How to handle System Extension willCompleteAfterReboot
Hi, I want some advice on how to handle the OSSystemExtensionRequest.Result.willCompleteAfterReboot on my app. I have noticed that on some users' Macs, when they update and the new System Extension is loaded, the old one is deactivated and the new one is activated but does not start. It will only start after a reboot. Is there a way to avoid this so I don't have to force dozens of users in my organization to reboot after every update to my system extension?

When I execute the command to list the extensions this is what I see. The new one is activated but it does not boot.

    --- com.apple.system_extension.network_extension
    enabled  active  teamID      bundleID (version)                  name   [state]
                     1231231231  com.organization.app.MyApp (2.0/1)  MyApp  [terminated waiting to uninstall on reboot]
    *        *       1231231231  com.organization.app.MyApp (2.1/1)  MyApp  [activated enabled]
Replies
3
Boosts
0
Views
1.5k
Activity
Jul ’21
System Extension Active and Enabled but not running
Hi, I am developing a Network Extension for macOS that runs constantly on my system. When I have a new update to release, the extension downloads the pkg installer into the /tmp directory and executes it with

    sudo installer -pkg /tmp/installer.pkg -target /

I have noticed that on some systems, mainly Catalina, when the installer is executed the extension is replaced and activated but the process never launches, and after this happens I can't find a way to launch it aside from having the users reboot.

    --- com.apple.system_extension.network_extension
    enabled  active  teamID      bundleID (version)               name   [state]
                     9A63A32J6B  com.company.myapp.Agent (2.0/1)  Agent  [terminated waiting to uninstall on reboot]
    *        *       9A63A32J6B  com.company.myapp.Agent (2.1/1)  Agent  [activated enabled]

As you can see it does say enabled and activated so I do not know what could be happening.
Replies
3
Boosts
0
Views
2k
Activity
Feb ’22
Parent Audit Token from Audit Token
Hi, I am developing an Endpoint Security extension and I would like to get the full list of processes that ended up calling the process I receive in an event. For example, if I receive an es_process_t I have this process's audit token; I would like to get the parent's audit token and then the parent's parent token and so on till I get the full list of processes. I hope I made myself clear :)
Replies
0
Boosts
0
Views
979
Activity
Oct ’21
Get struct attribute by name(string) in Swift
Hi, I was wondering if there is something similar to NSObject's value(forKey:) for structs. I need to get a struct's attribute by name and I don't want to turn my structs into classes, inherit from NSObject and use @objc in my attributes as I think it doesn't look good. I also read that you can use Mirror and use the children property to iterate the attributes, but given that performance is important in my case it doesn't look like a good option. Any help would be appreciated, thanks!
Replies
1
Boosts
0
Views
1.9k
Activity
Dec ’22
Detecting malware through Machine Learning
Hello, I wanted to hear some opinions on this problem I want to tackle. Currently at my job we have an Endpoint Security sysext app (Swift) deployed on 10k+ Macs and we are using a custom rule engine we developed to run some rules on the events received by the app. These rules are downloaded by the app. This works great but we wanted to dive into the world of ML and try to use it to detect more complex malware that may be more difficult to detect using rules. We thought of two options to approach this:

1. Periodically collect events from all Macs and send them to an API to be stored somewhere and perform the training in the cloud.
2. Somehow, maybe using the ML frameworks provided in Swift, train the model IN the device rather than in the cloud.

I know this is a very broad question but I just wanted to hear some suggestions. Thanks in advance.
Replies
2
Boosts
0
Views
1.4k
Activity
Mar ’23
Notification when forced UserDefaults change
Hi, I was wondering if it was possible to get a notification when there is a change to the forced defaults that my app uses. These forced defaults are sent via MDM using the com.apple.ManagedClient.preferences payload type. I've seen that UserDefaults.didChangeNotification is available but it only works if the change is made from inside the app and not if the payload gets updated by the MDM.

    import Foundation

    class MySettings {
        private let defaults = UserDefaults(suiteName: "com.myapp.app.mysettings")

        init() {
            // Somehow register for notifications
        }

        func defaultsChanged() {
            // This would be called when the defaults change
        }
    }
Replies
0
Boosts
0
Views
610
Activity
Oct ’23
Remove "copy cursor" when dragging a view in SwiftUI
Hi, I'm new to SwiftUI and I'm trying to implement some drag and drop functionality for some tabs in my application. I'm using .draggable(_) and .dropDestination for this and the issue I have is that as I drag the view, the mouse cursor changes to the copy cursor with the green plus sign and I don't like it but I can't figure out how to avoid it. Any help would be appreciated.
Replies
1
Boosts
0
Views
87
Activity
Apr ’25
NEFilterSocketFlow remoteHostname property
Hi, I was wondering about the remoteHostname property of NEFilterSocketFlow that is available on macOS 11.0+. I have been doing some tests and I can never seem to get a value; it is always nil. I am looking at all flows from all apps. In what cases will this property show up?
Replies
3
Boosts
0
Views
897
Activity
May ’21
Get all Domain names in macOS?
Hi, I want to get all domain names that my Mac queries. I think that NEDNSProxyProvider might be useful but I don't want to handle the flows and redirect them; I only want the domain names for logging purposes. Can this be done?
Replies
6
Boosts
0
Views
1.9k
Activity
Jun ’21
Differentiate between activationRequest and deactivationRequest
Hi, how could I tell in my OSSystemExtensionRequestDelegate if the request I receive is either an activation request or a deactivation one?

    func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) {
        guard result == .completed else {
            return
        }
        // Take different actions depending on activation/deactivation
    }
Replies
2
Boosts
0
Views
1.1k
Activity
Jul ’21
XPC Connection error
Hi, I am trying to implement XPC between my helper app and my network extension. It is giving me this error when I try to get the remoteObjectProxyWithErrorHandler:

    Error Domain=NSCocoaErrorDomain Code=4097 "connection to service on pid 0 named 9A48B11J6J.com.myapp.app.Extension" UserInfo={NSDebugDescription=connection to service on pid 0 named 9A48B11J6J.com.myapp.app.Extension}

Why could this be happening?
Replies
1
Boosts
0
Views
2k
Activity
Jul ’21
Opendirectoryd generating inbound traffic?
I have developed a Content Filter NE and I am seeing some flows that I don't understand, so I wanted to check if I am interpreting them correctly.

    # Example Flow
    bundle id: com.apple.opendirectoryd
    localEndpoint.hostname: My mac's IP
    localEndpoint.port: 55408
    remoteEndpoint.hostname: Domain controller IP
    remoteEndpoint.port: 389
    direction: inbound

Looking at that flow, what I understand is that the Domain Controller is generating traffic to my Mac. Is this correct? I ask this because I thought DCs couldn't directly initiate a connection to a Mac. I get this flow when trying to join my Mac to the AD.
Replies
2
Boosts
0
Views
1.3k
Activity
Jul ’21
Code Directory Hash from Audit Token
Hi, I was wondering how I could get the code directory hash string of an app given its audit token. I would like to do this in Swift. Thanks.
Replies
1
Boosts
0
Views
891
Activity
Nov ’21
es_process_t cdhash to String in Swift
Hi, could someone help me convert the cdhash property from es_process_t to a String in Swift? Thanks.

    var cdhash: (UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8)
Replies
2
Boosts
0
Views
1.1k
Activity
Dec ’21
Monitor keychain certificate export
Hi, I was wondering if there is a way to monitor if a certificate is exported from the keychain, either by using some of the APIs Endpoint Security provides or using another method. Thanks.
Replies
2
Boosts
0
Views
1.2k
Activity
May ’22