Skip to main content

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

CrashPlan Cloud, no.

Retired product plans, no.

CrashPlan for Small Business, no.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Grant Code42 permissions to macOS devices

Overview

Due to Apple privacy restrictions, administrators must grant Code42 permission to access specific applications and locations on user devices to ensure the Code42 app is able to monitor and back up all necessary areas of the device.

This article uses examples from Jamf Pro and Jamf's Privacy Preferences Policy Control (PPPC) Utility. While the same general concepts apply to deploying a .mobileconfig file with other tools, implementation details can vary slightly. Consult the product documentation for your device management provider.

Code42 Professional Services help for other tools
If you need help creating a .mobileconfig file with other tools, such as Workspace ONE or Microsoft Endpoint Manager (Intune), contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.

Required permissions

  • Code42 requires explicit permission for any location containing files you want to monitor for file exfiltration (for example, Desktop, Documents, Downloads, Contacts, Photos, and Mail) or back up. For best results, allow access to all areas of the device (sometimes also referred to as "full disk access"), but work with your internal stakeholders to determine what is appropriate for your environment.
  • To report the tab title and URL that is active at the time a file is uploaded, Code42 needs:
    • Accessibility permissions (Code42 app versions 1.5.0 and 10.3.0 and later)
    • Permission to Automate other Applications for Safari, Google Chrome, Firefox, Opera, Slack, and Microsoft Edge (Code42 app versions 1.4.1 and 8.8.5 and earlier)

Considerations

The steps below must be performed from a Mac with the Code42 app already installed.

Create and deploy a Code42 computer configuration profile

Incydr Professional, Enterprise, Horizon, and Gov F2 only

Incydr Basic, Advanced, and Gov F1

Sample computer configuration profile

Create and test your own computer configuration profile
The .mobileconfig file below should only be used as an example for reference purposes. Create your own file and test it thoroughly before deploying it to your production environment.

This .mobileconfig sample allows Code42 access to:

  • Locations to include for backup or file exfiltration monitoring:
    • Desktop
    • Documents
    • Downloads
    • Photos
    • Calendar
    • Address Book
  • Applications to capture tab title and URL exfiltration data:
    • Safari
    • Google Chrome
    • Firefox
    • Opera
    • Slack
    • Microsoft Edge

For Incydr Professional, Enterprise, Horizon, and Gov F2: Click to download a sample mobileconfig file for JAMF

For Incydr Basic, Advanced, and Gov F1: Click to download a sample mobileconfig file for JAMF

September 2022 update
Due to recent macOS changes, the sample above for Incydr Basic, Advanced, and Gov F1 was updated to include both com.backup42.desktop and com.code42.service
Workspace ONE requires a different configuration
These sample .mobileconfig files are not compatible with Workspace ONE. For Incydr to capture the tab title and URL of exfiltrated files, Workspace ONE requires Accessibility to be Allowed in the Define Apps or Process section of the Privacy Preferences Profile.

For help creating a .mobileconfig file specific to your environment, contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.

Confirm full disk access status

The Code42 API enables you to confirm if full disk access permissions are configured correctly for both a specific device and an entire organization.

The examples below assume basic familiarity with curl commands.

Code42 Developer Portal
See the Code42 Developer Portal for more API documentation and resources. The portal provides:

Use the Code42 Developer Portal for your API needs as much as possible. APIs in the portal are the preferred way to integrate with Code42 for Incydr users. If you use Code42 APIs that do not appear on the Code42 Developer Portal, contact our Customer Champions for guidance on the best way to integrate with Code42. 

Single device

To check the status of a single device, use this as a template to create a command specific to your Code42 environment:

Copied!
curl -X GET \
  '<request_url>/api/v12/agent-state/view-by-device-guid?deviceGuid=<deviceGuid>&propertyName=<property_name>' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'Authorization: Bearer <auth_token>'
  1. Replace <request_url> with the address of your Code42 environment (do not include the brackets in your request).
  2. Replace <deviceGuid> with the numeric ID of the device you want to review (do not include the brackets in your request). To find this ID, view the device details in Code42 console and copy the numeric string listed under the device name.
  3. Replace <property_name> with the value for your product plan (do not include the brackets in your request):
    • For Incydr Professional, Enterprise, Horizon, and Gov F2, use full_disk_access (requires agent version 1.5.0 or later)
    • For Incydr Basic, Advanced, and Gov F1, use fullDiskAccess 
  4. Replace <auth_token> with an authentication token.
  5. Execute the curl command in your command-line tool of choice. When prompted, enter your password.
  6. Review the data object in the response. A value of true indicates full disk access is enabled. A value of false indicates full disk access is not enabled. The sample response below confirms full disk access is enabled for deviceGuid 1123581321345589144:
[{"deviceGuid":"1123581321345589144","name":"fullDiskAccess","value":"true"}]

All devices in an organization

To check the status of all devices in an organization, use this as a template to create a command specific to your Code42 environment:

Copied!
curl -X GET \
  '<request_url>/api/v12/agent-state/view-by-organization-id?orgId=<OrgID>&propertyName=<property_name>' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'Authorization: Bearer <auth_token>'
  1. Replace <request_url> with the address of your Code42 environment (do not include the brackets in your request).
  2. Replace <OrgID> with the numeric ID of the organization you want to review (do not include the brackets in your request). To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
  3. Replace <property_name> with the value for your product plan (do not include the brackets in your request):
    • For Incydr Professional, Enterprise, Horizon, and Gov F2, use full_disk_access (requires agent version 1.5.0 or later)
    • For Incydr Basic, Advanced, and Gov F1, use fullDiskAccess 
  4. Replace <auth_token> with an authentication token.
  5. Execute the curl command in your command-line tool of choice. When prompted, enter your password.
  6. Review the data object for each device included in the response. A value of true indicates full disk access is enabled. A value of false indicates full disk access is not enabled. The sample response below indicates full disk access is enabled for the first device and not enabled for the second device:
{"deviceGuid":"1123581321345589144","name":"fullDiskAccess","value":"true"},{"deviceGuid":"23337761098715972584","name":"fullDiskAccess","value":"false"}

Related topics

  • Was this article helpful?