# Permissions for Endpoint Central macOS agent via MDM

This article describes the steps to configure, at the macOS level, the permissions that each third-party vendor's System Extension needs in order to be approved. This requires the vendor's Team ID, also known as the Apple Developer ID, to be allowed.

- With macOS 10.14, Apple added a new default behavior that prevents applications from accessing the disk, taking remote control, etc., without explicit approval.
- With macOS 13, Apple added an option in System Settings that lets users disable background processes.

### Table of contents

1. [Granting Permissions](https://www.manageengine.com/products/desktop-central/help/permissions-for-endpoint-central-agent-via-mdm.html#grant)
2. [Whitelisting System Extensions](https://www.manageengine.com/products/desktop-central/help/permissions-for-endpoint-central-agent-via-mdm.html#whitelist)
3. [Background Service/Login Item Management](https://www.manageengine.com/products/desktop-central/help/permissions-for-endpoint-central-agent-via-mdm.html#login)

**If ManageEngine MDM is used, the permissions listed below are deployed to macOS machines automatically. Follow the steps below if another MDM vendor is used.**

## Granting Permissions

Permissions can be provided through an MDM Privacy Preferences Policy Control (PPPC) profile. The permissions granted are Full Disk Access, Accessibility, and Screen Capture.

### Details required for the PPPC profile:

#### **1. Protector System Extension**

Process that monitors the agent folder and processes, and prevents users from modifying files and interrupting the processes.

| Identifier | com.manageengine.protectord |
|---|---|
| Code sign requirement | anchor apple generic and identifier "com.manageengine.protectord" and certificate leaf[subject.OU] = TZ824L8Y37 |
| Static code validation | No |
| Allowed Permissions | System Policy All Files |
| Other Permissions | User controlled |

#### **2. Agent service**

Process that performs all agent tasks.

| Identifier | dcagentservice |
|---|---|
| Code sign requirement | identifier dcagentservice and anchor apple generic and certificate leaf[subject.OU] = TZ824L8Y37 |
| Static code validation | No |
| Allowed Permissions | System Policy All Files |
| Other Permissions | User controlled |

Apps for Apple Events:

| # | Identifier | Code Requirement |
|---|---|---|
| 1 | com.apple.systemevents | identifier "com.apple.systemevents" and anchor apple |
| 2 | com.apple.systemuiserver | identifier "com.apple.systemuiserver" and anchor apple |
| 3 | com.apple.finder | identifier "com.apple.finder" and anchor apple |
| 4 | com.apple.installer | identifier "com.apple.installer" and anchor apple |

#### **3. Remote Access**

Process responsible for taking remote control.

| Identifier | com.zoho.assist.ManageEngineRemoteAccess |
|---|---|
| Code sign requirement | identifier "com.zoho.assist.ManageEngineRemoteAccess" and anchor apple generic and certificate leaf[subject.OU] = TZ824L8Y37 |
| Static code validation | No |
| Allowed Permissions | Accessibility, Screen Capture |
| Other Permissions | User controlled |

If the above steps do not help, follow the steps in this [link](https://www.manageengine.com/products/desktop-central/accessibility-permissions-for-remote-control-not-configured.html) to provide permissions for Remote Access.

#### **4. Application Control System Extension**

Process that monitors and controls other processes based on the Application Control policy.

| Identifier | com.manageengine.protectord |
|---|---|
| Code sign requirement | anchor apple generic and identifier "com.manageengine.appctrl.driver" and certificate leaf[subject.OU] = TZ824L8Y37 |
| Static code validation | No |
| Allowed Permissions | System Policy All Files |
| Other Permissions | User controlled |

## Whitelisting System Extensions

System Extensions can be allowed through an MDM System Extension profile.

### Details required for the System Extension profile:

#### **1. Protector System Extension**

| Team Identifier | TZ824L8Y37 |
|---|---|
| Allowed Extension Categories | Security extensions |
| Extension bundle identifier(s) | com.manageengine.protectord |

#### **2. Application Control System Extension**

| Team Identifier | TZ824L8Y37 |
|---|---|
| Allowed Extension Categories | Security extensions |
| Extension bundle identifier(s) | com.manageengine.appctrl.driver |

## Background Service / Login Item Management

Admins can restrict users from disabling the app's background items on the macOS machine.

Team Identifier of the app whose background items users must not be able to disable: TZ824L8Y37
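As an added example that serves all three sections above (it is not ManageEngine's code and is not taken from this article), the following Python script assembles one System-scoped `.mobileconfig` carrying the PPPC payload, the System Extension allow-list payload and the managed login item rule, using the identifiers, code-signing requirements and Team ID exactly as the tables give them. The `com.example…` PayloadIdentifier values and the display name are placeholders; treating `dcagentservice` as a `bundleID`-type identifier, and using `com.manageengine.appctrl.driver` as the identifier in the Application Control entry (the article's table 4 lists `com.manageengine.protectord` there while its code requirement names the appctrl driver), are assumptions noted in the comments.

```python
import plistlib
import uuid

TEAM_ID = "TZ824L8Y37"  # Team ID from the article
LEAF_OU = f"certificate leaf[subject.OU] = {TEAM_ID}"

# Code-signing requirements exactly as the article's PPPC tables give them.
PROTECTORD_REQ = f'anchor apple generic and identifier "com.manageengine.protectord" and {LEAF_OU}'
AGENT_REQ = f"identifier dcagentservice and anchor apple generic and {LEAF_OU}"
REMOTE_REQ = f'identifier "com.zoho.assist.ManageEngineRemoteAccess" and anchor apple generic and {LEAF_OU}'
APPCTRL_REQ = f'anchor apple generic and identifier "com.manageengine.appctrl.driver" and {LEAF_OU}'
AE_RECEIVERS = ("com.apple.systemevents", "com.apple.systemuiserver", "com.apple.finder", "com.apple.installer")

def payload_header(payload_type, suffix):
    """Keys every payload dictionary must carry (PayloadIdentifier is a placeholder)."""
    return {"PayloadType": payload_type,
            "PayloadIdentifier": f"com.example.endpointcentral.{suffix}",
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1}

def pppc_entry(identifier, code_req, authorization):
    """One TCC service entry. 'Authorization' supersedes the older 'Allowed' bool;
    StaticCode=False mirrors 'Static code validation: No' in the tables.
    Assumption: bundleID identifier type also for the bare dcagentservice binary."""
    return {"Identifier": identifier, "IdentifierType": "bundleID",
            "CodeRequirement": code_req, "StaticCode": False,
            "Authorization": authorization}

def apple_event_entry(receiver_id):
    """Agent service (sender) -> Apple app (receiver) AppleEvents pairing from table 2."""
    entry = pppc_entry("dcagentservice", AGENT_REQ, "Allow")
    entry.update({"AEReceiverIdentifier": receiver_id,
                  "AEReceiverIdentifierType": "bundleID",
                  "AEReceiverCodeRequirement": f'identifier "{receiver_id}" and anchor apple'})
    return entry

def pppc_payload():
    services = {
        "SystemPolicyAllFiles": [
            pppc_entry("com.manageengine.protectord", PROTECTORD_REQ, "Allow"),
            pppc_entry("dcagentservice", AGENT_REQ, "Allow"),
            # Assumption: table 4 lists com.manageengine.protectord as the identifier but
            # its code requirement names com.manageengine.appctrl.driver; the identifier
            # must match the signed binary, so confirm it with `codesign -d -r - <path>`.
            pppc_entry("com.manageengine.appctrl.driver", APPCTRL_REQ, "Allow"),
        ],
        "Accessibility": [pppc_entry("com.zoho.assist.ManageEngineRemoteAccess", REMOTE_REQ, "Allow")],
        # Screen Recording cannot be pre-approved by MDM on macOS 11 and later; a profile can
        # only let a standard user approve it themselves without admin credentials.
        "ScreenCapture": [pppc_entry("com.zoho.assist.ManageEngineRemoteAccess", REMOTE_REQ,
                                     "AllowStandardUserToSetSystemService")],
        "AppleEvents": [apple_event_entry(r) for r in AE_RECEIVERS],
    }
    return {**payload_header("com.apple.TCC.configuration-profile-policy", "pppc"),
            "Services": services}

def system_extension_payload():
    """Allow both Endpoint Security extensions by Team ID and bundle ID; no user override."""
    exts = ["com.manageengine.protectord", "com.manageengine.appctrl.driver"]
    return {**payload_header("com.apple.system-extension-policy", "sysext"),
            "AllowUserOverrides": False,
            "AllowedTeamIdentifiers": [TEAM_ID],
            "AllowedSystemExtensionTypes": {TEAM_ID: ["EndpointSecurityExtension"]},
            "AllowedSystemExtensions": {TEAM_ID: exts}}

def login_item_payload():
    """macOS 13+ managed login items: users cannot switch off this Team ID's background items."""
    return {**payload_header("com.apple.servicemanagement", "loginitems"),
            "Rules": [{"RuleType": "TeamIdentifier", "RuleValue": TEAM_ID,
                       "Comment": "Endpoint Central agent background services"}]}

def lint_pppc(payload):
    """Pre-deployment checks: every entry pins the vendor Team ID, and no ScreenCapture
    entry asks for an 'Allow' that macOS will reject. Returns a list of problems."""
    problems = []
    for service, entries in payload["Services"].items():
        for e in entries:
            if TEAM_ID not in e["CodeRequirement"]:
                problems.append(f"{service}:{e['Identifier']} does not pin Team ID {TEAM_ID}")
            if service == "ScreenCapture" and e["Authorization"] == "Allow":
                problems.append(f"{service}:{e['Identifier']} cannot be pre-approved by MDM")
    return problems

def build_profile():
    """Top-level profile wrapping the three payloads as one System-scoped .mobileconfig."""
    return {"PayloadType": "Configuration", "PayloadScope": "System",
            "PayloadDisplayName": "Endpoint Central agent permissions (example)",
            "PayloadIdentifier": "com.example.endpointcentral.permissions",  # placeholder
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
            "PayloadContent": [pppc_payload(), system_extension_payload(), login_item_payload()]}

def to_mobileconfig(profile):
    """Serialise to the XML plist that an MDM or `profiles` expects."""
    return plistlib.dumps(profile)

if __name__ == "__main__":
    profile = build_profile()
    problems = lint_pppc(profile["PayloadContent"][0])
    assert not problems, problems
    with open("endpoint-central-permissions.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(profile))
```

Before deploying, compare each CodeRequirement string with the designated requirement the installed binary actually carries (`codesign -d -r - <path>` prints it): an identifier or Team ID that does not match simply never applies, and the agent is left without the permission with nothing in the UI to explain why. The `lint_pppc` check refuses `Allow` for ScreenCapture because macOS 11 and later accepts only `Deny` or `AllowStandardUserToSetSystemService` for that service from a profile; the Accessibility and Full Disk Access grants can be pushed silently.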