Due to Apple's Transparency, Consent, and Control (TCC) framework, macOS restricts which applications can access protected system locations. Without Full Disk Access (FDA), the Endpoint Agent can only scan unprotected areas of the disk, leaving large portions of the system invisible to it.
Granting FDA removes these restrictions and allows the agent to scan all disk locations, ensuring threats cannot hide in protected directories. FDA must be granted on endpoints running the following versions of macOS:
- Tahoe 26
- Sequoia 15
- Sonoma 14
- Ventura 13
- Monterey 12
- Big Sur 11
This article details how to remotely grant FDA with a Mobile Device Management (MDM).
Grant FDA using MDM
NOTICE - The FDA settings in the macOS Security & Privacy section do not display when FDA is granted using MDM
- Download the mobileconfig files at the bottom of the article. Both are required:
- Malwarebytes_Protection_profile_general.mobileconfig
- Threatdown Protection - Malicious Web Access Control (MWAC).mobileconfig
- Upload the profiles to your MDM.
- Deploy the profiles to your Mac endpoints. Refer to your MDM provider’s user guide for instructions on deploying configuration profiles.
For instructions on manually granting FDA, see Grant Full Disk Access on Mac devices in OneView.