Query related to privacy protection changes in Catalina

Hi Eskimo,

I need your help with a query related to the privacy protection changes in Catalina.


We noticed that with the latest privacy-related changes in Catalina, our processes don't have access to the Desktop, Documents and Downloads folders. We are looking for a way to ask our customers to give our processes Full Disk Access so that we can scan files in the mentioned folders to check whether they are malicious or not. This issue is specific to the consumer version of the product (non-MDM use cases).


A few questions:

  • How do we request that customers give our processes Full Disk Access? Is there an API or documentation available from Apple?
  • How do we determine whether a customer has already granted Full Disk Access to our processes? TCC.db doesn't have read permissions.


Regards,

Charu

Replies

Is the process doing this running in a global context, for example, a launchd daemon? Or is it running in a user context, like an app, or a launchd agent?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,

It's running in a global context. It's a launchd daemon process.


Thanks.

Charu

It's running in a global context. It's a launchd daemon process.

OK. Keep in mind that there are two privacy controls in play on 10.15 beta:

  • System Preferences > Security & Privacy > Full Disk Access

  • System Preferences > Security & Privacy > Files and Folders

Full Disk Access works much like it did on 10.14. Specifically, it’s a system-wide setting. In contrast, Files and Folders is new to 10.15 beta. Critically, this is a per-user setting.

Also, Full Disk Access subsumes Files and Folders. If a program has Full Disk Access, it won’t hit any Files and Folders restrictions.

Given the above, a daemon doing AV checking should target Full Disk Access. And in this respect I don’t think much has changed since 10.14.

Anyway, back to your specific questions:

How do we request that customers give our processes Full Disk Access?

There is no API for Full Disk Access. It must be enabled by the user. If you want to create your own guidance for it, that’s really up to you.

As always with authorisation stuff like this, you may want to defer the request until you have a concrete use case. That is, when your daemon is unable to scan an item, tell the user about that and then suggest Full Disk Access as a remedy.

How do we determine whether a customer has already granted Full Disk Access to our processes?

Again, there’s no API for this, and the approach we recommend is that you handle the permissions error you get back via your standard error handling path.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
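The approach Quinn recommends above, as an added example that is not part of the original thread or Apple's code: the daemon attempts the scan, lets the failure flow through its normal error-handling path, and only when a concrete item could not be read does it suggest Full Disk Access. The example assumes that a TCC denial on macOS surfaces from open() as EPERM ("Operation not permitted"), distinct from an ordinary UNIX EACCES; the file path is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Outcome of one scan attempt, as seen by the daemon's error path. */
typedef enum {
    SCAN_OK = 0,        /* file opened; contents can now be inspected */
    SCAN_MISSING,       /* path does not exist: nothing to scan */
    SCAN_POSIX_DENIED,  /* ordinary UNIX permission problem (EACCES) */
    SCAN_NEEDS_FDA,     /* EPERM: assumed to be a TCC privacy denial */
    SCAN_OTHER_ERROR
} scan_result_t;

/* Map the errno left by open()/read() onto the outcomes above.
 * Assumption: without Full Disk Access, macOS TCC rejects the open
 * with EPERM rather than EACCES, so the two are kept apart. */
scan_result_t classify_scan_errno(int err)
{
    switch (err) {
    case 0:      return SCAN_OK;
    case ENOENT: return SCAN_MISSING;
    case EACCES: return SCAN_POSIX_DENIED;
    case EPERM:  return SCAN_NEEDS_FDA;
    default:     return SCAN_OTHER_ERROR;
    }
}

/* Try to open one file for scanning and classify any failure. Only the
 * open() is shown; the actual content check would follow SCAN_OK. */
scan_result_t try_scan(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return classify_scan_errno(errno);
    close(fd);
    return SCAN_OK;
}

/* Report a failed item. Only the TCC case points the user at the
 * Full Disk Access setting; other failures are logged as ordinary skips. */
void report_scan_result(const char *path, scan_result_t r)
{
    static const char *names[] = { "ok", "missing", "permission denied",
                                   "needs Full Disk Access", "error" };
    if (r == SCAN_NEEDS_FDA)
        fprintf(stderr, "%s: not permitted. Grant Full Disk Access in "
                "System Preferences > Security & Privacy.\n", path);
    else if (r != SCAN_OK)
        fprintf(stderr, "%s: skipped (%s)\n", path, names[r]);
}
```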

Thanks, Eskimo, for the quick reply and suggestions.