My enterprise app requires a launch daemon that provides services to support my Security agent plugin. I bundle everything in an App and install using AirWatch. This all used to work until something changed, either AirWatch or the MacOS version. Now the install fails because my SMAppService instance returns an error when .register is called: Error Domain=SMAppServiceErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedFailureReason=Operation not permitted} If I install by opening my installer package as a user, the install always succeeds. The app is an enterprise app and is not distributed through the App Store. The app also installs a security extension. The security extension is installed and activated before any calls to SMAppService. I can't figure out what has changed in the last few months that would cause the error, or how to fix this. Any help or pointers would be appreciated.

The same code built in a regular Mac app (with UI) does get paired. The characteristic properties are [.read, .write, .notify, .notifyEncryptionRequired] The characteristic permissions are [.readEncryptionRequired, .writeEncryptionRequired] My service is primary. In the iOS app (central) I try to read the characteristic, but an error is reported: Error code: 5, Description: Authentication is insufficient.

Is this even possible? Instead of any pairing dialog appearing, my central code get the "Authentication is insufficient" error when reading the characteristic. My peripheral (in the macOS app) code uses the .notifyEncryptionRequired property and uses .readEncryptionRequired and .writeEncryptionRequired permissions. No descriptors are set, but I think they get added automatically since this characteristic notifies. 2900 and 2902 descriptors are set by the peripheral/CoreBluetooth. If the Mac and iPhone are using the same Apple ID does that affect pairing?

The SecurityPrivacyExtension crashes after 5-10 seconds. The tccd process also crashes frequently. Anyone else have this issue? My Mac is managed.

Testing my security agent plugin on Tahoe and find that when unlocking the screen, I now get an extra window that pops up over the SFAuthorizationPluginView that says "macOS You must enter a password to unlock the screen" with a Cancel (enabled) and OK button (disabled). See the attached photo. This is new with Tahoe. When unlocking the screen, I see the standard username and password entry view and I enter my password and click OK. That is when this new view appears. I can only click cancel so there is no way to complete authenticating.

Either processInfo.hostName should return the same info as UIDevice.name ("iPhone") or it should require the same entitlement that UIDevice.name does to return the actual result. If processInfo.hostName is intended to return the local Bonjour name, why does it need 'local network' permission? Why isn't the 'local network' permission documented for processInfo.hostName as this is hard to track down? Tested on iOS 18.5

I am having difficulty getting my container app with an embedded endpoint security extension to work on a virtual Mac. My virtual Mac has system integrity protection turned off. I have used spctl and System Settings to allow applications from anywhere. I am using the development entitlement profile to sign my container app. When I run my app, it crashes with Termination Reason: COODESIGNING 1 Taskgated Invalid Signature. I assume this has to do with the app being signed with my developer profile that contains a list of Macs that can run the software. How can test my endpoint security extension on a virtual Mac?

My question is: Do I need two App IDs? One for my launch daemon in order to sign it properly, allowing it to use the Endpoint Security framework. One for the container app. My understanding is that my existing launch daemon can perform the endpoint security requirements I need. So far, I have had just one App ID for my container app that lives in /Applications. I have applied for the endpoint security restricted entitlement and have this for development now. Do endpoint security items have go in Library/SystemExtension? Can my launch daemon live in Library/LaunchDaemons and still use the Endpoint Security framework?

Is this always possible using systemextensionsctl by root? Is there a way to prevent root from removing an Endpoint Security Extension? The use case is for a Mac managed by AirWatch.

I am using SFAuthorizationPluginView in my Security agent plugin. My code expects that its willActivate method be called. With normal screensaver unlock, this works fine. However if I enter an invalid password, then enter the correct password, I never get the willActivate call. I have reproduced this with Quinn's LoginUIAuthPlugin from the QAuthPlugins example code. My mechanisms look like this with LoginUIAuthPlugin: mechanisms HyprAuthPlugin:invoke builtin:authenticate,privileged PKINITMechanism:auth,privileged LoginUIAuthPlugin:login CryptoTokenKit:login I would like to be able to get my plugin working properly when the user had previously entered an invalid password.

Since this file is protected by SIP, it can't just be changed by an installer/app without prompting the user. If the user chooses to deny the request, the sudo file won't be updated with a security critical pam module. I need to insert our custom pam module into /etc/pam.d/sudo without the user being able to deny the operation.

There does not seem to be a way to code sign a PAM module so that an XPC service can verify the signature with setCodeSigningRequirement. There should be a way to build a PAM module (dynamic Library ) so it can be code signed. Put in a bundle and code signing the bundle does not work .

I've tried getting LAContext and checking it, but it says it canEvaluatePolicy returns false for any biometric policy.

I have a security agent plugin that uses NSXPCConnection to communicate with a launch daemon. This works well, but I want to make sure the launch daemon has not been compromised. I added code to call setCodeSigningRequirement in my module that handles the client side of the NSXPCConnection. However, when used in the security agent plugin, remoteObjectProxyWithErrorHandler reports an error NSCocoaErrorDomain Code=4102 "The code signature requirement failed." If I call my xpc module from a test application, I do not receive an error and everything works as expected. I have tried different code signing requirements. Even with just "anchor apple generic" I still get the error. The console log shows two entries of interest com.apple.SecurityAgentHelper.arm64 default 09:13:29.677567-0500 SecurityAgentHelper-arm64 EOGSecurityServiceClient biometricAuthorization remote proxy error: Error Domain=NSCocoaErrorDomain Code=4102 "The code signature requirement failed." UserInfo={NSDebugDescription=The code signature requirement failed.}

Issue happens with system.login.screensaver. After my SFAuthorizationPluginView sets a result allowing login, my view remains on screen for about eight seconds. What makes my view disappear? I notice that my plugin mechanism just gets a destroy call.