Hi @boatymcboatface ..
I currently have deployed CS in my environment .. so far you can only suppress both System Ext + Network filter but not the Notification ..
Hope the below images help!




I honestly don't even know why the latest releases of CS pop up a notification approval. The "Falcon.app" doesn't do anything on its own per se. No-one would ever run it like a normal application, so why does it pop up a Notification Center message like that? Seems silly, and like something Crowdstrike should suppress on their own.
@rkeleghan Thanks so much for this, it is great to have it all laid out and easy to follow.
I built my config just as you have shown, applied it, installed Falcon, and activated it. Falcon is running and CS sees the new host, however in SysPref > Privacy, the Agent is still unchecked for Full Disk Access. I had thought that the PPPC settings were specifically supposed to allow that?
From what I've seen, when JAMF deploys a Configuration Profile that grants the permissions rather than having the users manually approve the access it won't show up as checked. As long as the application itself is reporting properly and not prompting to grant access you've done everything just fine.
Hi @boatymcboatface ..
I currently have deployed CS in my environment .. so far you can only suppress both System Ext + Network filter but not the Notification ..
Hope the below images help!




Hi @rkeleghan ,
Thanks for sharing the settings, I am following this for my deployment.
Did this work even if you don't have a distribution point configuration?
For everyone who has successfully deployed Crowdstrike, are you doing so on Intel based Macs? Have you had any success with M1 based Macs?
I'm deploying to a mixed environment between Intel and M1 devices, there doesn't seem to be a need for different Config Profiles or Policies as the PKG will know to install the appropriate version based off the device configuration. I can confirm installations on either type of machine report back and activate successfully on both types of devices. (With a recently up-to-date version of CrowdStrike of course)
Thanks for the help in advance!
Do you have a reference step by step guide in deploying Crowdstrike from Jamf?
I am lost on the package settings as it requires to be in a distribution point. All the searches I did only show configuration profiles but not the Crowdstrike Package.
My second question is, where did you put the Crowdstrike installer/Package in Jamf?
Sure, before making a policy you will need to upload your package into your JAMF portal. To do so, log in to your JAMF page and click on the gear/settings icon at the top-right. Scroll down to the "Computer Management" section and click on "Packages".

Select your .PKG file and upload. Once uploaded, it may take a minute or two to fully sync. You can then go back into your Policies, create a new Policy, configure the "Packages" payload and select "Configure" to choose the PKG file you just uploaded.

Once you save and scope your policy to your test machines, you should be able to see the installation go through. Per Crowdstrike's documentation I also added a short script to license and activate Falcon after installation similar to below:
/Applications/Falcon.app/Contents/Resources/falconctl license ENTERFALCONLICENSECODEHERE
Let me know if that helps!
I'm deploying to a mixed environment between Intel and M1 devices, there doesn't seem to be a need for different Config Profiles or Policies as the PKG will know to install the appropriate version based off the device configuration. I can confirm installations on either type of machine report back and activate successfully on both types of devices. (With a recently up-to-date version of CrowdStrike of course)
Thanks for the reply. Do you happen to know what version of MacOS your M1 devices are running?
I recently tried to deploy Crowdstrike but we ended up with many M1 Macs running Big Sur rebooting into "Boot Recovery Assistant" and asking for an admin password to "verify startup disk". Very similar to what was going on in this other thread.
https://community.jamf.com/t5/jamf-pro/big-sur-m1-mac-filevailt-2-admin-user-big-problems/m-p/224622
Sure, before making a policy you will need to upload your package into your JAMF portal. To do so, log in to your JAMF page and click on the gear/settings icon at the top-right. Scroll down to the "Computer Management" section and click on "Packages".

Select your .PKG file and upload. Once uploaded, it may take a minute or two to fully sync. You can then go back into your Policies, create a new Policy, configure the "Packages" payload and select "Configure" to choose the PKG file you just uploaded.

Once you save and scope your policy to your test machines, you should be able to see the installation go through. Per Crowdstrike's documentation I also added a short script to license and activate Falcon after installation similar to below:
/Applications/Falcon.app/Contents/Resources/falconctl license ENTERFALCONLICENSECODEHERE
Let me know if that helps!
Thanks @kvmart I followed the configuration profiles from @rkeleghan and policy to install package as you stated. The configuration profiles were successfully pushed on the target machine however push of the package is failing.
Package installation profile

Package installation failed with errors below

It looks like it's failing to download. Any idea? Thanks for helping.
Just to share - the package is now deployed successfully, however the latest error I'm getting is shown in the screenshot.

This error appears whenever I tried to activate Falcon using the script from Jamf. It looks like Jamf is looking for a directory that doesn't exist.
I'm deploying to a mixed environment between Intel and M1 devices, there doesn't seem to be a need for different Config Profiles or Policies as the PKG will know to install the appropriate version based off the device configuration. I can confirm installations on either type of machine report back and activate successfully on both types of devices. (With a recently up-to-date version of CrowdStrike of course)
Are you pushing the kernel extensions and system extensions in the same config profile to both M1 and Intel? I am setting up for deploying and was told to break out system and kernel extensions from each other
I was deploying a single config profile with system and kernel extensions to all devices running MacOS 11 and above (M1 and Intel). Good to know that I should separate those. Thanks. Could you send a screen shot of the difference between those two config profiles you're using?
According to their docs, it warns against using a profile that includes kernel extensions on M1 machines.
Hey,
The configuration profile for Crowdstrike for M1 and Intel based Macs should be separate due to the fact that M1 doesn't support kernel extensions.
So basically the Config Pro for M1 is the Intel Config Pro minus the kernel extension.
Hope that helps.
Just to share - the package is now deployed successfully, however the latest error I'm getting is shown in the screenshot.

This error appears whenever I tried to activate Falcon using the script from Jamf. It looks like Jamf is looking for a directory that doesn't exist.
In the policy used to deploy CS, you can add this line of code in the "Files and Processes" for the licensing:
sudo /Applications/Falcon.app/Contents/Resources/falconctl license XXXXXXXXXX-YY
where XXXXX-YY represents your license (see my screenshot)
I believe you're adding a script on its own when one line of code was enough.
It also looks like your script is grabbing or deploying the license to the wrong location.
Let me know if this helps.
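Added example, not part of the original thread or CrowdStrike's documentation: a Jamf policy script form of the licensing step above that stops with a clear message when falconctl is not at the path quoted in the thread (the "directory that doesn't exist" case). It assumes the license code is supplied as Jamf script parameter 4; the `FALCONCTL` override and the `license_falcon` function name are hypothetical.

```shell
#!/bin/sh
# Added example: license the Falcon sensor from a Jamf policy script.
# Default path is the one quoted in the thread; FALCONCTL is a hypothetical
# override so the function can be exercised against a stub.
FALCONCTL="${FALCONCTL:-/Applications/Falcon.app/Contents/Resources/falconctl}"

# license_falcon CODE
# Returns 0 on success, 2 if no code was supplied, 3 if falconctl is not
# installed at the expected path, 4 if falconctl itself reports failure.
license_falcon() {
    code="$1"
    if [ -z "$code" ]; then
        echo "No license code supplied (expected Jamf script parameter 4)" >&2
        return 2
    fi
    # Catches the case where the script runs before the package has
    # installed, or the path in the script is wrong.
    if [ ! -x "$FALCONCTL" ]; then
        echo "falconctl not found at $FALCONCTL; is the sensor installed?" >&2
        return 3
    fi
    # Jamf runs policy scripts as root, so sudo is not needed here.
    if ! "$FALCONCTL" license "$code"; then
        echo "falconctl license failed" >&2
        return 4
    fi
    return 0
}

# Jamf reserves parameters 1-3; custom parameters start at 4. Taking the
# code from a parameter keeps it out of the script body.
if [ "$#" -ge 4 ]; then
    license_falcon "$4"
    exit $?
fi
```

Run this in a policy ordered after the package install so a non-zero exit marks the policy as failed in the Jamf logs.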
Thanks @kvmart I followed the configuration profiles from @rkeleghan and policy to install package as you stated. The configuration profiles were successfully pushed on the target machine however push of the package is failing.
Package installation profile

Package installation failed with errors below

It looks like it's failing to download. Any idea? Thanks for helping.
It looks like you were having some connectivity issues that interrupted your deployment.
One good suggestion to keep in mind when it comes to these types of "heavy" deployments is to maybe use one policy to "cache" the pkg and then another policy to deploy it.
That way, even if the user loses connection, the deployment will be able to complete.
Thanks for the help in advance!
Do you have a reference step by step guide in deploying Crowdstrike from Jamf?
I am lost on the package settings as it requires to be in a distribution point. All the searches I did only show configuration profiles but not the Crowdstrike Package.
My second question is, where did you put the Crowdstrike installer/Package in Jamf?
http://www-personal.umich.edu/~dekemar/Falcon_Sensor_for_Mac_Deployment_Guide(version_6.11_and_later).pdf
This should help.
In the policy used to deploy CS, you can add this line of code in the "Files and Processes" for the licensing:
sudo /Applications/Falcon.app/Contents/Resources/falconctl license XXXXXXXXXX-YY
where XXXXX-YY represents your license (see my screenshot)
I believe you're adding a script on its own when one line of code was enough.
It also looks like your script is grabbing or deploying the license to the wrong location.
Let me know if this helps.
Thank you!
I had a separate script for license activation.
I tried yours and it worked perfectly.
Hey,
The configuration profile for Crowdstrike for M1 and Intel based Macs should be separate due to the fact that M1 doesn't support kernel extensions.
So basically the Config Pro for M1 is the Intel Config Pro minus the kernel extension.
Hope that helps.
Hi,
You mentioned that the M1 and Intel configuration profiles should be different. Is there an example for this? I used the profile configuration file that Crowdstrike distributed, but I could not provide full disk access on either M1 or Intel devices. Where could we be going wrong?
Hi @boatymcboatface ..
I currently have deployed CS in my environment .. so far you can only suppress both System Ext + Network filter but not the Notification ..
Hope the below images help!




Late to this post, but I'm doing this now and thought I'd share about the notifications:
- It looks like "Falcon Notifications" is a separate app from "Falcon" and is located here: "/Applications/Falcon.app/Contents/Library/LaunchServices/Falcon Notifications.app"
- The bundle ID from that app's Info.plist file is "com.crowdstrike.falcon.UserAgent"
- Using that bundle ID in a config profile notifications payload took care of things for me.

Thanks for this article, it really helped me out! I'm still looking to suppress login items and login items notifications in macOS Ventura.
I honestly don't even know why the latest releases of CS pop up a notification approval. The "Falcon.app" doesn't do anything on its own per se. No-one would ever run it like a normal application, so why does it pop up a Notification Center message like that? Seems silly, and like something Crowdstrike should suppress on their own.
I totally agree!
Late to this post, but I'm doing this now and thought I'd share about the notifications:
- It looks like "Falcon Notifications" is a separate app from "Falcon" and is located here: "/Applications/Falcon.app/Contents/Library/LaunchServices/Falcon Notifications.app"
- The bundle ID from that app's Info.plist file is "com.crowdstrike.falcon.UserAgent"
- Using that bundle ID in a config profile notifications payload took care of things for me.

This worked perfectly, thank you!