OSX 10.14 Mojave added a new security feature called “Full Disk Access” (FDA) that limits the operations that an OSX user (including root) can perform. You can find information about FDA here: https://macpaw.com/how-to/full-disk-access-mojave Because of this feature, some of the Puppet functionality (for example changing a user’s home directory) does not work unless the puppet executable is whitelisted in FDA. Whitelisting an app for FDA can be done in two official ways:
- Manually, by the owner of the MacBook: click on the Apple icon > System Preferences > Security & Privacy > Privacy tab > Full Disk Access in the side bar > click on the “+” and add the path to the puppet executable. Link: https://support.intego.com/hc/en-us/articles/360016683471-Enable-Full-Disk-Access-in-macOS-Mojave
- Automated using Privacy Preferences Control Profiles (PPCP) and a Mobile Device Management (MDM) Server.
We could try to “engineer” our Puppet Agent installer to whitelist the puppet app in FDA. Dropbox did something similar in the past and got a lot of backlash from Apple and the community: https://www.reddit.com/r/apple/comments/51wy96/discovering_how_dropbox_hacks_your_mac/ and https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/

Without whitelisting puppet, we’ve got 2 Puppet tests that are failing. Both of them are related to changing a user’s home directory. We were able to validate that, by whitelisting puppet, the tests pass. In my opinion the best way to handle this is to document the need to whitelist Puppet in FDA and specify that if it is not whitelisted some of the system calls might fail.