Enable Full Disk Access

edit

The Endpoint Security requires Full Disk Access to protect you from malware and other cybersecurity threats. Full Disk Access permissions is a new privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. This means you need to manually grant permission for the Endgame sensor and Elastic Endpoint to access these protected areas of your Mac.

This article describes how to enable Full Disk Access for the required security system extensions, the Elastic Endpoint sensor, and the legacy Endgame sensor.

macOS permissions

edit

The behavior of the Endgame sensor and Elastic Endpoint differs based on your macOS version. MDM/JAMF users can pre-approve all Full Disk Access without granting permission to the sensors. However, depending on the macOS version and sensor type, non-MDM/JAMF users may be prompted to enable Full Disk Access for required security files.

Endgame Sensor

  • 10.13, 10.14, 10.15: Users cannot proceed with installation without first granting the sensor the ability to load a kernel extension. During installation, you will be prompted to go to System preferences and approve loading the kernel. Upon approval, installation proceeds.
  • 11.0 (Big Sur): Users cannot proceed with installation without first granting the sensor the ability to load System extension. During installation, you will be prompted to go to System preferences and approve loading the system extension. Upon approval, a second prompt appears to enable Network Filtering. Approve this final prompt for installation to proceed.

    You also must grant Full Disk Access to com.endgame.systemextension.

  • 10.14.6+, 10.15, 11.0: Grant the esensor Full Disk Access.

Elastic Endpoint

No prompts appear to approve the kernel, System extension, or elastic-endpoint, due to installation happening through the Elastic Agent. After installation, Endpoint policies will fail to detect events until you approve and enable kernel or system extension loading and Full Disk Access for each version, as reflected in the Endpoints page of the Elastic Security app.

System extension

edit

To fully protect endpoints from malware and other cybersecurity threats when using Elastic Endpoint with system extensions, Full Disk Access must be enabled for the system extension during installation on macOS Big Sur (11.0) and later.

System Extension Prompt

If you select OK and continue installation, you’ll receive a prompt to Filter Network Content. Select Allow, and then use the following steps to enable Full Disk Access for the system extension.

  1. Open the System Preferences application.
  2. Click Security and Privacy. On the Security and Privacy panel, select the Privacy tab.
  3. In the left pane, select Full Disk Access.

    Select Full Disk Access
  4. In the lower-left corner of the panel, click the Lock button and enter your username and password.
  5. Click the + button to view Finder. Find the system extension com.endgame.systemextension (Endgame sensor) or co.elastic.systemextension (Elastic Endpoint) and select.

The system extension now has Full Disk Access. However, for both the Elastic Agent and Elastic Endgame sensor to detect events from a macOS host, you must enable Full Disk Access for the file most relevant to your security setup.

Elastic Endpoint and Endgame sensor

edit

The elastic-endpoint files appear after you’ve downloaded and installed the Elastic Agent with Endpoint Security Integration. Similarly, the esensor file for Elastic Endgame appears once you’ve downloaded the sensor on your host.

  1. Open the System Preferences application.
  2. Click Security and Privacy. On the Security and Privacy panel, select the Privacy tab.
  3. In the left pane, select Full Disk Access.

    Select Full Disk Access
  4. In the lower-left corner of the panel, click the Lock button and enter your username and password. You can now add the elastic-endpoint or esensor file.
  5. Click the + button to view Finder. Select the file that pertains most to your Endpoint configuration:

    • Endpoint Security: Navigate to /Library/Elastic/Endpoint/ and select the elastic-endpoint file.
    • Elastic Endgame: Navigate to /Library/Endgame and select the esensor file.
  6. After you’ve selected the applicable file, click Open.
  7. In the Privacy tab, confirm that the elastic-agent or esensor file appears in the list of applications that have Full Disk Access permissions.

Elastic Endpoint now has the access required to fully protect your system.