Reply to XPC between endpoint security and host application
Also, regarding prefixing, given my container app bundle ID is com.XXX.YYY and my ES extension bundle ID is com.XXX.YYY.esextension, and my NSEndpointSecurityMachServiceName is {TEAM_ID}.com.XXX.YYY.status, with an app group both in the extension and the container app:

<key>com.apple.security.application-groups</key>
<array>
    <string>group.{TEAM_ID}.com.XXX.YYY</string>
</array>

Is this incorrect? Because a group must start with group. and now it is a prefix of the XPC endpoint, but it still blocks it with the same error (159).
Topic: App & System Services SubTopic: Core OS Tags:
Jun ’25
Reply to XPC between endpoint security and host application
Also, regarding prefixing, given my container app bundle id is com.XXX.YYY and my ES extension bundle id is com.XXX.YYY.esextension, and my NSEndpointSecurityMachServiceName is {TEAM_ID}.com.XXX.YYY.status, with an app group both in the extension and the container app: com.apple.security.application-groups group.{TEAM_ID}.com.XXX.YYY Is this incorrect?
Topic: App & System Services SubTopic: Core OS Tags:
Jun ’25
Reply to XPC between endpoint security and host application
Hey Quinn, thanks for answering. I will try prefixing the XPC endpoint with an app group ID. In the meantime, regarding the other options, I think I don't understand them fully. Is disabling the sandbox good practice? This app is distributed via MDM, so as I understand it, it will work and solve it, but I don't know if it is the correct usage. The temporary exception works fine, but I think I don't understand temporary exceptions properly. Are apps with temporary exceptions allowed by Apple? I currently can notarize and launch them, but should I ask Apple for a non-temporary mach lookup entitlement? Because I see mixed usage of com.apple.security.temporary-exception.mach-lookup.global-name and com.apple.security.exception.mach-lookup.global-name. Are temporary exceptions allowed in production usage? Thanks, David.
Topic: App & System Services SubTopic: Core OS Tags:
Jun ’25