What is the impact of not approving Full Disk Access (FDA) on macOS?

Article ID: 284997


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

What is the impact of not approving Full Disk Access (FDA) on macOS?

Environment

  • Carbon Black Cloud Sensor: All Sensor Versions
  • Apple macOS: 11.0 (Big Sur) and Higher

Resolution

  • The application may be restricted in reading or writing data to certain directories or files. This could affect its ability to save or retrieve user data.
  • Sensor versions 3.8 and newer install and, due to the error, explicitly enter sensor bypass, with “Bypass (Extension Error)” displayed in the console.
  • Enabling bypass mode removes all policy enforcement on the device. This applies whether Bypass Mode was enabled by an administrator or the sensor remains in Bypass Mode due to one of the reasons detailed in the Bypass Reasons section.
  • The searchable state listed in "How to Find macOS Sensors Where Full Disk Access (FDA) Has Not Been Granted" can be seen in the console.
  • If the state below is also present alongside the FDA sensorStates flag above, then SysEXT failed to initialize and entered bypass because FDA is missing for the SysEXT binary.
    sensorStates:"DRIVER_INIT_ERROR"
  • Repmgr not granted FDA: the following features are restricted: background scan, Live Response, Cert Allow Listing.
  • SysEXT not granted FDA: on newer macOS versions, the operating system fails to initialize SysEXT security subsystems, effectively disabling the core security features. 

Additional Information