Check from installing app if Full Disk Access has been enabled?

I have a macOS app that installs an endpoint system extension. After the user clicks "Allow" to allow it to be installed, the user must still scroll up to the "Full Disk Access" section and enable full disk access for the system extension.

It is easy for the user to forget to do this.

Is there an API (or other easy way) for the installing app to check whether the endpoint system extension has been granted full disk access?

I would like to display some big message in the GUI saying "You must enable Full Disk Access" until they do.

Up vote post of Todd_at_Ennetix Down vote post of Todd_at_Ennetix
435 views
Posted by
Todd_at_Ennetix
Reply
Add a Comment

Accepted Reply

Is there an API (or other easy way) for the installing app to check whether the endpoint system extension has been granted full disk access?

There is no standalone API for checking whether a particular problem has FDA enabled. However, you can do this from you ES client. Specifically, if FDA is not enabled then es_new_client will return ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED. You can test for that specific result and inform the user accordingly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved

  • Thanks. I think I can work with this. Right now the agent doesn't establish its XPC listener until after es_new_client is established, but if I do that before, let the GUI connect, and then handle the es_new_client error internally, I can probably keep the installing/GUI app aware of the progress.

    Todd_at_Ennetix
Add a Comment

Replies

Is there an API (or other easy way) for the installing app to check whether the endpoint system extension has been granted full disk access?

There is no standalone API for checking whether a particular problem has FDA enabled. However, you can do this from you ES client. Specifically, if FDA is not enabled then es_new_client will return ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED. You can test for that specific result and inform the user accordingly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved

  • Thanks. I think I can work with this. Right now the agent doesn't establish its XPC listener until after es_new_client is established, but if I do that before, let the GUI connect, and then handle the es_new_client error internally, I can probably keep the installing/GUI app aware of the progress.

    Todd_at_Ennetix
Add a Comment