As in will one need to push an MDM profile to allow said ext

Question

As in will one need to push an MDM profile to allow said extension slightly smiling face

sharvil · Answer

Hey < natewalck> the EndpointSecurity features need certain macOS permissions namely root and Full Disk Access inside System Preferences gt Privacy gt Full Disk Access If these permissions are granted manually there is no need for MDM

natewalck · Answer

Yep that all makes sense So this is an Endpoint agent but not a System Extension

sharvil · Answer

MDM just makes it easy to automatically grant these permissions via a PPPC payload config profile

natewalck · Answer

given that it runs its own launchd

natewalck · Answer

Yep I m familiar with all that

sharvil · Answer

Yes it s currently is just EndpointSecurity

sharvil · Answer

there is no SystemExtension yet

natewalck · Answer

it was funky to see a app and not have a system extension ala Crowdstrike Santa etc

natewalck · Answer

Are there plans for a system extension

sharvil · Answer

app is required so that osqueryd which has es entitlements can automatically pick up the corresponding provisioning profile

sharvil · Answer

Otherwise folks would have to install the profile manually <https github com osquery osquery blob master tools deployment macos packaging embedded provisionprofile>

sharvil · Answer

There are a lot of folks who would like to see the SystemExtension functionality too and I would like to support that too but it s not in the immediate roadmap

sharvil · Answer

We have also tried to capture and document all that stuff here <https osquery readthedocs io en latest deployment process auditing auditing processes with endpointsecurity> if there is anything there that you think needs improvement please let me know