Add full disk access for Puppet on macOS 10.14 and newer

Beginning with macOS 10.14, you must add Puppet to the full disk access list, or allowlist, in order to run Puppet with full permissions and for it to properly manage resources like user and group on your system.

Complete these steps before attempting to install macOS agents.
  1. Run the following command to remove the .sh extension from the wrapper.sh file: 
    mv /opt/puppetlabs/puppet/bin/wrapper.sh /opt/puppetlabs/puppet/bin/wrapper
  2. Run the following commands to relink facter, hiera, and puppet with the newly renamed file: 
    ln -sf /opt/puppetlabs/puppet/bin/wrapper /opt/puppetlabs/bin/facter
    ln -sf /opt/puppetlabs/puppet/bin/wrapper /opt/puppetlabs/bin/hiera
    ln -sf /opt/puppetlabs/puppet/bin/wrapper /opt/puppetlabs/bin/puppet
  3. In your Mac Preferences, click Security & Privacy, select the Privacy tab, and click Full Disk Access in the left column.
  4. Click the lock icon, enter your password, and click Unlock.
  5. Click the + button, then type the ⌘ (Command) + Shift + G shortcut key.
  6. Enter /opt/puppetlabs/bin, then click Go.
  7. Click on the puppet file, then click Open.