
dmt43

macrumors regular
Original poster
Jul 28, 2023
I want to use OneDrive for offsite/online backup of my Mac. I have Time Machine backup to a hard drive. I currently have a cloud backup service that expires on 9/2 and do not want to renew. I researched iDrive for backup, which seems fine; the 100GB plan would work for me, but I already pay for MS365 and have 1TB on OneDrive, of which I’m only using 24GB. So I thought why not use OneDrive?

It requires full disk access - which I know is a security risk but as long as I know what app I am providing access to and am comfortable with it it shouldn’t be an issue, correct? I checked and currently, no apps have FDA.

I am a relatively new Mac user and don’t totally understand what it means when I provide Full Disk Access. I’m questioning how do you decide if it’s ok to provide FDA to an app? I think OneDrive Microsoft is ok because they state they protect my info. But still, I’m not 100% comfortable, I’m trying to get there 😁

My current backup provider has all my data, but they don’t show up with Full Disk Access. I realize no matter which app I use, I have to trust that they will protect/keep my data safe…..FDA or not! thank you! Donna
 
Because a feature of OneDrive is to automatically monitor and sync your Mac's Documents, Desktop, and Photos folders to the OneDrive cloud storage.
 
> Because a feature of OneDrive is to automatically monitor and sync your Mac's Documents, Desktop, and Photos folders to the OneDrive cloud storage.
Sorry, I don’t understand, are you saying that is why OneDrive needs FDA?
 
> I am a relatively new Mac user and don’t totally understand what it means when I provide Full Disk Access.
Even if an app has Full Disk Access, it can not modify the system volume, where macOS is stored.
Signed system volume security https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/1/web/1
Related Apple documentation
Controlling app access to files in macOS
https://support.apple.com/guide/security/controlling-app-access-to-files-secddd1d86a6/web
Accessing files from the macOS App Sandbox https://developer.apple.com/documentation/security/accessing-files-from-the-macos-app-sandbox
 
> Even if an app has Full Disk Access, it can not modify the system volume, where macOS is stored.
> Signed system volume security https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/1/web/1
> Related Apple documentation
> Controlling app access to files in macOS
> https://support.apple.com/guide/security/controlling-app-access-to-files-secddd1d86a6/web
> Accessing files from the macOS App Sandbox https://developer.apple.com/documentation/security/accessing-files-from-the-macos-app-sandbox
thanks for the info!
 
> Because a feature of OneDrive is to automatically monitor and sync your Mac's Documents, Desktop, and Photos folders to the OneDrive cloud storage.

Full Disk Access is not required for an application to gain access to Desktop, Documents and CloudStorage folders. Access to those folders is granted via the "Files & Folders" privilege. The "Photos" privilege will grant access to photos. Full Disk Access is a much broader privilege.

I use OneDrive lightly, it hasn't asked for Full Disk Access and doesn't appear in the Full Disk Access list. Any application that requests an action that would require Full Disk Access will automatically show up in the Full Disk Access list. I can't think of any reason OneDrive should require Full Disk Access. Following the "policy of least privilege", I would deny it full disk access and see if there is anything it's unable to do without it. I would also delete its entry from the Full Disk Access list so that the next time it needs Full Disk Access, it will ask for it again, and then hopefully you'll have a clearer picture of why it wants Full Disk Access.
 
> Full Disk Access is not required for an application to gain access to Desktop, Documents and CloudStorage folders. Access to those folders is granted via the "Files & Folders" privilege. The "Photos" privilege will grant access to photos. Full Disk Access is a much broader privilege.
>
> I use OneDrive lightly, it hasn't asked for Full Disk Access and doesn't appear in the Full Disk Access list. Any application that requests an action that would require Full Disk Access will automatically show up in the Full Disk Access list. I can't think of any reason OneDrive should require Full Disk Access. Following the "policy of least privilege", I would deny it full disk access and see if there is anything it's unable to do without it. I would also delete its entry from the Full Disk Access list so that the next time it needs Full Disk Access, it will ask for it again, and then hopefully you'll have a clearer picture of why it wants Full Disk Access.
I use OneDrive today and it does not ask for/nor have Full Disk Access. No apps currently have that and OneDrive has not asked for it. I don’t know why it requires FDA for Backup, but this is what happens when I go to enable backup: From OneDrive Settings -> Manage Backups -> Then a pop-up comes up stating: OneDrive Needs Permission to Back Up. To back up your folders in OneDrive, Go to System Preferences. Under Full Disk Access, select OneDrive checkbox. Press Quit and Reopen and then try Manage Backups again. I share your concern that full disk access is not to be given out lightly, which is why I am asking about it. Thanks!
 
I see that when I go to enable backup. I have to decide if I want to allow it……… I can get a different app for backup. Just didn’t want to do that since I already have OneDrive. thanks!
Because I use it for work I don't find the backup part to be all that valuable but what I like is that my desktop is the same at any computer where I'm signed into my OneDrive account. I do the same with iCloud on my personal computers.
 
I use OneDrive for work and if you want to use Desktop and Documents sync you do need Full Disk Access enabled.
Hmm, indeed OneDrive requires that you grant it Full Disk Access in order to use the Desktop and Documents syncing functionality (I never tried that from OneDrive, I got burned by iCloud's Desktop/Documents syncing years ago and never reconsidered it). I'm still not following why they would require this though. Getting access to those folders from TCC definitely does not require Full Disk Access. Maybe it's just simpler for them, e.g. two-birds-one-stone? That would not be cool...

I'm too curious. I started my own OneDrive from scratch to see what happens. When I opened it for the "first" time I see:

> "OneDrive.app" would like to access files on your Documents folder

Allow...

> "OneDrive.app" would like to access files on your Desktop folder

Ok, allow... Continued through setup and finally one more prompt:

> "OneDrive.app" wants to access files managed by "OneDrive".

So it would seem that OneDrive should have everything it needs to access my Desktop and Documents folders at this point, right?

When I click the "Manage Backup" button (for backing up Desktop and Documents), I get a special dialog indicating that OneDrive needs Full Disk Access. OK, so what did it try to access that it couldn't access? Here it is (via fs_usage):

Code:
11:05:05.039118  open                   [  1] (R_____________)  /Library/Preferences/com.apple.TimeMachine.plist  0.000095   OneDrive.19491060

So OneDrive is trying to read Time Machine's backup preferences? I granted Full Disk Access to OneDrive just to see what would happen. I don't see any suggestion (in OneDrive's UI) that there is an interaction with Time Machine (and I don't have it enabled on my computer). Running fs_usage again, it's clear that OneDrive is not actually trying to read that file, it's just trying to open it, then close it, without reading it:

Code:
11:15:03.038431  open              F=72       (R_____________)  /Library/Preferences/com.apple.TimeMachine.plist   0.000049   OneDrive.19543003
11:15:03.038435  close             F=72                                                                            0.000004   OneDrive.19543003

It must be some sort of sentinel check (i.e. "do I have full disk access?").

This seems a little weird to me. I'm sure OneDrive has more complexity than I care to appreciate, but if it has access to the Desktop and Documents folders, and access to "files managed by OneDrive" (i.e. its location in ~/Library/CloudStorage), I can't immediately see why it would actually need Full Disk Access too, which gives it far broader access to other folders, external media, etc. than I would care to grant it.
 
Reactions: Rnd-chars
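
The fs_usage check described in the post above, as an added example that is not part of the original thread: a small Python parser that labels each `open` in a trace as denied, read, or opened and closed without a read (the "sentinel" pattern). The first three sample lines are the ones quoted in the post; the last three, the `classify` function and the handling of the `read` line format are assumptions made for illustration.

```python
import re

# Lines 1-3 are the fs_usage lines quoted in the post. Lines 4-6 are
# constructed for contrast: a file that is opened, actually read, then closed.
TRACE = """\
11:05:05.039118  open                   [  1] (R_____________)  /Library/Preferences/com.apple.TimeMachine.plist  0.000095   OneDrive.19491060
11:15:03.038431  open              F=72       (R_____________)  /Library/Preferences/com.apple.TimeMachine.plist   0.000049   OneDrive.19543003
11:15:03.038435  close             F=72                                                                            0.000004   OneDrive.19543003
11:15:04.000100  open              F=73       (R_____________)  /Users/example/Documents/notes.txt   0.000051   OneDrive.19543003
11:15:04.000200  read              F=73   B=0x200                                                     0.000010   OneDrive.19543003
11:15:04.000300  close             F=73                                                               0.000004   OneDrive.19543003
"""

# timestamp, syscall, then either F=<fd> (success) or [<errno>] (failure),
# free-form middle (flags, path), elapsed seconds, process.thread
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<call>\w+)\s+"
    r"(?:F=(?P<fd>\d+)|\[\s*(?P<errno>\d+)\])?"
    r"(?P<rest>.*?)\s+(?P<elapsed>\d+\.\d+)\s+(?P<proc>\S+)\s*$"
)
PATH = re.compile(r"(/\S+)")          # simplification: paths without spaces
READ_CALLS = {"read", "pread"}

def classify(trace):
    """Return [(path, verdict)] for every open() seen in an fs_usage trace."""
    open_fds = {}                     # (process name, fd) -> [path, was_read]
    results = []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Descriptors belong to the process, so drop the trailing thread id.
        key = (m["proc"].rsplit(".", 1)[0], m["fd"])
        if m["call"] == "open":
            found = PATH.search(m["rest"])
            path = found.group(1) if found else "?"
            if m["errno"]:            # bracketed errno; 1 is EPERM
                results.append((path, f"denied errno={int(m['errno'])}"))
            elif m["fd"]:
                open_fds[key] = [path, False]
        elif m["call"] in READ_CALLS and key in open_fds:
            open_fds[key][1] = True
        elif m["call"] == "close" and key in open_fds:
            path, was_read = open_fds.pop(key)
            results.append((path, "read" if was_read else "probe (opened, never read)"))
    return results

if __name__ == "__main__":
    for path, verdict in classify(TRACE):
        print(f"{verdict:28} {path}")
```
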