clong
01/17/2023, 7:42 PMuser_interaction_events
table, however it requires that a user as authorized osqueryd in the "Input Monitoring" privacy settings. Unfortunately, MDM can only be used to add the osqueryd entry to the input monitoring setting, but not actually enable it. The enable part has to be done by the end user themselves (AFAICT). Is there a way to have osqueryd prompt for the user to enable that permission when it runs with the enable_keyboard/mouse_events
flags set?Brian Bergstrand
01/17/2023, 8:00 PMosqueryd
runs as root, in a non-gui/login session. It can’t directly prompt the user. Some kind of proxy would be needed. As for MDM, Apple prefers user privacy over admin needs.clong
01/17/2023, 8:00 PMAs for MDM, Apple prefers user privacy over admin needsThey sure do 🙂
Brian Bergstrand
01/17/2023, 8:01 PMclong
01/17/2023, 8:02 PMseph
01/17/2023, 8:18 PMMike Myers
01/19/2023, 11:41 PMprocess_events_es
table already, so we have some help in the wiki about that. Maybe it would be a useful template for granting osqueryd
other permissions via MDM. https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#automatically-granting-permissions-silent-installs