Run SampleEndpointApp but got Automatic signing failed

I downloaded SampleEndpointApp and configured Signing & Capabilities -> Team as my developer ID. Xcode created a profile for the bundle identifier automatically. However, the project build still failed on signing. What's the reason for that? How can I resolve it?

Answered by DTS Engineer in 840228022

You're talking about the Monitoring System Events with Endpoint Security sample code, right?

If so, note that it relies on the com.apple.developer.endpoint-security.client entitlement, which is controlled by a managed capability. That is, it’s a capability where you must request access from Apple. The link in the docs explains how to do that.

If your team doesn’t have this additional capability then you won’t be able to build and run the sample in the standard way. You’ll need to disable automatic signing in Xcode and use manual signing instead. And when it comes to testing, you’ll need to disable SIP and take additional steps beyond that. See this post for details.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, I'm trying to run "Monitoring System Events with Endpoint Security sample code". By now, I have disabled automatic signing in Xcode and used my private profile generated on the Apple site, and it built successfully. I read through this post, deleted both entitlements files for the app and the extension, and codesigned them. Then I got an error like this:

Failed to install the extension ❌ Invalid extension configuration in Info.plist and/or entitlements: does not appear to belong to any extension categories.

codesign -d --entitlements :- "/Applications/SampleEndpointApp.app"

Executable=/Applications/SampleEndpointApp.app/Contents/MacOS/SampleEndpointApp
warning: Specifying ':' in the path is deprecated and will not work in a future release
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.application-identifier</key>
	<string>RKJVFVKFG3.com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3</string>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
	<key>com.apple.developer.team-identifier</key>
	<string>RKJVFVKFG3</string>
	<key>com.apple.security.files.user-selected.read-only</key>
	<true/>
	<key>com.apple.security.get-task-allow</key>
	<true/>
</dict>
</plist>

codesign -d --entitlements :- "/Applications/SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension"

Executable=/Applications/SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension
warning: Specifying ':' in the path is deprecated and will not work in a future release
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.application-identifier</key>
	<string>RKJVFVKFG3.com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension</string>
	<key>com.apple.developer.team-identifier</key>
	<string>RKJVFVKFG3</string>
	<key>com.apple.security.get-task-allow</key>
	<true/>
</dict>
</plist>

Your sysex still needs to claim the com.apple.developer.endpoint-security.client entitlement. Under normal circumstances that claim would need to be authorised by a provisioning profile, but that’s not what you’re aiming for in this case.

Unfortunately, Xcode is being too smart here. If you claim the entitlement and that claim isn’t backed by a profile, Xcode refuses to build. Specifically, it shows the errors:

Provisioning profile "xyz" doesn't support the Endpoint Security capability.

Provisioning profile "xyz" doesn't include the com.apple.developer.endpoint-security.client entitlement.

It’s trying to protect you from a common error, but it doesn’t realise you have other plans )-:

I’m not aware of a good way around this. Most folks working on ES build outside of Xcode, and thus don’t encounter these roadblocks.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@DTS Engineer Could you please provide some example for how to build the project out of Xcode?

Hello Eskimo, by now I have built outside of Xcode successfully and code signed by command, but it still failed.

SampleEndpointApp Info.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>CFBundleDevelopmentRegion</key>
	<string>$(DEVELOPMENT_LANGUAGE)</string>
	<key>CFBundleExecutable</key>
	<string>$(EXECUTABLE_NAME)</string>
	<key>CFBundleIconFile</key>
	<string></string>
	<key>CFBundleIdentifier</key>
	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
	<key>CFBundleInfoDictionaryVersion</key>
	<string>6.0</string>
	<key>CFBundleName</key>
	<string>$(PRODUCT_NAME)</string>
	<key>CFBundlePackageType</key>
	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
	<key>CFBundleShortVersionString</key>
	<string>1.0</string>
	<key>CFBundleVersion</key>
	<string>1</string>
	<key>LSMinimumSystemVersion</key>
	<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
	<key>NSHumanReadableCopyright</key>
	<string>Copyright © 2020 Apple. All rights reserved.</string>
	<key>NSMainStoryboardFile</key>
	<string>Main</string>
	<key>NSPrincipalClass</key>
	<string>NSApplication</string>
	<key>NSSupportsAutomaticTermination</key>
	<true/>
	<key>NSSupportsSuddenTermination</key>
	<true/>
</dict>
</plist>

Extension Info.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>CFBundleDevelopmentRegion</key>
	<string>$(DEVELOPMENT_LANGUAGE)</string>
	<key>CFBundleDisplayName</key>
	<string>Extension</string>
	<key>CFBundleExecutable</key>
	<string>$(EXECUTABLE_NAME)</string>
	<key>CFBundleIdentifier</key>
	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
	<key>CFBundleInfoDictionaryVersion</key>
	<string>6.0</string>
	<key>CFBundleName</key>
	<string>$(PRODUCT_NAME)</string>
	<key>CFBundlePackageType</key>
	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
	<key>CFBundleShortVersionString</key>
	<string>1.0</string>
	<key>CFBundleVersion</key>
	<string>1</string>
	<key>LSMinimumSystemVersion</key>
	<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
	<key>NSHumanReadableCopyright</key>
	<string>Copyright © 2020 Apple. All rights reserved.</string>
	<key>NSSystemExtensionUsageDescription</key>
	<string></string>
    
<!--    <key>NSExtension</key>-->
<!--    <dict>-->
<!--        <key>NSExtensionPointIdentifier</key>-->
<!--        <string>com.apple.endpoint-security</string>-->
<!--        <key>NSExtensionPrincipalClass</key>-->
<!--        <string>$(PRODUCT_MODULE_NAME).notify_demo</string>-->
<!--    </dict>-->
    
</dict>
</plist>

SampleEndpointApp entitlement:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
<!--	<key>com.apple.security.app-sandbox</key>-->
<!--	<true/>-->
	<key>com.apple.security.cs.allow-jit</key>
	<true/>
	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
	<key>com.apple.security.files.user-selected.read-only</key>
	<true/>
	<key>com.apple.security.get-task-allow</key>
	<true/>
</dict>
</plist>

Extension entitlement:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.endpoint-security.client</key>
	<true/>
<!--	<key>com.apple.security.app-sandbox</key>-->
<!--	<true/>-->
	<key>com.apple.security.cs.allow-jit</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
	<key>com.apple.security.get-task-allow</key>
	<true/>
</dict>
</plist>

xcodebuild -project SampleEndpointApp.xcodeproj -target SampleEndpointApp -configuration Debug CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO

warning: ONLY_ACTIVE_ARCH=YES requested with multiple ARCHS and no active architecture could be computed; building for all applicable architectures (in target 'Extension' from project 'SampleEndpointApp')
warning: Extension isn't code signed but requires entitlements. It is not possible to add entitlements to a binary without signing it. (in target 'Extension' from project 'SampleEndpointApp')
** BUILD SUCCEEDED **

xcodebuild -project SampleEndpointApp.xcodeproj -target Extension -configuration Debug CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO

warning: ONLY_ACTIVE_ARCH=YES requested with multiple ARCHS and no active architecture could be computed; building for all applicable architectures (in target 'Extension' from project 'SampleEndpointApp')
warning: Extension isn't code signed but requires entitlements. It is not possible to add entitlements to a binary without signing it. (in target 'Extension' from project 'SampleEndpointApp')
** BUILD SUCCEEDED **

codesign --force --sign "20D155DE40CCA613F631D6E3891B5D4390D1A921" --entitlements /Users/liqingsong/Downloads/MonitoringSystemEventsWithEndpointSecurity/SampleEndpointApp/SampleEndpointApp.entitlements SampleEndpointApp.app
SampleEndpointApp.app: replacing existing signature

codesign --force --sign "20D155DE40CCA613F631D6E3891B5D4390D1A921" --entitlements /Users/liqingsong/Downloads/MonitoringSystemEventsWithEndpointSecurity/Extension/Extension.entitlements com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension
com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension: replacing existing signature

20D155DE40CCA613F631D6E3891B5D4390D1A921 is one of my certificate IDs (by the way, is GCL4D9JGCM my team ID or certificate ID?):

security find-identity -v -p codesigning
...
3) 20D155DE40CCA613F631D6E3891B5D4390D1A921 "Mac Developer: qingsong li (GCL4D9JGCM)"
3 valid identities found

Accepted Answer

When debugging code signing problems it’s better to look at the built binary rather than your source code. That is, rather than look at MyApp.entitlements, which is source code, look at the entitlements actually baked into the app’s code signature:

% codesign -d --entitlements - /path/to/MyApp.app

Likewise for the Info.plist:

% plutil -p /path/to/MyApp.app/Contents/Info.plist

And the provisioning profile:

% security cms -D -i MyApp.app/Contents/embedded.provisionprofile | plutil -p -

In terms of how you get this to build, here’s what I did:

  1. Open the project in Xcode.

  2. For both targets, in the Signing & Capabilities editor, set the Team popup to your team.

  3. In the Extension target, remove the Endpoint Security capability.

  4. Build the app.

This produces an app like this:

% codesign -d -vvv --entitlements - SampleEndpointApp.app 
…
Authority=Apple Development: Quinn Quinn (7XFU7D52S4)
…
[Dict]
	[Key] com.apple.application-identifier
	[Value]
		[String] SKMME9E2Y8.com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8
	[Key] com.apple.developer.system-extension.install
	[Value]
		[Bool] true
    …
% plutil -p SampleEndpointApp.app/Contents/Info.plist 
{
  … nothing special here …
}
% security cms -D -i SampleEndpointApp.app/Contents/embedded.provisionprofile | plutil -p -
{
  …
  "Entitlements" => {
    "com.apple.application-identifier" => "SKMME9E2Y8.com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8"
    "com.apple.developer.system-extension.install" => 1
    "com.apple.developer.team-identifier" => "SKMME9E2Y8"
    "keychain-access-groups" => [
      0 => "SKMME9E2Y8.*"
    ]
  }
  …
}

And an extension like this:

% codesign -d -vvv --entitlements - SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension.systemextension
…
Authority=Apple Development: Quinn Quinn (7XFU7D52S4)
…
[Dict]
	[Key] com.apple.security.get-task-allow
	[Value]
		[Bool] true
% plutil -p SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension.systemextension/Contents/Info.plist 
{
  … standard stuff elided …
  "NSSystemExtensionUsageDescription" => ""
}
% ls -lh SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension.systemextension/Contents/embedded.provisionprofile 
ls: SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension.systemextension/Contents/embedded.provisionprofile: No such file or directory

Note that there’s no provisioning profile because the sysex doesn’t claim any restricted entitlements (com.apple.security.get-task-allow is unrestricted). Of course that’s the problem you’re trying to solve!

To fix this, you need to re-sign the extension and then re-sign the app. Let’s start with the extension.

% codesign -d --entitlements tmp.entitlements --xml SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension.systemextension
Executable=/Users/quinn/Library/Developer/Xcode/DerivedData/SampleEndpointApp-ayhxblzmgtjjygbuxmwgcsgnoifh/Build/Products/Debug/SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension
% plutil -p tmp.entitlements 
{
  "com.apple.security.get-task-allow" => 1
}

% /usr/libexec/PlistBuddy -c "Add :com.apple.developer.endpoint-security.client bool true" tmp.entitlements 
% plutil -p tmp.entitlements                                                                              
{
  "com.apple.developer.endpoint-security.client" => 1
  "com.apple.security.get-task-allow" => 1
}
% codesign -s "Apple Development: Quinn Quinn (7XFU7D52S4)" -f --preserve-metadata=identifier,flags,runtime --entitlements tmp.entitlements SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension.systemextension
SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppSKMME9E2Y8.Extension.systemextension: replacing existing signature

And now the app:

% codesign -s "Apple Development: Quinn Quinn (7XFU7D52S4)" -f --preserve-metadata=identifier,entitlements,flags,runtime SampleEndpointApp.app                                                                                     
SampleEndpointApp.app: replacing existing signature

Now, I don’t have time to do a full end-to-end test of this stuff today. However, the above should get you an app that’s signed the same way as the app I used when doing the test in this post, which I’d expect to work.


Finally, a word of warning about this:

<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>

The sample does not require you to disable these hardened runtime security enhancements and I strongly encourage you not to do that. This is important for two reasons:

  • Historically, the system required that ES clients have the hardened runtime fully enabled. If you used these entitlements it would reject your ES client. I believe that we’ve relaxed many of these restrictions, but I still recommend that you avoid these entitlements, especially as the sample app doesn’t need them.

  • The library validation entitlement is a common source of Gatekeeper problems. You can get around those [1] but, again, it’s better to just avoid this entitlement entirely.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] See Resolving Gatekeeper Problems Caused by Dangling Load Command Paths.
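Added example, not code from the thread or from Apple's sample: a Python helper that does by script what the accepted answer does by hand. It audits the entitlements `codesign` reports for the built app and sysex against what the sample needs, flags the three hardened-runtime exemptions warned about above, adds the ES client key the way the PlistBuddy step does, and re-signs with the same `codesign` arguments. The sample plists are constructed here, and `dump_entitlements` assumes a `codesign` new enough to emit plain XML with `--xml`.

```python
import plistlib
import subprocess
from typing import Dict, List, Optional

# What the sample needs, per the thread: the app claims the System Extension
# install entitlement, the sysex claims the Endpoint Security client one.
REQUIRED_APP = ["com.apple.developer.system-extension.install"]
REQUIRED_SYSEX = ["com.apple.developer.endpoint-security.client"]
ES_CLIENT = REQUIRED_SYSEX[0]

# Hardened-runtime exemptions the answer above warns against for an ES client.
RISKY = [
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.disable-library-validation",
]


def dump_entitlements(bundle_path: str) -> bytes:
    """Entitlements baked into the signature, as XML (macOS only; assumes --xml)."""
    return subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", bundle_path],
        check=True, capture_output=True).stdout


def entitlement_keys(entitlements_xml: bytes) -> List[str]:
    """Keys whose value is boolean true in the dumped entitlements plist."""
    ents = plistlib.loads(entitlements_xml)
    return sorted(k for k, v in ents.items() if v is True)


def audit(entitlements_xml: bytes, required: List[str]) -> Dict[str, List[str]]:
    """Required keys that are missing, and risky exemptions that are claimed."""
    claimed = set(entitlement_keys(entitlements_xml))
    return {
        "missing": [k for k in required if k not in claimed],
        "risky": [k for k in RISKY if k in claimed],
    }


def with_entitlement(entitlements_xml: bytes, key: str) -> bytes:
    """Same edit as `PlistBuddy -c "Add :<key> bool true"` on the dumped plist."""
    ents = plistlib.loads(entitlements_xml)
    ents[key] = True
    return plistlib.dumps(ents)


def resign(bundle_path: str, identity: str,
           entitlements_path: Optional[str] = None) -> None:
    """Re-sign as in the accepted answer: pass a new entitlements file for the
    sysex, or keep the entitlements Xcode already baked in (the app case)."""
    preserve = ("identifier,flags,runtime" if entitlements_path
                else "identifier,entitlements,flags,runtime")
    cmd = ["codesign", "-s", identity, "-f", "--preserve-metadata=" + preserve]
    if entitlements_path:
        cmd += ["--entitlements", entitlements_path]
    subprocess.run(cmd + [bundle_path], check=True)


def _plist(*keys: str) -> bytes:
    """Constructed sample: a plist claiming each key as boolean true."""
    return plistlib.dumps({k: True for k in keys})


# Constructed to match what the thread shows: the sysex as Xcode builds it once
# the ES capability is removed, and the app entitlements file the asker posted.
SYSEX_AS_BUILT = _plist("com.apple.security.get-task-allow")
APP_AS_POSTED = _plist("com.apple.developer.system-extension.install",
                       "com.apple.security.files.user-selected.read-only",
                       "com.apple.security.get-task-allow", *RISKY)
```

On a Mac, `audit(dump_entitlements(path), REQUIRED_SYSEX)` before calling `resign` tells you whether the extension still needs the ES client key, and the same call with `REQUIRED_APP` on the app confirms the install entitlement survived the re-sign.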

Hi Eskimo, thanks for your step-by-step instructions. I executed the same operations but still got an error:

Begin installing the extension 🔄
Failed to install the extension ❌
Missing entitlement com.apple.developer.system-extension.install 

`security cms -D -i SampleEndpointApp.app/Contents/embedded.provisionprofile | plutil -p -`

{
  "AppIDName" => "XC com example apple-samplecode SampleEndpointAppRKJVFVKFG3"
  "ApplicationIdentifierPrefix" => [
    0 => "RKJVFVKFG3"
  ]
 ...
  "Entitlements" => {
    "com.apple.application-identifier" => "RKJVFVKFG3.com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3"
    "com.apple.developer.system-extension.install" => 1
    "com.apple.developer.team-identifier" => "RKJVFVKFG3"
    "keychain-access-groups" => [
      0 => "RKJVFVKFG3.*"
    ]
  }
  "ExpirationDate" => 2026-05-21 17:00:08 +0000
  "IsXcodeManaged" => 0
  "Name" => "SampleEndpointAppUI"
  "Platform" => [
    0 => "OSX"
  ]
  "PPQCheck" => 0
  "ProvisionedDevices" => [
    0 => "00008132-000121E822F8801C"
    1 => "00006030-000279A822D9001C"
  ]
  "TeamIdentifier" => [
    0 => "RKJVFVKFG3"
  ]
...
}

codesign -d -vvv --entitlements - SampleEndpointApp.app

Executable=/Users/liqingsong/Library/Developer/Xcode/DerivedData/SampleEndpointApp-ghrlccqjrckpnhfqwjcwcivydyne/Build/Products/Debug/SampleEndpointApp.app/Contents/MacOS/SampleEndpointApp
Identifier=com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3
Format=app bundle with Mach-O thin (arm64)
...
Authority=Mac Developer: qingsong li (GCL4D9JGCM)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=May 23, 2025 at 22:16:22
Info.plist entries=24
TeamIdentifier=RKJVFVKFG3
Runtime Version=15.4.0
Sealed Resources version=2 rules=13 files=8
Internal requirements count=1 size=212

Is it because this command didn't add the entitlement for the app?

% codesign -s "Apple Development: Quinn Quinn (7XFU7D52S4)" -f --preserve-metadata=identifier,entitlements,flags,runtime SampleEndpointApp.app

codesign -d -vvv --entitlements - SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension/

Executable=/Users/liqingsong/Library/Developer/Xcode/DerivedData/SampleEndpointApp-ghrlccqjrckpnhfqwjcwcivydyne/Build/Products/Debug/SampleEndpointApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension
Identifier=com.example.apple-samplecode.SampleEndpointAppRKJVFVKFG3.Extension
Format=bundle with Mach-O thin (arm64)
...
Authority=Mac Developer: qingsong li (GCL4D9JGCM)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=May 23, 2025 at 22:15:44
Info.plist entries=22
TeamIdentifier=RKJVFVKFG3
Runtime Version=15.4.0
Sealed Resources version=2 rules=13 files=0
Internal requirements count=1 size=224
[Dict]
	[Key] com.apple.developer.endpoint-security.client
	[Value]
		[Bool] true
	[Key] com.apple.security.get-task-allow
	[Value]
		[Bool] true

After I created a tmp entitlements file for SampleEndpointApp as well, it now works.

% /usr/libexec/PlistBuddy -c "Add :com.apple.developer.endpoint-security.client bool true" tmp.entitlements
% plutil -p tmp.entitlements

Thank you very much!

I’m glad you got it working.

By way of explanation, com.apple.developer.system-extension.install is a restricted entitlement, meaning that:

  • It must be authorised by a provisioning profile.

  • It’s not managed, that is, you don’t need to apply to Apple to use it. Anyone can enable it from Xcode or the Developer website.

In the sample the app target includes the System Extension capability in the Signing & Capabilities editor. That causes Xcode to:

  • Sign the app to claim the entitlement.

  • Embed a provisioning profile that authorises that claim.

In my command to re-sign the app I have this:

% codesign … --preserve-metadata=identifier,entitlements,flags,runtime …                                                                                   

which should preserve the entitlement claim that Xcode added. I’m not sure why it wasn’t working in your case.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
