If you have to install version 6 and above of CrowdStrike on Big Sur, you have to install their unsigned profile first. This profile can only be uploaded and distributed with MDM solutions.
In order to upload to MDM, that profile needs to be signed first.
Original location of the profile: https://supportportal.crowdstrike.com/s/article/Tech-Alert-Preparing-for-macOS-Falcon-Sensor-6-11
1 - Follow Steps explained here,
If Jamf freezes while generating the pem, ignore it & refresh the page
2- After it is generated under keychain, please locate the certificate and look for "Subject Key Identifier" Value. Copy it to clipboard and remove spaces.
3- Generate a signed version of the mobile config profile with the command below in Terminal
sudo /usr/bin/security cms -S -Z SubjectKeyIdentifierValue -i ActualPathofUnSignedProfile -o OutPutWhereYouLiketoSaveSignedProfile
After the configuration is in place, please create a policy to push the install package with the bash script below.
Either you can place the CID in the script or add it as a parameter in the Jamf script options part.
if [ -f "/Applications/Falcon.app/Contents/Resources/falconctl" ] ; then
    sudo /Applications/Falcon.app/Contents/Resources/falconctl license Your CID Here
fi
echo "Crowdstrike installed successfully"
exit 0
Thanks for this but I'm still having issues getting CrowdStrike working, specifically the System Extension. Any advice would be great. I've signed the provided profile from CrowdStrike and still no go. I've also built a clean profile from scratch best guessing the system extension section from the download config. No matter what I've tried after installing CrowdStrike in a clean VM I'm always prompted to approve the System Extension.
Signed profile from Crowdstrike, System Extension is blank??
Configuration profile I built based on the provided CrowdStrike profile
I tried the original method exactly but still came up with this error:
"IMXXX-X0:~ root# /usr/bin/security cms -S -Z "SubjectKeyIdentifierwithnospaces" -i /Users/xxx/Desktop/Falcon Profile.mobileconfig -o /Users/xxx/Desktop/Signed Falcon Profile.mobileconfig
security: failed to find identity with subject key ID: "SubjectKeyIdentifierwithnospaces": The specified item could not be found in the keychain.
security: could not find signing identity for subject key ID: "SubjectKeyIdentifierwithnospaces"
security: problem signing
I tried searching on that error message but to no avail. Any guidance/troubleshooting steps I can take to help would be appreciated.
@inflicted I'm not certain I'm doing this right but this is how I signed the provided configuration profile from CrowdStrike. Having said that, even after signing it and uploading it to Jamf (jamf shows it as signed as does the client), I still get prompts for the System Extension but it's not that the System Extension is blocked, it's that it's been updated.
Follow this guide, create a CSR and I used Jamf to sign it.
Search on page for the headings:
Signing Profiles for Trust Only by Jamf-enrolled Clients
Create A CSR on Your Mac
Upload the CSR to your Jamf Pro Server
Once I had the pem file, I loaded it into the keychain, note I didn't get the prompt that they do in their post as to where to install it (10.15 here). It just appeared for me under login. I set the certificate to trusted in the keychain then attempted to sign it while it was in login and it failed for me with the same error as you get. I moved the certificate, private and public key to "System" and ran the security command again. It creates a signed profile but I do get the following warning on create.
Warning: unable to build chain to self-signed root for signer "(null)"
Checking a client with the profile installed, it shows CrowdStrike Inc. Verified and it's signed by my organization (Common name).
I used -N instead of -Z with the security command.
sudo /usr/bin/security cms -S -N COMMON_NAME -i "Falcon Profile.mobileconfig" -o Signed.mobileconfig
@DanielHirt I pulled a fresh profile down from CS today and signed it, uploaded it to jamf, snapped my VM back, installed the config profile and then installed CS 6.12. I still get the System Extension prompt as noted above, "A program has updated the system extension...". Now that I look, I see you are correct, a new PPPC addition. Checking the profile I manually created as well I have Socket Filter and a Network Filter in Content Filter whereas the profile from today only seems to have a Network Filter.
I've asked a coworker for a second set of eyes on this to work through the process fresh and see their result.
Coworker had the same results I did. CS provided signed profile or building a profile in Jamf, System Extension needs to be approved as it's been updated. My coworker thought of something and tested, disable the network shortly after (10 - 15 seconds) the installation and licensing of CrowdStrike. You'll notice no prompts and CS is running (assuming your profile is correct). If you check System Preferences > Security it will show "New system extensions require a restart before they can be used" but there were no prompts indicating this and CS is running, or appears to be.
Click restart (make sure network is still disabled)
Once back in to Big Sur, confirm CS is running: /Applications/Falcon.app/Contents/Resources, falconctl stats and/or falconctl load/unload. In the stats command it will show as not connected. Check System Preferences > Security and everything is happy. Let it sit for 10 minutes, nothing. Now enable network. Within a few minutes you'll get the System Extensions updated prompt. So what's changing?
If anyone would like to try the above to confirm that would be great!
@ubcoit Just my 2 cents... I manually setup the config profile in Jamf pretty much identical to what you have above without the Approved Kernel Extensions and don't receive any prompts for approval/update and don't have to restart because of approved kernel extensions. I've tested this on macOS 10.15 and 11.
If you have Macs that are below macOS 10.15 I would recommend creating a separate config profile for the Approved Kernel Extensions, anything above 10.15 will use the System Extension. You are seeing the note to restart in Sys Prefs because of the kernel extension approval.
@Joyrex Thanks for the suggestion. I removed the Kernel Extensions portion from my Configuration Profile and tested again. Snapped my VM back, applied the configuration profile and then installed CS (tried both v6.12.125.05 and v6.14.12704.0) and licensed. I still get the "New system extensions require a restart before they can be used" after install. Letting the machine idle for a minute or two, I then get the below prompt which is different than past prompts.
System Extension Blocked
A program tried to load new system extensions(s) signed by "CrowdStrike Inc." that need to be updated by the developer
This sure sounds like a kernel extension trying to load.
@Joyrex "New system extensions require a restart before they can be used" shows up immediately after installation.
This prompt appears within a couple minutes after installation.
All my testing has been done in the same VM, just snapping back to a clean state (enrolled in Jamf but no CS installed). A coworker was doing testing as well (prior to removing the kernel extension) with the same results on actual hardware.
I'll see if I can find hardware to test on.
@Joyrex I did a clean installation of Big Sur on a Mac Mini and tested, same result. I get the prompt "System Extension Blocked: A program tried to load new system extension(s) signed by "CrowdStrike Inc." that need to be updated by the developer."
I will mention though that the "New system extensions require a restart before they can be used" appearing in System Preferences > Security is actually a result of the configuration profile applying. This is not a result of the installation of CrowdStrike. On this Mac Mini I noticed this and rebooted the Mac Mini prior to installing CrowdStrike. So to be clear, before I installed CrowdStrike I checked System Preferences > Security and there was nothing to approve there.
I've engaged CrowdStrike support and they are indicating that it's a known problem with Jamf Pro and have documentation on how to sign the configuration profile from them. To which I told them I've done but it's still not working. They said to contact Jamf support anyways as perhaps there is a signature problem with the signed and uploaded configuration profile.
I'll be reaching out to Jamf support in the morning.
Cisco AMP is working, we've built the configuration profile and as long as it's sent to the device before AMP is installed, it's all good.
Thanks again for your suggestions.
@ubcoit I am having the same exact issue, and have gone through all the steps in this thread before searching for it on Jamf Nation. I'm both happy and sad that I'm not the only one with this issue (sad because I'm not sure what the issue is). I've built manually, pulled from CS and signed, tried CS unsigned. All attempts unsuccessful. Has Jamf support been able to get back to you with anything on this?
@araney That's the problem I'm having. Either with a signed CS configuration profile uploaded or manually creating it in Jamf, same result.
"A program has updated a system extension(s) signed by CrowdStrike..."
If you disconnect network after you install/license Crowdstrike you won't get a prompt. CS is running, no prompts, reboot and let it sit, with no network life is good. Turn network back on and within a few minutes the prompt comes up. Seems to me CS is getting an update from the cloud.
@lukasindre Yes, Jamf confirmed a known product issue (PI) in regards to this. Still working with Jamf and CS support.
I'm using the one CS provided (https://falcon.crowdstrike.com/support/documentation/22/falcon-sensor-for-mac#prerequisite:-using-mdm-to-sync-profiles-before-installing-or-upgrading), and I get the following error filling my Jamf console for all devices: "<Exception> -[__NSCFConstantString objectForKeyedSubscript:]: unrecognized selector sent to instance 0x7fff8ad8b0e0"
I'm still working with Jamf and CrowdStrike support on this. The last go I sent CS Wireshark data and logs for them to analyze and with Jamf I've sent them demo videos of the process and my CS installer and activation code in hopes that they attempt the process on their end. It's the back and forth email tag. Tag, they're it!
I'm having the same issue.... but only on machines that start on BigSur. -- Machines that have Catalina installed, then upgrade to BigSur, do not receive the prompt for systemextension update.
I suspect it's related to how BigSur is handling kext_extension trust vs. those inherited via MDM, and how CS 'reconfigures its self'
I also used the demo profile from CS as my template...
The Catalina -> BigSur machines do not have this pesky little '4' in the kext_policy table, but those that start on BigSur do...
I've definitely been beating my head against the wall on this 'prompt to allow update' nonsense....
@ubcoit -- I'm anxious to hear what JAMF/CS were able to figure out here...
The kext_policy_mdm table doesn't have the mystery '4' -- but the kext_policy table does. ( inherited )
Oddly enough, the upgrade from catalina machines are NOT having any issue as long as they had the config profile ahead of time... it's the ones STARTING on BigSur that do...
There was another post ( https://www.jamf.com/jamf-nation/discussions/37623/falcon-sensor-system-extension-approval )
that suggested completely separating out KEXT from SYSEX from PPPC etc.... which makes perfect sense...
Especially since the M1 machines absolutely HATE LIFE when you have anything legacy in a cfg profile...
I'm going to see if separating out KEXT/SYSEX solves the issue...
If you could share your raw config profile that might be super-helpful as well...
e.g. download the .mobileconfig file from JSS, then: security cms -D -i "Falcon SYSEX BigSur.mobileconfig"
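An added example, not from any poster in this thread: a Python check that reads the XML printed by security cms -D and reports two conditions raised above, a System Extension payload that is blank and kernel and system extension payloads combined in one profile. The team ID EXAMPLE123 and bundle ID com.example.sensor.Agent are constructed placeholders; the payload types and key names are Apple's documented ones.

```python
import plistlib

SYSEXT = "com.apple.system-extension-policy"
KEXT = "com.apple.syspolicy.kernel-extension-policy"

def audit_profile(xml_bytes):
    """Return findings for a decoded (CMS wrapper already removed) profile."""
    profile = plistlib.loads(xml_bytes)
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType") for p in payloads]
    findings = []
    sysext = [p for p in payloads if p.get("PayloadType") == SYSEXT]
    if not sysext:
        findings.append("no system extension payload")
    for p in sysext:
        allowed = p.get("AllowedSystemExtensions", {})
        teams = p.get("AllowedTeamIdentifiers", [])
        # A payload that names no team and no bundle IDs approves nothing.
        if not teams and not any(allowed.values()):
            findings.append("system extension payload is empty")
    if KEXT in types and SYSEXT in types:
        findings.append("kernel and system extension payloads share one profile")
    return findings

def make_profile(payloads):
    """Build a constructed sample profile (all identifiers are placeholders)."""
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadDisplayName": "Constructed sample",
                           "PayloadContent": payloads})

# Constructed sample payloads, not taken from any vendor profile.
FILLED = {"PayloadType": SYSEXT,
          "AllowedSystemExtensions": {"EXAMPLE123": ["com.example.sensor.Agent"]}}
BLANK = {"PayloadType": SYSEXT, "AllowedSystemExtensions": {}}
LEGACY = {"PayloadType": KEXT, "AllowedTeamIdentifiers": ["EXAMPLE123"]}

if __name__ == "__main__":
    for name, payloads in [("filled", [FILLED]), ("blank", [BLANK]),
                           ("mixed", [FILLED, LEGACY])]:
        print(name, audit_profile(make_profile(payloads)))
```

To run it on a real profile, save the output of security cms -D to a file and pass that file's bytes to audit_profile; a still-signed .mobileconfig will not parse as a plist.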