Third-Party Patch Fails on macOS with "Requires Full Disk Access (rc=100)"

Overview

Third-party software updates on macOS may fail when the Automox agent does not have the required Full Disk Access permissions. This issue commonly affects applications installed in the /Applications directory, such as Docker Desktop and iTerm2.

When this occurs, the patch may run for an extended period before failing, and the Automox agent log reports a "requires Full Disk Access (rc=100)" error.

 

Symptoms

A third-party software update is detected and begins installing but ultimately fails.

The Automox agent log contains entries similar to the following:

level=INFO  command="InstallUpdate" message="Classification: 1 third-party, 0 macOS install, 0 macOS download, 0 invalid"
level=INFO  command="InstallUpdate" message="Processing package com.docker.docker"
level=ERROR command="InstallUpdate" message="ottopm update for com.docker.docker requires Full Disk Access (rc=100): "

The key indicator is:

requires Full Disk Access (rc=100)

Applications that run continuously in the background, such as Docker Desktop and iTerm2, are the most common examples.

 

Cause

To install updates for applications located in /Applications, the Automox agent must replace or modify files within the existing application bundle.

macOS protects signed application bundles through the Transparency, Consent, and Control (TCC) privacy framework. If the Automox agent process (amagent) has not been granted Full Disk Access, macOS blocks these file operations and returns an Operation not permitted error. The update then fails with exit code 100.

This issue may affect only specific applications because:

  • Some updates complete without modifying protected application bundles.
  • Certain patch types do not require Full Disk Access.
  • Privacy Preferences Policy Control (PPPC) profiles that grant only Automation or Apple Events permissions do not provide Full Disk Access.
  • Microsoft Office and Microsoft AutoUpdate patches may succeed while applications such as Docker Desktop fail.

 

Resolution

Grant Full Disk Access to the Automox agent using one of the following methods.

Option 1: Grant Full Disk Access on a Single Device

Use this method for testing or for individual devices.

  1. Open System Settings.
  2. Navigate to Privacy & Security > Full Disk Access.
  3. Click +.
  4. In the file selection dialog, press Shift + Command + G.
  5. Enter the following path:

    /usr/local/bin/amagent
  6. Select amagent and verify that Full Disk Access is enabled.
  7. Restart the Automox agent:

    sudo launchctl bootout system/com.automox.agent
    sudo launchctl bootstrap system /Library/LaunchDaemons/com.automox.agent.plist
  8. Re-run the patch policy.

The update should complete successfully.

Note: Manual Full Disk Access permissions apply only to the individual device. If the device is reimaged or replaced, the permission must be granted again. For managed environments, Automox recommends deploying a PPPC profile through your MDM solution.

Option 2: Deploy Full Disk Access Using an MDM (Recommended)

For managed macOS environments, deploy a Privacy Preferences Policy Control (PPPC) configuration profile that grants Full Disk Access to the Automox agent.

Requirements

  • User-Approved MDM enrollment or Apple Business Manager enrollment
  • An MDM platform such as Jamf Pro, Kandji, Mosyle, or Microsoft Intune

Configure the PPPC payload (com.apple.TCC.configuration-profile-policy) with the following settings:

Field             Value
Identifier        /usr/local/bin/amagent
Identifier Type   path
Service           SystemPolicyAllFiles (Full Disk Access)
Authorization     Allow
Code Requirement  See below

Code Requirement

identifier "com.automox.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DAEQ58A4ES

Most MDM platforms provide a guided PPPC configuration interface that allows you to:

  1. Add the application by path.
  2. Select Full Disk Access (SystemPolicyAllFiles).
  3. Set authorization to Allow.
  4. Deploy the profile to managed devices.

Once the profile is installed, no user interaction is required. Existing and future bundle-overwrite updates can install successfully without prompting users.

 

Verification

After granting Full Disk Access:

  1. Re-run the affected patch policy or specific third-party update.
  2. Verify that the update completes successfully.
  3. Review the Automox agent log and confirm that the following error no longer appears:

    requires Full Disk Access (rc=100)
  4. Confirm the patch status reports Success in the Automox console.
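
For verification step 3, the log check can be scripted. The following is an added example, not Automox code: it lists each package that failed with rc=100 and how often. The log file path is passed as an argument because this page does not give the agent log's location, and the sample lines are constructed from the entries shown under Symptoms.

```shell
#!/bin/sh
# Added example: triage an Automox agent log for Full Disk Access failures.
# Usage: sh fda_check.sh /path/to/agent.log   (path is an assumption; supply your own)

# Print "<count> <package-id>" for each package whose update failed with rc=100.
fda_failures() {
    sed -n 's/.*level=ERROR.*message="ottopm update for \([^ ]*\) requires Full Disk Access (rc=100).*/\1/p' "$1" |
        sort | uniq -c | awk '{print $1, $2}'
}

# Return 0 when the log holds no rc=100 failures, non-zero otherwise.
fda_clean() {
    [ -z "$(fda_failures "$1")" ]
}

# Write a constructed sample log, modelled on the entries under Symptoms.
write_sample_log() {
    cat > "$1" <<'EOF'
level=INFO  command="InstallUpdate" message="Processing package com.docker.docker"
level=ERROR command="InstallUpdate" message="ottopm update for com.docker.docker requires Full Disk Access (rc=100): "
level=INFO  command="InstallUpdate" message="Processing package com.googlecode.iterm2"
level=ERROR command="InstallUpdate" message="ottopm update for com.googlecode.iterm2 requires Full Disk Access (rc=100): "
level=ERROR command="InstallUpdate" message="ottopm update for com.docker.docker requires Full Disk Access (rc=100): "
level=INFO  command="InstallUpdate" message="Processing package com.example.other"
EOF
}

# Demo: use the log given as $1, or fall back to the constructed sample.
log="${1:-}"
tmp=""
if [ -z "$log" ]; then
    tmp="$(mktemp)"
    write_sample_log "$tmp"
    log="$tmp"
fi
if fda_clean "$log"; then
    echo "No Full Disk Access (rc=100) failures in $log"
else
    echo "Packages blocked by missing Full Disk Access (count, package):"
    fda_failures "$log"
fi
[ -z "$tmp" ] || rm -f "$tmp"
```

Run it against the log before and after granting Full Disk Access; entries from earlier runs remain in the log, so compare counts rather than expecting an empty result on an unrotated file.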