Enable Full Disk Access for the Elastic Endgame sensor on macOS Ventura and higher
editEnable Full Disk Access for the Elastic Endgame sensor on macOS Ventura and higher
editOn macOS versions starting with Ventura, Elastic Endgame requires Full Disk Access to protect against malware and other cybersecurity threats. Full Disk Access permission is a privacy feature that controls which applications can access your data. This means you need to manually enable Full Disk Access permission for the Elastic Endgame sensor to access these protected areas of your Mac.
macOS permissions
editThe behavior of the Elastic Endgame sensor differs based on your macOS version. MDM/Jamf users can pre-approve all Full Disk Access without granting permission to the sensor. However, depending on the macOS version and sensor type, non-MDM/Jamf users may be prompted to enable Full Disk Access for required security files.
Here are the Full Disk Access requirements for macOS versions 13.0 and above:
- Approve the system extension for the Elastic Endgame sensor. During installation, you’ll be prompted to go to System Preferences and approve the system extension. Upon approval, a second prompt appears to enable Network Filtering. Approve this final prompt to proceed.
- Grant the Elastic Endgame sensor Full Disk Access.
The following instructions apply to the Elastic Endgame sensor only. To see requirements for the Elastic Endpoint, refer to Install Elastic Endpoint manually on macOS Ventura and higher.
Approve the system extension for the Elastic Endgame sensor
editTo fully protect endpoints from malware and other cybersecurity threats when using Elastic Endgame with system extensions, you must enable the system extension during installation on macOS Ventura (13.0) and later.
When you receive the following prompt to approve loading the system extension:
- Open the System Settings.
- Select Privacy & Security.
-
In the right pane, scroll down to the Security section. Click Allow to allow the Elastic Endgame system extension to load.
- Enter your username and password and click Modify Settings to save your changes.
Approve network content filtering for Elastic Endgame
editAfter successfully loading the Elastic Endgame system extension, an additional message appears, asking to allow Elastic Endgame to filter network content.
Click Allow to enable content filtering for the Elastic Endgame system extension. Without this approval, Elastic Endgame cannot receive network events and, therefore, cannot enable network-related features such as host isolation.
Enable Full Disk Access for the Elastic Endgame sensor
editFor the Elastic Endgame sensor to detect events from a macOS host, you must enable Full Disk Access for the esensor file, which appears once you’ve downloaded the sensor on your host.
- Open the System Settings application.
- Select Privacy & Security.
-
From the right pane, select Full Disk Access.
- Click the + button to view Finder.
-
The system may prompt you to enter your username and password if you haven’t already.
-
Navigate to
/Library/Endgame, then select theesensorfile. - Click Open.
-
In the Privacy tab, confirm that the
com.endgameandesensorfiles appear in the list of applications with Full Disk Access permission.
The Elastic Endgame sensor now has the access required to fully protect your system.