Adding troubleshooting info about full disk access (#7938)

* Adding troubleshooting info about full disk access * Apply suggestions from code review Co-authored-by: Chris McGillicuddy <108031970+chris-mcgillicuddy@users.noreply.github.com> Co-authored-by: Chris McGillicuddy <108031970+chris-mcgillicuddy@users.noreply.github.com>
2026-05-24 01:18:42 +00:00 · 2022-11-09 11:14:44 -05:00 · 2022-11-09 11:14:44 -05:00 · a42dd708d6
commit a42dd708d6
parent d6b3250d05
1 changed files with 12 additions and 3 deletions
--- a/docs/Using-Fleet/Adding-hosts.md
+++ b/docs/Using-Fleet/Adding-hosts.md
@ -307,8 +307,17 @@ Preferences*, run this query from Fleet:
 SELECT * FROM file WHERE path LIKE '/Users/%/Downloads/%%';
 ```

-If this query returns files, the profile has been successfully applied, as *Downloads* is a
-protected location. You can now enjoy the benefits of osquery on all system files as well as start
-using the *es_process_events* table!
+If this query returns files, the profile was applied, as **Downloads** is a
+protected location. You can now enjoy the benefits of osquery on all system files and start
+using the **es_process_events** table!
+
+If this query does not return data, you can look at operating system logs to confirm whether or not full disk
+access has been applied.
+
+See the last hour of logs related to TCC permissions with this command:
+
+`log show --predicate 'subsystem == "com.apple.TCC"' --info --last 1h`
+
+You can then look for `orbit` or `osquery` to narrow down results.

 <meta name="pageOrderInSection" value="500">