macOS permissions for the insider risk agent

Overview

Due to Apple privacy restrictions, administrators must grant Code42 permission to access specific items on macOS devices to ensure the insider risk agent is able to monitor all necessary areas of the device.

This article applies to the insider risk agent. For the backup agent, see macOS permissions for the backup agent.

This article uses examples from Jamf Pro and Jamf's Privacy Preferences Policy Control (PPPC) Utility. While the same general concepts apply to deploying a .mobileconfig file with other tools, implementation details can vary slightly. Consult the product documentation for your device management provider.

Required permissions

The insider risk agent requires:

  • Full disk access to monitor all areas of the device for file exfiltration
  • Accessibility permissions to report the tab title and URL for web browser activity (requires insider risk agent version 1.5.0 or later)

Step 1: Deploy a Code42 computer configuration profile

Option 1: Download the configuration profile

Updated configuration for insider risk agent 1.13.0
The profile below was updated on May 3, 2024 to add support for capturing the destination device name for AirDrop events on devices running macOS Sonoma.
  1. Click to download the configuration profile:
    Code42-AAT.mobileconfig
  2. Deploy the .mobileconfig file to devices in your environment.
    If you use Jamf, follow the instructions in Jamf's guide to deploy custom configuration profiles. For other device management tools, consult your vendor's product documentation for details. 
  3. For an existing deployment where you are replacing a previous configuration profile, restart the com.code42.agent.extension service on all deployed user devices for changes to take effect. Alternatively, restart the device.
    Existing deployments can stop here and do not need to complete the remaining steps in this article.
  4. For a new deployment, continue with Step 2 below to add the system extensions payload.

Option 2: Create your own configuration profile

These steps use Jamf's Privacy Preferences Policy Control (PPPC) Utility to create a .mobileconfig file. The steps below must be performed from a Mac with the insider risk agent already installed.

  1. Download and open Jamf's Privacy Preferences Policy Control (PPPC) Utility.
  2. Open the Finder and navigate to the Code42-AAT package on the device.
  3. Right-click the Code42-AAT app to show package contents.
  4. Open Contents > Library > SystemExtensions.
  5. Drag com.code42.agent.extension.systemextension into Jamf's Privacy Preferences Policy Control (PPPC) Utility.
  6. In the Properties section, select Allow for all areas you want to monitor. You should allow access to all items, but work with your internal stakeholders to determine what is best for your environment. To monitor file upload and download activity in browsers and other apps in insider risk agent version 1.5.0 and later, you must select Allow for both Accessibility and Full Disk Access.
  7. Above the Apple Events column, disable Big Sur Compatibility.
    Big Sur Compatibility mode adds more permissions objects to the configuration, none of which are needed by Code42. Enabling Big Sur Compatibility mode also means the configuration profile will not work on devices running macOS versions older than Big Sur.
  8. Click Save.
  9. Enter an Organization and Payload Name.
  10. Click Save.
    A .mobileconfig file is created and saved to the location you selected.
  11. Deploy the .mobileconfig file to devices in your environment.
    If you use Jamf, follow the instructions in Jamf's guide to deploy custom configuration profiles. For other device management tools, consult your vendor's product documentation for details.
  12. For an existing deployment where you are replacing a previous configuration profile, restart the com.code42.agent.extension service on all deployed user devices for changes to take effect. Alternatively, restart the device.
    Existing deployments can stop here and do not need to complete the remaining steps in this article.
  13. For a new deployment, continue with Step 2 below to add the system extensions payload.

Step 2: Add system extensions payload to configuration profile

If you use Jamf, the steps below are required to manually add the system extensions payload. For other device management tools, similar steps may also be required if the system extension is not automatically added via the configuration profile. Consult your vendor's product documentation for details.
  1. From the Jamf Pro console, navigate to the configuration profile you created above.
  2. Open System extensions.
  3. Verify Allow users to approve system extensions is selected.
    Deselecting this option prevents users from manually approving system extensions from any other application.
  4. Add system extensions:
    1. Enter a Display Name.
    2. In System Extension Types, select Allowed System Extensions.
    3. In Team Identifier, enter the following: 9YV9435DHD
    4. In Allowed System Extensions, click + Add.
    5. Enter com.code42.agent.extension and click Save.
      The extension is saved.
    6. For macOS Monterey (version 12) and later:
      1. In the upper-right, click the plus button.
        A new Allowed Team IDs and System Extensions section appears.
      2. Enter a Display Name.
      3. In System Extension Types, select Removable System Extensions.
      4. In Team Identifier, enter the following: 9YV9435DHD
      5. In Removable System Extensions, click + Add.
      6. Enter com.code42.agent.extension and click Save.
        The extension is saved.
  5. At the bottom of the screen, click Save.
    The updates to the configuration profile are saved.

Test a small group of devices first
Whether you create your own file or download the profile above, test the .mobileconfig file thoroughly before deploying it to your production environment.

Step 3: Updates for macOS Ventura (optional)

Due to Apple security updates in macOS Ventura, you must deploy an additional computer configuration profile to:

  • Block end users from disabling the Code42 insider risk agent in the macOS settings for Login items > Allow in the Background.
  • Suppress user-facing notifications for newly-installed background services.
    Note: The configuration profile below suppresses notifications for all newly installed background services on the device, not just Code42.

If you are not concerned about user-facing notifications or users disabling the Code42 service, you can skip this section.

  1. Click to download the additional configuration profile:
    Code42 Background and Login Items.mobileconfig
  2. Deploy the .mobileconfig file to devices in your environment.
    If you use Jamf, follow the instructions in Jamf's guide to deploy custom configuration profiles. For other device management tools, consult your vendor's product documentation for details.

Troubleshoot full disk access status

To confirm if full disk access permissions are configured correctly, see Verify macOS full disk access status.

MDM requirements

  • You must use a macOS-compatible MDM tool to deploy the insider risk agent. This article uses Jamf Pro for illustration purposes.
  • The downloadable .mobileconfig file in this article is not compatible with Workspace ONE. To capture the tab title and URL of exfiltrated files, Workspace ONE requires Accessibility to be Allowed in the Define Apps or Process section of the Privacy Preferences Profile.
  • If you need help creating a .mobileconfig file with other tools, such as Workspace ONE or Microsoft Endpoint Manager (Intune), contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.