From c98065bd19c9c5d21edef3ad29b747131326bf87 Mon Sep 17 00:00:00 2001
From: Allen Houchins
Date: Thu, 11 Jun 2026 14:37:23 -0500
Subject: [PATCH] Enable macOS EndpointSecurity and FDE profile

Enable EndpointSecurity-based process and FIM events in fleet configs and add the Full Disk Access profile for macOS. Adds disable_endpointsecurity: false and disable_endpointsecurity_fim: false to agent_options in testing-and-qa.yml and workstations.yml (enables es_process_events and es_process_file_events). Adds an apple_settings.configuration_profiles entry in testing-and-qa.yml pointing to full-disk-access-for-fleetd.mobileconfig so osqueryd can inherit Full Disk Access.
---
 it-and-security/fleets/testing-and-qa.yml | 7 +++++++
 it-and-security/fleets/workstations.yml | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/it-and-security/fleets/testing-and-qa.yml b/it-and-security/fleets/testing-and-qa.yml
index d0086d50b53..0458794afe2 100644
--- a/it-and-security/fleets/testing-and-qa.yml
+++ b/it-and-security/fleets/testing-and-qa.yml
@@ -52,6 +52,9 @@ agent_options:
 watchdog_utilization_limit: 130
 # --- macOS FIM ---
 enable_file_events: true
+ # --- macOS EndpointSecurity tables (requires Full Disk Access for osqueryd) ---
+ disable_endpointsecurity: false # enables es_process_events
+ disable_endpointsecurity_fim: false # enables es_process_file_events
 # --- Linux process + socket auditing via the audit framework ---
 disable_audit: false
 audit_allow_process_events: true
@@ -64,6 +67,10 @@ agent_options:
 orbit: edge
 desktop: edge
 controls:
+ apple_settings:
+ configuration_profiles:
+ # Required for osqueryd to inherit Full Disk Access (EndpointSecurity tables)
+ - path: ../lib/macos/configuration-profiles/full-disk-access-for-fleetd.mobileconfig
 setup_experience:
 macos_bootstrap_package: ""
 enable_end_user_authentication: true
diff --git a/it-and-security/fleets/workstations.yml b/it-and-security/fleets/workstations.yml
index 136d609cac6..da768e72383 100644
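Review bot: `disable_endpointsecurity_fim: false` turns on `es_process_file_events` with no mute-path configuration visible in this hunk, while `enable_file_events: true` two lines above keeps the FSEvents-based FIM running, so macOS hosts will now produce two file-event streams, one of them unfiltered. osquery provides `es_fim_mute_path_literal` and `es_fim_mute_path_prefix` for trimming that table; unless they are already set elsewhere in `agent_options` (outside this hunk), event volume and osqueryd CPU should be checked against the `watchdog_utilization_limit: 130` in the same stanza before this reaches a large team. At minimum I would extend the section comment to `# es_process_file_events is unfiltered until es_fim_mute_path_literal / es_fim_mute_path_prefix are set — review event volume before rollout`, and decide whether the FSEvents FIM should stay enabled alongside it. The same applies to the identical hunk in workstations.yml.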
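Review bot: The profile referenced by `- path: ../lib/macos/configuration-profiles/full-disk-access-for-fleetd.mobileconfig` is not part of this commit (the diffstat lists only the two fleet files), so the gitops run depends on that file already existing at that path and should be confirmed before merge. Full Disk Access is one of the broadest TCC grants a PPPC profile can make, so the comment above the entry should say which binaries it covers rather than only why it is needed, e.g. `# PPPC profile granting Full Disk Access to fleetd/osqueryd (verify the TCC identifiers in the profile); prerequisite for the disable_endpointsecurity* flags in agent_options above` — the fleetd/osqueryd scope is inferred from the file name and needs checking against the profile itself. It is also worth confirming that `apple_settings.configuration_profiles` matches the Fleet GitOps schema version this repo targets; the key I recall for custom macOS profiles is `controls.macos_settings.custom_settings`, and an unrecognized key would fail the gitops apply rather than silently skip the profile.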
--- a/it-and-security/fleets/workstations.yml
+++ b/it-and-security/fleets/workstations.yml
@@ -62,6 +62,9 @@ agent_options:
 watchdog_utilization_limit: 130
 # --- macOS FIM ---
 enable_file_events: true
+ # --- macOS EndpointSecurity tables (requires Full Disk Access for osqueryd) ---
+ disable_endpointsecurity: false # enables es_process_events
+ disable_endpointsecurity_fim: false # enables es_process_file_events
 # --- Linux process + socket auditing via the audit framework ---
 disable_audit: false
 audit_allow_process_events: true
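Review bot: workstations.yml gets `disable_endpointsecurity: false` and `disable_endpointsecurity_fim: false` but, unlike testing-and-qa.yml in the same commit, no configuration-profile entry for `full-disk-access-for-fleetd.mobileconfig`, even though the comment on the first added line says the tables require Full Disk Access for osqueryd. Unless workstations hosts already receive that profile from somewhere outside this hunk, the EndpointSecurity client will not be permitted to start on them and the new tables will stay empty while osqueryd logs errors, which is easy to mistake for a working deployment. Either add the same `configuration_profiles` entry to this team's `controls` stanza, or if FDA is intentionally deferred for workstations, say so next to the flags: `# NOTE: FDA profile not yet deployed to this team — es_* tables stay empty until it is`. The mute-path / duplicate-FIM concern for these flags is raised on the testing-and-qa.yml hunk and applies here as well.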