As documented in this post among some other places, macOS Mojave implements additional security protocols that even affect root's access to user data.
The solution in the linked question provides the basic method I used to resolve my issue.
For custom-built scripts that will run through launchd, the administrator of the computer on which the script is to be run must add that script to Security & Privacy to give that "app" permission to access user data.
It was not necessary to add launchd or rsync (in my case) to Security & Privacy.
I have not researched if there is a way to do this via Terminal, which it seems would be necessary for those administering a large number of clients.
========
Update: I've also learned that if you add a script, and you later make changes to that script, you need to delete it from Security & Privacy --> Full Disk Access, then add it again. Perhaps macOS creates a hash that is checked?
========
Update w/ Catalina: I do not recall if I had System Integrity Protection disabled on Mojave, but it appears to be required to be disabled in Catalina. I know SIP doesn't have to be disabled for OS versions prior to these.
Disabling macOS SIP allowed the script in question to start running again. This is not ideal, so I'll be researching other approaches.
I ended up uninstalling Backblaze completely (even though it was the up-to-date version 5.4.0 that supports Mojave) and then reinstalled the same version from scratch.
This took care of the issue.
Best Answer
This is possible for MDM-managed Macs by pushing signed profiles to preemptively whitelist signed applications.
The process is quite detailed, but it uses a well-documented profile setup (175 pages to cover the basics). We currently push about 20 items this way, so if you need to manage a lot of apps and a lot of Macs, this is possible and, once you have your tools in place, easy to add new profiles. This isn't feasible for a few machines if you're not running an MDM.
Look at the section on page 64:
> Privacy Preferences Policy Control Payload
Here is a very not short (but as short as can be reasonably made) guide for an engineer or team thinking about adding this to your MDM.
Here is an awesome tool for automating creation of your profiles: