diff --git a/administration/agent.rst b/administration/agent.rst index 8ff3af0..2b4dd2c 100644 --- a/administration/agent.rst +++ b/administration/agent.rst @@ -101,7 +101,7 @@ You can test it, by executing the following command in Terminal: .. code-block:: console - MacBook-Pro:~ nextron$ pkgutil --check-signature /Users/nextron/Downloads/asgard2-agent-macos-arm64.pkg + MacBook-Pro:~ nextron$ pkgutil --check-signature /Users/nextron/Downloads/asgard2-agent-macos-arm64.pkg Package "asgard2-agent-macos-arm64.pkg": Status: signed by a developer certificate issued by Apple for distribution Notarization: trusted by the Apple notary service @@ -117,8 +117,22 @@ macOS Full Disk Access Since macOS Ventura (v13.0) the ASGARD Agent needs full disk access to function properly. After you have deployed the ASGARD Agent, you need to grant the service the required access permissions. Please keep in mind -that administrative privileges on the machine are needed to perform this -change. +that administrative privileges on the machine are needed to perform the +following tasks. + +.. note:: + There is no workaround to these steps, since it is an integral + part of the security design of Apple devices. If you are having trouble + with THOR scans via ASGARD on macOS, please check if the ``Full Disk + Access`` permission for the ASGARD agent was granted. Since macOS Mojave + (v10.14), you need to grant the same permissions to removable volumes, + if you plan on scanning those. + +If you need to grant Full Disk Access via MDM, please have a look at the chapter +:ref:`appendix/mdm-fulldiskaccess:Full Disk Access for macOS asgard2-agent-service via MDM`. + +Prior to macos 26 +""""""""""""""""" To do this, navigate on your Mac to ``System Settings`` > ``Privacy & Security`` > ``Full Disk Access``: 
@@ -133,13 +147,68 @@ You need to enable the ``asgard2-agent-service`` slider: :scale: 40 :alt: macOS 13 Full Disk Access -If you need to grant Full Disk Access via MDM, please have a look at the chapter -:ref:`appendix/mdm-fulldiskaccess:Full Disk Access for macOS asgard2-agent-service via MDM`. +Starting with macOS 26 +"""""""""""""""""""""" +Starting with version 26, we noticed that macOS no longer displays the entry ``asgard2-agent-service`` in the Full Disk Access UI. -.. note:: - There is no workaround to this step, since it is an integral - part of the security design of Apple devices. If you are having trouble - with THOR scans via ASGARD on macOS, please check if the ``Full Disk - Access`` permission for the ASGARD agent was granted. Since macOS Mojave - (v10.14), you need to grant the same permissions to removable volumes, - if you plan on scanning those. +.. figure:: ../images/macos_missing_asgard2-agent_service.png + :scale: 40 + :alt: Missing asgard2-agent.service + +If you have updated from macOS 15 Sequoia you should check in ASGARD the THOR scan protocol for a warning about Full Disk Access or query your operating system's ``TCC.db`` database. + +To query the database, open the Terminal App and perform the following SQL command: + +.. code-block:: console + :emphasize-lines: 2 + + MacBook-Pro:~ nextron$ sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access' | grep asgard + kTCCServiceSystemPolicyAllFiles|/private/var/lib/asgard2-agent/asgard2-agent-service|1|2|4|1|??||0|UNUSED|0|176962327|||UNUSED|0 + MacBook-Pro:~ nextron$ + +This value section must match: + +.. code-block:: console + + asgard2-agent-service|1|2|4|1| + +If the values do NOT match at this point, or if you originally installed our agent on macOS 26, please proceed with the following instructions. + +Temporarily adjust the permissions for the directory /private/var/lib/asgard2-agent via Terminal: + +.. 
code-block:: console + + MacBook-Pro:~ nextron$ sudo chmod 777 -R /private/var/lib/asgard2-agent/ + MacBook-Pro:~ nextron$ + +Open the Full Disk Access UI (``System Settings`` > ``Privacy & +Security`` > ``Full Disk Access``) and click on the ``+ Symbol`` bottom left. Enter the admin credentials. + +Open the search window by clicking on ``Command + SHIFT + G`` and enter the path to the service binary, ``/private/var/lib/asgard2-agent``. + +.. figure:: ../images/macos_path_asgard2-agent_service.png + :scale: 45 + :alt: Path to asgard2-agent-service + +Choose the ``asgard2-agent-service`` and click ``Open``. + +.. figure:: ../images/macos_choose_asgard2-agent_service.png + :scale: 45 + :alt: Path to asgard2-agent-service + +Check that the permissions have now been granted correctly by reopening the Terminal App and executing the following SQL command: + +.. code-block:: console + + MacBook-Pro:~ nextron$ sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access' | grep asgard + kTCCServiceSystemPolicyAllFiles|/private/var/lib/asgard2-agent/asgard2-agent-service|1|2|4|1|??||0|UNUSED|0|176962327|||UNUSED|0 + MacBook-Pro:~ nextron$ + +Please note that the entry is still not displayed in the UI. + +Finally adjust the permissions again: + +.. code-block:: console + + MacBook-Pro:~ nextron$ sudo chmod 700 -R /private/var/lib/asgard2-agent/ + MacBook-Pro:~ nextron$ diff --git a/images/macos_choose_asgard2-agent_service.png b/images/macos_choose_asgard2-agent_service.png new file mode 100644 index 0000000..bcdc178 Binary files /dev/null and b/images/macos_choose_asgard2-agent_service.png differ diff --git a/images/macos_missing_asgard2-agent_service.png b/images/macos_missing_asgard2-agent_service.png new file mode 100644 index 0000000..0d4be57 Binary files /dev/null and b/images/macos_missing_asgard2-agent_service.png differ 
diff --git a/images/macos_path_asgard2-agent_service.png b/images/macos_path_asgard2-agent_service.png new file mode 100644 index 0000000..b5b9ebe Binary files /dev/null and b/images/macos_path_asgard2-agent_service.png differ
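
Review bot: the new subsection title ``Prior to macos 26`` in the ``@@ -117,8 +117,22 @@`` hunk spells the OS name in lowercase, while the surrounding text and the sibling title ``Starting with macOS 26`` use ``macOS``. Change it to ``Prior to macOS 26``; the title length does not change, so the underline can stay as it is.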
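
Review bot: in the ``@@ -133,13 +147,68 @@`` hunk, ``sudo chmod 777 -R /private/var/lib/asgard2-agent/`` makes the directory holding ``asgard2-agent-service`` world-writable for as long as the reader spends in the Full Disk Access dialog, and that binary is the one being granted Full Disk Access. Any local account can modify or replace it during that window. Please document the narrowest mode that lets the file picker reach the binary (if read and traverse access is enough, something like ``a+rX`` instead of ``777``) and state explicitly that the restore step must not be skipped. Two related points on the same commands: the macOS ``chmod`` expects options before the mode, so ``-R`` placed after ``777`` is treated as a file name and the change is not applied recursively; write ``chmod -R <mode> <path>`` in both places. The closing ``chmod 700 -R`` also sets every file under the directory to ``700`` regardless of its previous mode, so the text should either confirm that ``700`` is the installer's mode for the whole tree or restore only what the first command changed.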