We recently have been testing the Elastic Agent on various employees’ MacBook Pros (macOS 12.x with Intel processors) and are having permission issues. During installation we followed the guidelines provided in “Enable Full Disk Access for the Endgame sensor | Elastic Security Solution [8.0] | Elastic” for Elastic Agent 7.17, with the result of a “Healthy” status. After the current update is pushed out via Fleet, though, flags are raised and the agent is in the “Unhealthy” state instead.
Currently we have updated several to Elastic Agent 8.0.0 from 7.17 on the Fleet page, and there are multiple causes that are listed on the Endpoint page:
Full Disk Access is not enabled
Failed to connect to kernel/system extension
Failed to start any process event reporting
Failed to start file write event reporting
Failed to start network event reporting
Is there something on the MacBook end that must be performed after the installation so that full disk access is still allowed? The only successful Elastic Agent 8.0.0 we have had is to uninstall the old version and then install the new which is not an option for pushing out to the field.
After further testing, we have found that the "Full Disk Access" ElasticEndpoint with the Security logo is unchecked after the 8.x agent update was pushed. We spoke with one of the test MacBook owners before the update was pushed by Fleet and we were unable to find ElasticEndpoint on that list. Is this a new component of the application installed by Fleet that came with version 8.x?
(After completed it appeared, this is the ElasticEndpoint that we must grant permission to)
Is this something that may happen with future updates? Once this is in production, working with each employee’s MacBook individually may not be acceptable.
With 8.0 come a few breaking changes due to us re-architecting the endpoint a bit, since we were able to drop macOS 10.14 support and obtain performance boosts by leveraging new system libraries. However, in doing so we had to change how full disk access is granted to our application. We have updated our documentation to reflect this here
In addition, if you are currently using some sort of MDM provider, I would recommend you use this configuration profile that is generated here
This will allow you to not have to manually approve FDA for Elastic Endpoint for the 7.17 -> 8.0 upgrade. As for the future, unfortunately any major revision update can contain breaking changes. While I don't foresee us re-architecting our endpoint again, I cannot guarantee it won't happen for 8.0 -> 9.0. The best way to avoid having to manually approve permissions is using MDM.
Thank you for your elaborate explanation, that makes a lot more sense to us on what was happening. We had gone through the breaking changes found beforehand for Beats, Logstash, etc., but had not come across ones that were related to Elastic Security, and will dive deeper next time.