#macos

natewalck

09/15/2021, 6:35 PM
As in, will one need to push an MDM profile to allow said extension 🙂

sharvil

09/15/2021, 7:01 PM
Hey @natewalck, the EndpointSecurity features need certain macOS permissions, namely root and Full Disk Access (inside System Preferences --> Privacy --> Full Disk Access). If these permissions are granted manually, there is no need for MDM.

natewalck

09/15/2021, 7:01 PM
Yep, that all makes sense. So this is an Endpoint agent but not a System Extension?

sharvil

09/15/2021, 7:01 PM
MDM just makes it easy to automatically grant these permissions via a PPPC payload config profile

natewalck

09/15/2021, 7:01 PM
given that it runs its own launchd
7:01 PM
Yep, I'm familiar with all that

sharvil

09/15/2021, 7:02 PM
Yes, it's currently just EndpointSecurity
7:02 PM
there is no SystemExtension yet

natewalck

09/15/2021, 7:02 PM
it was funky to see a .app and not have a system extension à la CrowdStrike, Santa, etc
7:02 PM
Are there plans for a system extension?

sharvil

09/15/2021, 7:03 PM
.app is required so that osqueryd (which has es entitlements) can automatically pick up the corresponding provisioning profile
7:05 PM
There are a lot of folks who would like to see the SystemExtension functionality too, and I would like to support that too, but it's not in the immediate roadmap
7:17 PM
We have also tried to capture and document all that stuff here (https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#auditing-processes-with-endpointsecurity), if there is anything there that you think needs improvement, please let me know!