Thanks, Quinn! Yes, the executable is correctly entitled, has hardened runtime and no exceptions. Here is what I see in the console when i try to execute it from the terminal: amfid /Library/Application Support/Path/to/executable signature not valid: -67050 kernel proc 24873: load code signature error 4 for file “executable" kernel ASP: Security policy would not allow process: 24873, /Library/Application Support/Path/to/executable And the rest is a crash report generation which contains only this: Process:							 executable [24873] Path:									/Library/Application Support/Path/*/executable Identifier:						executable Version:							 ??? Code Type:						 X86-64 (Native) Parent Process:				??? [24872] Responsible:					 Terminal [20782] User ID:							 0 Date/Time:						 2020-10-09 19:38:06.356 -0700 OS Version:						Mac OS X 10.16 (20A5384c) Report Version:				12 Anonymous UUID:				BE0CE7B3-DC87-D815-8080-E239397792B1 Sleep/Wake UUID:			 4FC733F9-E1AF-4E83-A763-D37E3DB3757C Time Awake Since Boot: 97000 seconds System Integrity Protection: enabled Crashed Thread:				Unknown Exception Type:				EXC_CRASH (Code Signature Invalid) Exception Codes:			 0x0000000000000000, 0x0000000000000000 Exception Note:				EXC_CORPSE_NOTIFY Termination Reason:		Namespace CODESIGNING, Code 0x1 kernel messages: Backtrace not available Unknown thread crashed with X86 Thread State (64-bit): 	rax: 0x0000000000000000	rbx: 0x0000000000000000	rcx: 0x0000000000000000	rdx: 0x0000000000000000 	rdi: 0x0000000000000000	rsi: 0x0000000000000000	rbp: 0x0000000000000000	rsp: 0x00007ffedfe50c30 	 r8: 0x0000000000000000	 r9: 0x0000000000000000	r10: 0x0000000000000000	r11: 0x0000000000000000 	r12: 0x0000000000000000	r13: 0x0000000000000000	r14: 0x0000000000000000	r15: 0x0000000000000000 	rip: 0x000000011699e000	rfl: 0x0000000000000200	cr2: 0x0000000000000000 	 Logical CPU:		 0 Error Code:			0x00000000 Trap Number:		 0 Unknown thread instruction stream not available. Unknown thread last branch register state not available. Binary images description not available External Modification Summary: 	Calls made by other processes targeting this process: 		task_for_pid: 0 		thread_create: 0 		thread_set_state: 0 	Calls made by this process: 		task_for_pid: 0 		thread_create: 0 		thread_set_state: 0 	Calls made by all processes on this machine: 		task_for_pid: 6832793 		thread_create: 0 		thread_set_state: 0 I believe the following has some relevance to the issue. The executable is built and signed using macOS 10.11 SDK with minimum supported version macOS 10.7, so the signature contains both SHA-1 and SHA-256 entries. There are 2 processes launched from the binary, not sure how python implemented that, but the parent process might be fork()-ing itself in order to run interpreter or something like that ( Process: executable [24873] Parent Process: ??? [24872] Responsible: Terminal [20782]). and that's the child process is being killed. Could that be an issue ? And if so, is there any way to make OS accept it for launch? Any input greatly appreciated!

I have tried this on macOS 11.0 Beta 9 but the same behaviour is observed on 10.15.6 Catalina as well.

Yes I am running it from Terminal with SIP disabled. And if the container is written in C/C++/Obj-C, everything works. However if the container is a compiled python tool then it doesn't even get to run anything. It is killed on start-up! When i removed "endpoint-security" entitlement, the python tool is running but (apparently because of the lack of the entitlement) is failing to create es_client. Any ideas?

Thanks Quinn, Here is the crash log for python compiled and packaged as a daemon according to your other post https://developer.apple.com/forums/thread/129596 ES client. HelloWorld_2020-11-23-113814_my-Mac.crash - https://developer.apple.com/forums/content/attachment/a54191ff-28eb-460d-b0b5-876d7431b205 If I remove the endpoint-security entitlement then it loads without crash but apparently is not able to create ES client.

Thank you so much, Quinn, appreciate the hints

sudo profiles show -type enrollment

so on the computers that works ManagedClient logs 2 more lines which do not appear on the failing machines. Below is the output from a working machine. The last 2 lines do not appear in the ManagedClient logs from the failing machine. MCXCCacheGraph seems to be related to the reading from the cache which contain our settings but are not populated to /Managed Preferences/ 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.290523-0800 MCX_ConfigCoreData.profilesForAllUsersAsCPProfile return zero configuration profiles. 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.291013-0800 MCX recomposite prefs for user 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.291135-0800 MCX.hasProfileConfigInfoForUser checking installed configuration profiles... 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.291172-0800 MCX_ConfigCoreData.profilesForUserAsCPProfile COMPUTER profiles 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.291379-0800 MCX_ConfigCoreData.profilesForUserAsCPProfile return zero profiles. 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.291410-0800 MCX.hasProfileProvisioningInfo checking installed provisioning profiles... 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.291418-0800 MCX_ConfigCoreData.profilesForAllUsersAsCPProfile ALL provisioning profiles 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.291451-0800 MCX_ConfigCoreData.cp_profilesForPredicate executeFetchRequest returned objects = 0 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.291475-0800 MCX_ConfigCoreData.profilesForAllUsersAsCPProfile return zero provisioning profiles. 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.301601-0800 MCX_ConfigCoreData.profilesForUserAsCPProfile COMPUTER profiles 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.301655-0800 MCX_ConfigCoreData.profilesForUserAsCPProfile return zero profiles. **3135: 0x7a09 ManagedClient ManagedClient 12:29:11.921744-0800 3135: 0x7a09 ManagedClient ManagedClient 12:29:11.921757-0800 MCX.getComputerInfoFromStartup: MCXCCacheGraph() == -2 ()** Any idea why the cache is skipped and how to make MCX look into the cached settings?