Enterprise-Grade Network & Tamper Protection. Zero User Friction.
CoreFilter helps secure macOS fleets with policy enforced through a Network Extension and managed configuration—no local interface for users to bypass. Built for MDM-driven rollout and operations.


Intelligent network filtering
Evaluate outbound flows against your ruleset—by bundle ID, hostnames (FQDN), IP ranges, and ports—on the in-memory policy snapshot. Verdicts are computed synchronously on the hot path (no disk I/O in the evaluation path) to keep decisions responsive while the daemon and extension stay in sync via XPC.
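An added illustration (not CoreFilter's code or configuration schema) of the evaluation model described above: flows matched by bundle ID, FQDN, IP range and port against a pre-parsed in-memory snapshot, with a default-deny fallback. The `Rule` fields, the first-match-wins ordering and the sample values are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:  # hypothetical rule shape, not the product's schema
    action: str                               # "allow" or "deny"
    bundle_id: Optional[str] = None           # None means "any app"
    fqdn: Optional[str] = None                # exact name or "*.suffix"
    network: Optional[object] = None          # pre-parsed ip_network
    ports: Optional[Tuple[int, int]] = None   # inclusive (low, high)

def rule(action, bundle_id=None, fqdn=None, cidr=None, ports=None):
    """Parse once when the snapshot is built so evaluation does no parsing or I/O."""
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    net = ipaddress.ip_network(cidr) if cidr else None
    name = fqdn.lower().rstrip(".") if fqdn else None
    return Rule(action, bundle_id, name, net, ports)

def host_matches(pattern, host):
    if host is None:  # flow carried no hostname, so an FQDN rule cannot match
        return False
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Require a label boundary: "*.tracker.example" must not match "eviltracker.example".
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return host == pattern

def evaluate(snapshot, bundle_id, host, ip, port):
    """First matching rule wins; a flow that matches nothing is denied."""
    addr = ipaddress.ip_address(ip)
    for r in snapshot:
        if r.bundle_id is not None and r.bundle_id != bundle_id:
            continue
        if r.fqdn is not None and not host_matches(r.fqdn, host):
            continue
        if r.network is not None and addr not in r.network:
            continue
        if r.ports is not None and not (r.ports[0] <= port <= r.ports[1]):
            continue
        return r.action
    return "deny"

# Constructed sample snapshot: an immutable tuple of pre-parsed rules.
SNAPSHOT = (
    rule("deny", fqdn="*.tracker.example"),
    rule("allow", bundle_id="com.example.browser", ports=(443, 443)),
    rule("allow", cidr="10.0.0.0/8", ports=(1, 1023)),
)
```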

Regulatory-grade auditing & SIEM integration
The architecture treats audit as first-class: structured events are written to an in-memory buffer before other cross-feature work proceeds. Batches can be delivered to an HTTPS SIEM endpoint you configure (for example Splunk HEC-style URLs). Failed deliveries are retried from a dedicated queue so outages do not silently drop accountability.

Endpoint security & tamper protection
CoreFilter subscribes to Apple’s Endpoint Security framework to observe events such as system extension unload attempts, sensitive path unlink operations, and unexpected code execution. Intended reactions include denying the action, emitting audit records, and driving extension re-registration workflows—reducing the chance of quiet tampering on enrolled Macs.

Health-based traffic gating
Compliance signals such as FileVault status, OS baseline, and MDM enrollment feed health checks. When violations are detected, the daemon is designed to move into a gating posture (restrictive snapshot to the Network Extension). Note: wiring from health state to the live gating push is still being completed in the product—treat enforcement timelines as roadmap-dependent for your pilot.

Zero-touch MDM deployment
There is no install wizard for end users: policies and app configuration arrive through Apple Managed App Configuration from Jamf Pro, Kandji, Microsoft Intune, or a compatible UEM. A default-deny policy stance is recommended in the configuration schema so new enrollments do not accidentally fall open.

Frequently Asked Questions
IT pushes the app and Managed App Configuration through your MDM. Users are not prompted through a standalone installer wizard; configuration is delivered over the air alongside your existing macOS management workflows.
Structured entries are buffered in the daemon and emitted in batches to the HTTPS SIEM endpoint you configure in MDM (see Configuration Schema). If the endpoint is unreachable, batches are held for retry rather than discarded silently.
Tamper-related Endpoint Security events are intended to be denied where the platform allows, logged to audit, and paired with extension re-registration logic. Exact behavior depends on OS build and entitlement posture—validate in your environment during pilot.
Scheduled and on-demand health checks evaluate signals like FileVault, OS version, and MDM enrollment. The design calls for pushing a restrictive policy snapshot when violations persist; confirm gating end-to-end with your team before promising a go-live date.
The configuration plist is consumed from Managed App Configuration; the internal docs reference Jamf Pro, Kandji, and Microsoft Intune as delivery vehicles. Any UEM that supports Apple’s managed app config model should be able to host the same payload.
No. CoreFilter is positioned as an invisible control plane service: policy, telemetry, and remediation signals are administrator-driven, which reduces casual bypass through a local console.