Enable FDA for Rapid7 InsightIDR on macOS 15.1.1

Animesh
New Contributor II

We are trying to implement Full Disk Access for Rapid7 on Macs running macOS 15.1 with the help of a Jamf configuration profile.

We followed the exact steps recommended by the software vendor (Rapid7) at the link below: https://docs.rapid7.com/insight-agent/mac-installation/#use-an-mdm-for-configuration
We have double-checked the path of the ir_agent, which is the default /opt/rapid7/ir_agent/ir_agent.
We tried on a couple of machines with macOS 15.1 and 14.5, but we still see in the GUI that FDA for ir_agent is not enabled (the toggle button is off).

Can someone suggest how we can get this working, or any way to understand why this doesn't work? Any help would be appreciated. Let us know if you need additional information.
Thank you!

3 REPLIES

dlbrabb
New Contributor III

We see the same behavior.  I would also like to know why this doesn't get enabled.

Animesh
New Contributor II

Hi @dlbrabb 
It seems like the GUI on macOS is misleading us: System Preferences shows FDA as not enabled, but in the background it works and provides FDA to Rapid7. (I'm not sure.)

Something very similar is seen with a few AV products; there is a thread on Jamf Nation about CrowdStrike.

I was reading this article, which is a deep dive on the TCC database:
https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive

You can enable Full Disk Access for Terminal so that it can read the SIP-protected database, and use the command below to share the output.
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access' | grep -i ir_agent

This was mine 
kTCCServiceSystemPolicyAllFiles|/opt/rapid7/ir_agent/ir_agent|1|0|4|1|??||0|UNUSED||0|1732692916|||UNUSED|1732692916

I'm not sure what to make of the output. I haven't figured out how to decode it to validate whether FDA is enabled for Rapid7.

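An added example, not from the thread and not Rapid7's or Apple's code, for decoding a row like the one posted above: a small Python script that maps the pipe-separated `select * from access` output onto the column layout of the `access` table and translates the numeric codes into words. The column order (17 columns, macOS 14/15) and the meanings of `client_type`, `auth_value` and `auth_reason` are assumptions taken from public TCC.db write-ups such as the Rainforest QA article linked above; confirm them on the Mac in question with `sudo sqlite3 TCC.db '.schema access'` before trusting the decoding. The sample rows embedded in the script are constructed: the first is the posted row re-joined onto one line, the second is invented to show a user-granted, bundle-identifier entry.

```python
"""Decode rows printed by:

    sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'select * from access'

Assumptions (this is an added example, not the thread's or Rapid7's code):
  * the 17-column `access` table layout of macOS 14/15, in the order below;
  * the client_type / auth_value / auth_reason code meanings from public TCC.db
    write-ups.  Confirm both with:  sudo sqlite3 TCC.db '.schema access'
"""
from datetime import datetime, timezone

ACCESS_COLUMNS = [
    "service", "client", "client_type", "auth_value", "auth_reason",
    "auth_version", "csreq", "policy_id", "indirect_object_identifier_type",
    "indirect_object_identifier", "indirect_object_code_identity", "flags",
    "last_modified", "pid", "pid_version", "boot_uuid", "last_reminded",
]
CSREQ_INDEX = ACCESS_COLUMNS.index("csreq")

CLIENT_TYPE = {0: "bundle identifier", 1: "absolute path"}
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}
AUTH_REASON = {
    1: "Error", 2: "User Consent", 3: "User Set", 4: "System Set",
    5: "Service Policy", 6: "MDM Policy", 7: "Override Policy",
    8: "Missing Usage String", 9: "Prompt Timeout", 10: "Preflight Unknown",
    11: "Entitled", 12: "App Type Policy",
}

# Constructed sample input: the row posted in the thread, re-joined onto one
# line, plus an invented row of the kind a user-granted Terminal entry produces.
SAMPLE_ROWS = [
    "kTCCServiceSystemPolicyAllFiles|/opt/rapid7/ir_agent/ir_agent|1|0|4|1|??"
    "||0|UNUSED||0|1732692916|||UNUSED|1732692916",
    "kTCCServiceSystemPolicyAllFiles|com.apple.Terminal|0|2|3|1|??"
    "||0|UNUSED||0|1732700000|||UNUSED|0",
]


def _int(text):
    """sqlite3 prints NULL as an empty string; keep that distinct from 0."""
    return int(text) if text != "" else None


def _stamp(text):
    """Unix epoch -> ISO-8601 UTC; NULL or 0 (the column default) -> None."""
    ts = _int(text)
    if not ts:
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def decode_access_row(line):
    """Turn one pipe-separated `access` row into a dict of decoded fields."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < len(ACCESS_COLUMNS):
        raise ValueError(f"expected {len(ACCESS_COLUMNS)} fields, got {len(fields)}")
    # csreq is a raw BLOB and sqlite3's default mode prints its bytes verbatim,
    # so a '|' byte inside it splits the row into extra fields.  Fold any surplus
    # pieces back into csreq so the columns after it line up again (selecting
    # hex(csreq) instead of csreq in the query avoids the problem at the source).
    surplus = len(fields) - len(ACCESS_COLUMNS)
    if surplus:
        end = CSREQ_INDEX + 1 + surplus
        fields = fields[:CSREQ_INDEX] + ["|".join(fields[CSREQ_INDEX:end])] + fields[end:]
    raw = dict(zip(ACCESS_COLUMNS, fields))
    return {
        "service": raw["service"],
        "client": raw["client"],
        "client_type": CLIENT_TYPE.get(_int(raw["client_type"]), raw["client_type"]),
        "auth_value": AUTH_VALUE.get(_int(raw["auth_value"]), raw["auth_value"]),
        "auth_reason": AUTH_REASON.get(_int(raw["auth_reason"]), raw["auth_reason"]),
        "csreq_present": raw["csreq"] != "",
        "last_modified": _stamp(raw["last_modified"]),
        "last_reminded": _stamp(raw["last_reminded"]),
    }


def summarize(line):
    """One human-readable line per row, for pasting into a ticket or thread."""
    r = decode_access_row(line)
    return (f"{r['service']}  {r['client']} ({r['client_type']}): "
            f"{r['auth_value']} [{r['auth_reason']}] modified {r['last_modified']}")


if __name__ == "__main__":
    import sys
    # Pipe real sqlite3 output in; with no stdin redirect, the sample rows are used.
    lines = SAMPLE_ROWS if sys.stdin.isatty() else sys.stdin
    for line in lines:
        if line.strip():
            print(summarize(line))
```

Usage: `sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'select * from access' | grep -i ir_agent | python3 decode_tcc.py` (the script name is arbitrary). Under the assumed layout the posted row decodes to client type "absolute path", auth_value 0 as "denied" and auth_reason 4 as "System Set". Two caveats: the script only reads what is in the system TCC.db, and it parses text output, so the `.schema access` check matters, because a different column order would silently shift every decoded field.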


jtrant
Valued Contributor

Is the product working correctly? The Full Disk Access preference pane will reflect user-granted permissions, not what is granted via MDM.

Test it on a fresh Mac that Rapid7 wasn't installed on before you pushed the configuration profile.