The layout I'm looking at: • A daemon which queries various things, and at times decides it's time to log in (or log back in) • An application that handles the logging in, configuration, etc., which registers a custom url scheme • A LaunchAgent which would get an XPC (or just mach message, I suppose) from the daemon, and sends an open-url request for the custom url scheme, eg x-kithrup:login?reason=ihateyou All of that is pretty straightforward to me! But... on a mac, can I tell who sent the request? That is, can my application see that it was my LaunchAgent that made the open-url request? On iOS, it looks like I can, as the UIApplicationDelegate has a method that passes in a sourceApplication. But the NSAppleEventDescriptors confused me a lot.

The main question I have, honestly, is how do I do that? Or what do I do? The goal, of course, is to allow IT to deploy our product to macs. Our product has a network system extension, and the ability to install without asking user permission is very attractive. But... I'm not sure how to get started! My software-trained mind thinks that I should be able to write up my own provisioning file, but then I read the specifications and the part of my mind that keeps me from doing too many stupid things starts kicking the other part below the table. Is there a good resource for this from a developer's perspective? A tool that can create sample files for me, or documentation that can tell me what files and information I need to provide to someone using, say, JAMF?

I'm trying to get the URL used to launch an application. (Quinn helped me do the other part of this -- getting information about who sent the event -- in a TSI.) In the will-finish-launching method in the app delegate, I do:         eventManager.setEventHandler(self, andSelector: #selector(handleGetURLEvent(_:withReplyEvent:)), forEventClass: AEEventClass(kInternetEventClass), andEventID: AEEventID(kAEGetURL)) And that does work: it launches the application if it's not running, and switches over to it if it is running. But... when I try to use keyDirectObject to get the URL it doesn't work -- I get nil as the result. But if I iterate through the event's items... I find the item.         #if false         let url = event.attributeDescriptor(forKeyword: keyDirectObject)         print(url)         #else         let count = event.numberOfItems         print("\(count) items")         for index in 1...count {             let keyword = event.keywordForDescriptor(at: index)             if keyword == keyDirectObject {                 if let d = event.atIndex(index), let str = d.stringValue {                     url = URL(string: str)                     break                 }             }         }         #endif Later on (and this was due to Quinn), I have         guard let aeAuditToken = event.attributeDescriptor(forKeyword: keySenderAuditTokenAttr) and that works, so I don't think I'm asking for the URL incorrectly. Any ideas?

I have several executables, and I want them to be able to trust each other, since they grew up together and have had many bonding adventures together. When getting an XPC (or AppleEvents, thank you Quinn 😄) from another process, is there an easy way to find out if the other process is signed the same way the receiving process is? The code signing identity is easy to check, but of course it's also pretty easy to forge. (So this would be a variant, I think, of a question I asked a few months ago, how to see if a process is "properly" signed [which, as I said then, means it's got a valid code signature, and that is anchored "properly," which is to say something that would pass gatekeeper]. Only easier, because I really just want to say "here is my SecCode, here is this other process', are they both comparable?) Although I guess another thing would be to see if they're both in the same app group?

I'm specifically thinking about a transparent proxy provider, since that's what we're using, so what happens if: Process /Applications/Foo.app/Contents/MacOS/Foo opens a connection to, say, google port 443 After getting the connection set up, it then fork&execs /bin/sh (or whatever 😄). Does a new flow get created? Or does it continue to use the existing one?

I'm beating my head against Apple here and it hurts. We made the request for Endpoint Security, and got it granted. However, it was only for development (and as we're looking to do non-app store distribution, I explicitly asked for one to go with our Developer ID Application certificate). At this point, I have used a TSI (thanks Quinn!) and possibly upset an internal contact by asking what I'm supposed to do, and gotten nowhere. At this point, I am sending an email message to the endpoint-review address every week, and I have gotten no responses at all. Has anyone successfully gotten this? If so... how? (No, let me amend that: I know some have, since I've seen it in the wild. I just have no idea what I'm supposed to do!)

I've finally been installing our bundle into /Applications, and have noticed that this causes a crash report dialogue to come up whenever one of the components crashes. Which, at this point, is still fairly often (that's what asserts in debug builds are for!). But I really don't want to keep manually dismissing those windows; is there a way to stop them from coming up? (I mean, I still want the crash reports created and logged, but I have my own scripts that go through there to get new ones and cleanup the old ones.)

I've got a preference that requires the app to restart to take effect, so I would like to quit it. Using NSApp.terminate(nil) doesn't do it. Everything I can search for seems to be talking about iOS (and being able to relaunch the app would be good for iOS, if that's a doable thing?).

I mean, I could do a readdir on /Library/SystemExtensions/, but that won't really tell me which ones are active. I could parse the output of systemextensionsctl list but that doesn't seem particularly good.

This specifically seems to happen when my network extension is spawned by launchd, but has not actually been connected. (That is my conclusion based on the evidence: ps shows the process existing, but the logs show that main() hasn't run yet, let alone the proxy provider's init(). Without being able to debug launchd, I would say the situation is that launchd has said "yes this XPC port exists, when you try to connect to it I will send it on over to the extension, and thereafter you two will happily communicate directly," but the process hasn't gotten around to accepting XPC connections.) This seems to be most likely to happen when the extension crashes, or I kill -9 it to see how it handles respawning. I have a little CLI tool that talks (over XPC, of course) to the extension, mainly to say "Hi are you alive?" If the extension is not loaded, the XPC connection fails, as expected, and my tool says "NOT YET." If it is loaded and running, the XPC connection succeeds, as expected, and I get back a response of true. So my first question is: is this expected behaviour? My second question is: is there a way to do an XPC connection with a timeout?

Despite updating to the most recent Xcode repeatedly, I was never able to add a swift package using Xcode -- it would get stuck at validation and never get past that. I filed a feedback (and may have asked here? can't find it) and never heard back. Today, I managed to figure it out, by creating a project on one machine (where it worked), and checking it out on one that didn't work. And when I tried to launch Xcode on the second machine... it told me that it couldn't use swift packages with a legacy build setting. I changed that (long, long, long set) preference, and... suddenly it worked. In case anyone else is as stubborn and ludditious as I am, and find this useful.

I can use /usr/bin/security to install a root CA, and to delete it (based on the file)... but how do I check to see if it's installed already? Surely there is a way to do this, other than security find-certificate -a | fgrep my.ca.name? Ideally from the shell level, but if I have to write a program I can (in which case I believe it'd be a relatively easy, albeit annoying because I hate writing certificate code, task)...

I was trying to figure out how to monitor keychain events, and wrote:         dispatch_async(dispatch_get_main_queue(), ^{             OSStatus kr = SecKeychainAddCallback(MyKeychainEventCallback, kSecEveryEventMask, NULL);             printf("Got result %d\n", kr);         });         dispatch_main(); However, the callback never gets called. I put the same code into a simple GUI app (invoked from the didFinishLaunching method), and it does work. So presumably this is something run-loop related. But I can't seem to figure it out -- so what am I doing wrong?

For a variety of reasons, some of which are no doubt due to poor life decisions, I don't want my application to start automatically on restart. Is there a way to exempt myself from that?

Our TPP excludes our own processes from oversight, which makes some things very easy. Only I just found out that when our app uses a WKWebView... it's very securely shuffled off into its own process. With its own signing identifier. And a ppid of launchd. How could I tell that a com.apple.WebKit.Networking process is related to our process? (I note that the Endpoint Security Framework has added a "responsible" audit token, presumably for this sort of situation.)