fredturner Posted October 1, 2019

Hey Everyone—

I've recently moved most of the stations at one of my larger installations to macOS 10.14 Mojave. I started seeing the alerts in the logs about the Retro client not having full disk access, of course. Is there a suggestion or recommendation for a way to automate setting this on the stations? I use Apple Remote Desktop to manage machines, so is there a defaults command that any of you have already used to get this working? I really don't want to have to manually hit every single station to configure this.

Thanks,
Fred

DavidHertzberg Posted October 2, 2019 (edited)

fredturner,

AFAIK the "Client" sub-section of this Knowledge Base article is the authority on how to enable Full Disk Access for a Retrospect Client under Mojave. I don't know about defaults commands, but my guess is that Apple wouldn't make automating the settings easy for fear everybody would use that to get around Privacy for "Application Data"—see the "Overview" of that KB article. Cheer up; it will be worse for macOS Catalina.

P.S.: Here's an Apple Developer Forums thread discussing this problem for other applications. Note that one of the thread's posters is S.Reitshamer, who as many of us know is the principal developer of Arq (which he mentions in his post). However, Arq is not a client-server backup application, so I feel I can get away with mentioning its name in this Forum (because it is not listed in the Competitive Analysis — Retrospect for Mac KB White Paper). The KB article I linked to in the first paragraph of this post was written before the December posts in the Developer Forums thread, but I strongly suspect the Retrospect engineers were reading that thread. In any case, AFAICT the developers in that thread didn't come up with an automation solution even for self-contained—much less client-server—applications.

Edited November 2, 2019 by DavidHertzberg: Added P.S. pointing out Apple Developer Forums thread on this general subject

Nigel Smith Posted October 2, 2019

The "supported" way is to use MDM profiles -- but that involves enrolling the devices into MDM, etc. Der Flounder's page here is a good starting point for info, and visit Jamf for more MDM goodness. (Note: I've not used MDM myself, bar a bit of a play.)

AFAIK, the TCC (Transparency, Consent and Control) database is read-only protected by SIP -- indeed the only command available in tccutil is "reset". Carl Ashley's TCC Roundup is a good primer, see also other pages on Der Flounder's site and these results from the Eclectic Light Co.

So I think that, absent MDM, hitting every station is your only option. You might be able to push an Applescript that uses GUI interaction to automate things a bit while you're connected via ARD, but I can see that being highly error prone... But even something as simple as:

    tell application "System Preferences"
        activate
        -- open Security & Privacy > Privacy at the Full Disk Access list
        reveal anchor "Privacy_AllFiles" of pane id "com.apple.preference.security"
        -- bring up the admin authentication prompt that unlocks the pane
        authorize pane id "com.apple.preference.security"
    end tell

...could save you a lot of mousing. You might even be able to wrap it in "osascript -e ..." and use ARD's Send Unix Command, though you'll have to be controlling the machine with ARD at the time.
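
The MDM route mentioned in the post above, sketched as an added example that is not part of the original thread and not Retrospect's or Apple's own code: a Python generator for a Privacy Preferences Policy Control profile that allows `SystemPolicyAllFiles` (Full Disk Access) for one signed binary. The bundle identifier, code requirement, organization and payload prefix are constructed placeholders; the real requirement string comes from running `codesign -dr -` against the installed client, and macOS only honors this payload when an MDM server the Mac is enrolled in delivers it.

```python
import plistlib
import sys
import uuid

TCC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"

def build_pppc_profile(identifier, code_requirement, identifier_type="bundleID",
                       org="Example Org", prefix="com.example.pppc"):
    """Return .mobileconfig bytes allowing SystemPolicyAllFiles (Full Disk Access)."""
    if identifier_type not in ("bundleID", "path"):
        raise ValueError("IdentifierType must be 'bundleID' or 'path'")
    if identifier_type == "path" and not identifier.startswith("/"):
        raise ValueError("a path identifier must be absolute")
    if not code_requirement.strip():
        # The grant is bound to the code signature, not just the name, so a
        # look-alike binary with the same identifier does not inherit it.
        raise ValueError("CodeRequirement is required")
    entry = {
        "Identifier": identifier,
        "IdentifierType": identifier_type,
        "CodeRequirement": code_requirement.strip(),
        "Allowed": True,
        "Comment": "Backup client needs to read all user data",
    }
    tcc = {
        "PayloadType": TCC_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": prefix + ".tcc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Full Disk Access for backup client",
        "Services": {"SystemPolicyAllFiles": [entry]},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Backup client privacy policy",
        "PayloadOrganization": org,
        "PayloadContent": [tcc],
    }
    return plistlib.dumps(profile)

if __name__ == "__main__":
    # Constructed placeholders: substitute the client's real identifier and the
    # text printed after "designated =>" by `codesign -dr - /path/to/client`.
    req = 'identifier "com.example.backup-client" and anchor apple generic'
    sys.stdout.buffer.write(build_pppc_profile("com.example.backup-client", req))
```

Redirect the output to a `.mobileconfig` file and upload it to the MDM server as a custom profile scoped to the backup clients.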