Full disk access profile doesn't seem to work

[Peter Thorn]

Hi

I am deploying a profile for Trend Micro, allowing some parts full disk access (via the Security & Privacy profile payload).

The profile is the attached. As seen on example 2, the profile is loaded (tilladt means allowed in Danish)

But as seen on example 1 the application/extension is in the list, but the checkbox is not checked.

And Trend Micro prompts the user for allowing access manually.

So: is it normal behaviour that the application/extension is in the list but checkbox not checked, if it has been assigned full disk access via the profile, or have I made a mistake somewhere?

Thanks,

Peter

PS. This is also an issue/a question regarding other apps, not only Trend. I am just in doubt how it should work in general, as I seem to get mixed results, and this time it annoys me too much

Trend Full disk rettigheder.mobileconfig

[Josh Levitsky]

While I don't know that I have an answer (and perhaps another customer will) I did see this https://success.trendmicro.com/dcx/s/solution/000277823?language=en_US and was wondering if the profiles published there are helpful. They also show FileWave specific info. I didn't get to dig in to this but was hoping maybe that would be helpful. It's also important to make sure the profile hits the device before the software does or likely you'll get prompted still since Apple devices like these profiles to be present before the app launches. 

[Pierre-Nicolas]

As far as I know, there is a disconnect between Preferences / Security & Privacy and the profile itself.

I tried on macOS Ventura - deploying a terminal app (Alacritty) and a TCC profile to grant full disk access.

While the profile / management details confirms the value is accepted:

But Preferences say differently:

Doing this, the terminal app I deployed could access all folders (tried as well with Desktop), which I could not before I sent the profile.

So I would not rely on Preferences / Privacy and Security pane, only on Profile details.

 

[Peter Thorn]

On 10/21/2022 at 6:22 PM, Josh Levitsky said:

While I don't know that I have an answer (and perhaps another customer will) I did see this https://success.trendmicro.com/dcx/s/solution/000277823?language=en_US and was wondering if the profiles published there are helpful. They also show FileWave specific info. I didn't get to dig in to this but was hoping maybe that would be helpful. It's also important to make sure the profile hits the device before the software does or likely you'll get prompted still since Apple devices like these profiles to be present before the app launches. 

Thank you, @Josh Levitsky. The Trend site (including the one you're referring to) is unfortunately not complete, in my experience. What they write is almost covering the standard Trend Micro installation (I have another giant profile for that...) but when you have to enable XDR (their basecamp pkg) information is missing. I also have a preflight requirement script to check if the profile is installed. But thank you for giving it a shot

[Peter Thorn]

20 hours ago, Pierre-Nicolas said:

As far as I know, there is a disconnect between Preferences / Security & Privacy and the profile itself.

I tried on macOS Ventura - deploying a terminal app (Alacritty) and a TCC profile to grant full disk access.

While the profile / management details confirms the value is accepted:

But Preferences say differently:

Doing this, the terminal app I deployed could access all folders (tried as well with Desktop), which I could not before I sent the profile.

So I would not rely on Preferences / Privacy and Security pane, only on Profile details.

 

Thanks @Pierre-Nicolas This replicate my experience. I haven't been able to find documentation that supports it, but your explanation makes absolutely sense (because other apps that I have allowed full disk access seems to get it even though they doesn't look like that in Privacy & Security, as your screenshot also shows).

I guess I have to try and reach out to Trend support again.

[Sean]

This is expected behaviour.  The privacy settings viewed through System Preferences are the settings that would be in place if there is no profile applied; these are the user's personal settings.  As such, if a profile is deployed through MDM to override these settings, the System Preferences won't alter what is viewed, since the MDM Profile settings are applied by the system.  You should expect the MDM Profile settings to be active though.  This experience has been the case since Apple introduced TCC/PPPC Privacy Profiles.  It means the user has visibility of their settings if the Profile were removed.