Endpoint Security, CrowdStrike, Full Disk Access for macOS 10.14 and 10.15
Granting Full Disk Access to the Falcon Sensor on macOS 10.14 (Mojave) and 10.15 (Catalina).
University of Illinois IT Pros leveraging Technology Services CrowdStrike
Beginning with macOS 10.15, full disk access must be granted to the CrowdStrike Falcon Sensor to obtain visibility to all files on the device. This action only needs to be taken once per host when installing the Falcon Sensor on Catalina, or after upgrading to Catalina from earlier macOS releases. It does not need to be repeated after sensor updates.
For macOS 10.14, CrowdStrike recommends granting full disk access to the CrowdStrike Falcon Sensor, in order to prepare for upcoming sensor releases that will be able to access file paths protected by default on Mojave.
If you are using EPS Workspace ONE to manage your macOS devices, please contact the EPS team and we will help you leverage the existing "fda.crowdstrike" global privacy preferences profile to grant full disk access to the Crowdstrike Falcon Sensor.
For Macs not enrolled in Workspace ONE, you can take the following steps to manually grant full disk access to the Crowdstrike Falcon Sensor. Administrator account permission is needed for these steps.
- Open System Preferences
- Open Security & Privacy
- Select the Privacy tab. If privacy settings are locked:
- Click the lock icon in the lower-left corner
- Enter your device password
- In the left pane, select Full Disk Access
- In the right pane, click the + icon
- Navigate to /Library/CS/falcond, or type Cmd-Shift-G and enter /Library/CS/falcond
- Click Open
- Click Quit Now
- If necessary, click the lock in the lower-left corner to re-lock privacy settings