@Afogh Yes, we have. If you keep "is-root" at the beginning of your list of rules (when needed), the system processes should be happier with that.

@DTS Engineer I've discovered more information. The process /usr/libexe/mdmclient runs every so often to check if the machine is enrolled in MDM (I believe). This process seems to invoke our security agent plugin to check the right com.apple.ServiceManagement.daemons.modifywhich is the same right we are already modifying when this happens. I have tried to return early in our security agent's invoke method if it is the mdmclient process, but that didn't seem to work. I am going to see if I can return even earlier, or, ignore it altogether.

[quote='866406022, DTS Engineer, /thread/807112?answerId=866406022#866406022'] What does it look like after your modifications? [/quote] Ours after modification is: { "class" => "rule" "comment" => "Used by <company> to evaluate ad hoc rules." "created" => 780002118.985772 "k-of-n" => 1 "modified" => 785095658.311386 "rule" => [ 0 => "com.<company>.AdHoc" 1 => "com.<company>.original.com.apple.ServiceManagement.daemons.modify" ] "version" => 0 }

Have you found a workaround for this? Nope, we haven't. Our situation (simplified) looks like this: restart machine, we are using a script to tell us which application is currently active when an app opens, we are inserting into 'com.apple.ServiceManagement.daemons.modify' (the rights will be removed when the app closes) this app has the focus & remains open within 3-5 mins, the application SecurityAgent with path '/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle' takes the focus (I am unable to reply back to your comment OP)

We are seeing the same issue with our product, except we can see it on Sequoia as well. We see the issue when we are inserting into rights: com.apple.ServiceManagement.daemons.modify