Question

FDA config for Crowdstrike

  • June 19, 2020
  • 9 replies
  • 45 views


Hi. Annoying new JAMFer here.

Trying to configure FDA for the CrowdStrike Falcon sensor by using the Privacy Preferences Policy Control.

I've uploaded a screenshot of what I have.

Flummoxed because so many folks say deployment is a breeze, but I can't deploy company-wide until I figure this out. Package installation and registration seem to work fine, so I think this is the missing piece.

Any advice welcome.

9 replies

  • Author
  • Contributor
  • June 19, 2020


jamesandre
  • Contributor
  • June 22, 2020

I'm not sure that you have the correct identifier there. I've got...


drtaru
  • Contributor
  • June 22, 2020

This is ours. Was having issues on Catalina with using the bundle ID and switched to Path; was also having issues without falconctl added with the same entitlement.


  • New Contributor
  • June 22, 2020

Also, you won't see the approval reflected in System Preferences. Check it with:

plutil -p "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"

  • Valued Contributor
  • June 22, 2020

@patgmac (or anyone else), have you seen any nice GUI apps built around plutil anywhere? If I can chisel out some time, I'd like to build something that makes the output easier to read at a glance. It may be a long time until I get to it though.


drtaru
  • Contributor
  • July 30, 2020

That plutil command doesn't seem to work on Catalina, I get an Operation Not Permitted error even when running as root.


  • Honored Contributor
  • July 31, 2020

The plutil -p works for me just fine and I have several MDM Overrides in my configs. @patgmac is 100% correct, you cannot trust the GUI as Apple has not properly implemented that yet. The only way to be certain is to check the overrides file.


drtaru
  • Contributor
  • July 31, 2020

Ah, figured out my issue: I didn't have iTerm set to have Full Disk Access.


  • New Contributor
  • September 1, 2020

@patgmac So then after running the plutil command this output is saying that falcond has Full Disk Access?

"/Library/CS/falcond" => {
  "kTCCServiceSystemPolicyAllFiles" => {
    "Allowed" => 1
    "CodeRequirement" => "identifier falcond and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446"
    "CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 35365034 34360000 }
    "Identifier" => "/Library/CS/falcond"
    "IdentifierType" => "path"
    "StaticCode" => 0
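
One way to read the overrides file at a glance, as an added example that is not part of the original thread or any poster's code: a short Python script that flattens MDMOverrides.plist into one row per identifier and service and answers whether an identifier has Full Disk Access. It assumes the identifier -> service -> settings layout shown in the plutil output above; the function names, the shortened code requirement and the `com.example.denied` entry are constructed for illustration.

```python
import plistlib
import re

FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"
# Path from the thread; reading it needs root and a terminal with Full Disk Access.
OVERRIDES_PATH = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"

def summarize_overrides(plist_bytes):
    """Flatten identifier -> service -> settings into one row per grant."""
    rows = []
    for identifier, services in plistlib.loads(plist_bytes).items():
        for service, entry in services.items():
            # Signing team (subject.OU) from the code requirement, if any.
            team = re.search(r'subject\.OU\]\s*=\s*"?(\w+)',
                             entry.get("CodeRequirement", ""))
            rows.append({
                "identifier": identifier,
                "type": entry.get("IdentifierType", "?"),
                "service": service,
                "allowed": bool(entry.get("Allowed", 0)),
                "team": team.group(1) if team else None,
            })
    return sorted(rows, key=lambda r: (r["identifier"], r["service"]))

def has_full_disk_access(plist_bytes, identifier):
    """True only if the identifier has an allowed SystemPolicyAllFiles entry."""
    return any(r["identifier"] == identifier and r["service"] == FDA_SERVICE
               and r["allowed"] for r in summarize_overrides(plist_bytes))

# Constructed sample: first entry mirrors the output posted above (requirement
# shortened); the second identifier is hypothetical, to show a denied entry.
SAMPLE = plistlib.dumps({
    "/Library/CS/falcond": {FDA_SERVICE: {
        "Allowed": 1,
        "CodeRequirement": "identifier falcond and anchor apple generic"
                           " and certificate leaf[subject.OU] = X9E956P446",
        "Identifier": "/Library/CS/falcond", "IdentifierType": "path",
        "StaticCode": 0}},
    "com.example.denied": {FDA_SERVICE: {
        "Allowed": 0, "Identifier": "com.example.denied",
        "IdentifierType": "bundleID", "StaticCode": 0}},
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    # On a managed Mac: data = open(OVERRIDES_PATH, "rb").read()
    for r in summarize_overrides(SAMPLE):
        state = "ALLOW" if r["allowed"] else "DENY"
        print(f'{state:5} {r["service"]}  {r["identifier"]} ({r["type"]}, team={r["team"]})')
```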