https://github.com/osquery/osquery logo
#macos
Title
# macos
c

clong

01/17/2023, 7:42 PM
I'm attempting to use the
user_interaction_events
table, however it requires that a user as authorized osqueryd in the "Input Monitoring" privacy settings. Unfortunately, MDM can only be used to add the osqueryd entry to the input monitoring setting, but not actually enable it. The enable part has to be done by the end user themselves (AFAICT). Is there a way to have osqueryd prompt for the user to enable that permission when it runs with the
enable_keyboard/mouse_events
flags set?
b

Brian Bergstrand

01/17/2023, 8:00 PM
osqueryd
runs as root, in a non-gui/login session. It can’t directly prompt the user. Some kind of proxy would be needed. As for MDM, Apple prefers user privacy over admin needs.
c

clong

01/17/2023, 8:00 PM
As for MDM, Apple prefers user privacy over admin needs
They sure do 🙂
b

Brian Bergstrand

01/17/2023, 8:01 PM
Easiest solution would probably be for you to distribute a login script that asked users to give necessary perms
c

clong

01/17/2023, 8:02 PM
Yeah, that makes sense. Maybe the closest thing I can do is just pop up that system preference pane for them and tell them to enable it. TY for the info!
and im guessing there's no way to query the status of an individual TCC item without giving the script that is doing the checking full disk access
so even if I had a login script, I cant intelligently target users based on who has and has not enabled it
s

seph

01/17/2023, 8:18 PM
I’m pretty sure you can grant FDA via MDM, and then use ATC to read the TCC databases inside osquery
m

Mike Myers

01/19/2023, 11:41 PM
Yea definitely you can grant FDA via MDM, and that's necessary for the
process_events_es
table already, so we have some help in the wiki about that. Maybe it would be a useful template for granting
osqueryd
other permissions via MDM. https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#automatically-granting-permissions-silent-installs
12 Views