Grant permissions to macOS devices

This article applies to CrashPlan Enterprise and MSPs.

Overview

Due to Apple privacy restrictions, administrators must grant CrashPlan permission to access specific applications and locations on user devices to ensure the CrashPlan app is able to back up all necessary areas of the device.

This article uses examples from Jamf Pro and Jamf's Privacy Preferences Policy Control (PPPC) Utility. While the same general concepts apply to deploying a .mobileconfig file with other tools, implementation details can vary slightly. Consult the product documentation for your device management provider.

If you need help creating a .mobileconfig file with other tools, contact your Customer Success Manager (CSM) to engage the CrashPlan Professional Services team.

Required permissions

CrashPlan requires explicit permission for any location containing files you want to back up. For best results, allow access to all areas of the device (sometimes also referred to as "full disk access"), but work with your internal stakeholders to determine what is appropriate for your environment.

Steps

The options below must be performed from a Mac with the CrashPlan app already installed.

Option A: Use our sample configuration profile

Test your configuration profile before use
The sample .mobileconfig file below will work for most environments, but should be tested thoroughly before deploying it to your production environment.

This sample .mobileconfig file grants CrashPlan access to the following locations so they can be included in backups:

  • Desktop
  • Documents
  • Downloads
  • Photos
  • Calendar
  • Address Book

To deploy the .mobileconfig file to devices in your environment, follow the instructions in Jamf's guide to deploy custom configuration profiles.

The sample mobileconfig file is attached at the bottom of this article.

Option B: Create and deploy your own configuration profile

The steps below use Jamf's Privacy Preferences Policy Control (PPPC) Utility to create a .mobileconfig file.

  1. Download and open Jamf's Privacy Preferences Policy Control (PPPC) Utility.
  2. Click the + icon to add an application.
  3. From the dialog of all applications, select CrashPlan.
  4. In the Properties section, select Allow for all areas you want to back up. You should allow access to all items, but work with your internal stakeholders to determine what is best for your environment.
  5. Above the Apple Events column, disable Big Sur Compatibility.
    Big Sur Compatibility mode adds more permissions objects to the configuration, none of which are needed by CrashPlan. Enabling Big Sur Compatibility mode also means the configuration profile will not work on devices running macOS versions older than Big Sur.
  6. Click Save.
  7. Enter an Organization and Payload Name.
  8. Click Save.
    A .mobileconfig file is created and saved to the location you selected.
  9. To deploy the .mobileconfig file to devices in your environment, follow the instructions in Jamf's guide to deploy custom configuration profiles.
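
Before deploying a profile from Option A or Option B, it helps to list exactly which privacy services it grants and to which identifier. The Python script below is an added example, not CrashPlan's or Jamf's code; it relies on Apple's documented PPPC payload keys and assumes an unsigned profile, and the bundle identifier, code requirement and sample profile in it are constructed placeholders.

```python
import plistlib

TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
# Apple's TCC service keys for the six locations listed under Option A.
OPTION_A_SERVICES = {"SystemPolicyDesktopFolder", "SystemPolicyDocumentsFolder",
                     "SystemPolicyDownloadsFolder", "Photos", "Calendar", "AddressBook"}

def audit_profile(data, approved):
    """Return (grants, findings) for every TCC entry in an unsigned profile."""
    grants, findings = [], []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                if "Authorization" in entry:
                    # This key is only understood by macOS 11 (Big Sur) and later.
                    allowed = entry["Authorization"] == "Allow"
                    findings.append(f"{service}: Authorization key needs macOS 11+")
                else:
                    allowed = entry.get("Allowed") is True
                if not allowed:
                    continue
                grants.append((entry.get("Identifier"), service))
                if service not in approved:
                    findings.append(f"{service}: granted but not on the approved list")
                if not entry.get("CodeRequirement"):
                    findings.append(f"{service}: grant has no CodeRequirement")
    return grants, findings

def _entry(**grant):
    # Constructed placeholder identity, not CrashPlan's real bundle ID or requirement.
    ident = "com.example.backup-agent"
    return {"Identifier": ident, "IdentifierType": "bundleID",
            "CodeRequirement": f'identifier "{ident}" and anchor apple generic', **grant}

# Constructed sample profile for the demonstration.
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [{
    "PayloadType": TCC_PAYLOAD,
    "Services": {"SystemPolicyDesktopFolder": [_entry(Allowed=True)],
                 "Calendar": [_entry(Authorization="Allow")],
                 "SystemPolicyAllFiles": [_entry(Allowed=True)]}}]})

if __name__ == "__main__":
    grants, findings = audit_profile(SAMPLE, OPTION_A_SERVICES)
    for ident, service in grants:
        print("grant:", ident, "->", service)
    for finding in findings:
        print("check:", finding)
```

Pass the set of services your stakeholders approved as the second argument; add SystemPolicyAllFiles to it if full disk access is the agreed scope.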

Full disk access not showing on Mac

Due to an Apple limitation, the CrashPlan app may not appear listed in the Security & Privacy window for Full Disk Access depending on your macOS version. However, the CrashPlan app will still be granted full disk access via the configuration profile.

You can confirm full disk access by going to Profiles, selecting the CrashPlan app, and verifying that it lists Access All Application Data as Allowed.

Confirm full disk access status

Requires CrashPlan app version 8.2.0 or later.

The CrashPlan API enables you to confirm if full disk access permissions are configured correctly for both a specific device and an entire organization.

The examples below assume basic familiarity with curl commands.

Single device

To check the status of a single device, use this as a template to create a command specific to your CrashPlan environment:


curl -X GET '<request_url>/api/v12/agent-state/view-by-device-guid?deviceGuid=<deviceGuid>&propertyName=fullDiskAccess' -H 'cache-control: no-cache' -H 'content-type: application/json' -H 'Authorization: Bearer <auth_token>'
  1. Replace <request_url> with the address of your CrashPlan environment (do not include the brackets in your request).
  2. Replace <deviceGuid> with the numeric ID of the device you want to review (do not include the brackets in your request). To find this ID, view the device details in CrashPlan console and copy the numeric string listed under the device name.
  3. Replace <auth_token> with an authentication token.
  4. Execute the curl command in your command-line tool of choice. When prompted, enter your password.
  5. Review the data object in the response. A value of true indicates full disk access is enabled. A value of false indicates full disk access is not enabled. The sample response below confirms full disk access is enabled for deviceGuid 1123581321345589144:

[{"deviceGuid":"1123581321345589144","name":"fullDiskAccess","value":"true"}]

All devices in an organization

To check the status of all devices in an organization, use this as a template to create a command specific to your CrashPlan environment:


curl -X GET '<request_url>/api/v12/agent-state/view-by-organization-id?orgId=<OrgID>&propertyName=fullDiskAccess' -H 'cache-control: no-cache' -H 'content-type: application/json' -H 'Authorization: Bearer <auth_token>'
  1. Replace <request_url> with the address of your CrashPlan environment (do not include the brackets in your request).
  2. Replace <OrgID> with the numeric ID of the organization you want to review (do not include the brackets in your request). To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
  3. Replace <auth_token> with an authentication token.
  4. Execute the curl command in your command-line tool of choice. When prompted, enter your password.
  5. Review the data object for each device included in the response. A value of true indicates full disk access is enabled. A value of false indicates full disk access is not enabled. The sample response below indicates full disk access is enabled for the first device and not enabled for the second device:

{"deviceGuid":"1123581321345589144","name":"fullDiskAccess","value":"true"},{"deviceGuid":"23337761098715972584","name":"fullDiskAccess","value":"false"}
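
The review in step 5, as an added Python example that is not part of the CrashPlan API or its documentation: it sorts a response into enabled, not enabled and not reported devices. The two responses are the samples shown above; the expected-device list and its third GUID are constructed.

```python
import json

# Sample responses copied from this article.
DEVICE_SAMPLE = '[{"deviceGuid":"1123581321345589144","name":"fullDiskAccess","value":"true"}]'
ORG_SAMPLE = ('{"deviceGuid":"1123581321345589144","name":"fullDiskAccess","value":"true"},'
              '{"deviceGuid":"23337761098715972584","name":"fullDiskAccess","value":"false"}')
# Constructed inventory; the last GUID is made up to show a device missing from the response.
EXPECTED = ["1123581321345589144", "23337761098715972584", "1000000000000000001"]

def parse_agent_state(body):
    """Parse a fullDiskAccess response into {deviceGuid: True, False or None}."""
    text = body.strip()
    try:
        records = json.loads(text)
    except json.JSONDecodeError:
        # Tolerate a bare comma-separated object list, as the organization sample is printed.
        records = json.loads("[" + text + "]")
    if isinstance(records, dict):
        records = [records]
    status = {}
    for rec in records:
        if rec.get("name") != "fullDiskAccess":
            continue
        # "value" is a string: bool("false") would be True, so compare the text.
        value = str(rec.get("value")).lower()
        # deviceGuid is kept as the string the API returns; the second sample
        # GUID does not fit in 64 bits, so numeric handling in other tools can corrupt it.
        status[str(rec["deviceGuid"])] = {"true": True, "false": False}.get(value)
    return status

def triage(body, expected_guids):
    """Group devices by full disk access state and list expected devices with no record."""
    status = parse_agent_state(body)
    return {
        "enabled": sorted(g for g, v in status.items() if v is True),
        "not_enabled": sorted(g for g, v in status.items() if v is False),
        "unparsed": sorted(g for g, v in status.items() if v is None),
        "not_reported": sorted(set(expected_guids) - set(status)),
    }

if __name__ == "__main__":
    for group, guids in triage(ORG_SAMPLE, EXPECTED).items():
        print(f"{group}: {', '.join(guids) or '-'}")
```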

External resources

Downloads

Jamf Pro guides

Sample configuration profile
