4 Replies
      Latest reply on Aug 16, 2019 9:44 PM by Charu
      Charu Level 1 (0 points)

        Hi Eskimo,

        Need your help for a query related to privacy protection changes in Catalina.

         

        We noticed that with the latest privacy related changes in Catalina, our processes don't have access to desktop/documents and downloads folders. We are looking for a way to ask our customer to give our processes full disk access so that we can scan files in mentioned folders to check if files are malicious or not. This issue is specific to ‘consumer version of product’ (non-MDM use cases).

         

        Few questions:

        • How do we request customers to give our processes full disk access? Is there an API/documentation available from Apple?
        • How to determine if customer has already granted full disk access to our processes? TCC.db doesn’t have read permissions.

         

        Regards,

        Charu

        • Re: Query related to privacy protection changes in Catalina
          eskimo Apple Staff (12,285 points)

          Is the process doing this running in a global context, for example, a launchd daemon?  Or is it running in a user context, like an app, or a launchd agent?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Query related to privacy protection changes in Catalina
              Charu Level 1 (0 points)

              Hi Eskimo,

                   it's running in global context. It's a launchd daemon process.

               

              Thanks.

              Charu

                • Re: Query related to privacy protection changes in Catalina
                  eskimo Apple Staff (12,285 points)

                  > It's running in global context. It's a launchd daemon process.

                  OK.  Keep in mind that there are two privacy controls in play on 10.15 beta:

                  • System Preferences > Security & Privacy > Full Disk Access

                  • System Preferences > Security & Privacy > Files and Folders

                  Full Disk Access works much like it did on 10.14.  Specifically, it’s a system-wide setting.  In contrast, Files and Folders is new to 10.15 beta.  Critically, this is a per-user setting.

                  Also, Full Disk Access subsumes Files and Folders.  If a program has Full Disk Access, it won’t hit any Files and Folders restrictions.

                  Given the above, a daemon doing AV checking should target Full Disk Access.  And in this respect I don’t think much has changed since 10.14.

                  Anyway, back to your specific questions:

                  > How do we request customers to give our processes full disk access?

                  There is no API for Full Disk Access.  It must be enabled by the user.  If you want to create your own guidance for it, that’s really up to you.

                  As always with authorisation stuff like this, you may want to defer the request until you have a concrete use case.  That is, when your daemon is unable to scan an item, tell the user about that and then suggest Full Disk Access as a remedy.

                  > How to determine if customer has already granted full disk access to our processes?

                  Again, there’s no API for this, and the approach we recommend is that you handle the permissions error you get back via your standard error handling path.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"
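
The approach recommended in the reply above (treat the permissions error as an ordinary scan failure, and only suggest Full Disk Access once an item has actually been denied), as an added example that is not code from the thread or from Apple. It assumes a privacy denial reaches the daemon as EPERM from open(2); the function names, struct and sample paths are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

enum scan_outcome { SCAN_OK, SCAN_DENIED, SCAN_SKIPPED };

struct scan_report {
    size_t scanned, denied, skipped;
    bool suggest_fda; /* true only after a denial was actually observed */
};

/* Assumption: a privacy denial shows up as EPERM from open(2); EACCES is
 * ordinary POSIX permissions. Either way the item could not be scanned. */
enum scan_outcome classify_open_error(int err)
{
    if (err == 0) return SCAN_OK;
    return (err == EPERM || err == EACCES) ? SCAN_DENIED : SCAN_SKIPPED;
}

/* Fold one result into the report; only a denial raises the hint. */
void record_result(struct scan_report *r, int err)
{
    switch (classify_open_error(err)) {
    case SCAN_OK:      r->scanned++; break;
    case SCAN_DENIED:  r->denied++; r->suggest_fda = true; break;
    case SCAN_SKIPPED: r->skipped++; break;
    }
}

void scan_paths(const char **paths, size_t n, struct scan_report *r)
{
    for (size_t i = 0; i < n; i++) {
        int fd = open(paths[i], O_RDONLY);
        int err = (fd < 0) ? errno : 0;
        if (fd >= 0) close(fd); /* a real scanner reads from fd first */
        record_result(r, err);
    }
}

int main(void)
{
    const char *paths[] = { "/", "/constructed-missing-dir/sample.bin" };
    struct scan_report r = {0};
    scan_paths(paths, 2, &r);
    if (r.suggest_fda)
        puts("Some items could not be scanned; enable Full Disk Access to cover them.");
    return 0;
}
```

Because the hint is driven by observed denials rather than a probe of TCC.db, the daemon never needs to know in advance whether access was granted.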