Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
Andrea
03/03/2022, 6:29 PMAnyone can point me to some good tutorial/guide/docs about how to codesign package up and distribute a Mac application running as Daemon that is using Endpoint Security? I have the entitlement already. I managed to run a sample app (the one on the Apple dev site) with SIP enabled. Distribution is the next step. I have read that giving the app Full Access Disk and permission to run can be automated ? it looks like the only source is Apple docs which are somewhat lacking of details most of the time. Appreciate any help
m
Mike Myers
03/04/2022, 12:04 AMIt's a big hassle, giving Full Disk Access automatically to an executable can only be done on machines enrolled in an MDM, and in that case the MDM administrator sends out a configuration profile with just the syntax
For distribution, you'll have to sign it with a distribution certificate, which they call a Developer ID Application [Signing] Key
Then you have to notarize the signed application, which produces a "ticket" that you then "staple" to the signed application
The last time I figured all of this out there were not even Apple docs on the entitlements or notarization steps
a
Andrea
03/04/2022, 6:22 PMThank you mike.
the thing is I have tried to sign the app and the extension of this sample app here (https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security) with the Developer ID and the correct bundle id for app and extension, and had a proper Developer profile etc. and nothing was working. I couldn't install the extension even.
Do you know by any chance if I can use Xcode to do the automated signing with the Developer ID? If you look at the picture. is there a way of having "automatically manage signing" enabled and having the signing certificate my Developer ID certificate?
m
Mike Myers
03/04/2022, 8:03 PMYea, to get it working you (or the account owner for the Apple ID team) have to request the endpoint security client entitlement for your Apple ID organization, and then you can automate signing with the Developer ID in Xcode. For osquery, we use Cmake to automate the xcode tools without using the IDE, but it's still needed to have Xcode installed. I wish that the workflow for this were public, but it handles keys as GitHub Secrets so it's all on a private repo
a
Andrea
03/05/2022, 11:16 AMSorry forgot to mention: I have entitlements, we have a Developer ID certificate. Tried un-checking "Automatically manage signing" and setting up a dev profile on the website and sign it but nothing works properly 😕 Anyway thanks for the suggestion. I ll have a look to the cmake configuration in osquery and try to figure out I am missing something. And I will try to figure out how to configure XCode with my DEv id certificate
m
Mike Myers
03/08/2022, 5:14 PMhttps://github.com/trailofbits/sinter/tree/master/packaging a couple of years ago we pushed through all of these problems and automated a build process in Cmake. This is what gave us the understanding used to do it again for osquery last year
a
Andrea
03/09/2022, 2:31 PMAh yeah saw that during my research.
Well good news I managed to do codesign, notarise etc.. the articles that gave me a breakthrough are: https://www.appcoda.com/distribute-macos-apps/ (notarisation), https://scriptingosx.com/2021/07/notarize-a-command-line-tool-with-notarytool/ (notarytool which is far superior to alttool) and https://www.appcoda.com/distribute-macos-apps/ (distributing outside Apple store)
Also I have a script that automates everything. if anyone needs it just ping me.
Thanks @Mike Myers
m
Mike Myers
03/09/2022, 5:18 PMYou solved it? Great, this is a major headache and took us a lot longer to puzzle out
a
Andrea
03/10/2022, 9:00 AMyeah I would say 85% solved. only the packaging (codesign it and notarise it ) is left to do. yeah agree. I guess we can thank Apple's business model for our headache 😄
hey @Mike Myers, I actually have a follow up question about the MDM configuration/provision file described at the link you kindly shared the other day https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#full-disk-access . I am not very familiar with MDM software, so I am wondering how is it possible for me generating/find that kind of information described at the link? I am talking about these fields in particular:
<key>PayloadDescription</key>
<string>osqueryd</string>
<key>PayloadDisplayName</key>
<string>osqueryd</string>
<key>PayloadIdentifier</key>
<string>BDBD19F2-A35A-4AEC-9E96-3CA7E2994666</string>
<key>PayloadOrganization</key>
<string>Trail of Bits</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>89121197-3B5F-4502-BB8C-4331261D3B8C</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>m
Mike Myers
03/16/2022, 9:03 PMThere's a different way to generate a profile like this in each MDM, but, to get the information for the fields, you run a terminal command on the osqueryd executable. The command is in the wiki page above, but the fields you need to come up with are
PayloadOragnizationCodeRequirementCodeRequirementcodesign -dr - /opt/osquery/lib/osquery.app/Contents/MacOS/osquerydidentifier "io.osquery.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "3522FA9PXF"I believe some of those identifiers are GUIDs, and arbitrarily generated by the MDM when it crafts a configuration profile of this kind.
Like
<key>PayloadIdentifier</key>
<string>BDBD19F2-A35A-4AEC-9E96-3CA7E2994666</string>a
Andrea
03/17/2022, 1:44 PMexactly what I wanted to hear! 😄 thank you!
👍 1