Some apps supposedly have built-in functions which are supposed to report whether the app itself believes it has full disk access and will then either indicate this or go straight to a process of requesting the user grant such access.
The main app I am having an issue with is called Scribe and is an app which automates installing updated corporate email signatures for Apple Mail on a Mac.
I have previously created a PPPC Configuration Profile in Jamf Pro and verified this has been successfully pushed out to my Mac. System Preferences → Privacy & Security does show an entry saying this has been configured via a Profile and is enabled, i.e. is clicked to the right and is ‘blue’.
It should be noted that my own experience is that the TCC database if queried, only lists apps that have been enabled locally and not apps enabled via a Configuration Profile. In this case Scribe is listed in the TCC database and whilst I cannot remember for certain, it is highly likely I did enable it manually before getting round to creating a companywide Configuration Profile for all users.
Here for comparison is how to query the TCC db and what it reported in my case.
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
> 'select client from access where auth_value and service = "kTCCServiceSystemPolicyAllFiles"'
/usr/libexec/sshd-keygen-wrapper
com.jamfsoftware.Composer
com.philandro.anydesk
com.scribe-mail.scribeSince I have not had a signature change for some time and until I do there is no obvious way to otherwise test whether full disk access is working, I was hoping to get feedback from other people.
Is it simply likely to be that whatever method Scribe uses to verify full disk access at fault? Is it possible that Apple has blocked whatever method is being used?
Note: Unlike normal preference plists, in this case for PPPC it does not seem there is an official and standardised method which automatically search the entire hierarchy of settings. For preference plists this means it is possible to use a single command and search user local, system wide and managed preferences and correctly prioritise them in the event of an overlap. (Managed preferences have the highest priority.)
In my case both System Preferences → Privacy & Security and the TCC db indicate it should have full disk access.
Whilst in this case despite it reporting in its setting it does not have full disk access, I feel it is actually working. However I have encountered other apps which when launched check for required full disk access and will not let you proceed until it is granted. If there is now an endemic problem due to an Apple change then such an app would be unusable. (As far I can tell having looked at developer discussions - there is no official api to test for this access, the general advice is for the app to try using it and if the operation fails conclude it does not have access, despite the fact this not check for other possible causes.)
