Team: Huntress Endpoint Detection and Response (EDR)
Product: Huntress Agent for macOS
Environment: macOS
Summary: The Huntress Agent for macOS requires Full Disk Access and other TCC considerations (Apple's Transparency Consent and Control mechanism) related to the incident response process.
What is Transparency, Consent, and Control (TCC)?
Why does the Huntress Agent for macOS require Full Disk Access?
What if Huntress does not have Full Disk Access on my endpoint?
What is Full Disk Access?
Full Disk Access is a privacy setting on machines running macOS Mojave or later that enables the user to grant an application access to all user folders (Desktop, Documents, Downloads) as well as access other personal user data such as Mail, Safari, and other administrative settings.
What is Transparency, Consent, and Control (TCC)?
For the last few years, Apple has emphasized and championed user privacy (formerly known as Transparency, Consent, and Control, or TCC).
"Apple believes that users should have full transparency, consent, and control over what apps are doing with their data."
This is enforced by requiring all users to consent to applications having access to user data. This explicit consent was introduced with macOS Mojave 10.14.
With most security tools, the concepts of “privacy” and “security” play on the same playground—but with differing principles on how data should be accessed. Security inherently requires obtaining visibility into the areas you are looking to protect; privacy is about keeping that data to yourself.
This means that most security tools, including Huntress, will need to obtain consent from the user for visibility and access into what would be considered private.
Why does the Huntress Agent for macOS require Full Disk Access?
Huntress, and its system extension, require Full Disk Access, so that Huntress can properly perform its Managed Endpoint Detection & Response (EDR) capabilities and has what it needs to investigate all areas of the endpoint. Threats vary wildly and change constantly; having access to data readily available to us provides the agility to explore threat details without having to stop and interrupt the user for permission gathering. In addition, Huntress anticipates continuous development, which may require deeper access into the endpoint for visibility and remediation as we continue to enhance our macOS agent.
In order to understand what the Huntress Agent for macOS requires -- specifically for threat hunting -- we have to think about the various stages of threat hunting:
- Capturing persistence telemetry and hunting for malicious and/or suspicious autoruns.
Isolation of the affected endpoint to stop the spread. - Investigation into binaries, executables, and directories on the system.
- Issuing an incident report with Assisted or Active Remediations -- a mechanism to task the Huntress Agent to handle remediation.
Isolating macOS endpoints requires that the Agent be granted Full Disk Access, as well as permissions for our system extension and network content filter.
What if Huntress does not have Full Disk Access on my endpoint?
Without Full Disk Access, Huntress is quite limited. It still has the ability to capture telemetry regarding persistence on your managed endpoints for threat hunting, but it will lack all visibility it leverages with its EDR capability, and also makes for remediation and file collection much more difficult, and in many cases, not possible.
There may be situations where deeper investigation or remediation of a suspicious threat requires access into those restricted user directories. Without Full Disk Access, Huntress may have blind spots on the endpoint, making it difficult to confirm or provide in-depth details for suspected threats that manifest in those user directories. Without Full Disk Access, Huntress cannot isolate the macOS endpoint.
In addition, any necessary file remediations in user directories may need to be done manually rather than through our Huntress Agent.
Other TCC Considerations
If you encounter an error message during installation that states, "The Installation Failed," you may be experiencing interference from Apple's TCC.
Beginning with macOS Ventura 13.0+, Apple has changed how its Installer behaves with TCC. If a user declines the prompt for Installer access to the Downloads folder, they will not be prompted again for that access, which leads to every installer failing that needs access to that folder.
You can update this setting by:
- On the endpoint, go into System Settings > Files and Folders.
- Expand the Installer row and grant access to the Downloads Folder.
- Alternatively, you can grant the Installer Full Disk Access by going back to the Privacy & Security menu and then into the Full Disk Access list and enabling it there.