Full Disk Access (Catalina) - Not working with privileged helper

I've noticed that Catalina has a new security category. In addition to Full Disk Access, there is "Removable Volumes" under "Files and Folders". I think Full Disk Access is for full access to the boot volume whereas "Removable Volumes" is for other volumes. I guess that given the complexity of SIP, Full Disk Access, ACLs, and basic Unix permissions, Apple felt that external volumes with Owners disabled needed another layer of security.

Unfortunately, I don't see a way to enable the "+" button in this category. You have to have the app ask for access. With a PrivilegedHelper, I guess you would have to have the parent ask for access.

Personally, I can't say I would ever use a PrivilegedHelper. I just added a helper to my app and executed it via osascript with "administrator privileges" and that seems to work pretty well.

Thank John for the reply!

Interesting find! However, I do not see "Removable Volumes" listed on my MacBoop Pro (15" 2016) and MacBook (12") - both running public final release of Catalina (I'm assuming you're refering to the list "System Preferences" -> "Security & Privacy" -> "Privacy").

If this is a leftover of a beta, then maybe Apple goofed up there, and planned this option, but removed it at the final release without correcting "Full Disk Access"? On that note, I ran the beta on my MacBook (12") which doesn't list it either.

I used scripts before, and this indeed worked fine, but it did cause issues with some users.

Trying to implement things the Apple recommended way, I figured that it would be at least a good idea to explore how this works and eventually implemented it. It comes with the nice side effect that the GUI becomes more responsive while executing scripts, etc as well.

As for asking access from the user, I wouldn't know how to do this.
i've seen 2 scenario's when it comes to "asking the user";

1) The application accesses a function that needs permission, and macOS ask a "Allow/Do not Allow" question when the application calls this function

2) When I want to install a helper tool, in which case I ask the user for authorization and macOS then handles the installation of the helper tool.

Since I'm seeing CCC, Etcher, etc having similar problems, I'm wondering if this is a bug and if I should report this or not.

Having said that: I'm no expert, and that's why I'm trying to find out from experts in this forum if it is a bug or just my lack of knowledge.

It doesn’t matter if it is a bug or lack of knowedge. It has been released, so you have to deal with it. Try navigating to the external volume in the Terminal. You should get a security prompt and the Removable Volumes entry. Make sure Full Disk Access is not enabled for Terminal just to make sure. You may have to have your main app try to access the external volume to get the entry.

I don’t know why so many developers are having trouble with these issues. It is practically like Apple is putting on a siren with flashing lights for Mac developers. Consider how your app would function in iOS. If it wouldn’t function at all, then you need to find a new app to write. I’m in the same boat. My software is Dead App Walking. Apple is killing theses kinds of system utilities with a thousand little cuts. macOS, at least as we know it, is deprecated. These new security dialogs are our signal to find something else to write while we still have some income.

Hi John,

Yep, I had not noticed it yet, but indeed I do get a "Terminal would like to access files on a removable volume" message.
Even worse, using "sudo" I can't even ask for a list of the external drive.
Who the heck comes up with these ideas? 😟

I fully agree with you that Apple is killing developers (of said utilities) with a thousand cuts - nicely put!

It is almost like Apple has a special department that comes up with ideas to take motivation away from developers.

I'm not even using XCode (I really can't stand it) so you can imagine the extra hurdles I have to take to get anything done.

And you're right; maybe it is time to (yet again) move to another platform or maybe even start a different hobby ...

I do understand the need for more security though, but can't this be done in a more developer friendly way?

I'm not paying $99/year for a certificate, for software I offer others for free, to get more and more aggravated with every release.

Anyhoo - I'm still hopefull that there will be a fix for this 😊

Yup. Same problem here. "Full Disk Access" doesn't allow my root user app to access external volumes. Curiously enough it does if I invoke it using sudo within Terminal. Now how does one go about getting "Removable Volumes" to appear in the Security & Privacy section for my app even though it already has "Full Disk Access" and is running as root (via Security.framework's authtrampoline). 😟

That is because your app is using Terminal's privileges, which does have access to external volumes. The new privacy controls in Catalina are higher than even root. The user must authorize them. There are some functions you can call to see if you have access. Review the "Advances in macOS Security" presentation from WWDC 2019.