From a42dd708d621636021ad165336d52564669c3613 Mon Sep 17 00:00:00 2001 From: Guillaume Ross Date: Wed, 9 Nov 2022 11:14:44 -0500 Subject: [PATCH] Adding troubleshooting info about full disk access (#7938) * Adding troubleshooting info about full disk access * Apply suggestions from code review Co-authored-by: Chris McGillicuddy <108031970+chris-mcgillicuddy@users.noreply.github.com> Co-authored-by: Chris McGillicuddy <108031970+chris-mcgillicuddy@users.noreply.github.com> --- docs/Using-Fleet/Adding-hosts.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/Using-Fleet/Adding-hosts.md b/docs/Using-Fleet/Adding-hosts.md index 4fe7858dfd..86c7cf1609 100644 --- a/docs/Using-Fleet/Adding-hosts.md +++ b/docs/Using-Fleet/Adding-hosts.md @@ -307,8 +307,17 @@ Preferences*, run this query from Fleet: SELECT * FROM file WHERE path LIKE '/Users/%/Downloads/%%'; ``` -If this query returns files, the profile has been successfully applied, as *Downloads* is a -protected location. You can now enjoy the benefits of osquery on all system files as well as start -using the *es_process_events* table! +If this query returns files, the profile was applied, as **Downloads** is a +protected location. You can now enjoy the benefits of osquery on all system files and start +using the **es_process_events** table! + +If this query does not return data, you can look at operating system logs to confirm whether or not full disk +access has been applied. + +See the last hour of logs related to TCC permissions with this command: + +`log show --predicate 'subsystem == "com.apple.TCC"' --info --last 1h` + +You can then look for `orbit` or `osquery` to narrow down results.
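Review bot: The added troubleshooting steps do not say where the `log show` command runs. The query just above is introduced with "run this query from Fleet", but `log show --predicate 'subsystem == "com.apple.TCC"' --info --last 1h` is a local shell command, so the text should state that it is run in a terminal on the affected host. The sentence "You can then look for `orbit` or `osquery` to narrow down results" also leaves the reader without a success criterion: consider describing which entry indicates that full disk access was applied, and noting that `--last 1h` may need to be widened if the profile was deployed earlier. Two style points in the same hunk: the command is given as inline code on its own line while the query above it sits in a fenced block, and the table name is now bold (`**es_process_events**`) while `orbit` and `osquery` use backticks, so one convention for identifiers would read more consistently.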