As documented in this post among some other places, macOS Mojave implements additional security protocols that even affect root's access to user data.
The solution in the linked question provides the basic method I used to resolve my issue.
For custom-built scripts that will run through launchd, the administrator of the computer on which the script is to be run must add that script to Security & Privacy to give that "app" permission to access user data.
It was not necessary to add launchd or rsync (in my case) to Security & Privacy.
I have not researched if there is a way to do this via Terminal, which it seems would be necessary for those administering a large number of clients.
========
Update: I've also learned that if you add a script, and you later make changes to that script, you need to delete it from the Security & Privacy --> Full Disk Access, then add it again. Perhaps macOS creates a hash that is checked?
========
Update w/ Catalina: I do not recall if I had System Integrity Protection disabled on Mojave, but it appears to be required to be disabled in Catalina. I know SIP doesn't have to be disabled for OS versions prior to these.
Disabling macOS SIP allowed the script in question to start running again. This is not ideal, so I'll be researching other approaches.
Apps with photos access can access all photos in your library whenever the app chooses to in the background without your future confirmation, and can save pictures to the library.
Without photos access, the app can still ask the OS to get the user to choose a picture, at which point iOS can show a system-wide photo chooser and you can choose a single photo. Once you've chosen the photo, just that specific photo is provided by iOS back to the app.
Best Answer
If you want to access special directories/files such as ~/Library/Application Support/AddressBook or ~/Pictures/Photos Library.photoslibrary, yes you need to give Full Disk Access to iTerm2. If you don't, you cannot access those directories. For more information, here is the iTerm2 wiki https://gitlab.com/gnachman/iterm2/wikis/fulldiskaccess
Here is the screenshot when you don't give Full Disk Access to iTerm2.
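
A preflight check for the situation described in the answers above: a script started by launchd, or a terminal session, that needs the protected directories named here. This is an added example, not code from any of the posts; the function names probe_path and preflight are hypothetical, and it assumes that macOS reports the privacy denial from ls as "Operation not permitted".

```shell
#!/bin/sh
# Added example: tell "blocked by the privacy controls" apart from
# "path does not exist" before a launchd job starts its real work.

# probe_path DIR -> prints one of: readable, missing, denied, error
probe_path() {
    p=$1
    # Listing a directory forces a real read of it; keep only stderr.
    # LC_ALL=C keeps the error text in English so it can be matched.
    err=$(LC_ALL=C ls -A "$p" 2>&1 >/dev/null) && { echo readable; return 0; }
    case $err in
        *"No such file"*)            echo missing ;;
        # Assumption: the denial surfaces as EPERM ("Operation not permitted").
        # Ordinary file-mode problems show up as "Permission denied".
        *"Operation not permitted"*) echo denied ;;
        *"Permission denied"*)       echo denied ;;
        *)                           echo error ;;
    esac
    return 0
}

# preflight DIR... -> prints "state<TAB>path" per directory,
# returns 1 if any directory is denied, 0 otherwise.
preflight() {
    rc=0
    for p in "$@"; do
        state=$(probe_path "$p")
        printf '%s\t%s\n' "$state" "$p"
        if [ "$state" = denied ]; then
            rc=1
        fi
    done
    return $rc
}

# Run with --check to probe the two directories named in the answer above.
if [ "${1:-}" = "--check" ]; then
    preflight "$HOME/Library/Application Support/AddressBook" \
              "$HOME/Pictures/Photos Library.photoslibrary" || {
        echo "Full Disk Access appears to be missing for this script" >&2
        exit 1
    }
fi
```

Calling preflight at the top of the launchd script turns a silent failure into a logged one.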