Starting with macOS 10.14, Apple requires that a security framework extension be approved when software is deployed remotely. Full Disk Access (FDA) must also be granted on the endpoint so the endpoint agent can scan all disk locations for threats. Because of Apple's Transparency, Consent, and Control (TCC) feature, the endpoint agent cannot scan sensitive folders for potential threats until FDA is granted.
When deploying the Endpoint Agent, you must allow our security extension and grant FDA for the following versions of macOS:
- Sequoia 15
- Sonoma 14
- Ventura 13
- Monterey 12
- Big Sur 11
- Catalina 10.15
- Mojave 10.14
Normally, end users must manually go to their Mac Settings to grant these permissions, which allow the endpoint agent to function properly. This article describes how you can remotely deploy the Endpoint Agent to your Macs and bypass these prompts.
Requirements
Your Mac endpoints must have a User Approved Mobile Device Management (UAMDM) configured. You can enroll devices with Apple Business Manager to make use of the Apple Automated Device Enrollment feature.
Note: An MDM profile loaded remotely via SSH or similar does not qualify as a UAMDM.
Activate security framework extension and grant full disk access
Create a Privacy Preferences Policy Control profile (PPPCP) to grant FDA and approve the security framework extension. Deploy the PPPCP using a UAMDM.
NOTICE - When FDA is granted through UAMDM, the grant is not displayed in the macOS Security & Privacy settings.
Upload and deploy PPPCP using UAMDM
- Download the attached file for your macOS Mojave 10.14, Catalina 10.15, Big Sur 11, Monterey 12, Ventura 13, Sonoma 14, and Sequoia 15 endpoints:
  - Malwarebytes_Protection_profile_general.mobileconfig
- Upload the file to your UAMDM.
- Save and deploy your PPPCP by UAMDM as a device profile.
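Before uploading a PPPCP to the UAMDM, it helps to confirm that it actually carries both grants. The following Python script is an added example, not part of this article or of the vendor's mobileconfig: it parses a constructed profile with placeholder identifiers (the per-payload PayloadIdentifier, PayloadUUID and PayloadVersion keys a real profile also needs are omitted for brevity) and reports the FDA identifiers and system extension team IDs it grants.

```python
import plistlib

# Constructed sample PPPCP with PLACEHOLDER identifiers; real bundle IDs, code
# requirements and team IDs come from the vendor's mobileconfig, not from here.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
      <key>Services</key><dict>
        <key>SystemPolicyAllFiles</key><array><dict>
          <key>Identifier</key><string>PLACEHOLDER.agent.bundle.id</string>
          <key>IdentifierType</key><string>bundleID</string>
          <key>CodeRequirement</key><string>identifier "PLACEHOLDER.agent.bundle.id"</string>
          <key>Allowed</key><true/>
        </dict></array>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.system-extension-policy</string>
      <key>AllowedTeamIdentifiers</key><array><string>PLACEHOLDERTEAM</string></array>
    </dict>
  </array>
</dict></plist>"""


def check_pppc_profile(data: bytes) -> dict:
    """Summarise what a PPPCP grants so it can be reviewed before upload.
    The article deploys it as a device profile, so PayloadScope should be System."""
    profile = plistlib.loads(data)
    result = {"device_scope": profile.get("PayloadScope") == "System",
              "fda_identifiers": [], "sysext_teams": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.TCC.configuration-profile-policy":
            for entry in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
                # Older profiles use the boolean Allowed; newer ones may use Authorization.
                allowed = entry.get("Allowed") is True or entry.get("Authorization") == "Allow"
                # A CodeRequirement pins the grant to signed code, not just to a name.
                if allowed and entry.get("CodeRequirement"):
                    result["fda_identifiers"].append(entry["Identifier"])
        elif ptype == "com.apple.system-extension-policy":
            result["sysext_teams"].extend(payload.get("AllowedTeamIdentifiers", []))
    return result


if __name__ == "__main__":
    print(check_pppc_profile(SAMPLE_MOBILECONFIG))
```

Run it against the downloaded mobileconfig by passing the file's bytes to check_pppc_profile; an empty fda_identifiers or sysext_teams list means the profile will not remove the corresponding prompt.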