Apple made a security decision a few years back that prevents any application, including one running as root, from reading the underlying device (disk(s)/volume(s)) as a raw device.

This is across the board and part of the new security layers Apple has added to the core OS.

If you are looking for a full disk image, your options are limited when working remotely. You can try disabling System Integrity Protection (SIP) and using traditional F-Response (Intel Macs only), but the very act of disabling SIP is a two-reboot process and requires physical access to the machine. In many cases this is impossible given the circumstances. In addition, some organizations are unwilling to disable SIP.

However, if your goal is just to collect files from that remote Apple machine, we have a couple of options:

  1. F-Response Collect now contains subject executables for Apple OSX including both the ARM (M1/M2) and Intel (x86_64) architectures.
  2. F-Response Collect lets you acquire user home directories and custom selections of logical files and folders. For more information, check out the latest mission guide on our website, F-Response Collect for Apple OSX.

F-Response (Consultant and above, including Universal) offers Agentless Collection, an SSH/SFTP mechanism for accessing and collecting file and folder content. While not full physical access, this method provides logical file/folder collection over a direct connection.

Best of all, neither of the above options requires disabling SIP.
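
Before choosing between these options it helps to record the subject's SIP state and CPU architecture. The following pre-flight check is an added example, not part of F-Response or its documentation; the function names and the key=value output format are hypothetical, and it relies only on the stock macOS `csrutil status`, `uname -m` and `sysctl` commands.

```shell
#!/bin/sh
# Added example (not F-Response code). Function names and the key=value
# output format are hypothetical.

# classify_sip: reduce `csrutil status` output to enabled|disabled|unknown.
# Anything other than a plain "disabled" (e.g. a custom configuration) is
# treated as not disabled, so raw-device access is never assumed.
classify_sip() {
    case "$1" in
        *"System Integrity Protection status: enabled"*)  echo enabled ;;
        *"System Integrity Protection status: disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# preflight SIP_OUTPUT ARCH: print one line for the case notes.
#   raw_device=candidate only when SIP is already disabled on an Intel Mac
#   subject_build names the Collect subject executable matching the CPU
preflight() {
    sip=$(classify_sip "$1")
    arch=$2
    raw=no
    if [ "$sip" = disabled ] && [ "$arch" = x86_64 ]; then
        raw=candidate
    fi
    case "$arch" in
        arm64|x86_64) build=$arch ;;
        *)            build=none ;;
    esac
    echo "sip=$sip arch=$arch raw_device=$raw subject_build=$build"
}

# Live run, only on a Mac (csrutil present). A shell translated by Rosetta
# reports x86_64 on Apple Silicon, so correct for that first.
if command -v csrutil >/dev/null 2>&1; then
    arch=$(uname -m)
    if [ "$(sysctl -n sysctl.proc_translated 2>/dev/null)" = 1 ]; then
        arch=arm64
    fi
    preflight "$(csrutil status 2>&1)" "$arch"
fi

# Constructed sample input (not captured from a real host):
preflight "System Integrity Protection status: enabled." arm64
```

Logical collection over SSH/SFTP does not depend on either value, so it remains available whatever the script reports.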

Check out F-Response Collect, or the Agentless section in the manuals (F-Response Classic, F-Response Universal) for more information.