For binary execution control on Endpoint Security — how granular are the code-signing matching rules, and what happens to a denied binary that's already running versus launched fresh?
For the consolidated privacy consent prompt — does app.settings replace the privacy preferences we manage today, or coexist with them? Knowing whether it's a clean migration or a parallel system would help our planning. Thanks!
The code-signing matching rules ensure that all of the criteria specified in the rule are satisfied. If both a denylist and an allowlist are specified, we apply the most restrictive form of the policy (e.g., if the same app is specified in the allowlist and in the denylist, then the denylist entry wins).
If a denied binary is already running before the Endpoint Security client is running, then a live process termination mechanism sweeps for denied processes and terminates them. This can be observed after a policy is applied by the live processes being killed.
app.settings coexists with the privacy preferences.
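
The matching and precedence behaviour described in the reply above, modelled as an added example that is not part of the original thread or the product's code. The rule fields (`team_id`, `signing_id`), the `Rule` class and all sample values are assumptions made up for illustration, and the thread does not say how a binary matching neither list is handled, so the model reports that case separately.

```python
from dataclasses import dataclass

# Hypothetical rule shape; the field names are assumptions, not the product's schema.
@dataclass(frozen=True)
class Rule:
    criteria: dict  # e.g. {"team_id": "...", "signing_id": "..."}

    def matches(self, sig: dict) -> bool:
        # A rule matches only when every criterion it specifies is satisfied.
        # An empty rule is treated as matching nothing (a choice made for this model).
        return bool(self.criteria) and all(
            sig.get(key) == value for key, value in self.criteria.items()
        )

def evaluate(sig: dict, allowlist: list, denylist: list) -> str:
    """Return 'deny', 'allow' or 'no-match' for one code signature."""
    # The denylist is checked first, so it wins when both lists match.
    if any(rule.matches(sig) for rule in denylist):
        return "deny"
    if any(rule.matches(sig) for rule in allowlist):
        return "allow"
    return "no-match"  # handling of unlisted binaries is not stated in the thread

def sweep(running: dict, allowlist: list, denylist: list) -> list:
    """PIDs of already-running processes that the policy denies."""
    return [pid for pid, sig in running.items()
            if evaluate(sig, allowlist, denylist) == "deny"]

# Constructed sample data: a broad allow rule and a narrower deny rule.
ALLOW = [Rule({"team_id": "TEAMAAAAAA"})]
DENY = [Rule({"team_id": "TEAMAAAAAA", "signing_id": "com.example.tool"})]
RUNNING = {
    101: {"team_id": "TEAMAAAAAA", "signing_id": "com.example.tool"},
    102: {"team_id": "TEAMAAAAAA", "signing_id": "com.example.editor"},
    103: {"team_id": "TEAMBBBBBB", "signing_id": "com.example.tool"},
}

if __name__ == "__main__":
    for pid, sig in RUNNING.items():
        print(pid, evaluate(sig, ALLOW, DENY))
    print("terminate:", sweep(RUNNING, ALLOW, DENY))
```

PID 101 satisfies both the allow rule and the deny rule and is denied; PID 103 shares the signing ID but not the team ID, so the two-criterion deny rule does not match it.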