kolide / launcher

Osquery launcher, autoupdater, and packager
https://kolide.com/launcher

macOS Sequoia `Access Local Network` prompt #1841

Open directionless opened 2 months ago

directionless commented 2 months ago

We're hearing reports that the new macOS Sequoia beta is causing prompts about "Allow osquery to find devices on local networks". This would be a horrific customer experience, and we need to understand more about what's happening...

  1. AFAIK this should only apply to things running in user context and accessing the network
  2. We run osquery in launchd context
  3. Except for screenlock, is that what's happening?
  4. We run launcher in user context for the menu
  5. An Apple friend tells me there's an occasional bug where this triggers for launchd contexts

Threads:

RebeccaMahany commented 2 months ago

Reproducing the popup

Upgrade to Sequoia Beta. You will get the popup after upgrade.

To trigger the popup again, uninstall launcher, reboot the machine, and reinstall launcher.

In Privacy & Security => Local Network, you can see osquery is allowed or disallowed depending on how you responded to the prompt.

Actions that do NOT reproduce the popup

  1. Unloading and reloading launcher
  2. Refreshing all checks
  3. Querying the screenlock and curl tables via launcher interactive
  4. Uninstalling and reinstalling launcher without a reboot in between
  5. `tccutil reset All io.osquery.agent` (even with a reboot)

I have not yet found an actual consequence for selecting "Don't Allow". No error logs (osquery, launcher, or in the Console), and no missing data when running checks.