Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: How to Enable Full Disk Access for Sensor on macOS 10.14.5 and Higher

EDR: How to Enable Full Disk Access for Sensor on macOS 10.14.5 and Higher

Environment

  • EDR Sensor: 6.2.6 and Higher
  • Apple macOS: 10.14.5 and higher

Objective

Allow the Sensor full disk access for Live Response capabilities 

Resolution

Full Disk Access can be granted to the Sensor on individual machines

Manually Allow Full Disk Access on Individual Machines
  1. On the affected machine, open System Preferences
  2. Select Security & Privacy
  3. Select Privacy tab
  4. Select Full Disk Access
  5. Click the Lock symbol in lower left to authenticate with Administrator credentials
  6. Click the Plus (+) symbol to add an application
  7. Navigate to  the appropriate application for your sensor and OS and click Open
6.2.6, 10.14-10.15:  /Applications/CbOsxSensorService
6.2.7-7.X, 10.14-10.15:  /Applications/VMware Carbon Black EDR.app/Contents/MacOS/CbOsxSensorService
7.X, 11.X: es-extension ( already be in default list, no navigation necessary, simply check the box)
  1. A restart is required for Full Disk Access to take affect
  2. Confirm setting after restart by confirming that the appropriate application appears in the list of applications with Full Disk Access

Related Content


Labels (1)
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎09-09-2020
Views:
2068
Contributors