endpoint security entitlement issue

Hello,

I want to create a daemon process that uses the Endpoint Security profile. I created this daemon and compiled it using Xcode in an app-like structure, the same as in the link below:

https://developer.apple.com/forums/thread/129596

It is signed with a developer profile with the Endpoint Security entitlement and has been notarized.

But when I run the application on the device it gives me an error,
and when I install the provisioning profile that I downloaded from the Apple developer site, the application works fine using launchctl.

Please suggest what I am doing wrong. Does anything need to be done for the provisioning profile to load on the macOS machine?
How can I deploy the application with the provisioning profile?
Thank you.

Answered by pratikpgharnikar in 661057022
IMPORTANT Make sure to load the job into the global context by running launchctl using sudo.

Yes. I am running the daemon by adding the plist job in /Library/LaunchDaemons through launchctl using sudo.

I packaged the daemon as an application and signed it with the Xcode manual signing process (filled in the details: Team, Bundle ID, Provisioning Profile...).
When I run my application on my development machine with the provisioning profile already installed in System Preferences > Profiles, the application runs fine, but when I remove the profile the application does not run.
I am using Xcode 12.3.

And my app structure is:
./sampleOnAccess.app/
./sampleOnAccess.app//Contents
./sampleOnAccess.app//Contents/_CodeSignature
./sampleOnAccess.app//Contents/_CodeSignature/CodeResources
./sampleOnAccess.app//Contents/MacOS
./sampleOnAccess.app//Contents/MacOS/sampleOnAccess
./sampleOnAccess.app//Contents/embedded.provisionprofile
./sampleOnAccess.app//Contents/Info.plist
./sampleOnAccess.app//Contents/PkgInfo

Are there any build settings I am missing in Xcode or for the provisioning profile?



but when i run application on device it gives me error

What do you mean by “application” in this context? If you’ve packaged a daemon as an application then you can’t just run it like an application. You still have to launch the daemon as a daemon, by configuring a launchd property list and then loading the job.

IMPORTANT Make sure to load the job into the global context by running launchctl using sudo. If you run the daemon directly from Terminal it ends up running in the user context (even if you use sudo) and that won’t work.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
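Quinn's point above (a daemon packaged as an app, loaded into the system domain with sudo launchctl rather than run from Terminal) as an added Python example that is not part of the thread or of Apple's sample code: it writes the launchd job description for the sampleOnAccess daemon and vets the things launchd and a security reviewer check before the file goes into /Library/LaunchDaemons. The label com.example.sampleOnAccess, the /Applications install path and the log path are assumptions for illustration.

```python
"""Build and vet a launchd job file for a daemon that ships inside an app
bundle. Added example, not from the thread or Apple's sample code; the label,
bundle path and log path are assumptions for illustration."""
import os
import plistlib
import stat

LAUNCH_DAEMONS_DIR = "/Library/LaunchDaemons"
LABEL = "com.example.sampleOnAccess"  # assumed label
EXECUTABLE = "/Applications/sampleOnAccess.app/Contents/MacOS/sampleOnAccess"  # assumed path


def build_daemon_plist(label: str, executable: str, keep_alive: bool = True) -> bytes:
    """Return the XML plist for a daemon that launchd starts at boot.

    No UserName key is set: launchd runs the job as root in the system
    domain, which is what an Endpoint Security client needs."""
    job = {
        "Label": label,
        "ProgramArguments": [executable],
        "RunAtLoad": True,
        "KeepAlive": keep_alive,
        "StandardErrorPath": f"/var/log/{label}.err",
    }
    return plistlib.dumps(job)


def check_daemon_plist(data: bytes, owner_uid: int, mode: int, path: str) -> list:
    """Return the reasons launchd, or a reviewer, would reject this job file.

    launchd refuses /Library/LaunchDaemons entries that are not owned by root
    or that are group/world-writable ("Path had bad ownership/permissions");
    such a file would also let a local user choose what runs as root."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # plistlib raises more than one error type
        return [f"not a valid plist: {exc}"]
    problems = []
    if not job.get("Label"):
        problems.append("missing Label")
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    if not args:
        problems.append("missing Program or ProgramArguments")
    elif not args[0].startswith("/"):
        problems.append(f"executable path must be absolute: {args[0]!r}")
    elif "/Contents/MacOS/" not in args[0]:
        problems.append("executable is not inside an app bundle, so there is nowhere "
                        "to embed the provisioning profile that authorises its entitlements")
    if not path.startswith(LAUNCH_DAEMONS_DIR + "/"):
        problems.append("job file must live in /Library/LaunchDaemons to run in the system domain")
    if owner_uid != 0:
        problems.append("job file must be owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("job file must not be group- or world-writable")
    return problems


def check_installed(path: str) -> list:
    """Vet a job file already on disk (meant to be run on the Mac itself)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        return check_daemon_plist(fh.read(), st.st_uid, stat.S_IMODE(st.st_mode), path)


if __name__ == "__main__":
    plist = build_daemon_plist(LABEL, EXECUTABLE)
    print(plist.decode())
    print(check_daemon_plist(plist, 0, 0o644, f"{LAUNCH_DAEMONS_DIR}/{LABEL}.plist") or "OK")
```

Install the file as root with mode 0644, then load it with `sudo launchctl bootstrap system /Library/LaunchDaemons/com.example.sampleOnAccess.plist` (the current spelling of the `launchctl load` used in the thread) and confirm it landed in the system domain with `sudo launchctl print system/com.example.sampleOnAccess`. Running the binary from Terminal, even under sudo, puts it in the user's domain, which is exactly what the IMPORTANT note warns against. Note also that an Endpoint Security client needs Full Disk Access approval in System Preferences before es_new_client will succeed; that is a separate gate from the entitlement and profile checks the rest of this thread is about.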



Are you sure that embedded.provisionprofile is a Developer ID provisioning profile?

You can confirm this by dumping the profile (command below) and looking for the ProvisionsAllDevices key.

% security cms -D -i sampleOnAccess.app/Contents/embedded.provisionprofile


Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Hi All,

I have read all these posts, and I have confirmed that I have the developer entitlement, and it is present in the provisioning profile. When I look at the console, I get a very confusing set of log entries:

21:57:40.918215+1030	debug	ConfigurationProfiles	ProvisioningProfiles	taskgated-helper	entitlements: {
    "com.apple.developer.endpoint-security.client" = 1;
    "com.apple.developer.team-identifier" = **********;
}
21:57:40.918256+1030	debug	ConfigurationProfiles	ProvisioningProfiles	taskgated-helper	codeInfoIdentifier: com.macrj.endpointapp.extension
21:57:40.918448+1030	error	ConfigurationProfiles	ProvisioningProfiles	taskgated-helper	com.macrj.endpointapp.extension: Unsatisfied entitlements: com.apple.developer.endpoint-security.client
21:57:40.918476+1030	error	ConfigurationProfiles	ProvisioningProfiles	taskgated-helper	Disallowing: com.macrj.endpointapp.extension

I have managed to overcome a lot of hurdles to get to this point, but this one is a little confusing; any assistance would be appreciated.

It looks like you’re claiming just two entitlements: com.apple.developer.endpoint-security.client and com.apple.developer.team-identifier. That won’t work, because there’s no way for the system to connect your claim to the provisioning profile that authorises that claim. To set up that connection you must also claim the com.apple.application-identifier entitlement.

For more background on how this works, see TN3125 Inside Code Signing: Provisioning Profiles.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you Quinn, for your assistance. The results of using the 'security cms' command to inspect the compiled binary are below.
I am unsure why macOS does not acknowledge them.

App

	<dict>
		<key>com.apple.developer.system-extension.install</key>
		<true/>
		<key>com.apple.developer.networking.networkextension</key>
		<array>
			<string>app-proxy-provider</string>
			<string>content-filter-provider</string>
			<string>packet-tunnel-provider</string>
			<string>dns-proxy</string>
			<string>dns-settings</string>
		</array>
		<key>com.apple.application-identifier</key>
		<string>5P65THB9R3.com.macrj.endpointapp</string>
		<key>keychain-access-groups</key>
		<array>
			<string>5P65THB9R3.*</string>
		</array>
		<key>com.apple.developer.team-identifier</key>
		<string>ZJ259UQ467</string>
		<key>com.apple.developer.endpoint-security.client</key>
		<true/>
	</dict>

Extension

	<dict>
		<key>com.apple.developer.usernotifications.time-sensitive</key>
		<true/>
		<key>com.apple.application-identifier</key>
		<string>5P65THB9R3.com.macrj.endpointapp.extension</string>
		<key>keychain-access-groups</key>
		<array>
			<string>5P65THB9R3.*</string>
		</array>
		<key>com.apple.developer.team-identifier</key>
		<string>ZJ259UQ467</string>
		<key>com.apple.developer.endpoint-security.client</key>
		<true/>
	</dict>

Further to my testing, I downloaded the sample code, added the new extension bundle ID to the view controller, added my team for code signing, selected the notify_demo.c file and compiled. I ran the app and installed the extension. I only made the changes required to compile. The same error comes up in the logs.

15:57:13.537163+1100	debug	ConfigurationProfiles	ProvisioningProfiles	taskgated-helper	codeInfoIdentifier: com.example.apple-samplecode.SampleEndpointAppZJ259UQ467.Extension
15:57:13.537476+1100	error	ConfigurationProfiles	ProvisioningProfiles	taskgated-helper	com.example.apple-samplecode.SampleEndpointAppZJ259UQ467.Extension: Unsatisfied entitlements: com.apple.developer.endpoint-security.client
15:57:13.537585+1100	error	ConfigurationProfiles	ProvisioningProfiles	taskgated-helper	Disallowing: com.example.apple-samplecode.SampleEndpointAppZJ259UQ467.Extension

I am unsure why macOS does not acknowledge them.

Because the system doesn’t know that this profile applies to your app. To tell it that, you have to sign your app with the com.apple.application-identifier entitlement. This allows the system to file your profile and use that to authorise your app’s entitlement claims. Likewise for your sysex.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn, I appreciate the assistance and your patience. And I apologise, but I am still missing something. I have checked (see replies above), and both the app and extension have the com.apple.application-identifier entitlement as per the instructions you gave above with security cms -D -i etc. This shows me that it has been signed with the application-identifier entitlement. Correct?

Additionally, I am trying to read the logs to further understand the problem. The logs are also showing the application-identifier entitlement. What else could be going wrong?

21:45:43.492074+1100	info	amfid	<Missing Description>	amfid	Entering OSX path for /Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension/Contents/MacOS/com.macrj.endpointapp.extension
21:45:43.492636+1100	debug	Security	dirval	amfid	entering /Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension
21:45:43.492700+1100	debug	Security	dirval	amfid	entering /Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension/Contents
21:45:43.492727+1100	debug	Security	dirval	amfid	leaving /Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension/Contents
21:45:43.492748+1100	debug	Security	dirval	amfid	leaving /Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension
21:45:43.492985+1100	debug	Security	unixio	amfid	open(/Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension/Contents/MacOS/com.macrj.endpointapp.extension,0x0,0x1b6) = 3
21:45:43.493027+1100	debug	Security	unixio	amfid	open(/Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension/Contents/MacOS/com.macrj.endpointapp.extension,0x0,0x1b6) = 4
21:45:43.493177+1100	debug	Security	machorep	amfid	6563 signing bytes in 5 blob(s) from /Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension/Contents/MacOS/com.macrj.endpointapp.extension(x86_64)
21:45:43.493227+1100	debug	Security	cfloadfile	amfid	failed to fetch /Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension/Contents/_CodeSignature/CodeRequirements-1 error=-10
21:45:43.495776+1100	debug	Security	unixio	amfid	open(/Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension/Contents/Info.plist,0x0,0x1b6) = 3
21:45:43.496146+1100	debug	Security	staticCode	amfid	0x7fbb6ee080f8 done serializing <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.application-identifier</key><string>ZJ259UQ467.com.macrj.endpointapp.extension</string><key>com.apple.developer.endpoint-security.client</key><true/><key>com.apple.developer.team-identifier</key><string>ZJ259UQ467</string><key>com.apple.security.get-task-allow</key><true/></dict></plist>
21:45:43.496210+1100	debug	Security	notarization	amfid	Extracting ticket from bundle: /Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension
21:45:43.496315+1100	debug	Security	cfloadfile	amfid	failed to fetch /Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension/Contents/_CodeSignature/CodeRepSpecific error=-10
21:45:43.496383+1100	debug	Security	cfloadfile	amfid	failed to fetch /Library/SystemExtensions/EFD29454-7AEC-43CF-85F6-6C189072A965/com.macrj.endpointapp.extension.systemextension/Contents/_CodeSignature/CodeTopDirectory error=-10
21:45:43.501909+1100	debug	ConfigurationProfiles	ProvisioningProfiles	taskgated-helper	entitlements: {
    "com.apple.developer.endpoint-security.client" = 1;
    "com.apple.developer.team-identifier" = ZJ259UQ467;
}
21:45:43.501959+1100	debug	ConfigurationProfiles	ProvisioningProfiles	taskgated-helper	codeInfoIdentifier: com.macrj.endpointapp.extension
21:45:43.502396+1100	debug	Network	connection	Core Sync	nw_endpoint_handler_add_write_request [C395 IPv4#902f09ec:443 ready parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, ipv6, dns)] connected_child_handles_requests 0
21:45:43.502233+1100	error	ConfigurationProfiles	ProvisioningProfiles	taskgated-helper	com.macrj.endpointapp.extension: Unsatisfied entitlements: com.apple.developer.endpoint-security.client
21:45:43.502265+1100	error	ConfigurationProfiles	ProvisioningProfiles	taskgated-helper	Disallowing: com.macrj.endpointapp.extension

I have checked (see replies above), and both the app and extension have the com.apple.application-identifier entitlement

Hmmm. I think I’ll need to see the full output from both your code signature and your profile. Please do this:

% codesign -d -vvv --entitlements - /path/to/your.systemextension
% security cms -D -i /path/to/your.systemextension/Contents/embedded.provisionprofile | plutil -p

and post the results.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks again Quinn. Here are the outputs.

micheal-laptop:SystemExtensions michealcumming$ codesign -d -vvv --entitlements - ./com.macrj.endpointapp.extension.systemextension/
Executable=/Applications/MDEndpointApp.app/Contents/Library/SystemExtensions/com.macrj.endpointapp.extension.systemextension/Contents/MacOS/com.macrj.endpointapp.extension
Identifier=com.macrj.endpointapp.extension
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=779 flags=0x10000(runtime) hashes=13+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=5466ea31139b1abd9b1d255065fada9a3b461cf4
CandidateCDHashFull sha256=5466ea31139b1abd9b1d255065fada9a3b461cf4c5fe9e0c9b4c6b39cb7aa4c9
Hash choices=sha256
CMSDigest=5466ea31139b1abd9b1d255065fada9a3b461cf4c5fe9e0c9b4c6b39cb7aa4c9
CMSDigestType=2
Launch Constraints:
	None
CDHash=5466ea31139b1abd9b1d255065fada9a3b461cf4
Signature size=4789
Authority=Apple Development: Micheal CUMMING (A234YBYRB9)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=15 Dec 2022 at 21:26:28
Info.plist entries=22
TeamIdentifier=ZJ259UQ467
Runtime Version=13.1.0
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=196
[Dict]
	[Key] com.apple.application-identifier
	[Value]
		[String] ZJ259UQ467.com.macrj.endpointapp.extension
	[Key] com.apple.developer.endpoint-security.client
	[Value]
		[Bool] true
	[Key] com.apple.developer.team-identifier
	[Value]
		[String] ZJ259UQ467
	[Key] com.apple.security.get-task-allow
	[Value]
		[Bool] true
micheal-laptop:SystemExtensions michealcumming$ 

and I could not make the plutil -p command work, so here is just the security output minus the data:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppIDName</key>
	<string>Xcode: Mac Wildcard AppID</string>
	<key>ApplicationIdentifierPrefix</key>
	<array>
	<string>ZJ259UQ467</string>
	</array>
	<key>CreationDate</key>
	<date>2022-12-12T06:08:48Z</date>
	<key>Platform</key>
	<array>
		<string>OSX</string>
	</array>
	<key>IsXcodeManaged</key>
	<true/>
	<key>DeveloperCertificates</key>
	<array>
		<data> ... </data>
	</array>

	<key>DER-Encoded-Profile</key>
	<data> ... </data>

	<key>Entitlements</key>
	<dict>
		<key>com.apple.application-identifier</key>
		<string>ZJ259UQ467.*</string>
		<key>keychain-access-groups</key>
		<array>
			<string>ZJ259UQ467.*</string>
		</array>
		<key>com.apple.developer.team-identifier</key>
		<string>ZJ259UQ467</string>
		<key>com.apple.developer.ubiquity-kvstore-identifier</key>
		<string>ZJ259UQ467.*</string>
		<key>com.apple.developer.ubiquity-container-identifiers</key>
		<array>
			<string>ZJ259UQ467.*</string>
		</array>
	</dict>
	<key>ExpirationDate</key>
	<date>2023-12-12T06:08:48Z</date>
	<key>Name</key>
	<string>Mac Team Provisioning Profile: *</string>
	<key>ProvisionedDevices</key>
	<array>
		<string>43A3B49E-BC46-5646-8303-9415F06497EA</string>
	</array>
	<key>TeamIdentifier</key>
	<array>
		<string>ZJ259UQ467</string>
	</array>
	<key>TeamName</key>
	<string>MACRJ PTY LIMITED</string>
	<key>TimeToLive</key>
	<integer>365</integer>
	<key>UUID</key>
	<string>349e3364-e1f0-46e3-8822-9bde3e0ba378</string>
	<key>Version</key>
	<integer>1</integer>
</dict>
</plist>
micheal-laptop:Contents michealcumming$ 

Hi Quinn,

Further to the above, I created a Developer ID Application certificate and signed the app and extension with it, and was hopeful that I had worked out where I was going wrong. However, it still has the same unsatisfied entitlements error disallowing the extension. And these profiles are installed on my Mac.

Executable=/Applications/MDEndpointApp.app/Contents/Library/SystemExtensions/com.macrj.endpointapp.extension.systemextension/Contents/MacOS/com.macrj.endpointapp.extension
Identifier=com.macrj.endpointapp.extension
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=779 flags=0x10000(runtime) hashes=13+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=9cacd40cb45bf4036e1764b6736f26eaf9dec721
CandidateCDHashFull sha256=9cacd40cb45bf4036e1764b6736f26eaf9dec72142c77f089b6387acf48edd4d
Hash choices=sha256
CMSDigest=9cacd40cb45bf4036e1764b6736f26eaf9dec72142c77f089b6387acf48edd4d
CMSDigestType=2
Launch Constraints:
	None
CDHash=9cacd40cb45bf4036e1764b6736f26eaf9dec721
Signature size=4676
Authority=Developer ID Application: MACRJ PTY LIMITED (ZJ259UQ467)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=18 Dec 2022 at 20:46:56
Info.plist entries=22
TeamIdentifier=ZJ259UQ467
Runtime Version=13.1.0
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=224
[Dict]
	[Key] com.apple.application-identifier
	[Value]
		[String] 5P65THB9R3.com.macrj.endpointapp.extension
	[Key] com.apple.developer.endpoint-security.client
	[Value]
		[Bool] true
	[Key] com.apple.developer.team-identifier
	[Value]
		[String] ZJ259UQ467
	[Key] com.apple.security.get-task-allow
	[Value]
		[Bool] true
micheal-laptop:MDEndpointApp.app michealcumming$ 

and

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppIDName</key>
	<string>Endpoint Extension</string>
	<key>ApplicationIdentifierPrefix</key>
	<array>
	<string>5P65THB9R3</string>
	</array>
	<key>CreationDate</key>
	<date>2022-12-18T09:34:05Z</date>
	<key>Platform</key>
	<array>
		<string>OSX</string>
	</array>
	<key>IsXcodeManaged</key>
	<false/>
	<key>DeveloperCertificates</key>
	<array>
		<data>...</data>
	</array>

	<key>DER-Encoded-Profile</key>
	<data>...</data>

	<key>Entitlements</key>
	<dict>
		<key>com.apple.developer.usernotifications.time-sensitive</key>
		<true/>
		<key>com.apple.application-identifier</key>
		<string>5P65THB9R3.com.macrj.endpointapp.extension</string>
		<key>keychain-access-groups</key>
		<array>
			<string>5P65THB9R3.*</string>
		</array>
		<key>com.apple.developer.team-identifier</key>
		<string>ZJ259UQ467</string>
		<key>com.apple.developer.endpoint-security.client</key>
		<true/>
	</dict>
	<key>ExpirationDate</key>
	<date>2040-12-13T09:34:05Z</date>
	<key>Name</key>
	<string>EndpointApp Extension Developer ID Profile</string>
	<key>ProvisionsAllDevices</key>
	<true/>
	<key>TeamIdentifier</key>
	<array>
		<string>ZJ259UQ467</string>
	</array>
	<key>TeamName</key>
	<string>MACRJ PTY LIMITED</string>
	<key>TimeToLive</key>
	<integer>6570</integer>
	<key>UUID</key>
	<string>199da2dc-655d-4aa5-b4bb-510409427b39</string>
	<key>Version</key>
	<integer>1</integer>
</dict>
</plist>
micheal-laptop:MDEndpointApp.app michealcumming$ 

I could not make the plutil -p command work

The -p option is new (in macOS 13, IIRC). On older systems I use this alias:

% alias plcat
plcat='plutil -convert xml1 -o -'

Consider this output from your profile:

<key>com.apple.application-identifier</key>
<string>ZJ259UQ467.*</string>

This is a wildcard profile. Additional capabilities only work for a profile generated from an explicit App ID, because you apply the capability to the App ID itself and that flows through to the profile.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
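The checks Quinn walks through in this thread (dump the profile with `security cms -D -i`, dump the signature with `codesign -d --entitlements`, confirm the code claims com.apple.application-identifier, confirm the profile is a Developer ID profile with ProvisionsAllDevices rather than a wildcard development profile, and confirm every restricted entitlement the code claims is granted by the profile) as one added Python example. This is not Apple's tooling and not code from the thread; it parses the same XML plist `security cms -D -i` prints and an entitlements dict of the kind `codesign -d --entitlements - --xml` prints (on older systems `codesign -d --entitlements :-`), both fed in here as constructed samples with placeholder team and bundle IDs. Which keys count as profile-gated is an assumption stated in the code; Apple's real list of restricted entitlements is longer.

```python
"""Check an app's claimed entitlements against the provisioning profile that
must authorise them. Added example, not Apple tooling. The profile XML is the
form `security cms -D -i embedded.provisionprofile` prints; the entitlements
dict is what `codesign -d --entitlements - --xml` prints, after plistlib.loads().
All identifiers below are constructed placeholders, not the thread's values."""
import fnmatch
import plistlib

# Assumption for this example: these keys plus everything under
# com.apple.developer.* can only be authorised by a profile. Apple's actual
# list of restricted entitlements is longer and is not reproduced here.
PROFILE_GATED_KEYS = (
    "com.apple.application-identifier",
    "com.apple.developer.team-identifier",
    "keychain-access-groups",
)

# Constructed wildcard, Xcode-managed development profile (no ES capability).
WILDCARD_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ApplicationIdentifierPrefix</key><array><string>TEAM123456</string></array>
  <key>Entitlements</key><dict>
    <key>com.apple.application-identifier</key><string>TEAM123456.*</string>
    <key>keychain-access-groups</key><array><string>TEAM123456.*</string></array>
    <key>com.apple.developer.team-identifier</key><string>TEAM123456</string>
  </dict>
  <key>ProvisionedDevices</key><array><string>00000000-0000-0000-0000-000000000000</string></array>
  <key>TeamIdentifier</key><array><string>TEAM123456</string></array>
</dict></plist>"""

# Constructed Developer ID profile for an explicit App ID with the ES capability.
DEVELOPER_ID_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ApplicationIdentifierPrefix</key><array><string>TEAM123456</string></array>
  <key>Entitlements</key><dict>
    <key>com.apple.application-identifier</key>
    <string>TEAM123456.com.example.endpointapp.extension</string>
    <key>keychain-access-groups</key><array><string>TEAM123456.*</string></array>
    <key>com.apple.developer.team-identifier</key><string>TEAM123456</string>
    <key>com.apple.developer.endpoint-security.client</key><true/>
  </dict>
  <key>ProvisionsAllDevices</key><true/>
  <key>TeamIdentifier</key><array><string>TEAM123456</string></array>
</dict></plist>"""

# Constructed: what codesign reports for the system extension.
EXTENSION_ENTITLEMENTS = {
    "com.apple.application-identifier": "TEAM123456.com.example.endpointapp.extension",
    "com.apple.developer.endpoint-security.client": True,
    "com.apple.developer.team-identifier": "TEAM123456",
    "com.apple.security.get-task-allow": True,  # debug-only, not profile-gated
}


def load_profile(profile_xml: bytes) -> dict:
    return plistlib.loads(profile_xml)


def profile_kind(profile: dict) -> str:
    """Developer ID profiles carry ProvisionsAllDevices; development ones list devices."""
    if profile.get("ProvisionsAllDevices"):
        return "developer-id"
    return "development" if profile.get("ProvisionedDevices") else "unknown"


def is_profile_gated(key: str) -> bool:
    return key in PROFILE_GATED_KEYS or key.startswith("com.apple.developer.")


def value_allowed(claimed, granted) -> bool:
    """True if the profile's value covers the claimed one (bools, globs, lists of globs)."""
    if isinstance(granted, bool):
        return granted or not claimed
    if isinstance(granted, str):
        return isinstance(claimed, str) and fnmatch.fnmatchcase(claimed, granted)
    if isinstance(granted, list):
        items = claimed if isinstance(claimed, list) else [claimed]
        return all(isinstance(c, str) and any(fnmatch.fnmatchcase(c, g) for g in granted)
                   for c in items)
    return claimed == granted


def check_entitlements(entitlements: dict, profile: dict) -> list:
    """Return every reason this profile cannot authorise these entitlement claims."""
    problems = []
    granted = profile.get("Entitlements", {})
    wildcard = str(granted.get("com.apple.application-identifier", "")).endswith(".*")
    app_id = entitlements.get("com.apple.application-identifier")
    if app_id is None:
        problems.append("code does not claim com.apple.application-identifier, so the "
                        "system cannot connect it to this or any other installed profile")
    elif app_id.split(".", 1)[0] not in profile.get("ApplicationIdentifierPrefix", []):
        problems.append(f"App ID prefix of {app_id!r} is not this profile's prefix")
    if entitlements.get("com.apple.developer.team-identifier") not in profile.get("TeamIdentifier", []):
        problems.append("team identifier does not match the profile's team")
    for key, value in entitlements.items():
        if not is_profile_gated(key):
            continue  # e.g. get-task-allow, sandbox and hardened-runtime keys
        if key not in granted:
            note = (" (wildcard profile: capabilities only flow from an explicit App ID)"
                    if wildcard and key.startswith("com.apple.developer.") else "")
            problems.append(f"unsatisfied entitlement: {key}{note}")
        elif not value_allowed(value, granted[key]):
            problems.append(f"{key}: claimed {value!r} not covered by profile value {granted[key]!r}")
    return problems
```

Run against the two constructed profiles, the same extension entitlements pass with the Developer ID profile and fail with the wildcard profile on exactly the key taskgated-helper names in the logs above, com.apple.developer.endpoint-security.client, because a wildcard App ID cannot carry that capability. On a real Mac, save the two dumps to files, load them with plistlib, and call check_entitlements on the result; also compare the profile's UUID against what is installed under /Library/SystemExtensions and in System Preferences > Profiles, since the system only files profiles it can match to a claimed App ID.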
