Full Disk Access - what is it and what does it do?
A quick search for “Full Disk Access” reveals plenty of results, although some are misleading if not outright dishonest. Many come from application vendors suggesting that if we don’t grant their Mac apps Full Disk Access, they might not work as intended. In fact, the vast majority of applications should have no reason to need Full Disk Access.
Read on for the full low-down, after which you’ll be equipped with everything you need to make an informed decision about whether to give any macOS app the Full Disk Access (referred to as FDA from now on) permission.
What is it?
To understand FDA, we must first understand Transparency Consent and Control, of which FDA is a part.
Transparency Consent and Control
In macOS 10.14 Mojave, Apple began introducing a new privacy initiative called Transparency Consent and Control, or TCC for short. It’s a system designed to put users in control over which apps on their Mac are allowed access to which resources. As the name implies, it requires that you give explicit consent to each app that wants to access certain locations or hardware features.
All these TCC permissions are managed through the Privacy & Security section under System Settings.
Some of them regulate access to specific types of data stored in the file system, e.g.:
- Contacts
- Calendars
- Reminders
- Photos
- HomeKit
- Media & Apple Music
For more general storage locations, there is the Files and Folders category, where apps can be granted access to system folders like:
- Documents
- Desktop
- Downloads
But also to drives like:
- Removable Volumes
- Network Volumes
The nice thing about all of the above is that it’s mostly handled automatically, through a thoughtfully designed user interaction. As soon as an app tries to read anything from, say, the Documents folder, the OS pops up an alert asking if the user wants to allow said app access to their documents.
If you click Don’t Allow here, it won’t ask again and the app will be banned from that location. Should you later change your mind, you have to drill down to the relevant app in the Files and Folders section and toggle on the respective permission.
Full Disk Access
That’s all well and good, but what about Full Disk Access, you may at this point impatiently cry out.
The FDA permission basically covers all of the above, plus any other folders that Apple deems to contain sensitive user data, but without the nice consent-on-demand UX. When an app tries to access any of the other folders protected by FDA, it will just encounter a permissions error.
In other words, FDA is a blanket pass to access all the locations on the disk considered sensitive. Enabling FDA for an app overrides all the more fine-grained TCC permissions listed in the previous section.
What does it actually protect?
At the top of the FDA pane, Apple lists “Mail, Messages, Safari, Home, Time Machine backups and certain administrative settings” as affected by the permission. The keen-eyed reader might notice that none of these are actual folders, but what they refer to are the default storage locations for these built-in apps.
The full list of folders covered by FDA is not documented, but some known ones are:
| Type of data | Path |
|---|---|
| Messages | ~/Library/Messages |
| Safari browsing history | ~/Library/Safari |
| Cookies | ~/Library/Cookies |
| Identity services | ~/Library/IdentityServices |
| Spotlight data | ~/Library/Metadata/CoreSpotlight |
| Phone call history | ~/Library/Application Support/CallHistoryDB |
| FaceTime data | ~/Library/Application Support/Facetime |
| TCC database | ~/Library/Application Support/com.apple.TCC.db |
What this means in practice is that the “sensitive user data” protected by FDA consists mostly of data handled by default built-in Mac apps. If you use third-party apps for these functionalities, the data they store and process is likely not covered by FDA.
What conclusions can we draw?
At this point, it ought to be clear that the name Full Disk Access is a bit of a misnomer, since it does not protect the whole disk from access, but rather a few select locations.
Valid reasons to give apps FDA
Irrespective of this caveat, leaving these locations protected is a very reasonable thing to do. For the most part, apps on a Mac have no business poking around in them.
However, there are certain classes of applications for which granting the FDA permission can be important for their operation. They include:
- Antivirus/malware scanners: Without FDA, security software won’t be able to scan all the drive’s folders for nasty stuff.
- Backup tools: A backup tool running without FDA won’t be able to back up all files.
- File managers: File managers won’t be able to show or copy all directories without FDA.
- Terminal tools: For command-line tools, no TCC consent-on-demand popups appear, so it’s often easier to give the Terminal app blanket FDA.
From the perspective of a running app, errors caused by FDA are unfortunately indistinguishable from regular file permission errors. This can make it harder to diagnose why an app is unable to access a certain file or folder, and experimenting with toggling FDA on or off might be necessary to find out.
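One way to run that experiment from the terminal, as an added example that is not part of the original article: the script below probes the known protected locations from the table above and reports which ones the current process can read. The function names are my own, and a `denied` result cannot by itself tell an FDA block from an ordinary permission problem, so compare the output before and after toggling FDA for the terminal app.

```shell
#!/bin/sh
# Added example: probe the FDA-protected locations listed in the article's table.
# Paths are relative to the home directory and are copied from that table.
FDA_PATHS='Library/Messages
Library/Safari
Library/Cookies
Library/IdentityServices
Library/Metadata/CoreSpotlight
Library/Application Support/CallHistoryDB
Library/Application Support/Facetime
Library/Application Support/com.apple.TCC.db'

# probe_path PATH -> prints "missing", "readable" or "denied"
probe_path() {
    if [ -d "$1" ]; then
        # Listing the directory is the operation that fails without access.
        if ls -A "$1" >/dev/null 2>&1; then echo readable; else echo denied; fi
    elif [ -e "$1" ]; then
        # Regular file: try to read a single byte.
        if head -c 1 "$1" >/dev/null 2>&1; then echo readable; else echo denied; fi
    else
        echo missing
    fi
}

# fda_report BASE -> one "status<TAB>path" line per known location under BASE
fda_report() {
    printf '%s\n' "$FDA_PATHS" | while IFS= read -r rel; do
        printf '%s\t%s\n' "$(probe_path "$1/$rel")" "$1/$rel"
    done
}

# fda_verdict BASE -> one-line summary of the report
fda_verdict() {
    report=$(fda_report "$1")
    if printf '%s\n' "$report" | grep -q '^denied'; then
        echo "denied paths found: FDA is probably off (or file permissions block access)"
    elif printf '%s\n' "$report" | grep -q '^readable'; then
        echo "all existing protected paths are readable: FDA appears to be on"
    else
        echo "no known protected paths exist here: inconclusive"
    fi
}

fda_report "$HOME"
fda_verdict "$HOME"
```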
Should I enable it?
Armed with the above knowledge, we can now draw the following conclusions:
- Leave FDA disabled for all apps by default.
- Enable FDA for trustworthy apps that have a need to traverse directories.
In the case of a file manager like Fileside, it will get by just fine without FDA for the most part. But if you’re planning on working with FDA-protected subfolders of ~/Library, you will need to enable it. Another Fileside feature that will benefit from having FDA enabled is calculating the total size of the user directory, since the sizes of files in the inaccessible parts of the Library subfolder can’t be taken into account without FDA.
On the whole, you should probably worry more about which apps you allow onto your system in the first place than about whether they have FDA granted. Only install apps you can trust, since malicious software can do plenty of damage even without FDA.
How do I enable it?
FDA needs to be granted manually for each app in the system settings. Apps cannot enable it automatically.
- Open System Settings.
- Open the Privacy & Security tab.
- Enter Full Disk Access.
- Click the + button at the bottom left of the table.
- Choose the application to which you want to grant FDA from the file picker.
- Restart the application for the change to take effect.