Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
n
natewalck
09/15/2021, 6:35 PMAs in, will one need to push an MDM profile to allow said extension 🙂
s
sharvil
09/15/2021, 7:01 PMHey @natewalck, the EndpointSecurity features need certain macOS permissions, namely root and Full Disk Access (inside System Preferences --> Privacy --> Full Disk Access). If these permissions are granted manually, there is no need for MDM.
n
natewalck
09/15/2021, 7:01 PMYep, that all makes sense. So this is an Endpoint agent but not a System Extension ?
s
sharvil
09/15/2021, 7:01 PMMDM just makes it easy to automatically grant these permissions via a PPPC payload config profile
n
natewalck
09/15/2021, 7:01 PMgiven that it runs its own launchd
Yep, I'm familiar with all that
s
sharvil
09/15/2021, 7:02 PMYes, it's currently is just EndpointSecurity
there is no SystemExtension yet
n
natewalck
09/15/2021, 7:02 PMit was funky to see a .app and not have a system extension ala Crowdstrike, Santa, etc
Are there plans for a system extension?
s
sharvil
09/15/2021, 7:03 PM.app is required so that osqueryd (which has es entitlements) can automatically pick up the corresponding provisioning profile
👍 1
Otherwise, folks would have to install the profile manually (https://github.com/osquery/osquery/blob/master/tools/deployment/macos_packaging/embedded.provisionprofile)
There are a lot of folks who would like to see the SystemExtension functionality too, and I would like to support that too, but it's not in the immediate roadmap
👍 1
We have also tried to capture and document all that stuff here (https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#auditing-processes-with-endpointsecurity), if there is anything there that you think needs improvement, please let me know!