Enable Full Disk Access for the Endgame sensor

edit

If your solution includes Elastic Endgame, it requires Full Disk Access to protect you from malware and other cybersecurity threats. Full Disk Access permissions is a new privacy feature introduced in macOS Mojave (10.14) that controls which applications can access your data. This means you need to manually enable Full Disk Access permission for the Endgame sensor to access these protected areas of your Mac.

macOS permissions

edit

The behavior of the Endgame sensor differs based on your macOS version. MDM/Jamf users can pre-approve all Full Disk Access without granting permission to the sensor. However, depending on the macOS version and sensor type, non-MDM/Jamf users may be prompted to enable Full Disk Access for required security files.

Here are the following Full Disk Access requirements for specific versions of macOS:

  • 10.13, 10.14, 10.15: You cannot install the sensor without allowing it to load a kernel extension. During installation, you’ll be prompted to go to System Preferences and approve it. Upon approval, installation proceeds.
  • 11.0, 12.0: You cannot install the sensor without allowing it to load a system extension. During installation, you’ll be prompted to go to System Preferences and approve it. Upon approval, a second prompt appears to enable Network Filtering. Approve this final prompt to proceed.

    You must also grant Full Disk Access to com.endgame.systemextension.

  • 10.14.6+, 10.15, 11.0, 12.0: Grant the esensor file Full Disk Access.

The following instructions apply to the Endgame sensor only. To see requirements for the Elastic Endpoint, refer to Install Elastic Endpoint manually.

Approve the kernel extension for the Endgame sensor

edit

For endpoints running macOS Mojave (10.14) and earlier, the Endgame sensor will attempt to load a kernel extension (as opposed to a system extension) during installation. This kernel extension is required to provide insight into system events such as process events, file system events, and network events. The following prompt appears during installation:

System extension blocked

To approve the extension:

  1. Click Open Security Preferences.
  2. In the lower-left corner of the pane, click the Lock button, then enter your credentials to authenticate.
  3. Click Allow to load the kernel extension.

    Allow kernel extension

    If the prompt does not appear, enable the extension by doing the following:

  4. Open a Terminal application.
  5. Enter kextload /Library/Extension/kendpoint.kext. Prepend the command with sudo if necessary. You should receive an output similar to 149 0 0xffffff7f82e7b000 0x21000 0x21000 co.elastic.kendpoint (7.11.0) BD152A57-ABD3-370A-BBE8-D15A0FCBD19A <6 5 2 1>. If you receive this output, the kernel extension is enabled.

Approve the system extension for the Endgame sensor

edit

To fully protect endpoints from malware and other cybersecurity threats when using Elastic Endgame with system extensions, you must enable Full Disk Access for the system extension during installation on macOS Big Sur (11.0) and later.

When you receive the prompt to approve loading the system extension:

  1. Open the System Preferences application.
  2. Select Security and Privacy.

    sec privacy pane
  3. On the Security and Privacy pane, select the Privacy tab.
  4. From the left pane, select Full Disk Access.

    Select Full Disk Access
  5. In the lower-left corner of the pane, click the Lock button, then enter your credentials to authenticate.
  6. Click the + button to view Finder. Find com.endgame.systemextension and select it.
  7. Continue below to enable Full Disk Access for the Endgame sensor.

Enable Full Disk Access for the Endgame sensor

edit

For the Endgame sensor to detect events from a macOS host, you must enable Full Disk Access for the esensor file, which appears once you’ve downloaded the sensor on your host.

  1. Open the System Preferences application.
  2. Click Security and Privacy.
  3. On the Security and Privacy pane, select the Privacy tab.
  4. From the left pane, select Full Disk Access.

    Select Full Disk Access
  5. In the lower-left corner of the pane, click the Lock button, then enter your credentials to authenticate. You can now add the elastic-endpoint or esensor file.
  6. Click the + button to view Finder.
  7. Navigate to /Library/Endgame, then select the esensor file.
  8. Click Open.
  9. In the Privacy tab, confirm that the elastic-agent or esensor file appears in the list of applications with Full Disk Access permissions.

The Endgame sensor now has the access required to fully protect your system.