
Commit 16fe6c2

narcher7, ferullo, jmikell821
authored
Fix Full Disk Access inaccuracies. (#335)
* Fix Full Disk Access inaccuracies.
* Fix typos
* Update sensor-full-disk-access.asciidoc
* Add system extension instructions
* Add image for system extension prompt
* Make small tweak to installation instructions about macOS versions
* Fix h2 header
* Make small editorial updates
* Add headers to new sections
* Add links to new requirements on install doc
* Fix header and version number for system extension
* Add clarity to kernel extension prompts
* Add clarification around prompts and versioning
* Light grammar edits
* Fix issue #271
* Add Daniel's feedback
* Update docs/getting-started/sensor-full-disk-access.asciidoc
  Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com>
* Update docs/getting-started/sensor-full-disk-access.asciidoc
  Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com>
* Update sensor-full-disk-access.asciidoc
* Update docs/getting-started/sensor-full-disk-access.asciidoc
  Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
* Update docs/getting-started/sensor-full-disk-access.asciidoc
  Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
* Update docs/getting-started/sensor-full-disk-access.asciidoc
  Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
* Update docs/getting-started/sensor-full-disk-access.asciidoc
  Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
* Replace system-extension image. Give final pieces of feedback
* One final tweak
* Add back missing word.
* Capitalize Full Disk Access
* Merge final pieces of feedback

Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com>
Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
1 parent 6a769b8 commit 16fe6c2

File tree

5 files changed

+91
-14
lines changed


docs/getting-started/ingest-data.asciidoc

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@
33

44
To ingest data, you can use:
55

6-
* The Elastic Agent with the **Endpoint Security Integration**, which protects
6+
* The Elastic Agent with the **Elastic Endpoint Integration**, which protects
77
your hosts and sends logs, metrics, and endpoint security data to {es-sec}
88
(see <<install-endpoint>>).
99
* *{beats}* shippers installed for each system you want to monitor.
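Review bot: the integration is renamed here to **Elastic Endpoint Integration**, but the rest of this patch keeps the old names: the "Add Elastic Endpoint integration" step in install-endpoint.asciidoc still tells the reader to search Integrations for "Elastic Endpoint Security", and sensor-full-disk-access.asciidoc links to `<<install-endpoint,Endpoint Security Integration>>` and labels the file path as "Endpoint Security". Pick one name and use it in all of those places; the search string in particular has to match what Ingest Manager actually lists.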

docs/getting-started/install-endpoint.asciidoc

Lines changed: 14 additions & 5 deletions
@@ -13,11 +13,11 @@ NOTE: Configuring the Endpoint Integration on the Elastic Agent requires that th
1313
[[security-before-you-begin]]
1414
== Before you begin
1515

16-
If you're using the Elastic Agent on macOS Mojave (10.14) or later, ensure that you have enabled <<sensor-full-disk-access,Full Disk Access>>. Lastly, review the <<sec-requirements>>.
16+
Depending on the version of macOS you're using, macOS requires that you give full disk access to different kernels, system extensions, or files. Review <<sensor-full-disk-access>> for details.
1717

1818
[discrete]
1919
[[add-security-integration]]
20-
== Add Elastic Security integration
20+
== Add Elastic Endpoint integration
2121

2222
1. In Kibana, select **Security** > **Administration**. If this is not your first time using Elastic Security, select **Ingest Manager** > **Integrations** and search for "Elastic Endpoint Security".
2323
+
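Review bot: the rewritten "Before you begin" sentence silently drops the pointer the old line ended with, "Lastly, review the <<sec-requirements>>."; nothing in the commit message says the requirements link was meant to go, so restore it as a second sentence. The new wording also conflates two different macOS gates: "give full disk access to different kernels, system extensions, or files" is not what happens. Kernel extensions and system extensions are approved for loading (that is what the prompts in the rest of this patch are about), while Full Disk Access is a separate TCC grant made to a specific executable or extension; and it is a kernel extension, not a kernel, that gets approved. Suggested replacement: "Depending on your macOS version, you must approve loading the Elastic kernel extension or system extension and grant Full Disk Access to the Endpoint binary. Review <<sensor-full-disk-access>> for details, then review the <<sec-requirements>>." Minor: "full disk access" is lowercase here while the same commit capitalizes it everywhere else.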
@@ -63,9 +63,9 @@ To unenroll an agent from your host, see {ingest-guide}/unenroll-elastic-agent.h
6363
[[enable-kernel-extension]]
6464
== Enable Elastic Endpoint kernel
6565

66-
When running the {agent} with endpoint integrated on macOS, you might be prompted to approve a kernel extension from "Endgame, Inc". To approve the extension:
66+
When running the {agent} with endpoint integrated on macOS 10.13, 10.14 and 10.15, you will be prompted to approve a kernel extension from "Endgame, Inc". To approve the extension:
6767

68-
TIP: JAMF users can approve the Kernel the same way for the **Elastic Endgame** app.
68+
TIP: Endgame Sensor users can approve the kernel the same way for the **Elastic Endgame** app.
6969

7070
1. Select **Open Security Preferences**. The **Security and Privacy** window opens.
7171
+
@@ -83,7 +83,7 @@ image::images/install-endpoint/unlock-security-panel.png[]
8383
image::images/install-endpoint/allow-endgame.png[]
8484

8585

86-
If the prompt does not appear when trying to run the Elastic Agent:
86+
If the prompt does not appear because you're using a version before macOS Big Sur (11.0), enable the extension by:
8787

8888
1. Open a Terminal application.
8989
2. Enter `kextload /Library/Extension/kendpoint.kext`. Prepend the command with `sudo` if necessary.
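Review bot: the new fallback lead-in contradicts the sentence it follows. The hunk now says that on 10.13, 10.14 and 10.15 you "will be prompted" to approve the kernel extension, then says the prompt "does not appear because you're using a version before macOS Big Sur (11.0)"; those are the same versions, so the reader is told the prompt both always appears and never appears. What the `kextload` steps actually cover is a pre-Big Sur host on which the prompt did not show up (Big Sur uses the system extension instead), so something like "If you're on a version before macOS Big Sur (11.0) and the prompt does not appear, load the extension manually:" keeps the version scoping without the false causation. Two smaller points in the same region: the heading "Enable Elastic Endpoint kernel" and the Endgame tip talk about approving "the kernel" when what is approved is the kernel extension; and the unchanged `kextload /Library/Extension/kendpoint.kext` line is worth double-checking, since the system-wide extension directory on macOS is `/Library/Extensions` (plural), and `kextload` normally needs root, so "if necessary" after `sudo` understates it.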
@@ -106,3 +106,12 @@ After you have installed the agent, malware prevention is automatically enabled
106106

107107
[role="screenshot"]
108108
image::images/install-endpoint/malware-protection.png[]
109+
110+
[discrete]
111+
[[verify-endpoint-enrollment]]
112+
== Verify Endpoint Enrollment
113+
114+
After installing the {agent}, there's a lag time of several hours between when the Elastic Endpoint begins detecting and sending alerts to {Kibana}. To ensure that the installation of Elastic Endpoint on your host was successful, go to **Administration > Endpoints**. A message appears that says, "Endpoints are enrolling. View agents to track progress".
115+
116+
[role="screenshot"]
117+
image::images/install-endpoint/endpoints-enrolling.png[]
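Review bot: the first sentence of "Verify Endpoint Enrollment" does not parse: "a lag time of several hours between when the Elastic Endpoint begins detecting and sending alerts" names only one end of the interval. Presumably the interval runs from installing the agent to the Endpoint starting to detect and send alerts; say that directly, e.g. "After you install the {agent}, it can take several hours before Elastic Endpoint begins detecting events and sending alerts to Kibana." Also, `{Kibana}` is used as an attribute here while this file writes Kibana literally in the "Add Elastic Endpoint integration" step and uses `{es-sec}` and `{agent}` for attributes; AsciiDoc attribute names are case-sensitive, so confirm `{Kibana}` is actually defined or the braces will render in the output. Style: the other headings in this file use sentence case ("Before you begin", "Enable Elastic Endpoint kernel"), so "Verify Endpoint enrollment".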
Lines changed: 76 additions & 8 deletions
@@ -1,25 +1,93 @@
11
[[sensor-full-disk-access]]
2-
= Enable full disk access
2+
= Enable Full Disk Access
33

4-
Elastic Endpoint Security requires full disk access to protect you from malware and other cybersecurity threats. Full Disk Access permissions is a new privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. This means you need to manually grant permission for Elastic Endpoint Security to access these protected areas of your Mac.
4+
Elastic Endpoint Security requires Full Disk Access to protect you from malware and other cybersecurity threats. Full Disk Access permissions is a new privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. This means you need to manually grant permission for the Endgame sensor and Elastic Endpoint to access these protected areas of your Mac.
55

6-
This article describes how to enable full disk access for both the Elastic Agent, required in order to enable Elastic Endpoint Security, and the legacy Endgame sensor.
6+
This article describes how to enable Full Disk Access for the required security system extensions, the Elastic Endpoint sensor, and the legacy Endgame sensor.
7+
8+
[discrete]
9+
[[macos-permissions]]
10+
== macOS permissions
11+
12+
The behavior of the Endgame sensor and Elastic Endpoint differs based on your macOS version. MDM/JAMF users can pre-approve all Full Disk Access without granting permission to the sensors. However, depending on the macOS version and sensor type, non-MDM/JAMF users may be prompted to enable Full Disk Access for required security files.
13+
14+
**Endgame Sensor**
15+
16+
- `10.13, 10.14, 10.15`: Users cannot proceed with installation without first granting the sensor the ability to load a <<enable-kernel-extension,kernel extension>>. During installation, you will be prompted to go to **System preferences** and approve loading the kernel. Upon approval, installation proceeds.
17+
18+
- `11.0` (Big Sur): Users cannot proceed with installation without first granting the sensor the ability to load <<system-extension>>. During installation, you will be prompted to go to **System preferences** and approve loading the system extension. Upon approval, a second prompt appears to enable **Network Filtering**. Approve this final prompt for installation to proceed.
19+
+
20+
You also must grant Full Disk Access to `com.endgame.systemextension`.
21+
22+
- `10.14.6+, 10.15, 11.0`: Grant the <<endpoint-endgame-sensor,esensor>> Full Disk Access.
23+
24+
25+
**Elastic Endpoint**
26+
27+
No prompts appear to approve the <<enable-kernel-extension,kernel>>, <<system-extension>>, or <<endpoint-endgame-sensor,elastic-endpoint>>, due to installation happening through the {agent}. After installation, Endpoint policies **will fail** to detect events until you approve and enable kernel or system extension loading and Full Disk Access for each version, as reflected in the **Administration > Endpoints** page of the security application.
28+
29+
- `10.13, 10.14, 10.15`: Approve the <<enable-kernel-extension,kernel-extension>>.
30+
31+
- `11.0` (Big Sur): Give Full Disk Access to the <<system-extension>>, as well as `co.elastic.systemextension`.
32+
33+
- - `10.14.6+, 10.15, 11.0`: Grant the <<endpoint-endgame-sensor,elastic-endpoint>> Full Disk Access.
34+
35+
[discrete]
36+
[[system-extension]]
37+
== System extension
38+
39+
To fully protect endpoints from malware and other cybersecurity threats when using Elastic Endpoint with system extensions, Full Disk Access must be enabled for the system extension during <<install-endpoint,installation>> on macOS Big Sur (11.0) and later.
40+
41+
--
42+
image::images/system-extension-prompt.png[System Extension Prompt]
43+
--
44+
45+
If you select **OK** and continue installation, you'll receive a prompt to **Filter Network Content**. Select **Allow**, and then use the following steps to enable Full Disk Access for the system extension.
746

847
1. Open the **System Preferences** application.
948
+
10-
2. Click **Security and Privacy**. On the Security and Privacy panel, select the **Privacy** tab.
49+
2. Click **Security and Privacy**. On the Security and Privacy panel, select the **Privacy** tab.
1150
+
1251
3. In the left pane, select **Full Disk Access**.
1352
+
1453
--
1554
image::images/select-fda.png[Select Full Disk Access]
1655
--
1756
+
18-
4. In the lower-left corner of the panel, click the **Lock button** and enter your username and password. You can now add the `elastic-agent` or `esensor` file.
57+
4. In the lower-left corner of the panel, click the **Lock button** and enter your username and password.
58+
+
59+
5. Click the + button to view Finder. Find the system extension `com.endgame.systemextension` (Endgame sensor) or `co.elastic.systemextension` (Elastic Endpoint) and select.
60+
61+
The system extension now has Full Disk Access. However, for both the {agent} and Elastic Endgame sensor to detect events from a macOS host, you must enable Full Disk Access for the file most relevant to your security setup.
62+
63+
[discrete]
64+
[[endpoint-endgame-sensor]]
65+
== Elastic Endpoint and Endgame sensor
66+
67+
The `elastic-endpoint` files appear after you've downloaded and installed the {agent} with <<install-endpoint,Endpoint Security Integration>>. Similarly, the `esensor` file for Elastic Endgame appears once you've downloaded the sensor on your host.
68+
69+
70+
1. Open the **System Preferences** application.
71+
+
72+
2. Click **Security and Privacy**. On the Security and Privacy panel, select the **Privacy** tab.
73+
+
74+
3. In the left pane, select **Full Disk Access**.
75+
+
76+
--
77+
image::images/select-fda.png[Select Full Disk Access]
78+
--
79+
+
80+
4. In the lower-left corner of the panel, click the **Lock button** and enter your username and password. You can now add the `elastic-endpoint` or `esensor` file.
81+
82+
5. Click the + button to view Finder. Select the file that pertains most to your Endpoint configuration:
83+
+
84+
- Endpoint Security: Navigate to `/Library/Elastic/Endpoint/` and select the `elastic-endpoint` file.
85+
+
86+
- Elastic Endgame: Navigate to `/Library/Endgame` and select the `esensor` file.
1987

20-
5. Click the + button to view Finder. Navigate to the `/Library/Endgame` directory, select the `elastic-agent` or `esensor` file, and then click *Open*.
88+
6. After you've selected the applicable file, click **Open**.
2189

22-
6. In the **Privacy** tab, confirm that the `elastic-agent` or `esensor` file appears in the list of applications that have full access permission, as seen in the following image:
90+
7. In the **Privacy** tab, confirm that the `elastic-agent` or `esensor` file appears in the list of applications that have Full Disk Access permissions.
2391

2492

25-
Elastic Endpoint Security now has the access required to fully protect your system.
93+
Elastic Endpoint now has the access required to fully protect your system.
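Review bot: the final verification step is now stale. Steps 4 and 5 were updated to add the `elastic-endpoint` file (from `/Library/Elastic/Endpoint/`), but step 7 still says to confirm that "the `elastic-agent` or `esensor` file appears" in the Full Disk Access list; a reader following the steps will never see `elastic-agent` there. Change it to `elastic-endpoint`. Other points in this file:
- The Elastic Endpoint list has a doubled bullet, "- - `10.14.6+, 10.15, 11.0`", which AsciiDoc will render as a literal "- " inside the item.
- The Big Sur bullet under Elastic Endpoint, "Give Full Disk Access to the <<system-extension>>, as well as `co.elastic.systemextension`", reads as two things, but the system extension is `co.elastic.systemextension`. Following the Endgame bullet above it, this should be: approve loading the system extension, allow network filtering, then grant Full Disk Access to `co.elastic.systemextension`.
- "MDM/JAMF users can pre-approve all Full Disk Access without granting permission to the sensors" says the opposite of what is meant; an MDM profile is how the permission gets granted, just without the end user being prompted. Suggest "MDM/JAMF users can pre-approve the extensions and grant Full Disk Access by profile so the end user is never prompted."
- In the "System extension" section, step 5 tells the reader to "Find the system extension ... and select" with no location, whereas the later section gives `/Library/Elastic/Endpoint/` and `/Library/Endgame`. Either add where the extension is selected from, or say that it is picked from the list the Full Disk Access pane already shows once the extension has been approved, whichever is true.
- The intro says Full Disk Access was introduced in Mojave (10.14), but both version lists say "10.14.6+"; if the sensors only support Full Disk Access from 10.14.6, the intro should say so, otherwise drop the ".6".
- "approve loading the kernel" (Endgame 10.13, 10.14, 10.15 bullet) should be "approve loading the kernel extension", matching the link text.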
