In macOS Catalina, Apple has introduced a whole new permissions system so that applications cannot access system files or user files by default. In order for Kolide to properly function, it needs to be granted explicit full disk access.
Why does Kolide need full disk access?
Kolide needs full disk access to perform the following tasks:
To list other apps that also have disk access that may not need it.
To inspect system files that give us a better understanding of the security of the device.
To look for evidence of plain text credentials in your downloads, documents, and desktop folders.
Finally, to read the file name of our installation package to assist with user-to-device association.
Kolide takes having full disk access to your mac very seriously and will never transmit the content of your personal files to our server.
If there are questions or concerns about this, please contact us at firstname.lastname@example.org, or speak with your admin.
How do I detect which devices have full disk access?
Additionally, if a device is missing permissions, you will see the Kolide Logo turn red on their device details page.
Options for enabling full disk access
Option 1: via MDM (Jamf, Airwatch, etc.)
If your organization uses MDM to manage its macs, we have prepared a profile that you can distribute that will grant the Kolide agent the correct permissions.
Please consult your MDM provider's documentation on how to correctly add the SystemPolicyAllFiles permissions for an app. You will need the following information to construct your own profile:
Identifier Type -
identifier launcher and anchor apple generic and certificate 1[field.1.2.840.113618.104.22.168.6] /* exists */ and certificate leaf[field.1.2.840.113622.214.171.124.13] /* exists */ and certificate leaf[subject.OU] = YZ3EM74M78
Feel free to use the example profile below
<string>identifier launcher and anchor apple generic and certificate 1[field.1.2.840.1136126.96.36.199.6] /* exists */ and certificate leaf[field.1.2.840.1136188.8.131.52.13] /* exists */ and certificate leaf[subject.OU] = YZ3EM74M78</string>
<string>Allow kolide access to device and user level files</string>
If you need any additional help constructing the profile, please reach out to support.
Option 2: Have users manually update this permission on their device. If your users have self-installed the Kolide package, and you have our Slack app installed, Kolide will reach out to your users automatically with instructions on how to grant full disk access.
macOS Catalina is the first version of macOS to no longer support legacy 32-bit applications. If you are unsure if your organization has any remaining 32-bit apps, you can list them in the K2 apps Inventory.