Does an app need Full Disk Access if System Integrity Protection is disabled?

App & System Services Core OS
sbhat6 OP
Created May ’24
Replies 1
Boosts 0
Views 425
Participants 2

I am going through the list of ways to check if my app is given Full Disk Access (FDA) or not. Out of which only one method is supported by apple.

@note The only supported way to check if an application is properly TCC authorized for Full Disk Access
 *       is to call es_new_client and handling ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED in a way appropriate
 *       to your application.

I have implemented this method using EndpointSecurity and calling it from a root process as required. But when I disable System Integrity Protection (SIP) and call it, it succeeds without FDA. No error is thrown. Then I tested, in our app both EndpointSecurity and protected folder access (like Documents folder) functionalities are working fine even without FDA when SIP is disabled. Now my questions are

  1. When SIP disabled, does every app has FDA access by default?.
  2. Is there any use case that still needs FDA access when SIP is off?.
  3. Is there any way to check for FDA permission given or not whenever SIP is off, since above method won't work in that case?.
Replies  1
Boosts  0
Views  425
Participants  2
DTS Engineer OP
Apple
May ’24

FDA is effectively disabled when you disable SIP.

Is there any way to check for FDA permission given or not whenever SIP is off, since above method won't work in that case?

To what end? I mean, if you’re building an ES client and you end up running on a machine with SIP disabled, your ES client will work regardless of whether it has FDA, so why do you need to check for it?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Does an app need Full Disk Access if System Integrity Protection is disabled?
First post date Last post date
 
 
Q