
I am trying out an Endpoint Security system extension to prevent users from deleting my app data. I used "ES_EVENT_TYPE_AUTH_UNLINK" to stop users from deleting app files.

I am trying to figure out how I can stop the user from deleting a keychain item.

Durgaprasad

1 Answer

Unfortunately, there is no official way to do what you want with Endpoint Security: there is simply no such event related to any keychain action.

You can file a request with Apple for the desired new event in Endpoint Security, to make it doable in an official way, but they almost always ignore such requests.

It may be possible, though, to achieve what you want with indirect methods, but it will require a lot of additional effort from you.

The files of the user keychain are usually stored in ~/Library/Keychain. There is, e.g., the login.keychain-db file, which is most probably an SQLite database where all the keychain data is stored.

It is worth saying that in my case I'm unable to just open it, because my SQL viewer says it is password-protected.

So what you can do is create a backup of the keychain file in a state that you consider OK, and then listen in Endpoint Security for write events on the current keychain file.

You won't be able to deny such an event, but what you can do is lock the keychain file right after this operation (that is, using Endpoint Security, you should deny for some time any other file operation on the keychain database file), and search for your keychain items, which you know for sure you want to be present in the keychain.

You will need to do this from the user context, and Endpoint Security runs in the root context, so this is where you need an agent (if you use ES as libs in a daemon) / UI app (if you use ES as a system extension) and IPC between them.

If the search result is positive, it means that the user has not deleted the record you want, so you can unlock the keychain file and be happy.

Otherwise, I suggest you just restore the keychain file from the backup (you can allow operations from your app in ES, since you know that you need them), so effectively it would look like the user has not deleted your records from the keychain.

It may be a problem if at this moment the keychain file is in use (the Keychain app may hold the file descriptor). If so, I would suggest calling the normal API and just manually re-adding the needed items to the keychain from the agent.

This may require you to parse the backup keychain file, or to store your items separately in another place, but it could be overcome.

This scheme could possibly work for some time, without any guarantees, and could be broken by Apple at any time they want.

Arthur Bulakaiev
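The answer above describes a policy rather than code: a foreign write to the keychain file starts a lock window, other processes are denied file operations on that file while the window is open, the agent (running in the user context) checks whether the protected items are still present, and the extension either unlocks or waits for a restore. The block below is an added example, not code from the question or the answer, that implements that decision logic as a plain C state machine kept separate from the EndpointSecurity API so it compiles and runs anywhere. The event names, the `policy_*` functions, the pid numbers and the keychain path are all constructed for the example; in a real extension the `event_t` fields would be filled from `es_message_t` and the verdict handed to `es_respond_auth_result()`. It also shows the failure mode the answer hints at: if the agent never reports, the window simply expires and access is allowed again.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Event kinds mirroring the ES events the scheme relies on (names are ours). */
typedef enum { EV_AUTH_UNLINK, EV_AUTH_OPEN, EV_AUTH_RENAME, EV_NOTIFY_WRITE } event_kind_t;

/* What the extension would pass to es_respond_auth_result(); NOTIFY events get no response. */
typedef enum { VERDICT_ALLOW, VERDICT_DENY, VERDICT_NONE } verdict_t;

/* What the agent should do after it has searched the keychain for the protected items. */
typedef enum { ACTION_UNLOCK, ACTION_RESTORE } action_t;

typedef struct {
    event_kind_t kind;
    const char  *path;   /* target file of the operation */
    int          pid;    /* initiating process */
    uint64_t     t;      /* seconds on a constructed monotonic clock */
} event_t;

typedef struct {
    const char *keychain_path; /* the file to guard */
    int         own_pid;       /* our agent/app, allowed through while locked */
    uint64_t    lock_window_s; /* how long to deny others after a foreign write */
    uint64_t    locked_until;  /* 0 = unlocked */
    bool        check_pending; /* a foreign write happened and the agent has not reported yet */
} keychain_policy_t;

void policy_init(keychain_policy_t *p, const char *keychain_path, int own_pid, uint64_t lock_window_s) {
    memset(p, 0, sizeof *p);
    p->keychain_path = keychain_path;
    p->own_pid = own_pid;
    p->lock_window_s = lock_window_s;
}

bool policy_is_locked(const keychain_policy_t *p, uint64_t now) {
    return p->locked_until != 0 && now < p->locked_until;
}

bool policy_check_pending(const keychain_policy_t *p) { return p->check_pending; }

/* Decide one event; the caller feeds every AUTH/NOTIFY event it receives. */
verdict_t policy_handle(keychain_policy_t *p, const event_t *ev) {
    if (strcmp(ev->path, p->keychain_path) != 0)           /* not the guarded file */
        return ev->kind == EV_NOTIFY_WRITE ? VERDICT_NONE : VERDICT_ALLOW;

    if (ev->kind == EV_NOTIFY_WRITE) {
        /* A write cannot be denied: start the lock window and ask the agent to verify. */
        if (ev->pid != p->own_pid) {
            p->locked_until = ev->t + p->lock_window_s;
            p->check_pending = true;
        }
        return VERDICT_NONE;
    }

    /* AUTH event on the keychain file */
    if (ev->pid == p->own_pid)
        return VERDICT_ALLOW;                              /* agent may restore / re-add items */
    return policy_is_locked(p, ev->t) ? VERDICT_DENY : VERDICT_ALLOW;
}

/* The agent reports whether the protected items are still present. */
action_t policy_report_check(keychain_policy_t *p, bool items_present) {
    p->check_pending = false;
    if (items_present) {
        p->locked_until = 0;   /* nothing was removed: release the file */
        return ACTION_UNLOCK;
    }
    return ACTION_RESTORE;     /* stay locked until the agent has restored */
}

/* The agent finished restoring (from backup, or by re-adding items via the normal API). */
void policy_restore_done(keychain_policy_t *p) { p->locked_until = 0; }

int main(void) {
    /* Constructed scenario: pid 100 is a user tool, pid 7 is our agent, 5 s lock window. */
    const char *kc = "/Users/alice/Library/Keychains/login.keychain-db";
    keychain_policy_t p;
    policy_init(&p, kc, 7, 5);
    event_t write  = { EV_NOTIFY_WRITE, kc, 100, 10 };
    event_t unlink = { EV_AUTH_UNLINK,  kc, 100, 11 };
    event_t ours   = { EV_AUTH_OPEN,    kc,   7, 12 };
    event_t late   = { EV_AUTH_OPEN,    kc, 100, 20 };

    policy_handle(&p, &write);
    printf("foreign unlink inside window: %s\n", policy_handle(&p, &unlink) == VERDICT_DENY ? "deny" : "allow");
    printf("agent open inside window:     %s\n", policy_handle(&p, &ours) == VERDICT_ALLOW ? "allow" : "deny");
    printf("agent says items missing ->   %s\n", policy_report_check(&p, false) == ACTION_RESTORE ? "restore" : "unlock");
    printf("foreign open after expiry:    %s\n", policy_handle(&p, &late) == VERDICT_ALLOW ? "allow" : "deny");
    return 0;
}
```

The last line of the scenario is the weak point of the whole approach: the lock is a timer, not a guarantee, so the agent has to answer within the window, and an agent that is not running (no user logged in, crashed, or killed) leaves the file unprotected after the timer elapses.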