Continuing on from Darilla. We have found that on the machines where the toggle will not stay on that in the console we find this error.
/AppleInternal/Library/BuildRoots/1c8f7852-11f0-b28b-226177e5bb69/Library/Caches/com.apple.xbs/Sources/SecurityPref/Extension/Privacy/TCCService.swift:97 setApplicationEnabled(_:enabled:path:locNameKey:) Error. Fall back to path /Library/Application Support/Fidelis/Endpoint/App/fidelisevents.app
Those machines that allow the toggle to stay on do not see this error. Could this be the problem that is causing the toggle to not stay on?
Also from the machines where the toggle won't stay on we get this when querying the TCC.db:
sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db"
> 'SELECT service, client, auth_value, last_modified
> FROM access
> WHERE service is "kTCCServiceEndpointSecurityClient"'
kTCCServiceEndpointSecurityClient|/Library/Application Support/Fidelis/Endpoint/App/fidelisevents.app|2|1763500302|4
kTCCServiceEndpointSecurityClient|com.fidelisendpoint.fidelisevents|0|1761918781|5
We noticed that com.fidelisendpoint.fidelisevents has an auth_value of 0 and a auth_reason of 5. On any system that has the daemon working the auth_value is 2 and the auth_reason is 4. Is this to be expected because the toggle isn't working?
