EPSpy

Records supported EndpointSecurity.framework events into a JSON file.

Installing

Release binaries are signed with adhoc certificate and have the com.apple.developer.endpoint-security.client entitlement, so it is required that SIP and/or AMFI be disabled to run. It is recommended to run this tool in a VM.

To install EPSpy, download the latest release from the releases page. Extract to /Applications. Run the following command:

xattr -r -d com.apple.quarantine /Applications/EPSpy.app

To uninstall, delete EPSpy.app from /Applications.

Running

On first run record, the system will ask you to enable an extension. You can enable it right away in the notification:

or in Settings, under Login Items & Extensions:

Troubleshooting

The following error indicates that the login item has not been enabled.

If you click on the record button and nothing happens, including no error, it means you are trying to record on a machine that is SIP enabled. Disable SIP and try again.

Name		Name	Last commit message	Last commit date
Latest commit History 15 Commits
EPRecorder		EPRecorder
EPRecordingService		EPRecordingService
EPSpy.xcodeproj		EPSpy.xcodeproj
EPSpy		EPSpy
.gitignore		.gitignore
Error.png		Error.png
Notification.png		Notification.png
README.md		README.md
Screenshot.png		Screenshot.png
Settings.png		Settings.png
epspy.rb		epspy.rb
releaseVersion.sh		releaseVersion.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

EPSpy

Installing

Running

Troubleshooting

About

Uh oh!

Releases 2

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

EPSpy

Installing

Running

Troubleshooting

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases 2

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages