diff --git a/docs/getting-started/install-elastic-endpoint.asciidoc b/docs/getting-started/install-elastic-endpoint.asciidoc index 30ee5a3614..97579a9999 100644 --- a/docs/getting-started/install-elastic-endpoint.asciidoc +++ b/docs/getting-started/install-elastic-endpoint.asciidoc @@ -49,9 +49,9 @@ image::images/install-endpoint/filter-network-content.png[] [[enable-fda-endpoint]] == Enable Full Disk Access for {elastic-endpoint} -{elastic-endpoint} requires Full Disk Access to subscribe to system events via the {endpoint-sec} framework and to protect your network from malware and other cybersecurity threats. Full Disk Access permissions is a new privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. To enable Full Disk Access, you must manually approve {elastic-endpoint}. For endpoints running macOS Mojave (10.14) and earlier, you must also approve the {elastic-endpoint} <>. +{elastic-endpoint} requires Full Disk Access to subscribe to system events via the {elastic-defend} framework and to protect your network from malware and other cybersecurity threats. To enable Full Disk Access on endpoints running macOS Catalina (10.15) and later, you must manually approve {elastic-endpoint}. -NOTE: The following instructions apply only to {elastic-endpoint} running {stack} version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to <>. +NOTE: The following instructions apply only to {elastic-endpoint} running version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to <>. . Open the *System Preferences* application. . Select *Security and Privacy*. 
@@ -79,31 +79,4 @@ If the endpoint is running {stack} version 7.17.0 or earlier: . Click *Open*. . In the *Privacy* tab, confirm that `elastic-endpoint` AND `co.elastic.systemextension` are selected to properly enable Full Disk Access. -- -image::images/fda/fda-7-16.png[] - -[discrete] -[[kernel-extension-approval]] -== Approve the kernel extension - -For endpoints running macOS Mojave (10.14) and earlier, {elastic-endpoint} will attempt to load a kernel extension (as opposed to a system extension) during installation. This kernel extension is required to provide insight into system events such as process events, file system events, and network events. The following message appears during installation: - --- -image::images/fda/sys-ext-blocked.png[System extension blocked] --- - -To approve the extension: - -. Click *Open Security Preferences.* -. In the lower-left corner of the pane, click the **Lock button**, then enter your credentials to authenticate. -. Click *Allow* to load the kernel extension. -+ --- -image::images/fda/allow-kernel-ext.png[Allow kernel extension] --- -+ - -If the prompt does not appear, enable the extension by doing the following: - -. Open a Terminal application. -. Enter `kextload /Library/Extension/kendpoint.kext`. Prepend the command with `sudo` if necessary. -You should receive an output similar to `149 0 0xffffff7f82e7b000 0x21000 0x21000 co.elastic.kendpoint (7.11.0) BD152A57-ABD3-370A-BBE8-D15A0FCBD19A <6 5 2 1>`. If you receive this output, the kernel extension is enabled. +image::images/fda/fda-7-16.png[] \ No newline at end of file
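Review bot: In the first hunk (@@ -49,9 +49,9 @@), the rewritten opening sentence swaps `{endpoint-sec}` for `{elastic-defend}`, so it now reads "subscribe to system events via the {elastic-defend} framework". Please confirm the product attribute is what should name the framework here, since the old attribute named something different and the rest of the sentence is unchanged. The NOTE in the same hunk also drops `{stack}` ("running version 8.0.0 and later"), while the context line of the next hunk still says "running {stack} version 7.17.0 or earlier". Use one wording for both. Finally, the new text limits the instructions to "macOS Catalina (10.15) and later" without saying what applies to earlier macOS versions. If those are no longer supported, a short statement to that effect would help readers who arrive from older links.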
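Review bot: In the second hunk (@@ -79,31 +79,4 @@), deleting the section also deletes the `[[kernel-extension-approval]]` anchor, so any cross-reference to it elsewhere in the docs will fail to resolve. Please search the doc set for remaining links to that ID before merging. The file now ends at `image::images/fda/fda-7-16.png[]` with no trailing newline, directly after the `--` delimiter that is kept as context. No closing `--` is visible after the image in this hunk, so check that the open block is still terminated and add the final newline.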