Full Disk Access

Full Disk Access (allows the application access to all protected files, including system administration files) is needed for some apps to function correctly on macOS. This page shows how to grant it with a mobileconfig profile and send that profile out to all macOS clients using MDM.

Note! Microsoft Defender.app is only used as an example.

Codesign

First, let's find the code identifier. Open Terminal and run codesign against the application path to get it.

  1. Open Terminal
  2. Type:
codesign -dr - "/Applications/Microsoft Defender.app"

output:

  • Executable=/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon
  • designated => identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

Help for the command:

  • codesign → A macOS command-line tool for managing code signatures.
  • -dr - →
    • -d → Displays information about the app's signature.
    • -r - → Displays the designated requirement (a policy that defines how the app's signature is validated); the trailing "-" writes it to standard output.
  • "/Applications/Microsoft Defender.app" → The path to the Microsoft Defender app (if installed).

Check if application has Full Disk Access

To check whether an application already has Full Disk Access, or whether it is working after Full Disk Access has been applied, run the following command. If more than one result is listed, you may need to search the list for the application. (Sometimes Full Disk Access still works even though it does not show up here or in the GUI under System Settings.)

  1. Open Terminal
  2. Type:
sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "SELECT * FROM access WHERE service='kTCCServiceSystemPolicyAllFiles';"

output:

  • kTCCServiceSystemPolicyAllFiles|com.microsoft.wdav|0|1|1|2024-02-23 10:30:45|2024-02-22 14:15:12|UNUSED|UNUSED|1234567890

Understanding the Output

Each field in the pipe-separated row is a column of the access table. The column names and their order differ between macOS versions, so run ".schema access" inside sqlite3 to see the exact layout on the Mac you are querying.

Field | Example Value | Description
service | kTCCServiceSystemPolicyAllFiles | The type of permission requested (e.g., Full Disk Access, Camera, Microphone).
client | com.microsoft.wdav | The bundle identifier of the application.
client_type | 0 | 0 = App bundle, 1 = Command-line tool.
allowed | 1 | 1 = Allowed, 0 = Denied.
prompt_count | 1 | Number of times the app was prompted for access.
indirect_object_identifier | 2024-02-23 10:30:45 | Last modification timestamp.
direct_object_identifier | 2024-02-22 14:15:12 | Timestamp of when permission was first granted.
flags | UNUSED | Typically unused.
last_modified_by_username | UNUSED | Usually blank for system-wide permissions.
csreq | 1234567890 | A code signing requirement hash.

Defender already had Full Disk Access on this Mac: the allowed field in the output is 1.

Create a mobileconfig file

Next, create the mobileconfig file that MDM will push to all other macOS clients.

To create the mobileconfig file, let's use iMazing.

  1. Download the iMazing app from the Apple App Store.
  2. Open the app, search for Privacy Preferences Policy Control and add that payload.
  3. Under Privacy Preferences Policy Control, scroll down to the Full Disk Access section.
  4. Fill in:
    • Identifier: com.microsoft.wdav (the identifier reported by codesign above)
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
    • Static Code: Optional
    • Authorized: No Value
    • Allowed: 1
    • Comment: Optional

Path can be used instead of Bundle ID as the Identifier Type, for example when the app has no bundle ID. The table below summarizes when to use which.

Scenario | Use Bundle ID? | Use Path?
Standard installed app | ✅ Yes | ❌ No
Modified or patched app | ❌ No | ✅ Yes
Command-line tool / standalone binary | ❌ No | ✅ Yes
Running app from an external drive | ❌ No | ✅ Yes
Temporary or unsigned app | ❌ No | ✅ Yes

Defender is a standard installed app, so the Bundle ID entry above is the one we use; the Path variant that follows is only for demonstration.

If using Path it should look like this:

  • Identifier: /Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon
  • Identifier Type: Path
  • Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
  • Static Code: Optional
  • Authorized: No Value
  • Allowed: 1
  • Comment: Optional

Don't forget to fill in the General section in iMazing and save the profile.

An excerpt from the saved mobileconfig file:

            <dict>
                <key>SystemPolicyAllFiles</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.microsoft.wdav</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                </array>
            </dict>

Deploy it via MDM as a Device Channel deployment. PPPC payloads are only honored when they arrive through MDM; a profile installed by hand on the Mac is ignored for this purpose.

If you don't want to build the profile manually, a great tool for granting Full Disk Access is the Privacy Preferences Policy Control (PPPC) Utility.
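The whole procedure above, from the codesign output to a saved profile, as an added Python example that is not part of the original post. It takes the designated requirement from a constructed copy of the codesign output, builds the com.apple.TCC.configuration-profile-policy payload with plistlib, and then lints the result for the two slips that are easy to make by hand: an Identifier that does not match the identifier inside the Code Requirement, and a broken "/* exists */" comment. The organization name is a placeholder.

```python
import plistlib
import re
import uuid

# Constructed sample of `codesign -dr - "/Applications/Microsoft Defender.app"` output (not captured live).
CODESIGN_OUTPUT = (
    "Executable=/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon\n"
    'designated => identifier "com.microsoft.wdav" and anchor apple generic and certificate '
    "1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] "
    "/* exists */ and certificate leaf[subject.OU] = UBF8T346G9\n"
)

def parse_codesign(output):
    """Extract executable path, code identifier and designated requirement from codesign -dr - output."""
    exe = re.search(r"^Executable=(.+)$", output, re.M)
    req = re.search(r"^designated => (.+)$", output, re.M)
    ident = re.search(r'^identifier "([^"]+)"', req.group(1)) if req else None
    if not (exe and ident):
        raise ValueError("unexpected codesign output")
    return {"executable": exe.group(1), "identifier": ident.group(1), "requirement": req.group(1)}

def build_fda_profile(info, org="Example Org", use_path=False):
    """Return a PPPC mobileconfig (XML plist bytes) granting Full Disk Access to one app."""
    entry = {"Identifier": info["executable"] if use_path else info["identifier"],
             "IdentifierType": "path" if use_path else "bundleID",
             "CodeRequirement": info["requirement"],  # TCC validates the binary against this
             "Allowed": True, "Comment": ""}
    payload = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
               "PayloadIdentifier": info["identifier"] + ".fda.payload",
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
               "Services": {"SystemPolicyAllFiles": [entry]}}
    profile = {"PayloadType": "Configuration", "PayloadScope": "System",  # device-channel profile
               "PayloadIdentifier": info["identifier"] + ".fda",
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
               "PayloadDisplayName": "Full Disk Access", "PayloadOrganization": org,
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)

def lint_profile(xml_bytes):
    """Re-read the profile and report the slips this walkthrough is prone to (empty list = clean)."""
    problems = []
    for payload in plistlib.loads(xml_bytes).get("PayloadContent", []):
        for e in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
            req = e.get("CodeRequirement", "")
            req_id = re.search(r'identifier "([^"]+)"', req)
            if req.count("/*") != req.count("*/"):
                problems.append("unbalanced /* ... */ comment in CodeRequirement")
            if e["IdentifierType"] == "bundleID" and req_id and req_id.group(1) != e["Identifier"]:
                problems.append(f"Identifier {e['Identifier']} does not match requirement {req_id.group(1)}")
            if e.get("Allowed") is not True:
                problems.append("Allowed must be true to grant access")
    return problems
```

Write the bytes returned by build_fda_profile to a .mobileconfig file and upload that to the MDM; on a real Mac, feed the live codesign output to parse_codesign instead of the constructed sample.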
