FDA via Jamf and Apple’s PPPC utility
Jamf is a software company that supplies one of the most well-known and popular Mobile Device Management (MDM) solutions for managing Apple devices. Using Jamf, and following the steps below, you can silently and remotely grant Full Disk Access to the AIR responder.
Full Disk Access (FDA) on macOS can be granted by importing a Privacy Preferences Policy Control (PPPC) config file instead of manually selecting the permission options in the Jamf UI.
Why is FDA required?
AIR (like any other acquisition platform) will only achieve a complete macOS data acquisition if FDA is enabled. Artifacts that typically yield partial or no results when FDA is not active include:
App Usage
Bluetooth Connections
Document Revisions
Downloads
DS_Store
Notification Info
TCC
A PPPC config file in macOS manages permissions for apps to access sensitive data and system features like Full Disk Access, camera, and microphone. It's used by organizations to pre-configure these permissions, often through MDM, ensuring necessary apps run without user prompts. These files are in .mobileconfig (XML) format and help balance security with convenience by automating privacy settings for applications.
Steps to follow:
Download and open the Jamf PPPC Utility: https://github.com/jamf/PPPC-Utility/releases/tag/1.5.0
From a MacBook where Binalyze AIR is already installed, go to the path /opt/binalyze/air/agent, drag the "air" binary into PPPC Utility, and the identifier details will be displayed.
In Properties, set "Full Disk Access" to "Allow".
At the bottom right, click "Save" and provide a Payload Name, for example "AIR".
Save AIR.mobileconfig:
Now import the saved config file into Jamf under Configuration Profiles.
Identifier and Identifier Type for importing the config created using PPPC utility to achieve FDA:
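Before uploading the profile to Jamf, it is worth confirming that the saved .mobileconfig really contains an FDA "Allow" rule for the responder's path identifier. The following is an added example, not part of this page or of Binalyze's or Jamf's tooling: it parses a constructed PPPC profile of the shape PPPC Utility produces and reports the SystemPolicyAllFiles (Full Disk Access) rules it contains. The CodeRequirement value is a placeholder; the real one is read from the signed binary by PPPC Utility.

```python
import plistlib

# Constructed sample of a PPPC profile with "Full Disk Access" set to "Allow" for the
# air binary, identified by path rather than bundle ID because it is not an app bundle.
# The CodeRequirement is a placeholder, not a real designated requirement.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>AIR</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
      <key>Services</key>
      <dict>
        <key>SystemPolicyAllFiles</key>
        <array>
          <dict>
            <key>Identifier</key><string>/opt/binalyze/air/agent/air</string>
            <key>IdentifierType</key><string>path</string>
            <key>CodeRequirement</key><string>PLACEHOLDER-CODE-REQUIREMENT</string>
            <key>Allowed</key><true/>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

FDA_SERVICE = "SystemPolicyAllFiles"  # the TCC service name behind "Full Disk Access"
PPPC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"

def fda_grants(profile_bytes: bytes) -> list:
    """Return every FDA rule in a PPPC .mobileconfig as (identifier, identifier_type, allowed)."""
    profile = plistlib.loads(profile_bytes)
    grants = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_PAYLOAD:
            continue
        for rule in payload.get("Services", {}).get(FDA_SERVICE, []):
            # Older profiles use the boolean Allowed; newer ones use Authorization "Allow"/"Deny".
            # A rule without a CodeRequirement will not match the binary, so treat it as not granted.
            allowed = rule.get("Allowed", rule.get("Authorization") == "Allow")
            grants.append((rule.get("Identifier"), rule.get("IdentifierType"),
                           bool(allowed) and bool(rule.get("CodeRequirement"))))
    return grants

def grants_fda(profile_bytes: bytes, identifier: str) -> bool:
    """True if the profile grants Full Disk Access to the given bundle ID or path."""
    return any(ident == identifier and ok for ident, _, ok in fda_grants(profile_bytes))
```

Run it against the real AIR.mobileconfig by replacing SAMPLE_MOBILECONFIG with the file's bytes; a missing or "Deny" rule means the profile will not deliver FDA once imported into Jamf.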
Verification of Full Disk Access:
For a manual install, an entry is created in /Library/Application Support/com.apple.TCC/TCC.db for every application that was granted FDA.
For remote (MDM) deployments, an entry is created in /Library/Application Support/com.apple.TCC/MDMOverrides.plist instead.
For a practical check, try collecting KnowledgeC evidence: a successful collection confirms that the responder has Full Disk Access.