I m attempting to use the `user interaction events` table ho

Question

I m attempting to use the `user interaction events` table however it requires that a user as authorized osqueryd in the Input Monitoring privacy settings Unfortunately MDM can only be used to add the osqueryd entry to the input monitoring setting but not actually enable it The enable part has to be done by the end user themselves AFAICT Is there a way to have osqueryd prompt for the user to enable that permission when it runs with the `enable keyboard mouse events` flags set

Brian Bergstrand · Answer

`osqueryd` runs as root in a non gui login session It can t directly prompt the user Some kind of proxy would be needed As for MDM Apple prefers user privacy over admin needs

clong · Answer

gt As for MDM Apple prefers user privacy over admin needs They sure do slightly smiling face

Brian Bergstrand · Answer

Easiest solution would probably be for you to distribute a login script that asked users to give necessary perms

clong · Answer

Yeah that makes sense Maybe the closest thing I can do is just pop up that system preference pane for them and tell them to enable it TY for the info

clong · Answer

and im guessing there s no way to query the status of an individual TCC item without giving the script that is doing the checking full disk access

clong · Answer

so even if I had a login script I cant intelligently target users based on who has and has not enabled it

seph · Answer

I m pretty sure you can grant FDA via MDM and then use ATC to read the TCC databases inside osquery

Mike Myers · Answer

Yea definitely you can grant FDA via MDM and that s necessary for the `process events es` table already so we have some help in the wiki about that Maybe it would be a useful template for granting `osqueryd` other permissions via MDM <https osquery readthedocs io en latest deployment process auditing automatically granting permissions silent installs>