Grant the Sensor Full Disk Access by using MDM

The easiest way to distribute the necessary Privacy Preference payload is to upload the MDM-privacyconfig.mobileconfig file, which is in the mounted DMG of the installer in the docs folder.

The following steps recreate the mobileconfig in your MDM.

These instructions were created using Apple documentation and were validated in Jamf PRO and WorkspaceONE UEM using sensor version 3.5.0.30. Field names, values, and functionality vary depending on the MDM framework or sensor version.

Granting an application full disk access is accomplished via a Privacy Preferences payload. The Carbon Black Cloud Sensor requires five identifiers in this Privacy payload.

Procedure

Complete the fields exactly as follows. Copy and paste for accuracy.

Identifier: com.vmware.carbonblack.cloud.daemon

Identifier Type: Bundle ID

Code Requirement:

identifier "com.vmware.carbonblack.cloud.daemon" and anchor apple generic 
                        and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and 
                        certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and 
                        certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service: SystemPolicyAllFiles

Access: Allow

Identifier: com.vmware.carbonblack.cloud.osqueryi

Identifier Type: Bundle ID

Code Requirement:

identifier "com.vmware.carbonblack.cloud.osqueryi" and anchor apple generic 
                        and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and 
                        certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and 
                        certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service: SystemPolicyAllFiles

Access: Allow

Identifier: com.vmware.carbonblack.cloud.se-agent.extension

Identifier Type: Bundle ID

Code Requirement:

identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic 
                        and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */and 
                        certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and 
                        certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service: SystemPolicyAllFiles

Access: Allow

Identifier: com.vmware.carbonblack.cloud.uninstall

Identifier Type: Bundle ID

Code Requirement:

identifier "com.vmware.carbonblack.cloud.uninstall" and anchor apple generic 
                        and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and 
                        certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and 
                        certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service: SystemPolicyAllFiles

Access: Allow

Identifier: com.vmware.carbonblack.cloud.uninstallerui

Identifier Type: Bundle ID

Code Requirement:

identifier "com.vmware.carbonblack.cloud.uninstallerui" and anchor apple 
                        generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and 
                        certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and 
                        certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service: SystemPolicyAllFiles

Access: Allow

Verify the Full Disk Access application on endpoints in one of two ways:
- Use the Repcli status command on the individual endpoint:
```
sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli status
```
  Expected values are:
  - All five Carbon Black Cloud sensor items that require Full Disk Access are marked as Configured via MDM. For example:
  - Sensor State is Enabled.
- In the Carbon Black Cloud console, click Inventory > Endpoints. For the endpoint in question, the status should read:
  - Sensor Status: Active (not in Bypass)
  - No FDA Error is present