NextronSystems · redteampanda-ng · Dec 17, 2025 · Dec 9, 2025 · Dec 9, 2025 · Dec 17, 2025
diff --git a/administration/agent.rst b/administration/agent.rst
@@ -101,7 +101,7 @@ You can test it, by executing the following command in Terminal:
 
 .. code-block:: console
 
-   MacBook-Pro:~ nextron$  pkgutil --check-signature /Users/nextron/Downloads/asgard2-agent-macos-arm64.pkg
+   MacBook-Pro:~ nextron$ pkgutil --check-signature /Users/nextron/Downloads/asgard2-agent-macos-arm64.pkg
    Package "asgard2-agent-macos-arm64.pkg":
    Status: signed by a developer certificate issued by Apple for distribution
    Notarization: trusted by the Apple notary service
@@ -117,8 +117,22 @@ macOS Full Disk Access
 Since macOS Ventura (v13.0) the ASGARD Agent needs full disk access
 to function properly. After you have deployed the ASGARD Agent, you need
 to grant the service the required access permissions. Please keep in mind
-that administrative privileges on the machine are needed to perform this
-change.
+that administrative privileges on the machine are needed to perform the
+following tasks.
+
+.. note:: 
+   There is no workaround to these steps, since it is an integral
+   part of the security design of Apple devices. If you are having trouble
+   with THOR scans via ASGARD on macOS, please check if the ``Full Disk
+   Access`` permission for the ASGARD agent was granted. Since macOS Mojave
+   (v10.14), you need to grant the same permissions to removable volumes,
+   if you plan on scanning those.
+
+If you need to grant Full Disk Access via MDM, please have a look at the chapter
+:ref:`appendix/mdm-fulldiskaccess:Full Disk Access for macOS asgard2-agent-service via MDM`.
+
+Prior to macos 26
+"""""""""""""""""
 
 To do this, navigate on your Mac to ``System Settings`` > ``Privacy &
 Security`` > ``Full Disk Access``:
@@ -133,13 +147,68 @@ You need to enable the ``asgard2-agent-service`` slider:
    :scale: 40
    :alt: macOS 13 Full Disk Access
 
-If you need to grant Full Disk Access via MDM, please have a look at the chapter
-:ref:`appendix/mdm-fulldiskaccess:Full Disk Access for macOS asgard2-agent-service via MDM`.
+Starting with macOS 26
+""""""""""""""""""""""
+Starting with version 26, we noticed that macOS no longer displays the entry ``asgard2-agent-service`` in the Full Disk Access UI.
 
-.. note:: 
-   There is no workaround to this step, since it is an integral
-   part of the security design of Apple devices. If you are having trouble
-   with THOR scans via ASGARD on macOS, please check if the ``Full Disk
-   Access`` permission for the ASGARD agent was granted. Since macOS Mojave
-   (v10.14), you need to grant the same permissions to removable volumes,
-   if you plan on scanning those.
+.. figure:: ../images/macos_missing_asgard2-agent_service.png
+   :scale: 40
+   :alt: Missing asgard2-agent.service
+
+If you have updated from macOS 15 Sequoia you should check in ASGARD the THOR scan protocol for a warning about Full Disk Access or query your operating system's ``TCC.db`` database.
+
+To query the database, open the Terminal App and perform the following SQL command:
+
+.. code-block:: console
+    :emphasize-lines: 2
+
+    MacBook-Pro:~ nextron$ sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access' | grep asgard
+    kTCCServiceSystemPolicyAllFiles|/private/var/lib/asgard2-agent/asgard2-agent-service|1|2|4|1|??||0|UNUSED|0|176962327|||UNUSED|0
+    MacBook-Pro:~ nextron$
+
+This value section must match:
+
+.. code-block:: console
+
+   asgard2-agent-service|1|2|4|1|
+
+If the values do NOT match at this point, or if you originally installed our agent on macOS 26, please proceed with the following instructions.
+
+Temporarily adjust the permissions for the directory /private/var/lib/asgard2-agent via Terminal:
+
+.. code-block:: console
+
+   MacBook-Pro:~ nextron$ sudo chmod 777 -R /private/var/lib/asgard2-agent/
+   MacBook-Pro:~ nextron$
+
+Open the Full Disk Access UI (``System Settings`` > ``Privacy &
+Security`` > ``Full Disk Access``) and click on the ``+ Symbol`` bottom left. Enter the admin credentials.
+
+Open the search window by clicking on ``Command + SHIFT + G`` and enter the path to the service binary, ``/private/var/lib/asgard2-agent``.
+
+.. figure:: ../images/macos_path_asgard2-agent_service.png
+   :scale: 45
+   :alt: Path to asgard2-agent-service
+
+Choose the ``asgard2-agent-service`` and click ``Open``.
+
+.. figure:: ../images/macos_choose_asgard2-agent_service.png
+   :scale: 45
+   :alt: Path to asgard2-agent-service
+
+Check that the permissions have now been granted correctly by reopening the Terminal App and executing the following SQL command:
+
+.. code-block:: console
+
+     MacBook-Pro:~ nextron$ sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access' | grep asgard
+     kTCCServiceSystemPolicyAllFiles|/private/var/lib/asgard2-agent/asgard2-agent-service|1|2|4|1|??||0|UNUSED|0|176962327|||UNUSED|0
+     MacBook-Pro:~ nextron$
+
+Please note that the entry is still not displayed in the UI.
+
+Finally adjust the permissions again:
+
+.. code-block:: console
+
+   MacBook-Pro:~ nextron$ sudo chmod 700 -R /private/var/lib/asgard2-agent/
+   MacBook-Pro:~ nextron$
diff --git a/images/macos_choose_asgard2-agent_service.png b/images/macos_choose_asgard2-agent_service.png
diff --git a/images/macos_missing_asgard2-agent_service.png b/images/macos_missing_asgard2-agent_service.png
diff --git a/images/macos_path_asgard2-agent_service.png b/images/macos_path_asgard2-agent_service.png