
macOS permissions for Incydr Basic, Advanced, and Gov F1

Overview

Due to Apple privacy restrictions, administrators must grant Code42 permission to access specific applications and locations on user devices to ensure the Code42 app is able to monitor and back up all necessary areas of the device.

This article applies to Incydr Basic, Advanced, and Gov F1. For Incydr Professional, Enterprise, Horizon, and Gov F2, see macOS permissions for the insider risk agent. If you have Agent modernization enabled, both articles apply to you.

This article uses examples from Jamf Pro and Jamf's Privacy Preferences Policy Control (PPPC) Utility. While the same general concepts apply to deploying a .mobileconfig file with other tools, implementation details can vary slightly. Consult the product documentation for your device management provider.

Required permissions

The Code42 app requires:

  • Full disk access to perform security monitoring and back up files from all areas of the device
  • Accessibility permissions to report the tab title and URL for web browser activity (Code42 app version 10.3.0 and later)
  • Permission to Automate other Applications for Safari, Google Chrome, Firefox, Opera, Slack, and Microsoft Edge (Code42 app version 8.8.5 and earlier)

Deploy a Code42 computer configuration profile

Option 1: Download the computer configuration profile

September 2022 update
Due to recent macOS changes, the profile below was updated to include both com.backup42.desktop and com.code42.service.

  1. Click to download the configuration profile:
    Code42_Incydr_Basic_and_Advanced.mobileconfig
  2. Deploy the .mobileconfig file to devices in your environment.
    If you use Jamf, follow the instructions in Jamf's guide to deploy custom configuration profiles. For other device management tools, consult your vendor's product documentation for details.
  3. Restart the Code42 service on all deployed user devices for changes to take effect. Alternatively, restart the device.

Option 2: Create your own configuration profile

September 2022 update
Due to recent macOS changes, the steps below were updated to create a configuration profile that includes both the Code42 and Code42 Service applications.

These steps use Jamf's Privacy Preferences Policy Control (PPPC) Utility to create a .mobileconfig file. The steps below must be performed from a Mac with the Code42 app already installed.

  1. Download and open Jamf's Privacy Preferences Policy Control (PPPC) Utility.
  2. Open a new Finder window.
  3. Navigate to Applications.
  4. Drag Code42.app from the Finder window to the Applications column in the Privacy Preferences Policy Control Utility window. 
    If you don't see Code42.app, press Cmd + Shift + Period (.) to show hidden files.
  5. In the Finder, right-click Code42.app and select Show Package Contents.
  6. Open the folders Contents > Library > LaunchServices.
  7. Drag Code42Service.app from the Finder window to the Applications column in the Privacy Preferences Policy Control Utility window.
    The Applications column in the Privacy Preferences Policy Control Utility should now include both Code42 and Code42 Service.
  8. In the Applications column in the Privacy Preferences Policy Control Utility, select Code42.
  9. In the Properties section, select Allow for all areas you want to monitor. You should allow access to all items, but work with your internal stakeholders to determine what is best for your environment. To monitor file upload and download activity in browsers and other apps in Code42 app version 10.3.0 and later, you must select Allow for both Accessibility and Full Disk Access.
  10. Code42 app version 8.8.5 and earlier only: In the Apple Events column, click the + icon and select the web browsers you want to monitor for file uploads. Add Safari, Google Chrome, Firefox, Opera, Slack, and Microsoft Edge, but work with your internal stakeholders to determine what is best for your environment.
    If you don't see all the browsers as options after clicking the + icon, select Other. Then select the browser from the list of all applications.
  11. Above the Apple Events column, disable Big Sur Compatibility.
    Big Sur Compatibility mode adds more permissions objects to the configuration, none of which are needed by Code42. Enabling Big Sur Compatibility mode also means the configuration profile will not work on devices running macOS versions older than Big Sur.
  12. In the Applications column, select Code42 Service.
  13. Repeat steps 9 - 11 to apply the same settings to Code42 Service as you applied to Code42.
  14. Click Save.
  15. Enter an Organization and Payload Name.
  16. Click Save.
    A .mobileconfig file is created and saved to the location you selected.
  17. Deploy the .mobileconfig file to devices in your environment.
    If you use Jamf, follow the instructions in Jamf's guide to deploy custom configuration profiles. For other device management tools, consult your vendor's product documentation for details.
  18. Restart the Code42 service on all deployed user devices for changes to take effect. Alternatively, restart the device.

Test a small group of devices first
Whether you create your own file or download the profile above, test the .mobileconfig file thoroughly before deploying it to your production environment.
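
As a pre-deployment check for the testing step above, the following added example (not Code42 or Jamf code) parses an unsigned .mobileconfig and reports whether both bundle identifiers from the September 2022 update are allowed for Full Disk Access and Accessibility, as needed for Code42 app version 10.3.0 and later. It also flags the macOS 11+ `Authorization` key, which indicates a profile that will not work on macOS versions older than Big Sur. The sample profile and its `PLACEHOLDER` code requirement are constructed for illustration.

```python
import plistlib

TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
# Bundle identifiers named in this article's September 2022 update.
REQUIRED_IDS = ("com.backup42.desktop", "com.code42.service")
# PPPC service keys for Full Disk Access and Accessibility.
REQUIRED_SERVICES = ("SystemPolicyAllFiles", "Accessibility")


def is_allowed(entry):
    """True if the entry grants access via Allowed or the macOS 11+ Authorization key."""
    return entry.get("Allowed") is True or entry.get("Authorization") == "Allow"


def audit_profile(data):
    """Return sorted findings for an unsigned .mobileconfig passed as bytes."""
    profile = plistlib.loads(data)
    granted, uses_authorization = set(), False
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                uses_authorization |= "Authorization" in entry
                if is_allowed(entry):
                    granted.add((entry.get("Identifier"), service))
    findings = [f"{ident}: {svc} not allowed"
                for ident in REQUIRED_IDS for svc in REQUIRED_SERVICES
                if (ident, svc) not in granted]
    if uses_authorization:
        findings.append("Authorization key used: profile needs macOS 11 or later")
    return sorted(findings)


def sample_profile(service_ids, grant=None):
    """Constructed sample profile; service_ids maps a service key to bundle IDs."""
    grant = grant or {"Allowed": True}
    services = {svc: [{"Identifier": i, "IdentifierType": "bundleID",
                       "CodeRequirement": "PLACEHOLDER", **grant} for i in ids]
                for svc, ids in service_ids.items()}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": TCC_PAYLOAD, "Services": services}]})


if __name__ == "__main__":
    partial = sample_profile({"SystemPolicyAllFiles": list(REQUIRED_IDS),
                              "Accessibility": ["com.backup42.desktop"]})
    for finding in audit_profile(partial):
        print(finding)
```

To check a real file, pass its bytes to `audit_profile`; a signed profile must have its signature wrapper removed first, because `plistlib` only reads the plain property list.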

Updates for macOS Ventura (optional)

Due to Apple security updates in macOS Ventura, you must deploy an additional computer configuration profile to:

  • Block end users from disabling the Code42 app in the macOS settings for Login items > Allow in the Background.
  • Suppress user-facing notifications for newly-installed background services.
    Note: The configuration profile below suppresses notifications for all background services on the device, not just Code42.

If you are not concerned about user-facing notifications or users disabling the Code42 app, you can skip this section.

  1. Click to download the additional configuration profile:
    Code42 Background and Login Items.mobileconfig
  2. Deploy the .mobileconfig file to devices in your environment.
    If you use Jamf, follow the instructions in Jamf's guide to deploy custom configuration profiles. For other device management tools, consult your vendor's product documentation for details.
  3. Restart the Code42 service on all deployed user devices for changes to take effect. Alternatively, restart the device.

Troubleshoot full disk access status 

Due to an Apple limitation, the Code42 app may not appear in the Full Disk Access list under Security & Privacy preferences, depending on your macOS version. However, the Code42 app is still granted full disk access via the configuration profile. 

To confirm full disk access, navigate to your device's Profiles preferences. In the details for Code42, verify that Access All Application Data shows Allowed. For additional methods to confirm if full disk access permissions are configured correctly, see Verify macOS full disk access status.

MDM requirements

  • You must use a macOS-compatible MDM tool to deploy the Code42 app. This article uses Jamf Pro for illustration purposes.
  • The downloadable .mobileconfig file in this article is not compatible with Workspace ONE. To capture the tab title and URL of exfiltrated files, Workspace ONE requires Accessibility to be Allowed in the Define Apps or Process section of the Privacy Preferences Profile.
  • If you need help creating a .mobileconfig file with other tools, such as Workspace ONE or Microsoft Endpoint Manager (Intune), contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.
