Hi all,
We have received our Endpoint Security Client entitlement for our application from Apple.
However, upon applying it and integrating it into our endpoint app, we encountered the following error during execution on the Big Sur beta:
Test Environment:
macOS Big Sur 11.0.1 Beta (SIP->ON)
System Log Error:
ASP: Security policy would not allow process: 1199, /Library/Application Support/test/bin/FamRTServicebig
/Library/Application Support/test/bin/FamRTServicebig signature not valid: -67050
Application (FamRTServicebig) Entitlements Config:
Executable=/Library/Application Support/test/bin/FamRTServicebig
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.developer.endpoint-security.client</key>
<true/>
<key>com.apple.security.app-sandbox</key>
<false/>
<key>com.apple.security.application-groups</key>
<array>
<string>realtime.scan</string>
</array>
<key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
<array>
<string>/</string>
</array>
<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
<array>
<string>/</string>
</array>
</dict>
</plist>
FamRTServicebig codesign options:
codesign --force --options runtime --deep --sign <cert> --entitlement /Path/FamRTService.entitlements /Path/FamRTServicebig
Questions:
By the way, when SIP is disabled, the program can run normally.
We have signed all our binaries with the same teamid.
What are the possible reasons which may have caused this problem?
Thanks in advance for your help.
FamRTService_big is a notarized ES client run as a daemon.
OK. In that case you will need to repackage it. ES clients must be signed with the com.apple.developer.endpoint-security.client entitlement and that entitlement must be allowlisted by the client’s provisioning profile. For a sysex that happens automatically; for a launchd daemon you have to jump through some hoops. See Packaging a Daemon with a Provisioning Profile for an explanation of those hoops.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
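The answer above hinges on one check: every restricted entitlement the daemon is signed with must be allowlisted by the provisioning profile packaged with it. The script below is an added example (not code from this thread, the questioner's product, or Apple) that performs that check offline. It takes the daemon's entitlements plist and the decoded profile payload as XML; on a real Mac those come from `codesign -d --entitlements :- /path/to/daemon` and `security cms -D -i /path/to/embedded.provisionprofile`. The sample plists, the team ID `ABCDE12345`, the bundle ID and the dates are all constructed for the example. For reference, the -67050 in the log is errSecCSReqFailed from the Security framework's CSCommon.h (the code failed to satisfy a code requirement), which is consistent with a restricted entitlement that no embedded profile vouches for.

```python
"""Check that a launchd daemon's restricted entitlements are allowlisted by the
provisioning profile packaged with it.

Added example, not code from the thread or from Apple. On a real Mac the inputs
come from:
    codesign -d --entitlements :- /path/to/daemon           # entitlements plist
    security cms -D -i /path/to/embedded.provisionprofile   # decoded profile plist
Both are constructed inline here so the check runs offline; team ID, bundle ID
and dates are made up.
"""
import datetime
import plistlib
from typing import List, Optional

ES_CLIENT = "com.apple.developer.endpoint-security.client"
APP_ID = "com.apple.application-identifier"
# Entitlements under this prefix are restricted: a profile must vouch for them.
RESTRICTED_PREFIX = "com.apple.developer."

# Constructed: what `codesign -d --entitlements :-` would print for the daemon.
DAEMON_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.developer.endpoint-security.client</key><true/>
  <key>com.apple.application-identifier</key><string>ABCDE12345.com.example.famrtservice</string>
  <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
</dict></plist>
"""

# Fixed "current time" values so the expiry check is deterministic.
SAMPLE_NOW = datetime.datetime(2021, 1, 1)
AFTER_EXPIRY = datetime.datetime(2040, 1, 1)


def profile_xml(allow_es: bool) -> bytes:
    """Constructed decoded profile payload; allow_es toggles the ES allowlist entry."""
    es_entry = ("<key>com.apple.developer.endpoint-security.client</key><true/>"
                if allow_es else "")
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Platform</key><array><string>OSX</string></array>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ExpirationDate</key><date>2031-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>com.apple.application-identifier</key><string>ABCDE12345.com.example.famrtservice</string>
    <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
    {es_entry}
  </dict>
</dict></plist>
""".encode()


def check_daemon_against_profile(entitlements: bytes, profile: bytes,
                                 now: Optional[datetime.datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the pairing looks valid."""
    ents = plistlib.loads(entitlements)
    prof = plistlib.loads(profile)
    allow = prof.get("Entitlements", {})
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    problems: List[str] = []

    # 1. The ES client entitlement must be on the binary itself.
    if ents.get(ES_CLIENT) is not True:
        problems.append(f"daemon is not signed with {ES_CLIENT}")

    # 2. The profile must be a macOS profile that has not expired.
    if "OSX" not in prof.get("Platform", []):
        problems.append("profile Platform does not include OSX")
    expiry = prof.get("ExpirationDate")
    if expiry is None or expiry < now:
        problems.append("profile is expired or has no ExpirationDate")

    # 3. Every restricted entitlement the daemon claims must be allowlisted with
    #    the same value. This catches a profile generated before the ES
    #    entitlement was added to the App ID.
    for key, value in ents.items():
        if key.startswith(RESTRICTED_PREFIX) and allow.get(key) != value:
            problems.append(f"{key} is not allowlisted by the profile")

    # 4. The application identifier must match. A wildcard profile may match
    #    on prefix, but a restricted entitlement needs an explicit App ID anyway.
    want = allow.get(APP_ID, "")
    have = ents.get(APP_ID, "")
    if want.endswith(".*"):
        if not have.startswith(want[:-1]):
            problems.append(f"{APP_ID} {have!r} does not match profile {want!r}")
    elif have != want:
        problems.append(f"{APP_ID} {have!r} does not match profile {want!r}")
    return problems


if __name__ == "__main__":
    for label, allow_es in (("profile with ES allowlist", True),
                            ("profile without ES allowlist", False)):
        result = check_daemon_against_profile(DAEMON_ENTITLEMENTS, profile_xml(allow_es), SAMPLE_NOW)
        print(f"{label}: {result or 'OK'}")
```

Run it against a real daemon by replacing the two constructed plists with the output of the two commands in the docstring; an empty result means the entitlements and the profile agree, and a non-empty one names the entitlement the profile does not vouch for, which is exactly the condition the answer says requires repackaging.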