Overview
Apple's macOS privacy and security controls require administrators to deploy specific configuration profiles to grant the insider risk agent the permissions it needs to operate.
This article applies to the insider risk agent. For the backup agent, see macOS permissions for the backup agent.
Considerations
- Previous versions of this article used a single configuration profile to cover both privacy and system extension permissions. To better align with Apple's best practices, the steps below now outline two separate configuration profiles (both required).
- If your environment is working successfully with a single configuration profile, you do not need to change anything.
- If you are migrating from the older single profile to the newer two profiles, keep both configurations in place for 30 days and then remove the old configuration. If you run into issues after removing the old configuration, contact Code42 Technical Support.
- If you are troubleshooting permissions issues with the older single profile, redeploying the two profiles as outlined below is a good first step to correct any issues.
- If you deployed a single profile before May 3, 2024, follow the steps below to redeploy two profiles. This adds support for capturing the destination device name for AirDrop events on devices running macOS Sonoma.
- Test the .mobileconfig files thoroughly on a small group of devices before deploying to your production environment.
Required permissions
The insider risk agent requires:
- Full disk access to monitor all areas of the device for file exfiltration
- Accessibility permissions to report the tab title and URL for web browser activity
- System extension permissions to allow the agent's Endpoint Security system extension to load and run
Step 1: Download and deploy the Code42 PPPC configuration profile
The Privacy Preferences Policy Control (PPPC) configuration profile defines the permissions required by the insider risk agent to monitor activity on the device.
- Click to download the configuration profile:
Code42-AAT-PPPC.mobileconfig
- Deploy the .mobileconfig file to devices in your environment. (For more details, see the product documentation for your MDM.)
- If you are replacing a previous configuration profile, restart the com.code42.agent.extension service on all deployed user devices for changes to take effect. Alternatively, restart the device.
Step 2: Download and deploy the system extension configuration profile
The System Extension configuration profile enables the insider risk agent to run as a system extension on the device.
- Click to download the configuration profile:
Code42 System Extension.mobileconfig
- Deploy the .mobileconfig file to devices in your environment. (For more details, see the product documentation for your MDM.)
Step 3: Updates for macOS Sequoia
Due to Apple security updates in macOS Sequoia, you must deploy an additional computer configuration profile to block end users from disabling the Code42 insider risk agent in the macOS settings for Login Items & Extensions > Endpoint Security Extensions.
Earlier versions of macOS do not recognize the new profile keys. Only deploy this profile to devices running macOS 15 Sequoia.
If you do not have devices running Sequoia, you can skip this section.
- Click to download the additional configuration profile.
Code42 Non-Removable System Extension.mobileconfig
- Deploy the .mobileconfig file to devices in your environment.
Step 4: Optional configuration profile
Because of Apple security changes in macOS Ventura and later, end users can disable background items and receive notifications for newly installed background services. Deploying an additional computer configuration profile lets you:
- Block end users from disabling the Code42 insider risk agent in the macOS settings for Login items > Allow in the Background.
- Suppress user-facing notifications for newly-installed background services.
Note: The configuration profile below suppresses notifications for all background services on the device, not just Code42.
If you are not concerned about user-facing notifications or users disabling the Code42 service, you can skip this section.
- Click to download the additional configuration profile.
Code42 Background and Login Items.mobileconfig
- Deploy the .mobileconfig file to devices in your environment.
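Before pushing the profiles from Steps 1 to 4 to a pilot group, it is worth confirming that each .mobileconfig actually carries the payload keys the agent depends on. The following Python script is an added example, not Code42 tooling and not the contents of the downloaded profiles: it parses a set of profiles and reports whether Full Disk Access, Accessibility, the Endpoint Security extension allowance, the macOS 15 non-removable key, and the managed login item rule are present. The payload types and keys it looks for are Apple's documented ones; the Team ID, the extension identifier (taken from the restart step above) and the code requirement are placeholder assumptions, as are the constructed sample profiles at the bottom. Substitute the values from the profiles you deploy.

```python
"""Audit .mobileconfig files for the permissions the insider risk agent needs.

Added example, not Code42's own tooling. TEAM_ID, EXTENSION_ID and
CODE_REQUIREMENT are placeholders; use the values from your own profiles.
"""
import plistlib
import sys

TEAM_ID = "ABCDE12345"                        # assumed placeholder
EXTENSION_ID = "com.code42.agent.extension"   # service name used in the article
CODE_REQUIREMENT = (                          # assumed placeholder requirement
    f'identifier "{EXTENSION_ID}" and anchor apple generic '
    f'and certificate leaf[subject.OU] = "{TEAM_ID}"'
)


def _payloads(profile: bytes, payload_type: str):
    """Yield every payload of one PayloadType inside an unsigned .mobileconfig."""
    for payload in plistlib.loads(profile).get("PayloadContent", []):
        if payload.get("PayloadType") == payload_type:
            yield payload


def _tcc_allows(entry: dict) -> bool:
    """Accept both PPPC styles: 'Allowed' (macOS 10.14+) and 'Authorization' (11+)."""
    if "Authorization" in entry:
        return entry["Authorization"] == "Allow"
    return bool(entry.get("Allowed", False))


def audit_profiles(profiles, extension_id=EXTENSION_ID, team_id=TEAM_ID) -> dict:
    """Report which requirements from Steps 1 to 4 the given profiles satisfy."""
    found = {"full_disk_access": False, "accessibility": False,
             "es_extension_allowed": False, "non_removable_sequoia": False,
             "login_item_rule": False, "warnings": []}
    for profile in profiles:
        # Step 1: PPPC payload must grant Full Disk Access and Accessibility.
        for p in _payloads(profile, "com.apple.TCC.configuration-profile-policy"):
            for service, key in (("SystemPolicyAllFiles", "full_disk_access"),
                                 ("Accessibility", "accessibility")):
                for entry in p.get("Services", {}).get(service, []):
                    if entry.get("Identifier") != extension_id or not _tcc_allows(entry):
                        continue
                    if not entry.get("CodeRequirement"):
                        # Without a code requirement, any binary using this identifier is trusted.
                        found["warnings"].append(f"{service}: no CodeRequirement for {extension_id}")
                    found[key] = True
        # Steps 2 and 3: the policy must allow the Endpoint Security extension;
        # NonRemovableFromUISystemExtensions is the macOS 15 key from Step 3.
        for p in _payloads(profile, "com.apple.system-extension-policy"):
            for team, ids in p.get("AllowedSystemExtensions", {}).items():
                es_types = p.get("AllowedSystemExtensionTypes", {}).get(team, [])
                if extension_id in ids and "EndpointSecurityExtension" in es_types:
                    found["es_extension_allowed"] = True
            for team, ids in p.get("NonRemovableFromUISystemExtensions", {}).items():
                if extension_id in ids:
                    found["non_removable_sequoia"] = True
        # Step 4: managed login items rule covering the agent's team.
        for p in _payloads(profile, "com.apple.servicemanagement"):
            for rule in p.get("Rules", []):
                if rule.get("RuleType") == "TeamIdentifier" and rule.get("RuleValue") == team_id:
                    found["login_item_rule"] = True
    return found


def missing_required(found: dict) -> list:
    """Names of the required (non-optional) permissions that are not granted."""
    return [k for k in ("full_disk_access", "accessibility", "es_extension_allowed")
            if not found[k]]


def _profile(payload_type: str, payload: dict) -> bytes:
    """Wrap one payload in a minimal .mobileconfig envelope (constructed sample)."""
    inner = dict(payload, PayloadType=payload_type, PayloadVersion=1,
                 PayloadIdentifier=f"example.{payload_type}.1",
                 PayloadUUID="00000000-0000-0000-0000-000000000002")
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": f"example.{payload_type}",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000001",
                           "PayloadContent": [inner]})


def _tcc_entry(allowed: bool) -> dict:
    return {"Identifier": EXTENSION_ID, "IdentifierType": "bundleID",
            "CodeRequirement": CODE_REQUIREMENT, "Allowed": allowed}


# Constructed samples standing in for the downloaded profiles (assumptions).
SAMPLE_PPPC = _profile("com.apple.TCC.configuration-profile-policy", {
    "Services": {"SystemPolicyAllFiles": [_tcc_entry(True)],
                 "Accessibility": [_tcc_entry(True)]}})
SAMPLE_BROKEN_PPPC = _profile("com.apple.TCC.configuration-profile-policy", {
    "Services": {"SystemPolicyAllFiles": [_tcc_entry(False)],   # FDA denied
                 "Accessibility": [_tcc_entry(True)]}})
SAMPLE_SYSEXT = _profile("com.apple.system-extension-policy", {
    "AllowedSystemExtensionTypes": {TEAM_ID: ["EndpointSecurityExtension"]},
    "AllowedSystemExtensions": {TEAM_ID: [EXTENSION_ID]}})
SAMPLE_SEQUOIA = _profile("com.apple.system-extension-policy", {
    "NonRemovableFromUISystemExtensions": {TEAM_ID: [EXTENSION_ID]}})

if __name__ == "__main__":
    # Usage: python audit_profiles.py <profile.mobileconfig> [...]; with no
    # arguments the constructed samples are audited instead.
    blobs = [open(path, "rb").read() for path in sys.argv[1:]] or [SAMPLE_PPPC, SAMPLE_SYSEXT]
    report = audit_profiles(blobs)
    print(report)
    sys.exit(1 if missing_required(report) else 0)
```

The script reads unsigned profiles only. If an MDM hands you a signed .mobileconfig (a CMS envelope rather than plain XML), decode it first on a Mac with `security cms -D -i signed.mobileconfig > plain.mobileconfig` and audit the result. A non-empty `missing_required` list means the agent will not get one of the three permissions listed under Required permissions, which is the same failure the Troubleshoot section below describes, caught before the profile reaches a device.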
Troubleshoot full disk access status
To confirm if full disk access permissions are configured correctly, see Verify macOS full disk access status.
MDM requirements
- You must use a macOS-compatible MDM tool to deploy the insider risk agent.
- The downloadable PPPC configuration profile (.mobileconfig) file in this article is not compatible with Workspace ONE. To capture the tab title and URL of exfiltrated files, Workspace ONE requires Accessibility to be Allowed in the Define Apps or Process section of the Privacy Preferences Profile.
- If you need help creating or deploying .mobileconfig files with tools such as Workspace ONE or Microsoft Endpoint Manager (Intune), contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.