECUTABLE_NAME)</string> <key>CFBundleIconFile</key> <string></string> <key>CFBundleIdentifier</key> <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> <string>$(PRODUCT_NAME)</string> <key>CFBundlePackageType</key> <string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string> <key>CFBundleShortVersionString</key> <string>1.0</string> <key>CFBundleVersion</key> <string>1</string> <key>LSMinimumSystemVersion</key> <string>$(MACOSX_DEPLOYMENT_TARGET)</string> <key>NSHumanReadableCopyright</key> <string>Copyright © 2020 Apple. 
All rights reserved.</string> <key>NSMainStoryboardFile</key> <string>Main</string> <key>NSPrincipalClass</key> <string>NSApplication</string> <key>NSSupportsAutomaticTermination</key> <true/> <key>NSSupportsSuddenTermination</key> <true/> </dict> </plist> Extension Info.plist: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CFBundleDevelopmentRegion</key> <string>$(DEVELOPMENT_LANGUAGE)</string> <key>CFBundleDisplayName</key> <string>Extension</string> <key>CFBundleExecutable</key> <string>$(EXECUTABLE_NAME)</string> <key>CFBundleIdentifier</key> <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> <string>$(PRODUCT_NAME)</string> <key>CFBundlePackageType</key> <string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string> <key>CFBundleShortVersionString</key> <string>1.0</string> <key>CFBundleVersion</key> <string>1</string> <key>LSMinimumSystemVersion</key> <string>$(MACOSX_DEPLOYMENT_TARGET)</string> <key>NSHumanReadableCopyright</key> <string>Copyright © 2020 Apple. 
All rights reserved.</string> <key>NSSystemExtensionUsageDescription</key> <string></string> <!-- <key>NSExtension</key>--> <!-- <dict>--> <!-- <key>NSExtensionPointIdentifier</key>--> <!-- <string>com.apple.endpoint-security</string>--> <!-- <key>NSExtensionPrincipalClass</key>--> <!-- <string>$(PRODUCT_MODULE_NAME).notify_demo</string>--> <!-- </dict>--> </dict> </plist> SampleEndpointApp entitlement: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.system-extension.install</key> <true/> <!-- <key>com.apple.security.app-sandbox</key>--> <!-- <true/>--> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.get-task-allow</key> <true/> </dict> </plist> Extension entitlement: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.endpoint-security.client</key> <true/> <!-- <key>com.apple.security.app-sandbox</key>--> <!-- <true/>--> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.get-task-allow</key> <true/> </dict> </plist> xcodebuild -project SampleEndpointApp.xcodeproj -target SampleEndpointApp -configuration Debug CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO warning: ONLY_ACTIVE_ARCH=YES requested with multiple ARCHS and no active architecture could be computed; building for all applicable architectures (in target 'Extension' from project 'SampleEndpointApp') warning: Extension isn't code signed but requires entitlements. 
It is not possible to add entitlements to a binary without signing it. (in target 'Extension' from project 'SampleEndpointApp') ** BUILD SUCCEEDED ** xcodebuild -project SampleEndpointApp.xcodeproj -target Extension -configuration Debug CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO warning: ONLY_ACTIVE_ARCH=YES requested with multiple ARCHS and no active architecture could be computed; building for all applicable architectures (in target 'Extension' from project 'SampleEndpointApp') warning: Extension isn't code signed but requires entitlements. It is not possible to add entitlements to a binary without signing it. (in target 'Extension' from project 'SampleEndpointApp') ** BUILD SUCCEEDED ** codesign --force --sign "20D155DE40CCA613F631D6E3891B5D4390D1A921" --entitlements /Users/liqingsong/Downloads/MonitoringSystemEventsWithEndpointSecurity/SampleEndpointApp/SampleEndpointApp.entitlements SampleEndpointApp.app SampleEndpointApp.app: replacing existing signature codesign --force --sign "20D155DE40CCA613F631D6E3891B5D4390D1A921" --entitlements /Users/liqingsong/Downloads/MonitoringSystemEventsWithEndpointSecurity/Extension/Extension.entitlements com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension: replacing existing signature 20D155DE40CCA613F631D6E3891B5D4390D1A921 is one of my certificate IDs (by the way, is GCL4D9JGCM my team ID or my certificate ID?): security find-identity -v -p codesigning ... 3) 20D155DE40CCA613F631D6E3891B5D4390D1A921 "Mac Developer: qingsong li (GCL4D9JGCM)" 3 valid identities found
