In macOS Catalina, Apple has introduced a whole new permissions system so that applications cannot access system files or user files by default. In order for Kolide to properly function, it needs to be granted explicit full disk access.

Why does Kolide need full disk access? 

Kolide needs full disk access to perform the following tasks:

  1. To list other apps that also have disk access that may not need it.
  2. To inspect system files that give us a better understanding of the security of the device.
  3. To look for evidence of plain text credentials in your downloads, documents, and desktop folders.
  4. Finally, to read the file name of our installation package to assist with user-to-device association. 

Kolide takes having full disk access to your mac very seriously and will never transmit the content of your personal files to our server. 

If there are questions or concerns about this, please contact us at, or speak with your admin.

How do I detect which devices have full disk access?

By logging into K2, we have prepared a special inventory view called Kolide Agents that will list all devices that have insufficient permissions. 

Additionally, if a device is missing permissions, you will see the Kolide Logo turn red on their device details page. 

Options for enabling full disk access

Option 1: via MDM (Jamf, Airwatch, etc.)
If your organization uses MDM to manage its macs, we have prepared a profile that you can distribute that will grant the Kolide agent the correct permissions. 

Please consult your MDM provider's documentation on how to correctly add the SystemPolicyAllFiles permissions for an app. You will need the following information to construct your own profile:

  • Identifier Type - "Path"
  • Identifier - /usr/local/kolide-k2/bin/launcher
  • CodeRequirement - identifier launcher and anchor apple generic and certificate 1[field.1.2.840.113635.] /* exists */ and certificate leaf[field.1.2.840.113635.] /* exists */ and certificate leaf[subject.OU] = YZ3EM74M78  

If you prefer to use the Bundle ID instead, use  com.kolide-k2.launcher. If you need any additional help constructing the profile, please reach out to support.

Option 2: Have users manually update this permission on their device. If your users have self-installed the Kolide package, and you have our Slack app installed, Kolide will reach out to your users automatically with instructions on how to grant full disk access

32-Bit Apps

macOS Catalina is the first version of macOS to no longer support legacy 32-bit applications. If you are unsure if your organization has any remaining 32-bit apps, you can list them in the K2 apps Inventory.

Did this answer your question?