Skip to main content
Question

Crowdstrike Full Disk Access for M1 MacBook

  • May 27, 2022
  • 7 replies
  • 187 views
N
Forum|alt.badge.img+3

Hello All

I successfully deployed the CrowdStrike with this instruction; however, the user has to manually allow the Full Disk Access in the Security & Privacy.

https://supportportal.crowdstrike.com/s/article/ka16T000000wwxVQAQ

Does anybody know how to do it or can lead me to the instruction?  I have read several articles and got confused.

Thanks

Nam

    7 replies

    Macweazle
    Forum|alt.badge.img+5
    • Macweazle
    • Contributor
    • May 30, 2022

    This article seems to cover the topic pretty well. 

    https://supportportal.crowdstrike.com/s/article/ka16T000000wwxpQAA

     

     

    B
    Forum|alt.badge.img+1

    As a note, working with Crowdstrike we discovered if you use the firmware scanning of the Falcon sensor, you will be unable to make it fully silent.

    H
    Forum|alt.badge.img+4
    • hdagidir
    • Contributor
    • June 27, 2022

    Has anyone had success with this? We could not provide full disk access with the profile configuration file on devices with neither Intel nor M1 chipsets.

    Macweazle
    Forum|alt.badge.img+5
    • Macweazle
    • Contributor
    • June 28, 2022

    Sure. Otherwise it would have been very, very, painful to deploy. The PPPC should look something like this:

    <key>SystemPolicyAllFiles</key> <array> <dict> <key>Allowed</key> <integer>1</integer> <key>CodeRequirement</key> <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string> <key>Comment</key> <string></string> <key>Identifier</key> <string>com.crowdstrike.falcon.Agent</string> <key>IdentifierType</key> <string>bundleID</string> <key>StaticCode</key> <integer>0</integer> </dict> </array>

     

    H
    Forum|alt.badge.img+4
    • hdagidir
    • Contributor
    • June 28, 2022

    Sure. Otherwise it would have been very, very, painful to deploy. The PPPC should look something like this:

    <key>SystemPolicyAllFiles</key> <array> <dict> <key>Allowed</key> <integer>1</integer> <key>CodeRequirement</key> <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string> <key>Comment</key> <string></string> <key>Identifier</key> <string>com.crowdstrike.falcon.Agent</string> <key>IdentifierType</key> <string>bundleID</string> <key>StaticCode</key> <integer>0</integer> </dict> </array>

     


    Thanks  Macweazle

    Could you make a healthy distribution in this way? Could you make a healthy distribution in this way? Is there a medium where you can share this PPPC file? There is one more thing that I am wondering about. Should I send the Profile file to the client before installing the Falcon agent? Or later?

    Macweazle
    Forum|alt.badge.img+5
    • Macweazle
    • Contributor
    • June 28, 2022

    You need to distribute the config profile first, otherwise your users will get those dialogs.
    Just enter the value in the PPPC like this:

     

    You'll probably want to allow the system extension as well:

    H
    Forum|alt.badge.img+4
    • hdagidir
    • Contributor
    • June 28, 2022

    Hi,

     

    Although I created a configuration file in this way, I could not get a positive result.

    Terms & ConditionsCookie settingsAccessibility statement