I have an endpoint system extension that monitors exec system calls. It works fine, but I have to follow a very specific order when installing it.
When I (the user) click to install, I get the option to open System Settings. There, I am presented with an option to "Allow" the endpoint application.
If I:
(1) click "Allow"
and then
(2) enable full disk access,
the application runs but doesn't get exec events. Console shows the error message:
Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access
Even after enabling full disk access (after allowing the extension to be installed), I do not get the exec events.
To resolve this, I have to uninstall the endpoint system extension and reinstall it.
(Note: If I first grant full disk access and then allow the endpoint system extension to be installed, everything works fine, but I suspect most users will now follow this happy path.)
Is there a way to smooth this out, so that once full disk access is granted, the endpoint system extension gets events without needing to uninstall and reinstall the endpoint agent?