Reply to How to use the WebAssembly (wasm) binary module in macos App
We have found the cause of the issue. Below are our current entitlements:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.endpoint-security.client</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
        </array>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>$(TeamIdentifierPrefix)xxxxxx</string>
        </array>
        <key>com.apple.security.get-task-allow</key>
        <false/>
        <key>com.apple.security.network.client</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
    </dict>
    </plist>

We discovered that com.apple.developer.endpoint-security.client and com.apple.security.cs.allow-unsigned-executable-memory are in conflict. Currently, our approach is to download wasm files from the server to the local machine and load them dynamically at runtime, so we cannot package the wasm files into the Contents/Resources directory inside the app bundle. Could you please advise how to resolve this problem?
Topic: Code Signing SubTopic: Notarization Tags:
Nov ’25
Reply to How to use the WebAssembly (wasm) binary module in macos App
When I use the com.apple.security.cs.allow-unsigned-executable-memory entitlement, after notarization I get these errors when I launch the app:

    AMFI: When validating /Applications/xxxx.app/Contents/MacOS/xxx: Hardened Runtime relaxation entitlements disallowed on System Extensions
    mac_vnode_check_signature: /Applications/xxxx.app/Contents/MacOS/xxxx: code signature validation failed fatally: When validating /Applications/xxxx.app/Contents/MacOS/xxxx: Hardened Runtime relaxation entitlements disallowed on System Extensions
    ASP: Security policy would not allow process: 85453, /Applications/xxxx.app/Contents/MacOS/xxxx

By the way: We found that signing a wasm file writes the signature into the file’s extended attributes. In this case, when the wasm is loaded, is the memory considered to be signed?
Topic: Code Signing SubTopic: Notarization Tags:
Nov ’25
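
An added example, not code from either reply or from Apple: a pre-signing check in Python for the combination both replies describe, the Endpoint Security client entitlement sitting next to an enabled Hardened Runtime relaxation. It assumes every enabled com.apple.security.cs.* key counts as a relaxation; `find_conflicts` and `SAMPLE` are names made up here.

```python
import plistlib

# Constructed sample: the entitlements quoted above, trimmed to the relevant keys.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <false/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
</dict>
</plist>
"""

ES_CLIENT = "com.apple.developer.endpoint-security.client"
# Assumption: any key under this prefix is treated as a Hardened Runtime relaxation.
RELAXATION_PREFIX = "com.apple.security.cs."


def find_conflicts(plist_bytes):
    """Return enabled relaxation keys that accompany the Endpoint Security client entitlement."""
    ent = plistlib.loads(plist_bytes)
    if not isinstance(ent, dict):
        raise ValueError("entitlements plist must have a <dict> root")
    if ent.get(ES_CLIENT) is not True:
        return []  # no Endpoint Security client entitlement, nothing to flag
    # A relaxation key set to <false/> is not a relaxation, so only true values count.
    return sorted(k for k, v in ent.items()
                  if k.startswith(RELAXATION_PREFIX) and v is True)


if __name__ == "__main__":
    import sys
    # Read an entitlements file given on the command line, else the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    hits = find_conflicts(data)
    for key in hits:
        print(f"conflict: {key} is enabled together with {ES_CLIENT}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status lets a build step stop before signing and notarization when the combination is present.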