Jamf Nation Community

fsurucu · ‎12-01-2020

If you have to install version 6 and above of crowdstrike on bigsur, have to install their unsigned profile first. This profile only be uploaded and distributed with MDM solutions.

In order to upload to MDM, that profile needs to be signed first.

Original location of the profile --- > https://supportportal.crowdstrike.com/s/article/Tech-Alert-Preparing-for-macOS-Falcon-Sensor-6-11

1 - Follow Steps explained here,
https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority

If jamf freezes during generate of pem, ignore it & refresh the page

2- After it is generated under keychain, please locate the certificate and look for "Subject Key Identifier" Value. Copy it to clipboard and remove spaces.

3- Generate signed version of the mobile config profile following below command at terminal

sudo /usr/bin/security cms -S -Z SubjectKeyIdentifierValue -i ActualPathofUnSignedProfile -o OutPutWhereYouLiketoSaveSignedProfile

ubcoit · ‎01-21-2021

@mallen13

Yes, I see I missed a command there. I already snapped my VM back so I couldn't run the command. Just running through some more tests.

Q. The sql information output, I'm guessing that is kernel extensions and not system extensions?

I ask because I just removed the kernel extensions from my profile, applied the profile to the system, rebooted. Installed CrowdStrike, within 10 seconds of it installing, I disabled network and let the system idle. Not prompts, Falcon is running. When I checked systemextensionsctl list I see the System Extension. When I run the sql commands, I see nothing listed which if these are kernel extensions, that's expected. Enabled network again, wait, 1-2 minutes usually but sometime longer but eventually the prompt comes up that System Extensions have been updated... Run systemextensionsctl list again, no obvious change from that output. But running the sql commands again I now have entries in there. This last go mine had a 20 at the end, not a 4. So is CrowdStrike still trying to load kernel extensions once it's talks back to the cloud? I'm just guessing here.

mallen13 · ‎01-21-2021

Well... so I guess that is the mystery then...

the dreaded "To finish the update, you must approve it in the Security & Privacy System Preferences" dialog is my arch-enemy at this point. - CS does do an update via it's own client.... but even though it's "trusted" -- it still produces this bleemin' dialog.
( on BigSur only.... Catalina seems to work as designed, and does not prompt... )

When I find a solution, I will certainly share it here... -- this is driving me CRAZY.... :-)
I was hoping you had gotten something back from CS/JAMF....

ubcoit · ‎01-21-2021

@mallen13

I have a video of it but can't upload it here. :( But if in fact the output of sqlite is kernel extension related, isn't the problem with CrowdStrike as on Big Sur, their client should be using System Extensions ONLY and not attempting to do anything with kernel extensions?

To be honest, support from both have been on going but not overly helpful at this point. And to top it off, it's slow. Send email, wait a day, reply, wait a day... or longer. At some point someone needs to call someone and do a remote session. CS support is just pointing the finger at Jamf, not there problem. But if the above findings are correct, it seems to be there is a flaw in the CrowdStrike software if it's trying to use kernel extensions on Big Sur. I'm not a software engineer, I just have to deploy this stuff.

mallen13 · ‎01-21-2021

That is correct. -- BigSur should be using SYSTEMEXTENSIONS only, no longer KEXTs. -- but the CS template they provided covers both SYSEX and KEXT. ( hence my trying to separate them out... )

IKR? I feel you pain. -- the deployment seems to go smooth / quiet, but the 'update' is throwing the flag.

It sounds like you and I are in the same boat... fighting the same dialog box... sigh

Do let me know if you get anywhere... ( and yes, I have similar video I'm sure.... )
likewise, I'll let you know if I find an answer in the meantime. --- you are most likely correct though, CS is probably the party that needs to fix it... I'm sure you will notice that theirs ( and most vendors ) instructions read something like....

"Make sure you tell your end-user to click on the allow/ok button or the software will not function"

whereas clearly, we can NOT rely on end-users to allow something as critical as AV to function.... smh

mallen13 · ‎01-21-2021

@franton sorry to tag you / pull you into this... but is this the behavior you were able to circumvent by splitting out SYSEX / KEXT / PPPC and scoping out separately for Catalina vs. BigSur ?

I am having NO ISSUES on Catalina, but am fighting BigSur to avoid the 'allow update' prompt for CS

nascheid · ‎01-26-2021

I too am having difficulty getting the CS provided Profile to install on both Intel Big Sur and M1 Big Sur. I uploaded the Falcon Profile 4 times and trimmed them so I have 1 PPPC profile, 1 Sys Ext, 1 KExt, and 1 web filter profile. Same error as @davidi4 :

<Exception> -[__NSCFConstantString objectForKeyedSubscript:]: unrecognized selector sent to instance 0x7fff80233030

ubcoit · ‎01-27-2021

@nascheid

Sorry, can't say I've seen that error yet. :/ Did you sign and upload the CS profile to your JSS? It needs to be signed first. Having said that, I don't think we need to use it and we can manually create it in JAMF, provided you are running the latest version 10.26.1. I haven't tested M1 yet, getting to it one of these days but it's my understanding it has it's own problems (need to separate profiles - kernel/system specifically) as well as the CS client isn't native.

