
Hi all,
I'm actually using this config profile for pushing system/kernel approval and PPPC control.
Everything looks to be working except for the "System extension approval": it keeps asking for the approval.

It is actually working in macOS Catalina, but I'm not that lucky for macOS Big Sur. Any advice?

So I've been doing a lot of work with version 6.14. First thing ... split up your profiles! Make the PPPC its own, the KEXT its own, the SysExt its own and so on... Trust me, your Apple Silicon macs will eventually thank you. I've attached how the System Extension payload should look.


Hello

What criteria are you using for pushing sys ext vs kernel extensions? Or are you just pushing all policies (PPPC, sys ext, kernel ext, etc.) to all machines?


I've got smart groups for our machines, per OS back to 10.13 and assign each smart group as per what needs what.

System Extensions

10.15.x
11.x.x
12.x.x

PPPC

10.14.x
10.15.x
11.x.x
12.x.x

Content Filter

10.15.x
11.x.x
12.x.x

Kernel Extensions

10.13.x
10.14.x
10.15.x


Awesome, thanks so much for this info. I have smart groups for each OS as well, will scope it out as you have done. Last question: does the processor type matter, as in Intel or M1, when creating and scoping these smart groups?


I don't believe CPU type makes a difference but I do have smart groups per Intel/M1 for these just for more control and who knows what's happening tomorrow.


I have an answer for those like me who got here with a Google search. If you have the "System Extension Updated/Blocked" window (first, it's a lie: it's a legacy kernel extension), it's because the BIOS Standard Visibility is enabled on a Falcon policy. This will not only show up at the sensor installation (on Big Sur and above), but at every sensor update going forward. Note that whatever the end user does, Falcon is still running and working. It just won't gather firmware data until the kext is approved and the computer rebooted.

The popup won't show up on M1 computers because this firmware analysis feature doesn't seem to exist.


FYI - We are running Crowdstrike at my organisation and we've just been informed that the BIOS visibility settings for any Mac running a T2 chip should be disabled.


See extract from Crowdstrike email:

BIOS Visibility is not supported on M-series Apple Silicon (M1)-based Macs.
BIOS Integrity Check is not supported on Macs with T2 chips - which at this point is the vast majority of Mac hardware.

Given the limited percentage of Mac hardware that can take advantage of BIOS Visibility, we no longer recommend to customers that this feature be enabled on Macs.


The BIOS stuff requires a KEXT to work, period, no matter the device type or OS. That's the reason it should be disabled, as the functionality isn't exposed via system extensions.

The CS guys on mac admins slack highly recommend disabling it, and we've had zero issues since doing that at my org.