Reply to Setup SearchDomains with NETransparentProxyProvider
When I looked up the documentation of NEDNSSettingsManager I noticed the point below for NEDNSSettingsManager.dnsSettings: "This property can be set to either an NEDNSOverHTTPSSettings object or an NEDNSOverTLSSettings object." So I preferred the MDM option, given we do have a managed environment. Do you think standard DNSSettings should still work? I can give it a try in that case.
Mar ’26
Reply to Setup SearchDomains with NETransparentProxyProvider
[quote='878875022, DTS Engineer, /thread/818199?answerId=878875022#878875022'] if your product is deployed in a managed environment, you can instruct the site admin to include these search domains. [/quote]
Yes, we are looking for a solution for managed environments. Can you please share more details about this? Any sample payload? I looked up the documentation and could not find any payload that always applies search domains without applying secure DNS settings or settings limited to a specific Wi-Fi or network. We want to just push a few DNS search domains to all managed machines for any type of network they connect to at any location, without enforcing secure DNS.
Mar ’26
Reply to Secure DNS and transparent proxy for DNS resolution
So if I understand correctly, a transparent proxy can also prevent the switch to secure DNS by blocking discovery of designated resolvers over SVCB, just like a DNS proxy extension? Or do I need to add a DNS proxy extension just to prevent the switch?
Jun ’25
Reply to SecStaticCodeCreateWithPath failed with Operation not permitted error
Thank you Quinn. I am not well versed in ES clients. Can you please let me know which ES auth event could be used to deny this access? The closest I could find was ES_EVENT_TYPE_AUTH_PROC_CHECK. Meanwhile, I will try to get the result of fs_usage.
Topic: App & System Services SubTopic: Core OS
May ’25
Reply to SecStaticCodeCreateWithPath failed with Operation not permitted error
Apologies for the late response.
"You're creating an ES client, right?"
No, it's a generic LaunchDaemon. No entitlements.
"I'd like to check that this isn't tied to the context in which you're running."
The issue is happening with a third-party app in a customer's environment, so we are not able to deploy any test code. In the most recent encounter, we noticed the trace below in the console logs. This binary is in /Library/Application Support, not in /Applications.
Console logs
I do not see any clear reason why we get "Unix error exception: 1, operation not permitted". Can you help me understand the reason for the error in this case?
Topic: App & System Services SubTopic: Core OS
May ’25
Reply to SecStaticCodeCreateWithPath failed with Operation not permitted error
@DTS Engineer There is no App Sandbox in this case. Also, the directory where this third-party daemon is located (within Applications) is readable by everyone. So, in what case can the SecStaticCodeCreateWithPath API fail with this error, and is there a way this can be simulated/reproduced?
Topic: App & System Services SubTopic: Core OS
Apr ’25
Reply to “Unauthorized” error when posting
I am getting the same unauthorized error today with whatever I try to post in reply to my own post, and here it's working on other posts. Very strange. Editing my own profile is throwing an unauthorized error, and here I am able to edit this reply as many times as I want. :D
Dec ’24
Reply to Peek data of TCPFlow in transparent proxy on macOS
Thank you for the response Quinn. So, is there any way to get the hostname as well as the IP of the remote endpoint of a flow? I can see there is hostname on NWHostEndpoint, which is documented to return a hostname or address. Is there a way to know when it returns an IP and when it returns a hostname? And is there a way to get both? Also, AFAIK, the TCP flow for a hostname is created only after the hostname is resolved. So, after domain resolution, would the remote endpoint hostname be the domain or the IP?
Dec ’24
Reply to Display interactable UI on macOS login screen
Thank you Quinn for the detailed answer. A few more questions: On a machine with FileVault enabled, on reboot, what happens to an authorization plugin whose mechanism is added to the authorization db before loginwindow:login? Would the plugin still be invoked after pre-boot login? Would the login window appear again after the plugin has finished, since loginwindow:login is listed after the plugin? How does pre-boot login work for users who need authentication with an AD server? Would they be prompted for AD login again after pre-boot login? (Assuming no third-party authorization plugin exists.)
Topic: UI Frameworks SubTopic: AppKit
Jul ’24
Reply to Display interactable UI on macOS login screen
One important point I just noticed is that PreLoginAgents do not run on machine start/restart when FileVault is enabled on the machine (which is quite common). This breaks the requirement of displaying the UI on the login screen in most cases. People usually either lock the screen or restart the machine, and a PreLoginAgent cannot be displayed in either of these cases. Is there a better way? Should we instead use SFAuthorizationPluginView to display this UI beside the macOS login screen?
Topic: UI Frameworks SubTopic: AppKit
Jul ’24
Reply to Display interactable UI on macOS login screen
Thank you for your response Quinn. A few questions about PreLoginAgents: What's the best way to enable or disable them? For example, if a feature flag is enabled in the thin client, we would want to display the PreLoginAgent and not otherwise. One way I could think of is to place and remove the PreLoginAgent in the /Library/PrivilegedHelperTools/ directory based on the feature flag. Is there any better way? Can we make this decision inside the agent? Can a PreLoginAgent make an XPC connection to a LaunchDaemon? Can a PreLoginAgent read files from root directories like /Library/Application Support/?
Topic: UI Frameworks SubTopic: AppKit
Jul ’24
Reply to macOS rejects certificate with non-critical unknown extension
Thank you for your help Quinn. It would be great if the Security APIs could also mention the extension causing the failure in the error message. "Unable to parse known extension" is not a very clear error, IMO.
Topic: App & System Services SubTopic: Core OS
Jul ’24
Reply to Prevent disabling System Integrity Protection via MDM
Thanks @const_void for your response. I was looking for a technical way for MDM providers to implement this policy to control whether users are allowed to disable SIP or not. I looked through Apple's list here and could not find anything about controlling SIP, so I wanted to understand whether it's even possible or not. Major MDM providers like JAMF and Intune do provide an option to create smart groups based on whether SIP is enabled or not. But is there a way to prevent users from disabling SIP? In certain cases, we cannot block access to users because some of them are education bodies who control the machines via MDM, not just employees.
Topic: App & System Services SubTopic: Core OS
Feb ’23