#macos
Andrea

03/03/2022, 6:29 PM
Can anyone point me to some good tutorial/guide/docs about how to codesign, package up and distribute a Mac application running as a daemon that is using Endpoint Security? I have the entitlement already. I managed to run a sample app (the one on the Apple dev site) with SIP enabled. Distribution is the next step. I have read that giving the app Full Disk Access and permission to run can be automated? It looks like the only source is Apple docs, which are somewhat lacking in details most of the time. Appreciate any help.
Mike Myers

03/04/2022, 12:04 AM
It's a big hassle: giving Full Disk Access automatically to an executable can only be done on machines enrolled in an MDM, and in that case the MDM administrator sends out a configuration profile with just the syntax
12:10 AM
For distribution, you'll have to sign it with a distribution certificate, which they call a Developer ID Application [Signing] Key
12:11 AM
Then you have to notarize the signed application, which produces a "ticket" that you then "staple" to the signed application
12:12 AM
The last time I figured all of this out there were not even Apple docs on the entitlements or notarization steps
Andrea

03/04/2022, 6:22 PM
Thank you, Mike.
6:25 PM
The thing is, I have tried to sign the app and the extension of this sample app here (https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security) with the Developer ID and the correct bundle IDs for app and extension, and had a proper Developer profile etc., and nothing was working. I couldn't even install the extension.
6:31 PM
Do you know by any chance if I can use Xcode to do the automated signing with the Developer ID? If you look at the picture, is there a way of having "Automatically manage signing" enabled and having the signing certificate be my Developer ID certificate?
Mike Myers

03/04/2022, 8:03 PM
Yeah, to get it working you (or the account owner for the Apple ID team) have to request the Endpoint Security client entitlement for your Apple ID organization, and then you can automate signing with the Developer ID in Xcode. For osquery, we use CMake to automate the Xcode tools without using the IDE, but Xcode still needs to be installed. I wish that the workflow for this were public, but it handles keys as GitHub Secrets so it's all on a private repo.
Andrea

03/05/2022, 11:16 AM
Sorry, forgot to mention: I have entitlements, we have a Developer ID certificate. Tried un-checking "Automatically manage signing" and setting up a dev profile on the website and signing it, but nothing works properly 😕 Anyway, thanks for the suggestion. I'll have a look at the CMake configuration in osquery and try to figure out if I am missing something. And I will try to figure out how to configure Xcode with my Dev ID certificate.
Mike Myers

03/08/2022, 5:14 PM
https://github.com/trailofbits/sinter/tree/master/packaging A couple of years ago we pushed through all of these problems and automated a build process in CMake. This is what gave us the understanding used to do it again for osquery last year.
Andrea

03/09/2022, 2:31 PM
Ah yeah saw that during my research.
2:36 PM
Well, good news: I managed to do codesign, notarise, etc. The articles that gave me a breakthrough are: https://www.appcoda.com/distribute-macos-apps/ (notarisation), https://scriptingosx.com/2021/07/notarize-a-command-line-tool-with-notarytool/ (notarytool, which is far superior to altool) and https://www.appcoda.com/distribute-macos-apps/ (distributing outside the Apple store).
2:36 PM
Also, I have a script that automates everything. If anyone needs it, just ping me.
2:39 PM
Thanks @Mike Myers
Mike Myers

03/09/2022, 5:18 PM
You solved it? Great, this is a major headache and took us a lot longer to puzzle out.
Andrea

03/10/2022, 9:00 AM
Yeah, I would say 85% solved. Only the packaging (codesign it and notarise it) is left to do. Yeah, agree. I guess we can thank Apple's business model for our headache 😄
6:10 PM
Hey @Mike Myers, I actually have a follow-up question about the MDM configuration/provision file described at the link you kindly shared the other day: https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#full-disk-access . I am not very familiar with MDM software, so I am wondering how it is possible for me to generate/find that kind of information described at the link? I am talking about these fields in particular:
   <key>PayloadDescription</key>
   <string>osqueryd</string>
   <key>PayloadDisplayName</key>
   <string>osqueryd</string>
   <key>PayloadIdentifier</key>
   <string>BDBD19F2-A35A-4AEC-9E96-3CA7E2994666</string>
   <key>PayloadOrganization</key>
   <string>Trail of Bits</string>
   <key>PayloadType</key>
   <string>com.apple.TCC.configuration-profile-policy</string>
   <key>PayloadUUID</key>
   <string>89121197-3B5F-4502-BB8C-4331261D3B8C</string>
   <key>PayloadVersion</key>
   <integer>1</integer>
   <key>Services</key>
Is it something that the MDM software does, or should I as distributor provide the configuration file?
Mike Myers

03/16/2022, 9:03 PM
There's a different way to generate a profile like this in each MDM, but, to get the information for the fields, you run a terminal command on the osqueryd executable. The command is in the wiki page above, but the fields you need to come up with are PayloadOrganization (your organization distributing the profile, I believe, but it's a freeform field) and CodeRequirement
9:03 PM
CodeRequirement is derived from
codesign -dr - /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd
The resulting output includes (at least at the time the wiki was written) the string
identifier "io.osquery.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "3522FA9PXF"
which
9:06 PM
I believe some of those identifiers are GUIDs, and arbitrarily generated by the MDM when it crafts a configuration profile of this kind.
9:07 PM
Like
   <key>PayloadIdentifier</key>
   <string>BDBD19F2-A35A-4AEC-9E96-3CA7E2994666</string>
This is not something specific to osquery. It's probably a choice of the MDM software. You could probably even use this exact ID, but it's probably better if not everyone did that.
Andrea

03/17/2022, 1:44 PM
Exactly what I wanted to hear! 😄 Thank you!