Enable FDA for Rapid7 InsightIDR on macOS 15.1.1
Posted on 11-26-2024 09:00 AM
We are trying to implement Full Disk Access for Rapid7 on Macs running macOS 15.1 with the help of a Jamf Configuration Profile.
We followed the exact steps recommended by the software vendor (Rapid7) at the link below: https://docs.rapid7.com/insight-agent/mac-installation/#use-an-mdm-for-configuration
We have double-checked the path of the ir_agent, which is the default /opt/rapid7/ir_agent/ir_agent
Tried on a couple of machines with macOS 15.1 and 14.5, but we still see in the GUI that FDA for ir_agent is not enabled (the toggle is off).
Can someone suggest how we can get this working, or any way to understand why this doesn't work? Any help would be appreciated here. Let us know if you need additional information.
Thank you!
Posted on 11-26-2024 09:26 AM
We see the same behavior. I would also like to know why this doesn't get enabled.
Posted on 11-27-2024 03:53 AM
Hi @dlbrabb
It seems like the macOS GUI is misleading us: System Settings shows FDA as not enabled, but in the background it works and provides FDA to Rapid7. (I'm not sure.)
I was reading this article, which is a deep dive on the TCC database.
https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
You can enable Full Disk Access for Terminal so that it can read the SIP-protected database, and use the command below to share the output.
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access' | grep -i ir_agent
This was mine:
kTCCServiceSystemPolicyAllFiles|/opt/rapid7/ir_agent/ir_agent|1|0|4|1|??||0|UNUSED||0|1732692916|||UNUSED|1732692916
I'm not sure what to make of the output. I didn't figure out how to decode this to validate whether FDA is enabled for Rapid7.
Posted on 11-26-2024 10:31 AM - edited 11-26-2024 10:31 AM
Is the product working correctly? The Full Disk Access preference pane will reflect user-granted permissions, not what is granted via MDM.
Test it on a fresh Mac that Rapid7 wasn't installed on before you pushed the configuration profile.
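As an added example (not code from this thread, from Rapid7 or from Jamf), the script below decodes the TCC.db row quoted in the 11-27 reply using the column names, and then looks in the other place the 10:31 reply is pointing at: the MDM (PPPC profile) decisions that tccd records separately from user-granted consent. Assumptions, labelled here and in the code: the 17-column TCC.db "access" schema of macOS 14/15 in the order service|client|client_type|auth_value|auth_reason|..., the auth_value and auth_reason meanings as commonly documented for tccd, and that MDM-delivered PPPC decisions are stored in MDMOverrides.plist next to TCC.db (its internal key layout is not relied on; the file is only grepped for the agent path).

```shell
#!/bin/sh
# Added example for this thread (not Rapid7's or Jamf's code): decode what TCC.db
# says about Full Disk Access for the Rapid7 agent, and show where an MDM (PPPC
# profile) grant is recorded instead of the user-consent rows.
#
# Assumptions: the 17-column TCC.db "access" schema of macOS 14/15 in the order
# service|client|client_type|auth_value|auth_reason|...; auth_value / auth_reason
# meanings as commonly documented for tccd; MDM PPPC decisions kept in
# MDMOverrides.plist beside TCC.db (only grepped, key layout not relied on).

TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"
MDM_OVERRIDES="/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
CLIENT="/opt/rapid7/ir_agent/ir_agent"   # default agent path from the thread

# Constructed sample input: the row posted in the thread, re-joined onto one line.
SAMPLE_ROW='kTCCServiceSystemPolicyAllFiles|/opt/rapid7/ir_agent/ir_agent|1|0|4|1|??||0|UNUSED||0|1732692916|||UNUSED|1732692916'

auth_value_name() {
  case "$1" in
    0) echo "denied" ;;
    1) echo "unknown" ;;
    2) echo "allowed" ;;
    3) echo "limited" ;;
    *) echo "unrecognized auth_value $1" ;;
  esac
}

auth_reason_name() {
  case "$1" in
    1) echo "Error" ;;              2) echo "User Consent" ;;
    3) echo "User Set" ;;           4) echo "System Set" ;;
    5) echo "Service Policy" ;;     6) echo "MDM Policy" ;;
    7) echo "Override Policy" ;;    8) echo "Missing usage string" ;;
    9) echo "Prompt Timeout" ;;     10) echo "Preflight Unknown" ;;
    11) echo "Entitled" ;;          12) echo "App Type Policy" ;;
    *) echo "unrecognized auth_reason $1" ;;
  esac
}

# decode_tcc_row 'a|b|c|...' -> one human-readable line. Only the first five columns
# are used, so it accepts both "select *" output and the narrower query below.
decode_tcc_row() {
  IFS='|' read -r tcc_service tcc_client tcc_client_type tcc_auth_value tcc_auth_reason tcc_rest <<EOF
$1
EOF
  case "$tcc_client_type" in
    0) tcc_ctype="bundle id" ;;
    1) tcc_ctype="path" ;;
    *) tcc_ctype="client_type=$tcc_client_type" ;;
  esac
  printf '%s for %s (%s): %s, reason: %s\n' "$tcc_service" "$tcc_client" "$tcc_ctype" \
    "$(auth_value_name "$tcc_auth_value")" "$(auth_reason_name "$tcc_auth_reason")"
}

# fda_allowed 'row' -> exit 0 only when auth_value is 2 (allowed); any other value
# is not a grant in this table, whatever the System Settings toggle shows.
fda_allowed() {
  IFS='|' read -r _s _c _t tcc_av _r <<EOF
$1
EOF
  [ "$tcc_av" = "2" ]
}

# Live check on a Mac: run as root from a terminal app that itself has Full Disk
# Access, otherwise TCC.db is unreadable. Naming the columns avoids dumping the
# binary csreq blob that "select *" prints as garbage.
check_fda_live() {
  if [ ! -r "$TCC_DB" ]; then
    echo "cannot read $TCC_DB (need root and FDA for the terminal app)"
    return 1
  fi
  sqlite3 -separator '|' "$TCC_DB" \
    "select service, client, client_type, auth_value, auth_reason from access
     where service = 'kTCCServiceSystemPolicyAllFiles' and client = '$CLIENT';" |
    while IFS= read -r row; do
      decode_tcc_row "$row"
    done
  # Assumption: an MDM (PPPC) decision is recorded here, not as a user-consent row.
  if [ -r "$MDM_OVERRIDES" ]; then
    echo "MDMOverrides.plist entries mentioning $CLIENT:"
    plutil -p "$MDM_OVERRIDES" | grep -n -A 5 -- "$CLIENT" || echo "  none"
  else
    echo "no $MDM_OVERRIDES found (expected to exist once a PPPC profile is installed)"
  fi
}

if [ "${1:-}" = "--live" ]; then
  check_fda_live
else
  decode_tcc_row "$SAMPLE_ROW"
fi
```

Run with no arguments to decode the sample row; run `sudo sh tcc_fda_check.sh --live` on the affected Mac for the real query. Under the assumed mapping, the quoted row reads as "denied, reason: System Set", which describes only what the user-consent table holds for that path; whether the PPPC profile actually reached tccd is what the MDMOverrides.plist check is there to show, and the functional test suggested in the reply above (does the agent read protected locations) remains the final word.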
