diff --git a/it-and-security/fleets/testing-and-qa.yml b/it-and-security/fleets/testing-and-qa.yml
index d0086d50b53..0458794afe2 100644
--- a/it-and-security/fleets/testing-and-qa.yml
+++ b/it-and-security/fleets/testing-and-qa.yml
@@ -52,6 +52,9 @@ agent_options:
 watchdog_utilization_limit: 130
 # --- macOS FIM ---
 enable_file_events: true
+ # --- macOS EndpointSecurity tables (requires Full Disk Access for osqueryd) ---
+ disable_endpointsecurity: false # enables es_process_events
+ disable_endpointsecurity_fim: false # enables es_process_file_events
 # --- Linux process + socket auditing via the audit framework ---
 disable_audit: false
 audit_allow_process_events: true
@@ -64,6 +67,10 @@ agent_options:
 orbit: edge
 desktop: edge
 controls:
+ apple_settings:
+ configuration_profiles:
+ # Required for osqueryd to inherit Full Disk Access (EndpointSecurity tables)
+ - path: ../lib/macos/configuration-profiles/full-disk-access-for-fleetd.mobileconfig
 setup_experience:
 macos_bootstrap_package: ""
 enable_end_user_authentication: true
diff --git a/it-and-security/fleets/workstations.yml b/it-and-security/fleets/workstations.yml
index 136d609cac6..da768e72383 100644
--- a/it-and-security/fleets/workstations.yml
+++ b/it-and-security/fleets/workstations.yml
@@ -62,6 +62,9 @@ agent_options:
 watchdog_utilization_limit: 130
 # --- macOS FIM ---
 enable_file_events: true
+ # --- macOS EndpointSecurity tables (requires Full Disk Access for osqueryd) ---
+ disable_endpointsecurity: false # enables es_process_events
+ disable_endpointsecurity_fim: false # enables es_process_file_events
 # --- Linux process + socket auditing via the audit framework ---
 disable_audit: false
 audit_allow_process_events: true
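Review bot: `disable_endpointsecurity_fim: false` turns on es_process_file_events with no path scoping visible in the hunk, so file-event volume is unbounded as far as this config shows, right next to `watchdog_utilization_limit: 130`. If the noise is not handled elsewhere, add mute paths beside the flag, for example `es_fim_mute_path_prefix: <PLACEHOLDER_noisy_path_prefixes>`, or extend the section comment to say why none are needed. The flags only yield telemetry where events are enabled and a query actually reads the two tables; neither is visible here because `agent_options` starts outside the hunk. The identical hunk in workstations.yml has the same gap.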
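Review bot: The new `configuration_profiles` entry grants Full Disk Access across the whole fleet, but the comment does not say which binary the grant is bound to, and the referenced .mobileconfig is not part of this diff. I would extend the comment to something like `# Grants Full Disk Access (TCC) to fleetd/osqueryd; profile must pin the code requirement (identifier + team ID), not only a path` and confirm the file exists at that relative path. Also check that `controls:` has no other `apple_settings` key further down, since a duplicate mapping key is silently last-wins in most YAML parsers. The `controls` mapping continues outside the hunk.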
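Review bot: workstations.yml enables the EndpointSecurity tables, but unlike testing-and-qa.yml this diff adds no Full Disk Access profile under its `controls`, even though the added comment says the tables require one. If the profile is not already listed in workstations.yml (not visible here), osqueryd on those hosts will likely lack the grant, and es_process_events / es_process_file_events will stay empty. That is a silent detection gap on the production fleet. Either add `- path: ../lib/macos/configuration-profiles/full-disk-access-for-fleetd.mobileconfig` under `controls.apple_settings.configuration_profiles`, or say in the comment where the grant comes from.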