Full disk permissions for compliance script, or alternative?

Hey guys, so I'm writing a business compliance script for my company's internal audits, and part of it needs to validate that users are allowing Time Machine to make backups on a regular basis.

tmutil listbackups

...does a great job of this in a shell script, but once I bundle the script into an application bundle, it fails to return any data. I realized it was because of "Full Disk Access" permissions - however, adding the application bundle explicitly to Prefs/Security & Privacy/Privacy/Full Disk Access makes no difference, nor does adding the script inside the app bundle, or whitelisting /usr/bin/bash.

Part of the issue could be that I'm having users run this by putting a shell script in a .app package. (see: https://mathiasbynens.be/notes/shell-script-mac-apps)

If you run the script directly via terminal, and the terminal is whitelisted for disk access, it works fine.

Is there any way to have the script request full disk access from the user at runtime the way regular Mac apps do on first attempt? Could it be that I need to whitelist something else?

Is there any way to have the script request full disk access from the user at runtime the way regular Mac apps do on first attempt?

There are virtually no Mac apps that do that on first attempt. That would be an automatic rejection from the Mac App Store.

Speaking of which, why are you worrying about Mac App Store security requirement for your internal tool?



@etresoft A number of the Apple apps ask on first attempt, and then auto-add the permission. That's why I asked.

I don't care about App Store anything - this is a pure shell script to do compliance audits in my company to validate that users are actually performing regular Time Machine backups as required by our ISO standards. We only use this script internally.
Ok, so I think I answered my own question. I was getting caught up with the manual granting of full disk access to the script itself, but it turns out, my shebang was borking the permissions. I was doing this:

Code Block bash
#!/usr/bin/env bash
# instead of
#!/bin/bash

Which, it turns out, means you would need to grant access to /usr/bin/env rather than /bin/bash. Duh.

I don't really want to do either, since it seems like a 5 ton hammer for just getting time machine backup metadata, but unless someone can provide a better way to do this, I think it'll have to do. Thanks for looking!
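Added example, not code from the thread: the checking logic such a compliance script needs once the interpreter question above is settled, written so it runs on a constructed sample of `tmutil listbackups` output instead of a live call. The sample paths, host name and the 7-day threshold are assumptions; the parser expects backup directories named YYYY-MM-DD-HHMMSS (optionally with a .backup suffix). An empty listing is reported as NO_DATA rather than as a stale backup on purpose, because, as the original post describes, a run without the Full Disk Access grant returns no data at all rather than an error, and an auditor needs to tell those two cases apart.

```bash
#!/bin/bash
# Added example (not code from the thread): parse `tmutil listbackups`-style
# output and decide whether the newest backup is recent enough. The sample
# listing below is constructed; on a Mac, feed the live listing instead:
#   backup_status "$(tmutil listbackups 2>/dev/null)" "$(date +%Y-%m-%d)" 7
# Assumed layout: every backup path ends in YYYY-MM-DD-HHMMSS[.backup].

# Days since 1970-01-01 for a civil date, pure integer arithmetic so the same
# code runs under macOS /bin/sh, bash and dash (no `date -d` / `date -j`).
days_from_civil() {
    local y=$1 m=$2 d=$3
    m=${m#0}; d=${d#0}                       # "08" -> "8": avoid octal parsing
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi # Jan/Feb belong to the prior year
    local era=$(( y / 400 ))
    local yoe=$(( y - era * 400 ))
    local mp=$(( (m + 9) % 12 ))             # March = 0 ... February = 11
    local doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    local doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    printf '%s\n' $(( era * 146097 + doe - 719468 ))
}

# Newest timestamp (YYYY-MM-DD-HHMMSS) in a listing read on stdin; prints
# nothing when no line ends in a backup timestamp.
latest_backup_stamp() {
    sed -n 's#.*/\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}\)\(\.backup\)*$#\1#p' \
        | sort | tail -n 1
}

# Split YYYY-MM-DD[-HHMMSS] into "Y M D".
ymd() {
    local s=$1
    local y=${s%%-*}; s=${s#*-}
    local m=${s%%-*}; s=${s#*-}
    local d=${s%%-*}
    printf '%s %s %s\n' "$y" "$m" "$d"
}

# Classify a listing against a maximum allowed age in days.
# Arguments: listing text, today's date as YYYY-MM-DD, max age in days.
# Prints NO_DATA (exit 2), STALE <age> (exit 1) or OK <age> (exit 0).
# NO_DATA is kept separate from STALE because a script running without
# Full Disk Access gets exactly this: an empty listing, not an error.
backup_status() {
    local listing=$1 today=$2 max_days=$3
    local stamp
    stamp=$(printf '%s\n' "$listing" | latest_backup_stamp)
    if [ -z "$stamp" ]; then
        echo "NO_DATA"
        return 2
    fi
    local then_days now_days age
    then_days=$(days_from_civil $(ymd "$stamp"))
    now_days=$(days_from_civil $(ymd "$today"))
    age=$(( now_days - then_days ))
    if [ "$age" -gt "$max_days" ]; then
        echo "STALE $age"
        return 1
    fi
    echo "OK $age"
}

# Constructed sample standing in for `tmutil listbackups` output.
SAMPLE='/Volumes/TMDisk/Backups.backupdb/dev-mbp/2019-08-01-090000
/Volumes/TMDisk/Backups.backupdb/dev-mbp/2019-08-15-101500
/Volumes/TMDisk/Backups.backupdb/dev-mbp/2019-08-20-223012'

for today in 2019-08-27 2019-09-30; do
    printf '%s: ' "$today"; backup_status "$SAMPLE" "$today" 7 || :
done
printf 'empty listing: '; backup_status "" 2019-09-30 7 || :
```

Whichever interpreter the shebang names is the binary that needs the grant, as found above, so this file runs under /bin/bash directly; the exit codes let the wrapper distinguish a non-compliant machine (1) from a broken permission setup (2) instead of lumping both together as "no backups".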

A number of the apple apps ask on first attempt, and then auto-add the permission

I have never seen a single Apple app ask for Full Disk Access at all. They most definitely never "auto-add" any permissions.

You seem to be thinking about the access for certain special locations like Downloads or Desktop. Any app that attempts to access those locations will trigger a confirmation dialog. As a convenience, Apple automatically adds apps to those security lists, but leaves them unchecked. This is so the user doesn't have to go searching for them.

I don't care about App Store anything - this is a pure shell script to do compliance audits in my company to validate that users are actually performing regular Time Machine backups as required by our ISO standards. We only use this script internally.

Then why do you care about this? Just give your app Full Disk Access via MDM.

Which, it turns out, means you would need to grant access to /usr/bin/env rather than /bin/bash. Duh.

The macOS version of bash is ancient. It is better to use zsh. For scripts, just use "sh".
@Etresoft

I have never seen a single Apple app ask for Full Disk Access at all. They most definitely never "auto-add" any permissions.

Fair point - but I think to access time machine backups, I require this, unless you know otherwise?

Then why do you care about this? Just give your app app Full Disk Access via MDM.

MDM? We don't currently use it, but perhaps I'll do some research. It might make some of this stuff easier rather than having people do their own juggling, we could roll out policy level changes.

The macOS version of bash is ancient. It is better to use zsh. For scripts, just use "sh".

I'm aware, and most devs are using zsh via brew by default. We generally target bash on scripts since it plays nice in most of our environments, and I'm not doing anything dependent on new bash features, but this is a good point.

Thanks for the tips!

