@eskimo Your guidance on above reply is appreciated.

@eskimo In continuation to above reply... Actually my application is trying to validate files on basis of certificate revocation status. Could you please suggest proper way to test such application ?

We visited developer account portal and revoked the developer/installer certificate by clicking on 'Revoke' button. After revocation we received certificate revocation communication e-mail from apple. So I think as per your comment, we have involved 'Apple Product Security' in revocation process. Let us know if we are missing anything.

@mdolan Thanks for quick response. Local drive attributes are as below (Using mount command) /dev/disk1s1 on / (apfs, local, read-only, journaled) pen drive attributes are as below (Using mount command) /dev/disk3s1 on /Volumes/dheeraj2 (apfs, local, nodev, nosuid, journaled, noowners) Both of them are not having noatime option set.

Hi Quinn, Is there any parameter in System Extension Event message which will suggest that it is retry event by system with extra privileges ? In case we have such indicator then there is no need of raising bug to Apple.

Hi Quinn, I verified and found that, the extra 2 ES_EVENT_TYPE_AUTH_CLONE events which are triggered when we deny first ES_EVENT_TYPE_AUTH_CLONE event, are coming from process "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper". Any further help to avoid extra 2-3 ES_EVENT_TYPE_AUTH_CLONE events will be appreciated.