Locking the Endpoint Security Extension toggle via MDM profile – is it possible? #910
moneymaker1-svj asked this question in Q&A (Unanswered)
Replies: 1 comment
Hi everyone,
I'm running Santa 2026.3 on a supervised MacBook Pro M4 (macOS 15 Sequoia, SIP enabled), enrolled via Apple Business Manager/DEP with ManageEngine MDM.
My goal is to make the Santa Endpoint Security Extension fully tamper-resistant via MDM profiles. I've deployed the following profiles, all verified active via profiles show:
Santa App Blocker (com.northpolesec.santa) – Lockdown mode, allowlist, block rules ✅
Santa Privacy / FDA (com.apple.TCC.configuration-profile-policy) – SystemPolicyAllFiles for com.northpolesec.santa, com.northpolesec.santa.daemon, com.northpolesec.santa.bundleservice – toggles in FDA are greyed out ✅
Santa Service Management (com.apple.servicemanagement) – background activity toggle is greyed out ✅
Santa Endpoint Security Lock (com.apple.system-extension-policy) – NonRemovableFromUISystemExtensions: ZMCG7MLDV9 → com.northpolesec.santa.daemon, AllowUserOverrides: false ✅
The problem:
The toggle for "Santa Endpoint Security Extension" under Login Items & Extensions → Endpoint Security is not greyed out and is functionally effective – toggling it off puts Santa into "terminated waiting to uninstall on reboot".
I've confirmed that NonRemovableFromUISystemExtensions is being read correctly by the system. The issue appears to be that macOS 15 does not honor this key for Endpoint Security Extensions specifically (it works fine for Network Extensions like LuLu).
What I've investigated:
The toggle corresponds to the kTCCServiceEndpointSecurityClient TCC service. After checking Apple's official PPPC payload documentation and the apple/device-management GitHub repo, kTCCServiceEndpointSecurityClient is not listed as a supported service key for the com.apple.TCC.configuration-profile-policy payload. This means there is apparently no supported MDM mechanism to lock this specific toggle.
My questions:
Has anyone found a way to grey out / lock the Endpoint Security Extension toggle via MDM profile on macOS 15?
Is there an undocumented profile key that handles kTCCServiceEndpointSecurityClient?
Is this a known macOS 15 regression for NonRemovableFromUISystemExtensions on ES extensions specifically, or is it by design?
Any insight appreciated.
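As an added illustration of the profile the post describes (this is example code, not Santa's own tooling or anything the poster shipped), the script below builds a com.apple.system-extension-policy payload for Santa's ES extension and then checks a profile plist for the keys that should make the extension non-removable. The Team ID ZMCG7MLDV9 and the bundle ID com.northpolesec.santa.daemon are taken from the post; AllowedTeamIdentifiers, AllowedSystemExtensions, AllowedSystemExtensionTypes and NonRemovableSystemExtensions are the documented keys of that payload type, while the PayloadIdentifier values, UUIDs and display names are constructed samples. The checker only validates the profile's content; whether macOS 15 actually honors NonRemovableFromUISystemExtensions for Endpoint Security extensions is exactly the open question above, so an empty findings list must still be confirmed on the device with profiles show and systemextensionsctl list.

```python
"""Added example (not from the Santa project or the post's author): build the
com.apple.system-extension-policy payload the post describes and check that a
profile covers Santa's Endpoint Security extension."""
import plistlib
import uuid

SANTA_TEAM_ID = "ZMCG7MLDV9"                          # from the post
SANTA_ES_BUNDLE_ID = "com.northpolesec.santa.daemon"  # from the post
POLICY_PAYLOAD_TYPE = "com.apple.system-extension-policy"


def build_sysext_policy_profile(team_id, bundle_id, lock_ui_toggle=True):
    """Return a .mobileconfig (XML plist bytes) with one system-extension-policy
    payload. lock_ui_toggle=False omits the two NonRemovable* keys so the checker
    below can be exercised against a weaker profile."""
    payload = {
        "PayloadType": POLICY_PAYLOAD_TYPE,
        "PayloadIdentifier": "example.sysext-policy.santa",  # constructed sample
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Santa Endpoint Security Lock",
        "AllowUserOverrides": False,
        "AllowedTeamIdentifiers": [team_id],
        "AllowedSystemExtensions": {team_id: [bundle_id]},
        "AllowedSystemExtensionTypes": {team_id: ["EndpointSecurityExtension"]},
    }
    if lock_ui_toggle:
        # Both keys are dicts mapping Team ID -> list of extension bundle IDs.
        payload["NonRemovableSystemExtensions"] = {team_id: [bundle_id]}
        payload["NonRemovableFromUISystemExtensions"] = {team_id: [bundle_id]}
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.profile.santa-sysext",  # constructed sample
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Santa Endpoint Security Lock",
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def check_es_extension_locked(profile_bytes, team_id, bundle_id):
    """Parse a profile plist and return a list of findings describing what is
    missing for bundle_id to be non-removable. An empty list means the profile
    content is as expected; it says nothing about whether macOS enforces it."""
    profile = plistlib.loads(profile_bytes)
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == POLICY_PAYLOAD_TYPE]
    if not policies:
        return [f"no {POLICY_PAYLOAD_TYPE} payload in profile"]
    findings = []
    for policy in policies:
        if policy.get("AllowUserOverrides", True):
            findings.append("AllowUserOverrides is not false")
        if bundle_id not in policy.get("AllowedSystemExtensions", {}).get(team_id, []):
            findings.append(f"AllowedSystemExtensions does not list {bundle_id} under {team_id}")
        for key in ("NonRemovableSystemExtensions", "NonRemovableFromUISystemExtensions"):
            if bundle_id not in policy.get(key, {}).get(team_id, []):
                findings.append(f"{key} does not list {bundle_id} under {team_id}")
    return findings


if __name__ == "__main__":
    locked = build_sysext_policy_profile(SANTA_TEAM_ID, SANTA_ES_BUNDLE_ID)
    print(locked.decode())
    print("findings:", check_es_extension_locked(locked, SANTA_TEAM_ID, SANTA_ES_BUNDLE_ID))
```

The checker can also be pointed at a profile exported from a real device (profiles show -output with an XML path, then plistlib.load on the file) to confirm the Team ID → bundle ID mapping is spelled exactly as the system extension reports it, since a mismatch there silently produces an unlocked extension without any error in the profile install.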