After the ElasticEndpoint enables full disk access, it is closed after a period of time

Elastic agent version: 8.9.1
Mac versions: 14.0, 14.1
Problem Description:
After installing the Elatic Agent, full disk access was enabled, and the logs were all normal. However, after running for 1-2 days, the full disk access was turned off, causing the Elatic Agent log to be abnormal. Then enable full disk access again. A few days later, the same situation occurred again. Does anyone know what the problem is? What's the solution?

Hi @xqaiviwjxzw!

Have you granted permission to Elastic Agent or Endpointe security? I saw in some sources that you need to assign the permission to Elastic Endpoint. Below are the resources researched:

Another possibility would be to update the Elastic Agent. Currently, it is in version 8.12.2.

@wsouza Thank you for your reply. When the installation was completed, elasticendpoint was turned on and the logs were normal. However, after running for 1 day, I found that elasticendpoint was closed and the logs were abnormal.

@wsouza Can upgrading the current 8.9.1 version to 8.12.2 solve the problem?

It may be an alternative to try updating the elastic agent to see if the problem is resolved. Is your system also up to date?

@wsouza Problems were found in macos systems 14.0 and 14.1, which are not the latest macos systems. Is there any other way besides upgrading the version?

As I mentioned, I just made a suggestion to perform the update. Therefore, I cannot guarantee that it would be a definitive solution since I do not have the same environment to carry out the tests.

Hi @xqaiviwjxzw!

I know this is an issue you were reporting in the last couple of months. Agent and Endpoint cannot either grant or revoke FDA by themselves. There are 2 situations that would result in the behavior that you are seeing:

  • 3rd party program would interfere with Agent or Endpoint invalidating the their signature
  • 3rd party software leverages tccutil command to modify the TCC state.

I've personally running 8.10 on macOS 14.0 for over 2 months and Full Disk Access wasn't ever altered.

@ricardo2197 thank you for your reply. I'm currently using version 8.9.1. I recently tried version 8.10. There is currently no such problem found in version 8.10. I feel that version 8.9.1 may have some kind of conflict with the system or other software?

@ricardo2197 Which version of 8.10 are you using? Which version among 8.10.0-8.10.4? I will try to install this version and take a look, thanks

@wsouza @ricardo2197
After installing elastic agent 8.10.1, 8.12.2, 8.13.0, 8.13.1 in macos14.1, a situation occurs. After the installation is complete, full access permissions enable ElasticEndpoint permissions. ElasticEndpoint permissions are turned off once when the computer is shut down and restarted. Has anyone encountered this situation? Or is it related to macos system?