# general
b
Hey all, I'm having some issues with getting EndpointSecurity to work with launchd/plist. this is my plist file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>KeepAlive</key>
  <true/>
  <key>Disabled</key>
  <false/>
  <key>Label</key>
  <string>io.osquery.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd</string>
    <string>--config_path=/private/var/osquery/osquery.conf</string>
    <string>--disable_events=false</string>
    <string>--disable_endpointsecurity=false</string>
    <string>--enable_file_events=true</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>ThrottleInterval</key>
  <integer>60</integer>
</dict>
</plist>
I run
sudo launchctl load /var/osquery/io.osquery.agent.plist
followed by
sudo launchctl start io.osquery.agent.plist
The process starts and I get other results from FIM and snapshot queries; however, the EndpointSecurity events do not get generated. Additionally, if I run the daemon directly with the following, the EndpointSecurity events get logged:
sudo /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd --config_path=/private/var/osquery/osquery.conf --disable_events=false --disable_endpointsecurity=false --enable_file_events=true
Anyone seen this before or see any red flags with my launchd approach?
Resolved: osqueryd needed Full Disk Access. Previously, only the Terminal application had Full Disk Access.
s
Yep! We have tried to document this here: https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#full-disk-access Please let us know if those can be improved!