Hello, I am having some issues with running an XPC server on an endpoint security and connecting to it from the sandboxed host application. I tried doing the following: setting xpc server in endpoint security extension entitlements: <key>com.apple.developer.endpoint-security.client</key> <true/> <key>com.apple.security.xpc.server</key> <true/> Adding the mach service with the plist: <dict> <key>NSExtension</key> <dict> <key>NSExtensionPointIdentifier</key> <string>com.apple.system-extension-endpoint-security</string> <key>NSExtensionPrincipalClass</key> <string>$(PRODUCT_MODULE_NAME).ESFExtension</string> </dict> <key>NSEndpointSecurityMachServiceName</key> <string>[TEAMID]com.[UNIQUE_ID]</string> </dict> </plist> Putting a mach-lookup in sandboxed host application entitlements <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.security.exception.mach-lookup.global-name</key> <array> <string>[TEAMID]com.[UNIQUE_ID]</string> </array> </dict> Creating the server in the system extension using xpc_connection_create_mach_service(_service_name.c_str(), dispatch_get_main_queue(), XPC_CONNECTION_MACH_SERVICE_LISTENER); with _service_name being the same as in the mach-lookup entitlement. And connecting to it in the host app with: xpc_connection_create_mach_service([self.serviceName UTF8String], dispatch_get_main_queue(), 0); My problem is I get an xpc error 159 (sandbox restriction) in the lookup (libxpc.dylib) [com.apple.xpc:connection] [0x600001a7db30] failed to do a bootstrap look-up: xpc_error=[159: Unknown error: 159] I tried putting the sysex and the host app in the same app group, and it didn't help and I also read this is bad practice to have an app group between a sandboxed app and a system extension so I removed it. I tried adding a temporary-exception and with it, the code works properly. I tried with the XPC_CONNECTION_MACH_SERVICE_PRIVILEGED flag but it still didn't work. Is it possible to have an XPC connection between a ES sysex and it's host app? Should the service name have a prefix of the bundle name or does it must have a certain pattern? Do I need to add some capability in the Certificates, Identifiers & Profiles? Thanks for helping.