Full Disk Access for the macOS Huntress Agent

Team: Huntress EDR
Product: MacOS Huntress Agent
Environment: MacOS
Summary: Full Disk Access for the macOS Huntress Agent and other TCC considerations (Apple's Transparency Consent and Control mechanism) centered around Installer

What is Full Disk Access?

Full Disk Access is a Privacy setting on machines running macOS Mojave or above that enables the user to grant an application access to all user folders (Desktop, Documents, Downloads) as well as access other personal user data such as Mail, Safari, and other administrative settings.

• Manually Provisioning Full Disk Access to the Huntress macOS Agent
• Huntress PPPC Payload for Full Disk Access in Addigy
• Generic PPPC Payload

What is Transparency, Consent, and Control (TCC)?

For the last few years, Apple has emphasized and championed user privacy, (formerly known as Transparency, Consent, and Control, or TCC). 

 "Apple believes that users should have full transparency, consent, and control over what apps are doing with their data."

This is enforced by requiring all users to consent to applications having access to user data introduced in macOS Mojave 10.14.

With most security tools, the concepts of “privacy” and “security” play on the same playground -- but with differing principles on how data should be accessed. Security inherently requires obtaining visibility into the areas you are looking to protect; Privacy is about keeping that data to yourself.

This means that most security tools, including Huntress, will need to obtain consent from the user for visibility and access into what would be considered private.

Does the Huntress macOS agent require Full Disk Access?

Huntress requires Full Disk Access so that the Huntress Agent has what it needs to investigate all areas of the endpoint. Threats vary wildly and change constantly; having access readily available to data provides agility to explore details of a threat without having to stop and interrupt the user for permission gathering. In addition, Huntress anticipates continuous development which may require deeper access into the endpoint for visibility and remediation as we continue to enhance our macOS agent.

In order to understand what the macOS Huntress agent requires -- specifically for persistence hunting -- we have to think about the various stages of threat hunting:

1. Capturing persistence telemetry and hunting for malicious and/or suspicious autoruns
2. Investigation into binaries, executables, and directories on the system
3. Issuing an incident report with Assisted Remediation -- a mechanism to task the Huntress agent to handle remediation

Based on the current capabilities within our macOS agent, most persistence that we capture are in non-user areas of the endpoint that are not currently subject to TCC. This means Full Disk Access is not a current requirement for Huntress’ ability to capture and obtain telemetry with which to hunt.

Investigation, however, is a bit more nuanced. If the binaries, artifacts, IOCs that are needed to validate and confirm a threat are located in user data areas (i.e. Desktop, Downloads, Documents folders), the Huntress agent will need to be granted permission to access them in order to continue investigation.

The same goes for Assisted Remediation, where remediation tasks that apply to those files and folders must have the right permissions in order to succeed.

What if Huntress does not have Full Disk Access on my endpoint?

Without Full Disk Access, Huntress will still have the ability to capture telemetry regarding persistence on your managed endpoints for threat hunting.

There may be situations where deeper investigation or remediation of a suspicious threat requires access into those restricted user directories. Without Full Disk Access, Huntress may have blind spots on the endpoint, making it difficult to confirm or provide in-depth details for suspected threats that manifest in those user directories.

In addition, remediation of files in user directories may need to be done manually rather than through our Huntress agent.

Other TCC Considerations

If you run into an error message during install that states "The Installation Failed" you may be seeing interference from Apple's TCC. Beginning in macOS Ventura 13.0+ Apple has changed how their Installer behaves with TCC. If a user declines Installer access to the downloads folder they probably will not get prompted again for that access, leading to every installer that needs access to that folder to fail. The fix is to go into System Settings -> Files and Folders -> expand out Installer -> grant access to the Downloads Folder . Alternatively you can safely grant Installer Full Disk access by backing out one menu level and going into Full Disk Access.