Fileside

Full Disk Access - what is it and what does it do?

By Erik Jälevik on 31 May 2024

A quick search for “Full Disk Access” reveals plenty of results, although some are misleading if not outright dishonest. Many come from application vendors suggesting that if we don’t grant their Mac apps Full Disk Access, they might not work as intended. In fact, the vast majority of applications should have no reason to need Full Disk Access.

Read on for the full low-down, after which you’ll know everything you need to make an informed decision about whether to give any MacOS app the Full Disk Access permission (referred to as FDA from now on).

What is it?

To understand FDA, we must first understand Transparency Consent and Control, of which FDA is a part.

In MacOS 10.14 Mojave, Apple began introducing a new privacy initiative called Transparency Consent and Control, or TCC for short. It’s a system designed to put users in control over which apps on their Mac are allowed access to which resources. As the name implies, it requires that you give explicit consent to each app that wants to access certain locations or hardware features.

All these TCC permissions are managed through the Privacy & Security section under System Settings.

The MacOS Privacy & Security dialog

Some of them regulate access to specific types of data stored in the file system, e.g.:

  • Contacts
  • Calendars
  • Reminders
  • Photos
  • HomeKit
  • Media & Apple Music

For more general storage locations, there is the Files and Folders category, where apps can be granted access to system folders like:

  • Documents
  • Desktop
  • Downloads

But also to drives like:

  • Removable Volumes
  • Network Volumes

The nice thing about all of the above is that it’s mostly handled automatically, through a thoughtfully designed user interaction. As soon as an app tries to read anything from, say, the Documents folder, the OS pops up an alert asking if the user wants to allow said app access to their documents.

The MacOS TCC consent request dialog

If you click Don’t Allow here, it won’t ask again and the app will be banned from that location. Should you later change your mind, you have to drill down to the relevant app in the Files and Folders section and toggle on the respective permission.

Full Disk Access

That’s all well and good, but what about Full Disk Access, you may at this point impatiently cry out.

The FDA permission basically covers all of the above, plus any other folders that Apple deems to contain sensitive user data, but without the nice consent-on-demand UX. When an app tries to access any of the other folders protected by FDA, it will just encounter a permissions error.

The MacOS Full Disk Access dialog

In other words, FDA is a blanket pass to access all the locations on the disk considered sensitive. Enabling FDA for an app overrides all the more fine-grained TCC permissions listed in the previous section.

What does it actually protect?

At the top of the FDA pane, Apple lists “Mail, Messages, Safari, Home, Time Machine backups and certain administrative settings” as affected by the permission. The keen-eyed reader might notice that none of these are actual folders; what they refer to are the default storage locations for these built-in apps.

The full list of folders covered by FDA is not documented, but some known ones are:

| Type of data            | Path                                               |
|-------------------------|----------------------------------------------------|
| Messages                | ~/Library/Messages                                 |
| Safari browsing history | ~/Library/Safari                                   |
| Cookies                 | ~/Library/Cookies                                  |
| Identity services       | ~/Library/IdentityServices                         |
| Spotlight data          | ~/Library/Metadata/CoreSpotlight                   |
| Phone call history      | ~/Library/Application Support/CallHistoryDB        |
| Facetime data           | ~/Library/Application Support/Facetime             |
| TCC database            | ~/Library/Application Support/com.apple.TCC.db     |

What this means in practice is that the “sensitive user data” protected by FDA consists mostly of data handled by the default built-in Mac apps. If you use third-party apps for these functions, the data they store and process is likely not covered by FDA.

What conclusions can we draw?

At this point, it ought to be clear that the name Full Disk Access is a bit of a misnomer, since it does not protect the whole disk from access, but rather a few select locations.

Valid reasons to give apps FDA

Irrespective of this caveat, leaving these locations protected is a very reasonable thing to do. For the most part, apps on a Mac have no business poking around in them.

However, there are certain classes of applications for which granting the FDA permission can be important for their operation. They include:

  • Antivirus/malware scanners: Without FDA, security software won’t be able to scan all the drive’s folders for nasty stuff.
  • Backup tools: A backup tool running without FDA won’t be able to back up all files.
  • File managers: File managers won’t be able to show or copy all directories without FDA.
  • Terminal tools: For command-line tools, no TCC consent-on-demand popups appear, so it’s often easier to give the Terminal app blanket FDA.

From the perspective of a running app, errors caused by FDA are unfortunately indistinguishable from regular file permission errors. This can make it harder to diagnose why an app is unable to access a certain file or folder, and experimenting with toggling FDA on or off might be necessary to find out.
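The following diagnostic is an added example, not code from the original article or from Fileside. It tries to list a few of the directories from the table above and compares the outcome with the POSIX mode bits: a listing that fails even though the mode bits permit it points at a missing FDA grant rather than ordinary file permissions. The verdict names are hypothetical, and the check assumes that `stat` on the directory itself still succeeds without FDA and that no ACLs are involved.

```python
import os
import stat

# Directories from the article's table of known FDA-protected locations.
FDA_PATHS = [
    "~/Library/Messages",
    "~/Library/Safari",
    "~/Library/Cookies",
    "~/Library/Metadata/CoreSpotlight",
]

def mode_allows_listing(st, uid):
    """True if the POSIX mode bits alone would let `uid` list the directory."""
    if uid == 0:                      # root bypasses mode bits
        return True
    if st.st_uid == uid:
        need = stat.S_IRUSR | stat.S_IXUSR
    else:                             # simplification: group bits and ACLs ignored
        need = stat.S_IROTH | stat.S_IXOTH
    return (st.st_mode & need) == need

def classify(exists, listed, posix_ok):
    """Turn the three observations into a verdict (names are hypothetical)."""
    if not exists:
        return "missing"
    if listed:
        return "accessible"
    return "likely-fda" if posix_ok else "posix-denied"

def probe(path, uid=None):
    """Try to list one directory and explain the outcome."""
    uid = os.getuid() if uid is None else uid
    path = os.path.expanduser(path)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "unknown"              # cannot even stat: a parent directory blocks us
    try:
        os.listdir(path)
        listed = True
    except PermissionError:
        listed = False
    return classify(True, listed, mode_allows_listing(st, uid))

if __name__ == "__main__":
    for p in FDA_PATHS:
        print(f"{probe(p):13} {p}")
```

When run from a terminal, the result reflects the permission of the terminal application hosting the shell, so run it from the context of the app you are diagnosing.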

Should I enable it?

Armed with the above knowledge, we can now draw the following conclusions:

  • Leave FDA disabled for all apps by default.
  • Enable FDA for trustworthy apps that have a need to traverse directories.

In the case of a file manager like Fileside, it will get by just fine without FDA for the most part. But if you’re planning on working with FDA-protected subfolders of ~/Library, you will need to enable it. Another Fileside feature that will benefit from having FDA enabled is calculating the total size of the user directory, since the sizes of files in the inaccessible parts of the Library subfolder can’t be taken into account without FDA.

On the whole, you should probably worry more about which apps you allow onto your system in the first place than about whether they have FDA granted. Only install apps you can trust, since malicious software can do plenty of damage even without FDA.

How do I enable it?

FDA needs to be granted manually for each app in the system settings. Apps cannot enable it automatically.

  1. Open System Settings.
  2. Open the Privacy & Security tab.
  3. Enter Full Disk Access.
  4. Click the + button at the bottom left of the table.
  5. Choose the application to which you want to grant FDA from the file picker.
  6. Restart the application for the change to take effect.