May ’25
Reply to Run SampleEndpointApp but got Automatic signing failed
codesign -d --entitlements :- "/Applications/SampleEndpointApp.app" Executable=/Applications/SampleEndpointApp.app/Contents/MacOS/SampleEndpointApp warning: Specifying ':' in the path is deprecated and will not work in a future release <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.application-identifier</key><string>RKJVFVKFG3.com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3</string><key>com.apple.developer.system-extension.install</key><true/><key>com.apple.developer.team-identifier</key><string>RKJVFVKFG3</string><key>com.apple.security.files.user-selected.read-only</key><true/><key>com.apple.security.get-task-allow</key><true/></dict></plist> codesign -d --entitlements :- "/Applications/SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension" Executable=/Applications/SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension warning: Specifying ':' in the path is deprecated and will not work in a future release <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.application-identifier</key><string>RKJVFVKFG3.com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension</string><key>com.apple.developer.team-identifier</key><string>RKJVFVKFG3</string><key>com.apple.security.get-task-allow</key><true/></dict></plist>
May ’25
Reply to Run SampleEndpointApp but got Automatic signing failed
Yes, I'm trying to run "Monitoring System Events with Endpoint Security sample code". I have now disabled automatic signing in Xcode and use my own provisioning profile generated on Apple's developer site; the build succeeds. I read through this post, deleted the entitlements files of both the app and the extension, and code-signed them. Then I got an error like this: Failed to install the extension ❌ Invalid extension configuration in Info.plist and/or entitlements: does not appear to belong to any extension categories.
May ’25
Reply to Endpoint Security entitlement while in dev
I have the same problem. Xcode created a profile automatically, but it still failed: Automatic signing failed Xcode failed to provision this target. Please file a bug report at https://feedbackassistant.apple.com and include the Update Signing report from the Report navigator. Provisioning profile "Mac Team Provisioning Profile: *" doesn't include the com.apple.developer.endpoint-security.client entitlement.
May ’25
Reply to Customized IOKit extension not work
The following is my test program: FakeISPFilter % tree . ├── FakeISPFilter │ ├── FakeISPFilter.cpp │ ├── FakeISPFilter.hpp │ ├── Info.plist │ └── main.cpp └── FakeISPFilter.xcodeproj ├── project.pbxproj ├── project.xcworkspace │ ├── contents.xcworkspacedata │ ├── xcshareddata │ │ └── swiftpm │ │ └── configuration │ └── xcuserdata │ └── lqs.xcuserdatad │ └── UserInterfaceState.xcuserstate └── xcuserdata └── lqs.xcuserdatad └── xcschemes └── xcschememanagement.plist FakeISPFilter.hpp: #include <IOKit/IOService.h> class FakeISPFilter : public IOService { OSDeclareDefaultStructors(FakeISPFilter) public: virtual bool start(IOService* provider) override; virtual void stop(IOService* provider) override; virtual IOService* probe(IOService* provider, SInt32* score) override; }; FakeISPFilter.cpp #include <IOKit/IOLib.h> #include "FakeISPFilter.hpp" #define super IOService OSDefineMetaClassAndStructors(FakeISPFilter, IOService) bool FakeISPFilter::start(IOService* provider) { IOLog("FakeISPFilter: ISP Camera filtered!\n"); // not call super::start(), so hidden build-in camera return true; } void FakeISPFilter::stop(IOService* provider) { IOLog("FakeISPFilter: ISP Camera filter stopped.\n"); super::stop(provider); } IOService* FakeISPFilter::probe(IOService* provider, SInt32* score) { IOLog("FakeISPFilter: probe called!\n"); if (score) *score = 100000; // use the higher priority to replace build-in camera driver return this; } main.cpp #include <IOKit/IOLib.h> ======================================== Info.plist
May ’25