Overview
Due to Apple privacy restrictions, administrators must grant Code42 permission to access specific items on macOS devices so that the insider risk agent can monitor all necessary areas of the device.
This article applies to the insider risk agent. For the backup agent, see macOS permissions for the backup agent.
Required permissions
The insider risk agent requires:
- Full disk access to monitor all areas of the device for file exfiltration
- Accessibility permissions to report the tab title and URL for web browser activity (requires insider risk agent version 1.5.0 or later)
Step 1: Deploy a Code42 computer configuration profile
Option 1: Download the configuration profile
The profile below was updated on May 3, 2024 to add support for capturing the destination device name for AirDrop events on devices running macOS Sonoma.
- Click to download the configuration profile: Code42-AAT.mobileconfig
- Deploy the .mobileconfig file to devices in your environment.
If you use Jamf, follow the instructions in Jamf's guide to deploy custom configuration profiles. For other device management tools, consult your vendor's product documentation for details.
- For an existing deployment where you are replacing a previous configuration profile, restart the com.code42.agent.extension service on all deployed user devices for changes to take effect. Alternatively, restart the device.
Existing deployments can stop here and do not need to complete the remaining steps in this article.
- For a new deployment, continue with Step 2 below to add the system extensions payload.
Option 2: Create your own configuration profile
These steps use Jamf's Privacy Preferences Policy Control (PPPC) Utility to create a .mobileconfig file. The steps below must be performed from a Mac with the insider risk agent already installed.
- Download and open Jamf's Privacy Preferences Policy Control (PPPC) Utility.
- Open the Finder and navigate to the Code42-AAT package on the device.
- Right-click the Code42-AAT app to show package contents.
- Open Contents > Library > SystemExtensions.
- Drag com.code42.agent.extension.systemextension into Jamf's Privacy Preferences Policy Control (PPPC) Utility.
- In the Properties section, select Allow for all areas you want to monitor. You should allow access to all items, but work with your internal stakeholders to determine what is best for your environment. To monitor file upload and download activity in browsers and other apps in insider risk agent version 1.5.0 and later, you must select Allow for both Accessibility and Full Disk Access.
- Above the Apple Events column, disable Big Sur Compatibility.
Big Sur Compatibility mode adds more permissions objects to the configuration, none of which are needed by Code42. Enabling Big Sur Compatibility mode also means the configuration profile will not work on devices running macOS versions older than Big Sur.
- Click Save.
- Enter an Organization and Payload Name.
- Click Save.
A .mobileconfig file is created and saved to the location you selected.
- Deploy the .mobileconfig file to devices in your environment.
If you use Jamf, follow the instructions in Jamf's guide to deploy custom configuration profiles. For other device management tools, consult your vendor's product documentation for details.
- For an existing deployment where you are replacing a previous configuration profile, restart the com.code42.agent.extension service on all deployed user devices for changes to take effect. Alternatively, restart the device.
Existing deployments can stop here and do not need to complete the remaining steps in this article.
- For a new deployment, continue with Step 2 below to add the system extensions payload.
Step 2: Add system extensions payload to configuration profile
- From the Jamf Pro console, navigate to the configuration profile you created above.
- Open System extensions.
- Verify Allow users to approve system extensions is selected.
Deselecting this option prevents users from manually approving system extensions from any other application.
- Add system extensions:
- Enter a Display Name.
- In System Extension Types, select Allowed System Extensions.
- In Team Identifier, enter the following: 9YV9435DHD
- In Allowed System Extensions, click + Add.
- Enter com.code42.agent.extension and click Save.
The extension is saved.
- For macOS Monterey (version 12) and later:
- In the upper-right, click the plus button.
A new Allowed Team IDs and System Extensions section appears.
- Enter a Display Name.
- In System Extension Types, select Removable System Extensions.
- In Team Identifier, enter the following: 9YV9435DHD
- In Removable System Extensions, click + Add.
- Enter com.code42.agent.extension and click Save.
The extension is saved.
- In the upper-right, click the plus button.
- At the bottom of the screen, click Save.
The updates to the configuration profile are saved.
Whether you create your own file or download the profile above, test the .mobileconfig file thoroughly before deploying it to your production environment.
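The following Python script is an added example and is not Code42's own code or tooling. It builds a system-scoped .mobileconfig containing the two payloads described in Step 1 (Option 2) and Step 2, using Apple's documented PPPC payload (com.apple.TCC.configuration-profile-policy, with Full Disk Access as the SystemPolicyAllFiles service and Accessibility) and System Extensions payload (com.apple.system-extension-policy), and then runs a sanity check over the result so that a profile can be inspected for the required grants before it reaches production. The team ID and extension bundle ID are taken from the article; the PayloadIdentifier prefix and the CodeRequirement string are assumptions and placeholders (the PPPC Utility reads the real designated requirement from the signed extension). The check can also be pointed at the downloaded Code42-AAT.mobileconfig; it does not replace testing on a real device.

```python
"""Added example: build a Code42 PPPC + system-extension profile and sanity-check it.

Not Code42's own code. Team ID, extension bundle ID, the two TCC services and the
system-extension settings come from the article; the payload identifier prefix and
the code requirement string are placeholders.
"""
import plistlib
import uuid

TEAM_ID = "9YV9435DHD"                       # from the article (Step 2)
EXTENSION_ID = "com.code42.agent.extension"  # from the article (Steps 1 and 2)
# Placeholder: use the designated requirement the PPPC Utility reads from the
# signed extension. This string is NOT Code42's real requirement.
CODE_REQUIREMENT = "PLACEHOLDER-DESIGNATED-REQUIREMENT"
PAYLOAD_PREFIX = "com.example.code42"        # assumed organization prefix


def _payload_header(suffix: str, display_name: str, payload_type: str) -> dict:
    """Keys every payload in a configuration profile must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{PAYLOAD_PREFIX}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }


def tcc_entry() -> dict:
    """One PPPC grant for the Code42 system extension, keyed by bundle ID."""
    return {
        "Identifier": EXTENSION_ID,
        "IdentifierType": "bundleID",
        "CodeRequirement": CODE_REQUIREMENT,
        "Allowed": True,  # boolean key used when Big Sur Compatibility is off
        "Comment": "Code42 insider risk agent",
    }


def pppc_payload(services=("SystemPolicyAllFiles", "Accessibility")) -> dict:
    """Step 1 (Option 2): Full Disk Access (SystemPolicyAllFiles) and Accessibility."""
    payload = _payload_header("pppc", "Code42 PPPC",
                              "com.apple.TCC.configuration-profile-policy")
    payload["Services"] = {service: [tcc_entry()] for service in services}
    return payload


def system_extension_payload(monterey_or_later: bool = True) -> dict:
    """Step 2: allow the extension; on macOS 12+ also mark it removable."""
    payload = _payload_header("sysext", "Code42 System Extensions",
                              "com.apple.system-extension-policy")
    payload["AllowUserOverrides"] = True  # "Allow users to approve system extensions"
    payload["AllowedTeamIdentifiers"] = [TEAM_ID]
    payload["AllowedSystemExtensions"] = {TEAM_ID: [EXTENSION_ID]}
    if monterey_or_later:
        payload["RemovableSystemExtensions"] = {TEAM_ID: [EXTENSION_ID]}
    return payload


def build_profile(organization: str, name: str,
                  services=("SystemPolicyAllFiles", "Accessibility")) -> bytes:
    """Serialise a system-scoped .mobileconfig (XML plist) holding both payloads."""
    profile = _payload_header("profile", name, "Configuration")
    profile["PayloadScope"] = "System"
    profile["PayloadOrganization"] = organization
    profile["PayloadContent"] = [pppc_payload(services), system_extension_payload()]
    return plistlib.dumps(profile)


def check_profile(data: bytes) -> list:
    """Return the grants the article requires that are missing (empty list = OK)."""
    problems = []
    profile = plistlib.loads(data)
    by_type = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}

    tcc = by_type.get("com.apple.TCC.configuration-profile-policy")
    if tcc is None:
        problems.append("missing PPPC payload")
    else:
        for service in ("SystemPolicyAllFiles", "Accessibility"):
            entries = tcc.get("Services", {}).get(service, [])
            # Accept either the boolean "Allowed" key or the newer "Authorization" key.
            granted = any(e.get("Identifier") == EXTENSION_ID
                          and (e.get("Allowed") or e.get("Authorization") == "Allow")
                          for e in entries)
            if not granted:
                problems.append(f"{service} not allowed for {EXTENSION_ID}")

    sysext = by_type.get("com.apple.system-extension-policy")
    if sysext is None:
        problems.append("missing system extension payload")
    else:
        if TEAM_ID not in sysext.get("AllowedTeamIdentifiers", []):
            problems.append(f"team {TEAM_ID} not in AllowedTeamIdentifiers")
        if EXTENSION_ID not in sysext.get("AllowedSystemExtensions", {}).get(TEAM_ID, []):
            problems.append(f"{EXTENSION_ID} not in AllowedSystemExtensions")
        if not sysext.get("AllowUserOverrides", False):
            problems.append("AllowUserOverrides is false: users cannot approve other extensions")
    return problems


if __name__ == "__main__":
    blob = build_profile("Example Org", "Code42 insider risk agent")
    with open("Code42-example.mobileconfig", "wb") as fh:
        fh.write(blob)
    print("problems:", check_profile(blob) or "none")
```

To check a profile you already have, read the file as bytes and pass it to check_profile; a non-empty list names the grant that is missing, which is the usual cause of the agent reporting incomplete monitoring after deployment.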
Step 3: Updates for macOS Ventura (optional)
Due to Apple security updates in macOS Ventura, you must deploy an additional computer configuration profile to:
- Block end users from disabling the Code42 insider risk agent in the macOS settings for Login items > Allow in the Background.
- Suppress user-facing notifications for newly-installed background services.
Note: The configuration profile below suppresses notifications for all background services on the device, not just Code42.
If you are not concerned about user-facing notifications or users disabling the Code42 service, you can skip this section.
- Click to download the additional configuration profile: Code42 Background and Login Items.mobileconfig
- Deploy the .mobileconfig file to devices in your environment.
If you use Jamf, follow the instructions in Jamf's guide to deploy custom configuration profiles. For other device management tools, consult your vendor's product documentation for details.
Troubleshoot full disk access status
To confirm if full disk access permissions are configured correctly, see Verify macOS full disk access status.
MDM requirements
- You must use a macOS-compatible MDM tool to deploy the insider risk agent. This article uses Jamf Pro for illustration purposes.
- The downloadable .mobileconfig file in this article is not compatible with Workspace ONE. To capture the tab title and URL of exfiltrated files, Workspace ONE requires Accessibility to be Allowed in the Define Apps or Process section of the Privacy Preferences Profile.
- If you need help creating a .mobileconfig file with other tools, such as Workspace ONE or Microsoft Endpoint Manager (Intune), contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.