https://github.com/osquery/osquery logo
Join Slack
Powered by
I'm attempting to use the `user_interaction_events...
# macos
c
I'm attempting to use the 
user_interaction_events
table, however it requires that a user as authorized osqueryd in the "Input Monitoring" privacy settings. Unfortunately, MDM can only be used to add the osqueryd entry to the input monitoring setting, but not actually enable it. The enable part has to be done by the end user themselves (AFAICT). Is there a way to have osqueryd prompt for the user to enable that permission when it runs with the 
enable_keyboard/mouse_events
flags set?
b
osqueryd
runs as root, in a non-gui/login session. It can’t directly prompt the user. Some kind of proxy would be needed. As for MDM, Apple prefers user privacy over admin needs.
c
As for MDM, Apple prefers user privacy over admin needs
They sure do 🙂
b
Easiest solution would probably be for you to distribute a login script that asked users to give necessary perms
c
Yeah, that makes sense. Maybe the closest thing I can do is just pop up that system preference pane for them and tell them to enable it. TY for the info!
and im guessing there's no way to query the status of an individual TCC item without giving the script that is doing the checking full disk access
so even if I had a login script, I cant intelligently target users based on who has and has not enabled it
s
I’m pretty sure you can grant FDA via MDM, and then use ATC to read the TCC databases inside osquery
m
Yea definitely you can grant FDA via MDM, and that's necessary for the 
process_events_es
table already, so we have some help in the wiki about that. Maybe it would be a useful template for granting 
osqueryd
other permissions via MDM. https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#automatically-granting-permissions-silent-installs
12 Views
Open in Slack
PreviousNext
Powered by