Enable Full Disk Access for the Elastic Endgame sensor on macOS Ventura and higheredit

On macOS versions starting with Ventura, Elastic Endgame requires Full Disk Access to protect against malware and other cybersecurity threats. Full Disk Access permission is a privacy feature that controls which applications can access your data. This means you need to manually enable Full Disk Access permission for the Elastic Endgame sensor to access these protected areas of your Mac.

macOS permissionsedit

The behavior of the Elastic Endgame sensor differs based on your macOS version. MDM/Jamf users can pre-approve all Full Disk Access without granting permission to the sensor. However, depending on the macOS version and sensor type, non-MDM/Jamf users may be prompted to enable Full Disk Access for required security files.

Here are the Full Disk Access requirements for macOS versions 13.0 and above:

  • Approve the system extension for the Elastic Endgame sensor. During installation, you’ll be prompted to go to System Preferences and approve the system extension. Upon approval, a second prompt appears to enable Network Filtering. Approve this final prompt to proceed.
  • Grant the Elastic Endgame sensor Full Disk Access.

The following instructions apply to the Elastic Endgame sensor only. To see requirements for the Elastic Endpoint, refer to Install Elastic Endpoint manually on macOS Ventura and higher.

Approve the system extension for the Elastic Endgame sensoredit

To fully protect endpoints from malware and other cybersecurity threats when using Elastic Endgame with system extensions, you must enable the system extension during installation on macOS Ventura (13.0) and later.

When you receive the following prompt to approve loading the system extension:

System extension blocked
  1. Open the System Settings.
  2. Select Privacy & Security.
  3. In the right pane, scroll down to the Security section. Click Allow to allow the Elastic Endgame system extension to load.

    endgame allow sys ext ven
  4. Enter your username and password and click Modify Settings to save your changes.

Approve network content filtering for Elastic Endgameedit

After successfully loading the Elastic Endgame system extension, an additional message appears, asking to allow Elastic Endgame to filter network content.

endgame allow network filter ven

Click Allow to enable content filtering for the Elastic Endgame system extension. Without this approval, Elastic Endgame cannot receive network events and, therefore, cannot enable network-related features such as host isolation.

Enable Full Disk Access for the Elastic Endgame sensoredit

For the Elastic Endgame sensor to detect events from a macOS host, you must enable Full Disk Access for the esensor file, which appears once you’ve downloaded the sensor on your host.

  1. Open the System Settings application.
  2. Select Privacy & Security.
  3. From the right pane, select Full Disk Access.

    Select Full Disk Access
  4. Click the + button to view Finder.
  5. The system may prompt you to enter your username and password if you haven’t already.

    endgame enter login details to confirm ven
  6. Navigate to /Library/Endgame, then select the esensor file.
  7. Click Open.
  8. In the Privacy tab, confirm that the com.endgame and esensor files appear in the list of applications with Full Disk Access permission.

    enable fda endgame sensor ven

The Elastic Endgame sensor now has the access required to fully protect your system.