Starting with macOS 10.15, Apple requires the Endpoint Agent's security extension (a system extension) to be explicitly approved before it can load; when software is deployed remotely, that approval has to come from a management profile rather than from a user clicking through a prompt. The agent must also be granted Full Disk Access (FDA) on the endpoint so it can scan every location on disk. Because of Apple's Transparency, Consent, and Control (TCC) protections, the agent cannot read TCC-protected folders, and therefore cannot scan them for threats, until FDA is granted.
When deploying the Endpoint Agent, you must allow our security extension and grant FDA on the following versions of macOS:
- Sonoma 14
- Ventura 13
- Monterey 12
- Big Sur 11
- Catalina 10.15
Normally, end users must open System Settings (System Preferences on older releases) and grant these permissions by hand before the Endpoint Agent can function properly. This article describes how to deploy the Endpoint Agent to your Macs remotely with the permissions pre-approved, so that end users are never shown these prompts.
Requirements
Your Mac endpoints must be enrolled in a User Approved Mobile Device Management (UAMDM) solution: either a user approved the MDM enrollment in System Settings on the device, or the device was enrolled through Apple's Device Enrollment Program (now called Automated Device Enrollment), which counts as user-approved.
An MDM profile installed remotely via SSH, the `profiles` command, or a similar unattended method does not qualify as UAMDM, and macOS will not honor the privacy or system-extension payloads it delivers.
Activate security framework extension and grant full disk access
Create a Privacy Preferences Policy Control profile (PPPCP) that grants FDA and approves the security framework extension, then deploy the PPPCP through your UAMDM.
NOTICE - When FDA is granted by a profile delivered through UAMDM, the Endpoint Agent is not listed under Full Disk Access in the macOS Security & Privacy settings pane. Its absence there is expected and does not mean the grant failed, so do not use that pane to verify the deployment.
Upload and deploy PPPCP using UAMDM
- Download the attached profile, which covers macOS Catalina (10.15), Big Sur (11.x), Monterey (12.x), Ventura (13.x), and Sonoma (14.x) endpoints:
- Malwarebytes_Protection_profile_10_15.mobileconfig
- Upload the file to your UAMDM.
- Save and deploy your PPPCP through your UAMDM as a device profile (system scope), not as a user profile; a user-scoped profile will not grant FDA or approve the extension.