dmt43

macrumors regular
Original poster
Jul 28, 2023
I want to use OneDrive for offsite/online backup of my Mac. I have Time Machine backup to a hard drive. I currently have a cloud backup service that expires on 9/2 and do not want to renew. I researched iDrive for backup, which seems fine; the 100GB plan would work for me, but I already pay for MS365 and have 1TB on OneDrive, of which I’m only using 24GB. So I thought why not use OneDrive?

It requires full disk access - which I know is a security risk, but as long as I know what app I am providing access to and am comfortable with it, it shouldn’t be an issue, correct? I checked and currently, no apps have FDA.

I am a relatively new Mac user and don’t totally understand what it means when I provide Full Disk Access. I’m questioning how do you decide if it’s ok to provide FDA to an app? I think OneDrive Microsoft is ok because they state they protect my info. But still, I’m not 100% comfortable, I’m trying to get there 😁

My current backup provider has all my data, but they don’t show up with Full Disk Access. I realize no matter which app I use, I have to trust that they will protect/keep my data safe…..FDA or not! thank you! Donna
 
Because a feature of OneDrive is to automatically monitor and sync your Mac's Documents, Desktop, and Photos folders to the OneDrive cloud storage.
 
Sorry, I don’t understand, are you saying that is why OneDrive needs FDA?
 
> I am a relatively new Mac user and don’t totally understand what it means when I provide Full Disk Access.

Even if an app has Full Disk Access, it can not modify the system volume, where macOS is stored.
Signed system volume security https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/1/web/1
Related Apple documentation
Controlling app access to files in macOS
https://support.apple.com/guide/security/controlling-app-access-to-files-secddd1d86a6/web
Accessing files from the macOS App Sandbox https://developer.apple.com/documentation/security/accessing-files-from-the-macos-app-sandbox
 
thanks for the info!
 
> Because a feature of OneDrive is to automatically monitor and sync your Mac's Documents, Desktop, and Photos folders to the OneDrive cloud storage.

Full Disk Access is not required for an application to gain access to Desktop, Documents and CloudStorage folders. Access to those folders is granted via the "Files & Folders" privilege. The "Photos" privilege will grant access to photos. Full Disk Access is a much broader privilege.

I use OneDrive lightly, it hasn't asked for Full Disk Access and doesn't appear in the Full Disk Access list. Any application that requests an action that would require Full Disk Access will automatically show up in the Full Disk Access list. I can't think of any reason OneDrive should require Full Disk Access. Following the "policy of least privilege", I would deny it full disk access and see if there is anything it's unable to do without it. I would also delete its entry from the Full Disk Access list so that the next time it needs Full Disk Access, it will ask for it again, and then hopefully you'll have a clearer picture of why it wants Full Disk Access.
 
I use OneDrive today and it does not ask for/nor have Full Disk Access. No apps currently have that and OneDrive has not asked for it. I don’t know why it requires FDA for Backup, but this is what happens when I go to enable backup: From OneDrive Settings -> Manage Backups -> Then a pop up comes up stating: OneDrive Needs Permission to Back Up. To back up your folders in OneDrive, Go to System Preferences. Under Full Disk Access, select OneDrive checkbox. Press Quit and Reopen and then try Manage Backups again. I share your concern that full disk access is not to be given out lightly, which is why I am asking about it. thanks !
 
I see that when I go to enable backup. I have to decide if I want to allow it……… I can get a different app for backup. Just didn’t want to do that since I already have OneDrive. thanks!
Because I use it for work I don't find the backup part to be all that valuable but what I like is that my desktop is the same at any computer where I'm signed into my OneDrive account. I do the same with iCloud on my personal computers.
 
I use OneDrive for work and if you want to use Desktop and Documents sync you do need Full Disk Access enabled.
Hmm, indeed OneDrive requires that you grant it Full Disk Access in order to use the Desktop and Documents syncing functionality (I never tried that from OneDrive, I got burned by iCloud's Desktop/Documents syncing years ago and never reconsidered it). I'm still not following why they would require this though. Getting access to those folders from TCC definitely does not require Full Disk Access. Maybe it's just simpler for them, e.g. two-birds-one-stone? That would not be cool...

I'm too curious. I started my own OneDrive from scratch to see what happens. When I opened it for the "first" time I see:

> "OneDrive.app" would like to access files on your Documents folder

Allow...

> "OneDrive.app" would like to access files on your Desktop folder

Ok, allow... Continued through setup and finally one more prompt:

> "OneDrive.app" wants to access files managed by "OneDrive".

So it would seem that OneDrive should have everything it needs to access my Desktop and Documents folders at this point, right?

When I click the "Manage Backup" button (for backing up Desktop and Documents), I get a special dialog indicating that OneDrive needs Full Disk Access. OK, so what did it try to access that it couldn't access? Here it is (via fs_usage):

Code:
11:05:05.039118  open                   [  1] (R_____________)  /Library/Preferences/com.apple.TimeMachine.plist  0.000095   OneDrive.19491060

So OneDrive is trying to read Time Machine's backup preferences? I granted Full Disk Access to OneDrive just to see what would happen. I don't see any suggestion (in OneDrive's UI) that there is an interaction with Time Machine (and I don't have it enabled on my computer). Running fs_usage again, it's clear that OneDrive is not actually trying to read that file, it's just trying to open it, then close it, without reading it:

Code:
11:15:03.038431  open              F=72       (R_____________)  /Library/Preferences/com.apple.TimeMachine.plist   0.000049   OneDrive.19543003
11:15:03.038435  close             F=72                                                                            0.000004   OneDrive.19543003

It must be some sort of sentinel check (i.e. "do I have full disk access?").

This seems a little weird to me. I'm sure OneDrive has more complexity than I care to appreciate, but if it has access to the Desktop and Documents folders, and access to "files managed by OneDrive" (i.e. its location in ~/Library/CloudStorage), I can't immediately see why it would actually need Full Disk Access too, which gives it far broader access to other folders, external media, etc. than I would care to grant it.
 
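An added example, not part of any post in this thread: a small Python parser for `fs_usage` output like the lines quoted above. It flags opens that were denied and files that were opened and then closed with no read in between, which is the pattern the post interprets as a Full Disk Access sentinel check. The first three sample lines are the ones from the post (whitespace condensed); the last three lines, the `notes.txt` path and the set of calls counted as data access are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Lines 1-3 are the fs_usage lines quoted in the post; lines 4-6 are constructed
# here (hypothetical path) to show a file that is read before it is closed.
SAMPLE = """\
11:05:05.039118  open   [  1] (R_____________)  /Library/Preferences/com.apple.TimeMachine.plist  0.000095   OneDrive.19491060
11:15:03.038431  open   F=72  (R_____________)  /Library/Preferences/com.apple.TimeMachine.plist  0.000049   OneDrive.19543003
11:15:03.038435  close  F=72                                                                      0.000004   OneDrive.19543003
11:15:04.000100  open   F=73  (R_____________)  /Users/example/Documents/notes.txt                0.000040   OneDrive.19543003
11:15:04.000150  read   F=73  B=0x200                                                             0.000010   OneDrive.19543003
11:15:04.000170  close  F=73                                                                      0.000004   OneDrive.19543003
"""

# timestamp, call, arguments, elapsed seconds, optional "W" flag, process.thread
LINE = re.compile(r"^(\S+)\s+(\w+)\s+(.*?)\s+(\d+\.\d+)\s+(?:W\s+)?(\S+)$")
# Calls counted as real use of the descriptor; this set is an assumption, extend as needed.
DATA_CALLS = {"read", "pread", "readv", "write", "pwrite"}
Finding = namedtuple("Finding", "kind path proc errno")

def probes(text):
    """Return opens that were denied, or closed again with no data call on the fd."""
    open_fds, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, call, args, _, proc_thread = m.groups()
        proc = proc_thread.rsplit(".", 1)[0]        # drop the thread id suffix
        fd = re.search(r"\bF=(\d+)", args)
        key = (proc, fd.group(1)) if fd else None
        if call == "open":
            path = re.search(r"\)\s+(/.*)$", args)
            path = path.group(1) if path else "?"
            err = re.search(r"\[\s*(\d+)\]", args)  # bracketed errno on a failed call
            if err:
                findings.append(Finding("denied", path, proc, int(err.group(1))))
            elif key:
                open_fds[key] = [path, False]       # [path, seen a data call?]
        elif key in open_fds:
            if call in DATA_CALLS:
                open_fds[key][1] = True
            elif call == "close":
                path, used = open_fds.pop(key)
                if not used:
                    findings.append(Finding("open-close-only", path, proc, None))
    return findings

if __name__ == "__main__":
    for f in probes(SAMPLE):
        print(f)
```
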
> This seems a little weird to me. I'm sure OneDrive has more complexity than I care to appreciate, but if it has access to the Desktop and Documents folders, and access to "files managed by OneDrive" (i.e. its location in ~/Library/CloudStorage), I can't immediately see why it would actually need Full Disk Access too, which gives it far broader access to other folders, external media, etc. than I would care to grant it.

I agree with this. I purchased iDrive backup and thought it does not require FDA, but I just logged on and it does!!! Ugh. I guess I can’t escape it if I want this type of backup.
 
IMHO, once you hand over access to your documents, desktop, etc. then granting full disk access is a formality; All your sensitive user data is in the folders you're already using with OneDrive, and you're literally using OneDrive to back up your private, important stuff.

The privacy ship sailed long ago at that point.
 
throAU, I agree with you 100%!! But, I’m still trying to hang on to my privacy🙂 Anyway, we should consider carefully before granting access to apps. I ended up granting FDA to iDrive because it was required!!! I did not know that b4 making the purchase. I chose iDrive for backup because the consensus (internet articles and forums) was that OneDrive is not a backup service, it only syncs. I also use iDrive to access my hard drive documents on the iPad & iPhone, but I do not like the way that feature works. Very clunky!

So I am considering Apple Cloud drive https://support.apple.com/en-us/118443
This would load my hard drive to iCloud and make it accessible on my devices. I think that is what I want, but do I want to put my hard drive in iCloud???!!! 😱 It does add to iCloud storage……but I’m more concerned about privacy issues. Are any of you using this feature ? Do you have any feedback on using it? thanks! Donna
 
> I think that is what I want, but do I want to put my hard drive in iCloud???!!! 😱 It does add to iCloud storage……but I’m more concerned about privacy issues. Are any of you using this feature ? Do you have any feedback on using it? thanks! Donna

I use iCloud sync for my important files; i have a 2TB family plan.

It means i can pretty much rest easy with regards to device failure, wondering where i saved things, etc. MacBook dies? access things on my iPad or iPhone. It's all there. I do also back up to some hard drives at home, but that's in case i ever lose access to my iCloud account.

In terms of privacy - who are you worried about defending against? If you use an OS from Microsoft or Apple (or Google) you have to assume that they already have the capability to access or analyze any/all content on the device if that's what they want to do - so if you've bought into any of those platforms you're pretty much at their mercy already.

Pick the company you have more faith in and deal with it. Don't rely on having guaranteed privacy on the internet because you probably don't; over the long term as companies change, may get hacked, your account may be compromised, etc. Plan appropriately.

If you're worried about privacy because you're doing something sketchy or politically dangerous, then I'd strongly suggest not doing anything like that on an internet connected device, never mind backing it up to the internet.
 
I am not doing anything sketchy. I suppose my biggest fear is hacking. That being said, my data has already been hacked so many times - not my hard drive data, but companies that I have accounts with being hacked. They are so careless and there are no major consequences!! My SSN, phone, name, address, email, all of it already out there! I think other scenarios are unlikely (government or company entity accessing my data). I think I will try icloud drive. thanks for your feedback.
 
> I chose iDrive for backup because the consensus (internet articles and forums) was that OneDrive is not a backup service, it only syncs.

One option is to use OneDrive for the cloud storage and another application for the backup process, e.g. Arq Backup can be configured to use OneDrive as backup storage location. Works really well. Just make sure you remove the Arq backup folder from OneDrive sync before executing your first backup, otherwise, the Arq backup data files will sync to your Mac, which is a waste of bandwidth and storage.
 
> I am not doing anything sketchy. I suppose my biggest fear is hacking.

You mean if say, OneDrive (or iCloud) running on your computer was to be compromised?

I think that's pretty low risk, the software doesn't listen for external connections, it only makes connections outbound and connects directly to the parent company's servers.

As far as OneDrive or iCloud for backup goes - pretty sure both keep deleted files for X days (30?) so whilst it's not a traditional backup, it's a LOT better than not using the service(s).
 
> IMHO, once you hand over access to your documents, desktop, etc. then granting full disk access is a formality; All your sensitive user data is in the folders you're already using with OneDrive, and you're literally using OneDrive to back up your private, important stuff.

I really can't disagree more. Sure, you have important stuff in these folders, but a lot of content that is inherently privacy-sensitive is stored in your ~/Library folder. Full Disk Access is giving an app way, way more access than Desktop and Documents.

> In terms of privacy - who are you worried about defending against? If you use an OS from Microsoft or Apple (or Google) you have to assume that they already have the capability to access or analyze any/all content on the device if that's what they want to do - so if you've bought into any of those platforms you're pretty much at their mercy already.

In this particular context (i.e. the OP), yes, we're talking about defending your privacy against the vendor that makes OneDrive. I would hate to see Mac users get complacent about granting Full Disk Access though. It definitely is not a formality. Companies like Microsoft, especially, should not promote that complacency by unnecessarily requiring Full Disk Access (and again, disclaimer, it's possible that I just don't understand the reason that OneDrive does actually need Full Disk Access, but then I don't see the reasoning documented anywhere either. I would be fairly surprised if Apple developed FileProvider in a way such that Full Disk Access is inherently required by a FileProvider. If that's the case, then shame on Apple instead).
 