Any suggestions for automating "Full Disk Access" client settings?

[fredturner]

Hey Everyone—

I've recently moved most of the stations at one of my larger installations to macOS 10.14 Mojave. I started seeing the alerts in the logs about the Retro client not having full disk access, of course. Is there a suggestion or recommendation for a way to automate setting this on the stations? I use Apple Remote Desktop to manage machines, so is there a defaults command that any of you have already used to get this working? I really don't want to have to manually hit every single station to configure this.

Thanks,

Fred

[DavidHertzberg]

fredturner,

AFAIK the "Client" sub-section of this Knowledge Base article is the authority on how to enable Full Disk Access for for a Retrospect Client under Mojave. I don't know about defaults commands, but my guess is that Apple wouldn't make automating the settings easy for fear everybody would use that to get around Privacy for "Application Data"—see the "Overview" of that KB article.

Cheer up; it will be worse for macOS Catalina.

P.S.: Here's an Apple Developer Forums thread discussing this problem for other applications.  Note that one of the thread's posters is S.Reitshamer, who as many of us know is the principal developer of Arq (which he mentions in his post).  However Arq is not a client-server backup application, so I feel I can get away with mentioning its name in this Forum (because it is not listed in the Competitive Analysis — Retrospect for Mac KB White Paper).  The KB article I linked to in the first paragraph of this post was written before the December posts in the Developer Forums thread, but I strongly suspect the Retrospect engineers were reading that thread.  In any case, AFAICT the developers in that thread didn't come up with an automation solution even for self-contained—much less client-server—applications.

Edited November 2, 2019 by DavidHertzberg
Added P.S. pointing out Apple Developer Forums thread on this general subject

[Nigel Smith]

The "supported" way is to use MDM profiles -- but that involves enrolling the devices into MDM, etc. Der Flounder's page here is a good starting point for info, and visit Jamf for more MDM goodness. (Note: I've not used MDM myself, bar a bit of a play.)

AFAIK, the TCC (Transparency, Consent and Control) database is read-only protected by SIP -- indeed the only command available in tccutil is "reset". Carl Ashley's TCC Roundup is a good primer, see also other pages on Der Flounder's site and these results from the Eclectic Light Co.

So I think that, absent MDM, hitting every station is your only option. You might be able to push an Applescript that uses GUI interaction to automate things a bit while you're connected via ARD, but I can see that being highly error prone... But even something as simple as:

tell application "System Preferences"
	activate
	reveal anchor "Privacy_AllFiles" of pane id "com.apple.preference.security"
	authorize pane id "com.apple.preference.security"
end

...could save you a lot of mousing. You might even be able to wrap it in "osascript -e ..." and use ARD's Send Unix Command, though you'll have to be controlling the machine with ARD at the time.