This KB will guide you on how to create a PPPC MDM payload to allow applications Full Disk Access in order to avoid your end-users being prompted.
Please note: Every application is different in the permissions that they need. If you are unsure of the permissions a certain application needs, we recommend contacting the software manufacturer for exact permissions.
How to grant Full Disk Access
In order to grant Full Disk Access to an application, you will first navigate to Catalog -> MDM Profiles and create a new Privacy Preferences Policy Control (PPPC) payload.
Next, you will need to execute some commands in the terminal.
Note: In order to run these commands, the application must be installed on the device you intend to run it on.
For FDA, you'll need the identifier and the code requirement to fill out the required fields in the payload.
For the app identifier run:
codesign -dv /path/to.app
For the code requirement run:
codesign -dr - /path/to.app
To run the above commands, you will need to substitute the file path to the application.
Tip: If you are unsure of the file path to a certain application, you can drag the application into terminal and you'll get the full file path.
As an example, we'll go through this process with Webroot.
Here is how we got the file path, going to the Applications folder and dragging it into the terminal:
We can run the commands now that we have the file path, here is the command for the identifier:
Now we run the command for the code requirement (for every application, the code requirement starts with identifier:
Putting the payload together:
In this step, we will put the payload together using the information gathered above:
Identifer: com.webroot.Webroot-SecureAnywhere
Code Requirement: identifier "com.webroot.Webroot-SecureAnywhere" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6Q6RVXVYC2"
The fields you want to fill out to grant Full Disk Access (FDA) are Access to All Protected and System Administration.
Below is how the payload should look:
Save your changes, add the configuration to your policy, and deploy your changes!
If you know that a specific application needs Full Disk Access, we recommend deploying this payload before deploying the software. Also, it's normal to see the applications in question have their checkbox "unchecked" in Security & Privacy -> Privacy -> Full Disk Access panel.
Now you should be able to configure Full Disk Access for any application!