
Glossary

Endpoint Security

Apple's user-space framework for security tooling on macOS, the supported replacement for kernel extensions, that delivers a curated stream of well over a hundred system event types to an entitled, privileged client.

Endpoint Security (ES) is the framework Apple provides for security products on macOS. It replaces the long-deprecated kernel-extension path with a user-space System Extension that subscribes to a curated event stream from the kernel.

In 2026, ES is the only practical way to ship a modern EDR on macOS that survives Gatekeeper, SIP, and Apple's deprecation schedule.

What it surfaces. Well over a hundred event types (each enumerator is ES_EVENT_TYPE_AUTH_* or ES_EVENT_TYPE_NOTIFY_*; the count grows with each macOS release) covering process lifecycle (EXEC, FORK, EXIT), file operations (OPEN, UNLINK, RENAME, MOUNT), credentials (SETUID, SUDO), persistence (BTM_LAUNCH_ITEM_ADD), and the most security-sensitive Mach traps, most notably AUTH_GET_TASK and NOTIFY_GET_TASK for task_for_pid (with GET_TASK_READ, GET_TASK_INSPECT and GET_TASK_NAME covering the reduced-rights variants).

What it doesn't. No per-call read/write stream (ES is not a data tap and never hands you file contents), no event for raw Mach port traffic, and no syscall arguments beyond what each event's struct explicitly exposes. For anything outside the curated set you fall back to DTrace, which SIP restricts on a stock system, or to in-process instrumentation.

Two flavours per event. AUTH_* events are delivered synchronously: the operation is held until your client answers with es_respond_auth_result() (or es_respond_flags_result() for events such as AUTH_OPEN that return a permitted-flags mask), so you can deny. Each message carries a deadline in es_message_t.deadline (Mach absolute time, typically a few seconds out); a client that misses it gets killed, so respond early and fail open rather than risk the budget. The cache argument on the respond call lets ES answer repeat decisions for the same file without calling you again. NOTIFY_* events are fire-and-forget and need no response. Most syscall-mapped events exist in both flavours.

Requirements. You need a paid Apple Developer account plus the Endpoint Security entitlement (com.apple.developer.endpoint-security.client), which Apple grants case-by-case. Without it, es_new_client() returns ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED; ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED means the user has not granted the client Full Disk Access in System Settings, and ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED means it is not running as root.

The framework headers live at <EndpointSecurity/EndpointSecurity.h>; link with -lEndpointSecurity (libEndpointSecurity.dylib).
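A minimal AUTH_EXEC gate, written here as an added example (not Apple sample code and not tied to any product). It subscribes to ES_EVENT_TYPE_AUTH_EXEC and ES_EVENT_TYPE_NOTIFY_GET_TASK, converts the message deadline into a millisecond budget, applies a hypothetical policy (deny execs from world-writable staging directories, cache allows for platform binaries, fail open when the budget is nearly gone), and responds with es_respond_auth_result(). The names remaining_ms, exec_verdict, DEADLINE_MARGIN_MS and the blocked-prefix list are this example's own inventions; the ES, libbsm and Mach calls are the real APIs. The policy and deadline helpers are plain C so they build anywhere; only the client wiring under #ifdef __APPLE__ needs macOS, the entitlement, root and Full Disk Access.

```c
/* es_exec_gate.c: minimal Endpoint Security AUTH_EXEC client (added example).
 * On macOS: clang -o es_exec_gate es_exec_gate.c -lEndpointSecurity -lbsm
 * then sign with com.apple.developer.endpoint-security.client, grant Full
 * Disk Access, and run as root. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Respond at least this early (assumed margin); missing a deadline kills the client. */
#define DEADLINE_MARGIN_MS 250u

/* Milliseconds left before an AUTH deadline, given Mach absolute times and
 * the mach_timebase_info ratio (ns per tick = numer/denom). 0 if past due. */
uint64_t remaining_ms(uint64_t deadline, uint64_t now, uint32_t numer, uint32_t denom)
{
    if (deadline <= now || denom == 0) return 0;
    uint64_t ns = (deadline - now) * numer / denom;
    return ns / 1000000u;
}

typedef struct {
    bool allow;   /* ES_AUTH_RESULT_ALLOW vs ES_AUTH_RESULT_DENY */
    bool cache;   /* ask ES to cache this verdict for the executable */
} verdict_t;

/* Hypothetical example policy: deny execs launched from world-writable
 * staging directories, cache allows for platform binaries, and fail open
 * (allow, uncached) when too little of the deadline budget remains. */
verdict_t exec_verdict(const char *path, bool is_platform_binary, uint64_t ms_left)
{
    static const char *const blocked_prefixes[] = { "/private/tmp/", "/tmp/", "/Users/Shared/" };
    verdict_t v = { .allow = true, .cache = false };
    if (ms_left < DEADLINE_MARGIN_MS) return v;            /* fail open, never fail killed */
    if (is_platform_binary) { v.cache = true; return v; }  /* Apple-signed: allow and cache */
    for (size_t i = 0; i < sizeof blocked_prefixes / sizeof *blocked_prefixes; i++) {
        size_t n = strlen(blocked_prefixes[i]);
        if (strncmp(path, blocked_prefixes[i], n) == 0) { v.allow = false; return v; }
    }
    return v;
}

#ifdef __APPLE__
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>
#include <dispatch/dispatch.h>
#include <mach/mach_time.h>

static void handle(es_client_t *client, const es_message_t *msg, mach_timebase_info_data_t tb)
{
    switch (msg->event_type) {
    case ES_EVENT_TYPE_AUTH_EXEC: {
        const es_process_t *target = msg->event.exec.target;   /* the image about to run */
        const char *path = target->executable->path.data;
        uint64_t left = remaining_ms(msg->deadline, mach_absolute_time(), tb.numer, tb.denom);
        verdict_t v = exec_verdict(path, target->is_platform_binary, left);
        es_respond_auth_result(client, msg,
                               v.allow ? ES_AUTH_RESULT_ALLOW : ES_AUTH_RESULT_DENY, v.cache);
        if (!v.allow)
            fprintf(stderr, "denied exec of %s requested by pid %d\n",
                    path, audit_token_to_pid(msg->process->audit_token));
        break;
    }
    case ES_EVENT_TYPE_NOTIFY_GET_TASK:   /* task_for_pid succeeded; notify-only, no response */
        fprintf(stderr, "pid %d obtained the task port of pid %d\n",
                audit_token_to_pid(msg->process->audit_token),
                audit_token_to_pid(msg->event.get_task.target->audit_token));
        break;
    default:
        break;
    }
}

int main(void)
{
    mach_timebase_info_data_t tb;
    mach_timebase_info(&tb);
    es_client_t *client = NULL;
    es_new_client_result_t r = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        handle(c, msg, tb);   /* runs on ES's own queue; respond before msg->deadline */
    });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
        /* ERR_NOT_ENTITLED: missing entitlement; ERR_NOT_PERMITTED: no Full Disk
         * Access; ERR_NOT_PRIVILEGED: not root. */
        fprintf(stderr, "es_new_client failed: %d\n", (int)r);
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_NOTIFY_GET_TASK };
    if (es_subscribe(client, events, sizeof events / sizeof *events) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        return 1;
    }
    dispatch_main();   /* never returns; the handler block does all the work */
}
#endif
```

Two design points worth copying: the deadline is read from the message and converted with the live timebase rather than assumed, and allows for platform binaries are cached so ES stops calling the client for them, while denies are left uncached so a fixed binary is re-evaluated on its next exec.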