# fleet
a
hey, I’m at a loss with not being able to run queries that access tables requiring full disk access (e.g. `select * from file where path like '/Users/%/Desktop/%'`) via the fleet UI and looking for some guidance. i’ve followed the osquery docs to silently push out FDA access with our MDM (JAMF)
osqueryd is running as root…
〰 ~ 🌷 ps aux | grep osquery
root             59875   0.6  0.2 409986736  41904   ??  SN    3:22PM   0:39.19 /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd 
root             59874   0.0  0.1 409227552  13088   ??  SNs   3:22PM   0:01.11 /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd --flagfile=/private/var/osquery/osquery.flags
and that example query returns results in `sudo osqueryi`, just not in fleet
can confirm laptop is receiving TCC policy
b
So, I am not having any trouble running that kind of query on my test Mac with a Fleet live query. Are you running into this problem with live or saved queries?
a
👋 i’m having trouble with both live and scheduled queries that require FDA
d
maybe it's a symlink issue? I tried allowing by bundle identifier like this:
any reason for using the vanilla osquery agent instead of the fleetd?
a
hmm, i’m not sure. we push out osquery 5.8.2 currently with JAMF to macOS and use the free version of Fleet. I’ve used fleetctl and osqueryctl, but not fleetd. I have looked a little bit into orbit but we are not deploying osquery/fleet with it yet. is fleetd an option in my environment?
d
a
unfortunately changing the identifier to `io.osquery.agent` did not enable me to query protected tables via Fleet with our current config 😕
d
@aldente are you codesigning with `io.osquery.agent` as the bundle id?
a
i codesigned like so
> codesign  -dr - /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd
Executable=/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd
designated => identifier "io.osquery.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "3522FA9PXF"