We deployed our Carbon Black Sensors with Jamf. During the deployment we made sure to enable Full Disk Access for the Carbon Black Sensor services. However, when we look on one of our endpoints, the Full Disk Access check boxes in the macOS Security & Privacy section do not show as enabled. How can we make sure these settings are enabled?
VMware Carbon Black Cloud
VMware Carbon Black EDR
It is important to understand that this is normal behavior when deploying policies via an MDM solution like Jamf. The check boxes in the Full Disk Access settings will not display check marks unless a local admin user manually places a check mark next to each application service. In order to confirm if the Sensor has the correct permissions it needs, you will need to check the Sensor's status in the Carbon Black console and in the Red Canary console.
If the Full Disk Access settings have been successfully applied, the Sensor should be actively checking in and operating without any errors showing in the Carbon Black or Red Canary consoles. In Red Canary you can go to the "Endpoints" page find one of the affected endpoints, click on the hostname to enter the Endpoint details page, and then make sure you do not see any errors.
The Sensors should also be sending valid telemetry (i.e processes, child processes, network connections, filemod, and modload telemetry).
In Carbon Black EDR you can check if the correct telemetry is being sent by performing the following steps:
- Open the Carbon Black EDR console and click on the "Sensors" field on the right menu bar.
- Locate one of your affected endpoints
- Click on the hostname of the endpoint (this will take you into the Sensor details page).
- Click on the "Processes" link to enter the "Process Search" page.
- While in the "Process Search" page, check to make sure you are seeing Filmod, Modload, and Netconns telemetry.
When a deploying your Sensor policies via Jamf, or any MDM solution, the Full Disk Access settings in the macOS Security & Privacy section will not show with the check boxes selected. This is normal. The ONLY time these check boxes will show as enabled is when a local admin user manually enables them.