Enable Full Disk Access
Elastic Endpoint Security requires Full Disk Access to protect you from malware and other cybersecurity threats. Full Disk Access is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. This means you need to manually grant permission for the Endgame sensor and Elastic Endpoint to access these protected areas of your Mac.
This article describes how to enable Full Disk Access for the required security system extensions, the Elastic Endpoint sensor, and the legacy Endgame sensor.
macOS permissions
The behavior of the Endgame sensor and Elastic Endpoint differs based on your macOS version. MDM/JAMF users can pre-approve all Full Disk Access without granting permission to the sensors. However, depending on the macOS version and sensor type, non-MDM/JAMF users may be prompted to enable Full Disk Access for required security files.
Endgame Sensor
- 10.13, 10.14, 10.15: Users cannot proceed with installation without first granting the sensor the ability to load a kernel extension. During installation, you will be prompted to go to System Preferences and approve loading the kernel extension. Upon approval, installation proceeds.
- 11.0 (Big Sur): Users cannot proceed with installation without first granting the sensor the ability to load a system extension. During installation, you will be prompted to go to System Preferences and approve loading the system extension. Upon approval, a second prompt appears to enable Network Filtering. Approve this final prompt for installation to proceed. You also must grant Full Disk Access to com.endgame.systemextension.
- 10.14.6+, 10.15, 11.0: Grant the esensor Full Disk Access.
Elastic Endpoint
No prompts appear to approve the kernel extension, system extension, or elastic-endpoint, because installation happens through the Elastic Agent. After installation, Endpoint policies will fail to detect events until you approve and enable kernel or system extension loading and Full Disk Access for each version, as reflected in the Administration > Endpoints page of the security application.
- 10.13, 10.14, 10.15: Approve the kernel extension.
- 11.0 (Big Sur): Give Full Disk Access to the System extension, as well as co.elastic.systemextension.
- 10.14.6+, 10.15, 11.0: Grant the elastic-endpoint Full Disk Access.
System extension
To fully protect endpoints from malware and other cybersecurity threats when using Elastic Endpoint with system extensions, Full Disk Access must be enabled for the system extension during installation on macOS Big Sur (11.0) and later.
If you select OK and continue installation, you’ll receive a prompt to Filter Network Content. Select Allow, and then use the following steps to enable Full Disk Access for the system extension.
- Open the System Preferences application.
- Click Security and Privacy. On the Security and Privacy panel, select the Privacy tab.
- In the left pane, select Full Disk Access.
- In the lower-left corner of the panel, click the Lock button and enter your username and password.
- Click the + button to view Finder. Find the system extension com.endgame.systemextension (Endgame sensor) or co.elastic.systemextension (Elastic Endpoint) and select it.
The system extension now has Full Disk Access. However, for both the Elastic Agent and Elastic Endgame sensor to detect events from a macOS host, you must enable Full Disk Access for the file most relevant to your security setup.
Elastic Endpoint and Endgame sensor
The elastic-endpoint files appear after you’ve downloaded and installed the Elastic Agent with Endpoint Security Integration. Similarly, the esensor file for Elastic Endgame appears once you’ve downloaded the sensor on your host.
- Open the System Preferences application.
- Click Security and Privacy. On the Security and Privacy panel, select the Privacy tab.
- In the left pane, select Full Disk Access.
- In the lower-left corner of the panel, click the Lock button and enter your username and password. You can now add the elastic-endpoint or esensor file.
- Click the + button to view Finder. Select the file that pertains most to your Endpoint configuration:
  - Endpoint Security: Navigate to /Library/Elastic/Endpoint/ and select the elastic-endpoint file.
  - Elastic Endgame: Navigate to /Library/Endgame and select the esensor file.
- After you’ve selected the applicable file, click Open.
- In the Privacy tab, confirm that the elastic-agent or esensor file appears in the list of applications that have Full Disk Access permissions.
Elastic Endpoint now has the access required to fully protect your system.
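
A host-side check to run after the steps above, as an added example that is not part of the Elastic documentation: it parses the output of the macOS `systemextensionsctl list` command for the two bundle IDs named on this page and lists which sensor binaries are installed. It does not read the Full Disk Access grants themselves; the sample listing, team ID, versions and extension names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Elastic code): report the load state of the system
# extensions named on this page by parsing `systemextensionsctl list`.

# Constructed sample output; TEAMID0000, versions and names are placeholders.
sample_list() {
    printf '%s\n' \
        '2 extension(s)' \
        '--- com.apple.system_extension.endpoint_security' \
        'enabled active teamID bundleID (version) name [state]' \
        '* * TEAMID0000 co.elastic.systemextension (0.0.0/0.0.0) ElasticEndpoint [activated enabled]' \
        '  * TEAMID0000 com.endgame.systemextension (0.0.0/0.0.0) EndgameSensor [activated waiting for user]'
}

# sysext_state BUNDLE_ID: read the listing on stdin and print the bracketed
# state of BUNDLE_ID, or "not-listed" when the extension is absent.
sysext_state() {
    awk -v id="$1" '
        index($0, id " (") {
            n = split($0, parts, /\[/)
            if (n > 1) {
                state = parts[n]
                sub(/\].*$/, "", state)
                print state
                found = 1
                exit
            }
        }
        END { if (!found) print "not-listed" }'
}

# check_host: run on the Mac itself. Prints each extension state and which of
# the sensor binaries from this page are installed and so need Full Disk Access.
check_host() {
    for id in co.elastic.systemextension com.endgame.systemextension; do
        echo "$id: $(systemextensionsctl list 2>/dev/null | sysext_state "$id")"
    done
    for f in /Library/Elastic/Endpoint/elastic-endpoint /Library/Endgame/esensor; do
        if [ -e "$f" ]; then echo "installed, needs Full Disk Access: $f"; fi
    done
}

# Only query the live host where the macOS tool exists.
if command -v systemextensionsctl >/dev/null 2>&1; then
    check_host
fi
```

An extension reported as `activated waiting for user` has been installed but not yet approved in System Preferences, so the sensor will not detect events from that host until it is.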