When connecting via SSH to a remote Mac running macOS Big Sur, Apple’s user-level privacy controls apply. You can access data in the home folder of the account you’re using to connect, but you can’t access or alter protected data in other accounts’ home folders.
For most use cases, this is fine. However, there may be circumstances when full disk access for SSH connections is desired. To accommodate this, Apple added an Allow full disk access for remote users checkbox in the Remote Login settings in System Preferences’ Sharing preference pane.
This setting can normally only be enabled by the logged-in user sitting at that Mac. However, there is a way to manage this with a configuration profile. For more details, please see below the jump.
I’ve written a profile to manage full disk access for SSH connections which does the following:
- Enables the Allow full disk access for remote users checkbox in the Remote Login settings in System Preferences’ Sharing preference pane
- Enables full disk access for /usr/libexec/sshd-keygen-wrapper
The first part is mainly cosmetic. It enables the Allow full disk access for remote users checkbox, but does not actually enable full disk access for SSH. That function is handled by the second part, which consists of the PPPC settings that grant full disk access to /usr/libexec/sshd-keygen-wrapper.
In order to apply PPPC settings, there are some prerequisites:
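As an added illustration (not the profile from the linked repository), here is a Python script that builds the PPPC part of such a profile with plistlib and includes an audit helper that reads the Full Disk Access grants back out of any profile. The code requirement string and the profile identifier are assumptions; confirm the requirement on a target Mac with codesign before deploying.

```python
import plistlib
import uuid

# Assumptions, not taken from the post: the designated requirement of Apple's
# sshd-keygen-wrapper (check with `codesign -d -r - /usr/libexec/sshd-keygen-wrapper`)
# and a placeholder profile identifier.
SSHD_WRAPPER_PATH = "/usr/libexec/sshd-keygen-wrapper"
SSHD_WRAPPER_REQUIREMENT = 'identifier "com.apple.sshd-keygen-wrapper" and anchor apple'
PROFILE_ID = "com.example.fda-ssh"
PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"


def fda_grant(path, code_requirement):
    """One SystemPolicyAllFiles (Full Disk Access) entry for a path-identified binary."""
    return {"Identifier": path, "IdentifierType": "path",
            "CodeRequirement": code_requirement, "Allowed": True}


def build_fda_ssh_profile():
    """Return a .mobileconfig plist (bytes) carrying a single PPPC payload."""
    payload = {
        "PayloadType": PPPC_TYPE,
        "PayloadIdentifier": PROFILE_ID + ".pppc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "PPPC: Full Disk Access for SSH",
        "Services": {"SystemPolicyAllFiles":
                     [fda_grant(SSHD_WRAPPER_PATH, SSHD_WRAPPER_REQUIREMENT)]},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # PPPC grants are device-wide and must come via MDM
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Enable Full Disk Access for SSH",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def fda_grants(profile_bytes):
    """Audit helper: list (identifier, allowed) Full Disk Access grants in a profile."""
    data = plistlib.loads(profile_bytes)
    grants = []
    for p in data.get("PayloadContent", []):
        if p.get("PayloadType") == PPPC_TYPE:
            for e in p.get("Services", {}).get("SystemPolicyAllFiles", []):
                grants.append((e["Identifier"], bool(e.get("Allowed", False))))
    return grants
```

Write the bytes returned by build_fda_ssh_profile() to a .mobileconfig file and upload it to your MDM; the same fda_grants() helper can be pointed at any exported profile to review which binaries it grants Full Disk Access.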
- User Approved Mobile Device Management (UAMDM) must be enabled on the target Mac.
- Profile must be installed by an MDM server.
Those prerequisites also apply to deploying this profile, which is available via the link below:
https://github.com/rtrouton/profiles/tree/main/EnableFullDiskAccessforSSH
When deployed, the profile should appear similar to this in System Preferences’ Profiles preference pane.
Hat tip to poundbangbash for providing the correct PPPC settings for SSH full disk access by allowing full disk access to /usr/libexec/sshd-keygen-wrapper.