Who is this article for?
Find your product plan in the Code42 console on the Account menu.

Incydr Professional, Enterprise, and Gov F2
Incydr Basic, Advanced, and Gov F1
Other product plans

Incydr Professional and Enterprise, yes.

Incydr Basic and Advanced, yes.

CrashPlan Cloud, yes.

Other product plans, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Grant Code42 permissions to macOS devices

Overview

Due to Apple privacy restrictions, administrators must grant Code42 permission to access specific applications and locations on user devices to ensure the Code42 app is able to monitor and back up all necessary areas of the device.

This article uses examples from Jamf Pro and Jamf's Privacy Preferences Policy Control (PPPC) Utility. While the same general concepts apply to deploying a .mobileconfig file with other tools, implementation details can vary slightly. Consult the product documentation for your device management provider.

Code42 Professional Services help for other tools
If you need help creating a .mobileconfig file with other tools, such as Workspace ONE or Microsoft Endpoint Manager (Intune), contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.

Required permissions

  • Code42 requires explicit permission for any location containing files you want to monitor for file exfiltration (for example, Desktop, Documents, Downloads, Contacts, Photos, and Mail) or back up. For best results, allow access to all areas of the device (sometimes also referred to as "full disk access"), but work with your internal stakeholders to determine what is appropriate for your environment.
  • To report the tab title and URL that is active at the time a file is uploaded, Code42 also needs permission to Automate other Applications for Safari, Google Chrome, Firefox, Opera, Slack, and Microsoft Edge (Chromium version only).

Before you begin

The steps below must be performed from a Mac with the Code42 app already installed.

Create and deploy a Code42 computer configuration profile

Incydr Professional and Enterprise only

Incydr Basic and Advanced, CrashPlan Cloud, and other plans

Sample computer configuration profile

Create and test your own computer configuration profile
The .mobileconfig file below should only be used as an example for reference purposes. Create your own file and test it thoroughly before deploying it to your production environment.

This .mobileconfig sample allows Code42 access to:

  • Locations to include for backup or file exfiltration monitoring:
    • Desktop
    • Documents
    • Downloads
    • Photos
    • Calendar
    • Address Book
  • Applications to capture tab title and URL exfiltration data:
    • Safari
    • Google Chrome
    • Firefox
    • Opera
    • Slack
    • Microsoft Edge (Chromium version only)

For Incydr Professional and Enterprise: Click to download a sample mobileconfig file for JAMF

For Incydr Basic and Advanced, CrashPlan Cloud, and other plans: Click to download a sample mobileconfig file for JAMF

Workspace ONE requires a different configuration
These sample .mobileconfig files are not compatible with Workspace ONE. For Code42 to capture the tab title and URL of exfiltrated files, Workspace ONE requires a separate AppleEvents key and array for each application Code42 accesses. This sample, which is supported by Jamf and some other tools, lists all applications (Safari, Chrome, Firefox, Opera, Slack, and Edge) in a single Apple Events entry.

For help creating a .mobileconfig file specific to your environment, contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.
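One way to check a Jamf-style .mobileconfig against the access list above before deploying it (an added example, not Code42's code or sample file). The service keys are Apple's PPPC payload keys and the receiver bundle IDs belong to the listed applications; `com.example.agent`, the `<placeholder>` code requirements, and the function names are assumptions, so substitute the identifier your own profile uses for the Code42 app.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
# Apple PPPC service keys for the locations the article lists.
LOCATIONS = {"Desktop": "SystemPolicyDesktopFolder",
             "Documents": "SystemPolicyDocumentsFolder",
             "Downloads": "SystemPolicyDownloadsFolder",
             "Photos": "Photos", "Calendar": "Calendar",
             "Address Book": "AddressBook"}
# Bundle IDs of the applications the article lists.
RECEIVERS = {"Safari": "com.apple.Safari", "Google Chrome": "com.google.Chrome",
             "Firefox": "org.mozilla.firefox", "Opera": "com.operasoftware.Opera",
             "Slack": "com.tinyspeck.slackmacgap",
             "Microsoft Edge": "com.microsoft.edgemac"}

def _allowed(entry):
    # Profiles express a grant as Allowed=true or Authorization="Allow".
    return entry.get("Allowed") is True or entry.get("Authorization") == "Allow"

def audit_profile(data: bytes, agent_id: str) -> dict:
    """Report which listed grants an unsigned profile lacks for agent_id."""
    services = {}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == PPPC_TYPE:
            for name, entries in payload.get("Services", {}).items():
                services.setdefault(name, []).extend(entries)

    def grants(service):
        return [e for e in services.get(service, [])
                if e.get("Identifier") == agent_id and _allowed(e)]

    receivers = {e.get("AEReceiverIdentifier") for e in grants("AppleEvents")}
    return {
        "full_disk_access": bool(grants("SystemPolicyAllFiles")),
        "missing_locations": [n for n, s in LOCATIONS.items() if not grants(s)],
        "missing_receivers": [n for n, b in RECEIVERS.items() if b not in receivers],
    }

def sample_profile(agent_id="com.example.agent") -> bytes:
    """Constructed profile: omits Photos and the Opera receiver on purpose."""
    def grant(**extra):
        return dict(Identifier=agent_id, IdentifierType="bundleID",
                    CodeRequirement="<placeholder>", Allowed=True, **extra)
    services = {s: [grant()] for n, s in LOCATIONS.items() if n != "Photos"}
    services["AppleEvents"] = [
        grant(AEReceiverIdentifier=b, AEReceiverIdentifierType="bundleID",
              AEReceiverCodeRequirement="<placeholder>")
        for n, b in RECEIVERS.items() if n != "Opera"]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": PPPC_TYPE, "Services": services}]})
```

For the constructed profile, `audit_profile(sample_profile(), "com.example.agent")` reports Photos and Opera as missing. To audit a real file, pass its bytes, for example `open(path, "rb").read()`.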

Confirm full disk access status

(Does not apply to Incydr Professional and Enterprise)

Requires Code42 app version 8.2.0 or later.

The Code42 API enables you to confirm whether full disk access permissions are configured correctly for both a specific device and an entire organization.

The examples below assume basic familiarity with curl commands.

Single device

To check the status of a single device, use this as a template to create a command specific to your Code42 environment:

curl -X GET \
  '<request_url>/api/v12/agent-state/view-by-device-guid?deviceGuid=<deviceGuid>&propertyName=fullDiskAccess' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'Authorization: Bearer <auth_token>'
  1. Replace <request_url> with the address of your Code42 environment (do not include the brackets in your request).
  2. Replace <deviceGuid> with the numeric ID of the device you want to review (do not include the brackets in your request). To find this ID, view the device details in the Code42 console and copy the numeric string listed under the device name.
  3. Replace <auth_token> with an authentication token.
  4. Execute the curl command in your command-line tool of choice. When prompted, enter your password.
  5. Review the data object in the response. A value of true indicates full disk access is enabled. A value of false indicates full disk access is not enabled. The sample response below confirms full disk access is enabled for deviceGuid 1123581321345589144:
[{"deviceGuid":"1123581321345589144","name":"fullDiskAccess","value":"true"}]

All devices in an organization

To check the status of all devices in an organization, use this as a template to create a command specific to your Code42 environment:

curl -X GET \
  '<request_url>/api/v12/agent-state/view-by-organization-id?orgId=<OrgID>&propertyName=fullDiskAccess' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'Authorization: Bearer <auth_token>'
  1. Replace <request_url> with the address of your Code42 environment (do not include the brackets in your request).
  2. Replace <OrgID> with the numeric ID of the organization you want to review (do not include the brackets in your request). To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
  3. Replace <auth_token> with an authentication token.
  4. Execute the curl command in your command-line tool of choice. When prompted, enter your password.
  5. Review the data object for each device included in the response. A value of true indicates full disk access is enabled. A value of false indicates full disk access is not enabled. The sample response below indicates full disk access is enabled for the first device and not enabled for the second device:
{"deviceGuid":"1123581321345589144","name":"fullDiskAccess","value":"true"},{"deviceGuid":"23337761098715972584","name":"fullDiskAccess","value":"false"}
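A way to turn the organization response into a list of devices that still need full disk access (an added example, not part of the Code42 API or documentation). It works on a response body already retrieved with the curl command above; the function names and the `expected_guids` inventory list are assumptions, and the sample input is constructed from the values shown in this article.

```python
import json

def parse_agent_state(body: str) -> list:
    """Parse an agent-state response body into a list of records.

    The single-device sample is a JSON array; the organization sample
    shows comma-separated objects without brackets, so accept both forms.
    """
    text = body.strip()
    if not text.startswith("["):
        text = "[" + text + "]"
    return json.loads(text)

def full_disk_access_report(body: str, expected_guids=()) -> dict:
    """Group device GUIDs by their fullDiskAccess state."""
    report = {"enabled": [], "not_enabled": [], "unrecognized": []}
    seen = set()
    for rec in parse_agent_state(body):
        if rec.get("name") != "fullDiskAccess":
            continue
        guid = str(rec.get("deviceGuid"))
        seen.add(guid)
        # "value" is the string "true" or "false", not a JSON boolean;
        # bool("false") is True in Python, so compare the text instead.
        value = str(rec.get("value")).strip().lower()
        if value == "true":
            report["enabled"].append(guid)
        elif value == "false":
            report["not_enabled"].append(guid)
        else:
            report["unrecognized"].append(guid)
    # Devices you expected (for example from your MDM inventory) that
    # returned no fullDiskAccess record at all.
    report["not_reported"] = [g for g in expected_guids if str(g) not in seen]
    return report

# Constructed sample: the organization response shown in this article.
SAMPLE = ('{"deviceGuid":"1123581321345589144","name":"fullDiskAccess","value":"true"},'
          '{"deviceGuid":"23337761098715972584","name":"fullDiskAccess","value":"false"}')

if __name__ == "__main__":
    # "999" is a constructed GUID standing in for a device that did not report.
    print(full_disk_access_report(SAMPLE, ["1123581321345589144", "999"]))
```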
