Another update. We have been able to get the TCC db happy by setting the user for the app to the current user and then prompting them to allow FDA. This works fine on all architectures on macOS 14 and 15. We also believe that it was working in macOS 26.0, but it fails to work on 26.2. The problem is that fidelisevents does not populate into the FDA screen, but is in the TCC db as kTCCServiceEndpointSecurityClient|com.fidelisendpoint.fidelisevents|0|1761918781|5. Then when the user manually adds the app it loads in as the app, not the service so FDA is only given to the app. Is this a permissions problem that keeps it from being populated to FDA screen or is there something else keeping the system from tying the app to the service?

Kevin, The bug number is FB21118226.

Continuing on from Darilla. We have found that on the machines where the toggle will not stay on that in the console we find this error. /AppleInternal/Library/BuildRoots/1c8f7852-11f0-b28b-226177e5bb69/Library/Caches/com.apple.xbs/Sources/SecurityPref/Extension/Privacy/TCCService.swift:97 setApplicationEnabled(_:enabled:path:locNameKey:) Error. Fall back to path /Library/Application Support/Fidelis/Endpoint/App/fidelisevents.app Those machines that allow the toggle to stay on do not see this error. Could this be the problem that is causing the toggle to not stay on? Also from the machines where the toggle won't stay on we get this when querying the TCC.db: sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" > 'SELECT service, client, auth_value, last_modified > FROM access > WHERE service is "kTCCServiceEndpointSecurityClient"' kTCCServiceEndpointSecurityClient|/Library/Application Support/Fidelis/Endpoint/App/fidelisevents.app|2|1763500302|4 kTCCServiceEndpointSecurityClient|com.fidelisendpoint.fidelisevents|0|1761918781|5 We noticed that com.fidelisendpoint.fidelisevents has an auth_value of 0 and a auth_reason of 5. On any system that has the daemon working the auth_value is 2 and the auth_reason is 4. Is this to be expected because the toggle isn't working?