The easiest way to distribute the necessary Privacy Preferences payload is to upload the MDM-privacyconfig.mobileconfig file, which is located in the docs folder of the mounted installer DMG.

The following steps recreate the mobileconfig in your MDM.

These instructions were created using Apple documentation and were validated in Jamf Pro and Workspace ONE UEM using sensor version 3.5.0.30. Field names, values, and functionality vary depending on the MDM framework or sensor version.

Granting an application full disk access is accomplished via a Privacy Preferences payload. The Carbon Black Cloud Sensor requires five identifiers in this Privacy payload.

Procedure

  1. Complete the fields exactly as follows. Copy and paste for accuracy.

    Identifier: com.vmware.carbonblack.cloud.daemon

    Identifier Type: Bundle ID

    Code Requirement:

    identifier "com.vmware.carbonblack.cloud.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

    App or Service: SystemPolicyAllFiles

    Access: Allow

    Identifier: com.vmware.carbonblack.cloud.osqueryi

    Identifier Type: Bundle ID

    Code Requirement:

    identifier "com.vmware.carbonblack.cloud.osqueryi" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

    App or Service: SystemPolicyAllFiles

    Access: Allow

    Identifier: com.vmware.carbonblack.cloud.se-agent.extension

    Identifier Type: Bundle ID

    Code Requirement:

    identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

    App or Service: SystemPolicyAllFiles

    Access: Allow

    Identifier: com.vmware.carbonblack.cloud.uninstall

    Identifier Type: Bundle ID

    Code Requirement:

    identifier "com.vmware.carbonblack.cloud.uninstall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

    App or Service: SystemPolicyAllFiles

    Access: Allow

    Identifier: com.vmware.carbonblack.cloud.uninstallerui

    Identifier Type: Bundle ID

    Code Requirement:

    identifier "com.vmware.carbonblack.cloud.uninstallerui" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

    App or Service: SystemPolicyAllFiles

    Access: Allow

  2. Verify that Full Disk Access has been applied on endpoints in one of two ways:
    • Use the RepCLI status command on the individual endpoint:
      sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli status
      

      Expected values are:

      • All five Carbon Black Cloud sensor items that require Full Disk Access are marked as Configured via MDM. For example:

        [Screenshot: Verify FDA by using RepCLI status command on the endpoint]

      • Sensor State is Enabled.
    • In the Carbon Black Cloud console, click Inventory > Endpoints. For the endpoint in question, the status should read:
      • Sensor Status: Active (not in Bypass)
      • No FDA Error is present
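
Before deploying a profile recreated by hand, the five entries from step 1 can be checked offline. The following Python script is an added example, not part of the original documentation or the vendor's tooling: it audits an unsigned .mobileconfig for the five identifiers, the documented code requirements, and the Allow setting. It assumes Apple's Privacy Preferences payload keys (PayloadType com.apple.TCC.configuration-profile-policy, Services, SystemPolicyAllFiles, Identifier, IdentifierType, CodeRequirement, Allowed or Authorization); the function names and the sample profile are constructed for illustration.

```python
import plistlib

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"  # Apple's PPPC payload type
TEAM_OU = "7AGZNQ2S2T"  # subject.OU value given in the procedure
BUNDLE_IDS = [f"com.vmware.carbonblack.cloud.{s}" for s in
              ("daemon", "osqueryi", "se-agent.extension", "uninstall", "uninstallerui")]

def expected_requirement(bundle_id):
    """Code requirement from the procedure, written on a single line."""
    return (f'identifier "{bundle_id}" and anchor apple generic and '
            "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
            "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
            f'certificate leaf[subject.OU] = "{TEAM_OU}"')

def normalize(req):
    """Collapse line wraps and spacing differences introduced by copy and paste."""
    return " ".join(req.replace("*/", "*/ ").split())

def audit_profile(data):
    """Return a list of problems found in an unsigned .mobileconfig (bytes)."""
    entries = {}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == TCC_TYPE:
            for e in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
                entries[e.get("Identifier")] = e
    problems = []
    for bid in BUNDLE_IDS:
        e = entries.get(bid)
        if e is None:
            problems.append(f"{bid}: no SystemPolicyAllFiles entry")
            continue
        if e.get("IdentifierType") != "bundleID":
            problems.append(f"{bid}: IdentifierType is not bundleID")
        if normalize(e.get("CodeRequirement", "")) != expected_requirement(bid):
            problems.append(f"{bid}: CodeRequirement differs from the documented value")
        if e.get("Allowed") is not True and e.get("Authorization") != "Allow":
            problems.append(f"{bid}: access is not set to Allow")
    return problems

def sample_profile(skip=(), wrap=False):
    """Constructed test profile (not the vendor's file); wrap adds line breaks."""
    entries = [{"Identifier": b, "IdentifierType": "bundleID", "Allowed": True,
                "CodeRequirement": expected_requirement(b).replace(
                    " and ", "\n    and " if wrap else " and ")}
               for b in BUNDLE_IDS if b not in skip]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": TCC_TYPE, "Services": {"SystemPolicyAllFiles": entries}}]})

if __name__ == "__main__":
    print(audit_profile(sample_profile(wrap=True)) or "all five entries match")
```

To audit a real export, pass the file's bytes to audit_profile; a CMS-signed profile must have its signature wrapper removed first, because plistlib reads only the plain property list.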