Help

FDA enable for Admin By Request

rkelegha1
New Contributor II

Posted on ‎07-21-2023 04:16 AM

Hi All,

looking for some guidance - Im trying to enable Admin By Request have Full Disk Access across my mac fleet.

I have a PPPC that I have deployed and its says completed but on the mac (Ventura) When I check in in Security / Privacy -> Full Disk access , its not ticked .. 

 I have seen on the other app - that although on FDA is enabled - the mac UI may not be updated. 

 Here is the config that I have deployed as per ABR instructions..

macOS Client: IT Admin Manual (adminbyrequest.com)

Screenshot 2023-07-21 at 12.14.55.png

Im wondering if there is a way i can locally in terminal to see if the FDA is enabled or not ..

 

Any input be great!

 

Thanks

4 REPLIES 4

jamf-42
Valued Contributor II

Posted on ‎07-21-2023 04:56 AM

you can. you need to allow terminal full disk access (best to switch off after) then use this: 

sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select client,auth_value from access where service = "kTCCServiceSystemPolicyAllFiles"'

Those with value 2 have full disk access, you will see terminal in the list. 

This is pretty good re Apple TCC database: 

https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive

0 Kudos

Bol
Valued Contributor

Posted on ‎07-21-2023 05:27 AM

No need for sudo but same result, this will just list apps by identifier if fde;

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
  'select client from access where auth_value and service = "kTCCServiceSystemPolicyAllFiles"'
com.apple.Terminal
com.microsoft.OneDrive-mac
org.tempel.findanyfile

 

0 Kudos

Bol
Valued Contributor

‎07-21-2023 06:15 AM - edited ‎07-21-2023 06:19 AM

Also export if needed;

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db <<!
.headers on
.mode csv
.output /tmp/TCC.csv 
SELECT datetime(last_modified, 'unixepoch', 'localtime'),client,auth_value from access; 
!

 And approved or denied;

defaults read ~/Library/Preferences/com.apple.universalaccessAuthWarning.plist

 

0 Kudos

pkleiber
Contributor

Posted on ‎08-04-2023 05:06 AM

@rkelegha1 PPPC settings not shown in the GUI is unfortunately normal behaviour with Configuration Profiles and Setting Full Disk Access :(

We also use Admin By Request and have implemented the same Configuration profile.