@mallen13

CS support got back to me with the issue with the "Extensions have been updated prompt" and they believe it's a option called "Firmware analysis" and that it's using a kernel extension. I haven't confirmed this but I'm hoping to test this today with the Team that administrates CrowdStrike (I only install it). Perhaps you can test on your end if you have more access.

If this turns out to be the case, it does make sense, since CS runs fine until it talks back to the cloud to get it's settings. Also makes sense as to why it works for some and not others as it would depend if this feature is enabled or not.

mallen13 · ‎01-27-2021

It sounds like we're in the same boat. - I also just re-created the profile manually ( to separate SYSEX from KEXT )
Everything is working just fine for me on Catalina... -- no prompting, even on upgrade... but kexts/kext-trusts are/were employed.

BigSur is the one being a jerk. ( especially the M1, a.k.a. "crashy-boi" if you feed it any sort of legacy config-profile... )
It does also seem that machines (intel) STARTING on Catalina, with my 'both kext+sysex' config-profiles present BEFORE the BigSur upgrade, don't get angry.... ( still testing this... )

I'll see if I can get the 'Firmware analysis' bit flipped off for me // get my own CS thread going.
I'll let you know when I get somewhere.

It does seem like maybe a bit of progress is being made...
( 6.12 -> 6.14 ; 6.14 -> 6.15 / 6.16.... all seem to behave just a little differently.... )

ghart · ‎01-27-2021

Hi all... I faced a similar issue and I think I've got it resolved (at least on our fleet of Intel MBPs). I had to manually edit the CrowdStrike provided profile to disable the ability to approve system extensions and kernel extensions. I'll put my modified falcon profile below. Feel free to copy and paste into your plaintext editor of your choice, save as a .mobileconfig file and sign it using JAMFs instructions. You WILL have to sign it before uploading it so that JAMF doesn't alter it... JAMF doesn't play nice with the system extension payloads and doesn't translate them into the GUI properly if the profile is unsigned.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>FilterBrowsers</key>
            <false/>
            <key>FilterDataProviderBundleIdentifier</key>
            <string>com.crowdstrike.falcon.Agent</string>
            <key>FilterDataProviderDesignatedRequirement</key>
            <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
            <key>FilterGrade</key>
            <string>inspector</string>
            <key>FilterPacketProviderBundleIdentifier</key>
            <string>com.crowdstrike.falcon.Agent</string>
            <key>FilterPacketProviderDesignatedRequirement</key>
            <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
            <key>FilterPackets</key>
            <false/>
            <key>FilterSockets</key>
            <true/>
            <key>FilterType</key>
            <string>Plugin</string>
            <key>Organization</key>
            <string>CrowdStrike Inc.</string>
            <key>PayloadDisplayName</key>
            <string>Web Content Filter</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.webcontent-filter.2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8</string>
            <key>PayloadType</key>
            <string>com.apple.webcontent-filter</string>
            <key>PayloadUUID</key>
            <string>2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PluginBundleID</key>
            <string>com.crowdstrike.falcon.App</string>
            <key>UserDefinedName</key>
            <string>Falcon</string>
        </dict>
        <dict>
            <key>AllowedTeamIdentifiers</key>
            <array>
                <string>X9E956P446</string>
            </array>
            <key>PayloadDescription</key>
            <string>Controls the system extension loading/unloading</string>
            <key>PayloadDisplayName</key>
            <string>App System Extension Control</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.system-extensions.admin.E45B5986-74A6-4B6A-A4CA-E179516A7F52</string>
            <key>PayloadOrganization</key>
            <string>CrowdStrike Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.system-extensions.admin</string>
            <key>PayloadUUID</key>
            <string>E45B5986-74A6-4B6A-A4CA-E179516A7F52</string>
        </dict>
        <dict>
            <key>AllowUserOverrides</key>
            <false/>
            <key>AllowedTeamIdentifiers</key>
            <array>
                <string>X9E956P446</string>
            </array>
            <key>PayloadDescription</key>
            <string>Configures Kernel Extension Policy settings</string>
            <key>PayloadDisplayName</key>
            <string>Kernel Extensions</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.syspolicy.kernel-extension-policy.5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE</string>
            <key>PayloadOrganization</key>
            <string>CrowdStrike Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.syspolicy.kernel-extension-policy</string>
            <key>PayloadUUID</key>
            <string>5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE</string>
        </dict>
        <dict>
            <key>PayloadDescription</key>
            <string>Configures Privacy Preferences Policy Control settings</string>
            <key>PayloadDisplayName</key>
            <string>Privacy Preferences</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.TCC.configuration-profile-policy.9A10BE5D-5E46-4C22-89C9-20597A04B616</string>
            <key>PayloadOrganization</key>
            <string>CrowdStrike Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>9A10BE5D-5E46-4C22-89C9-20597A04B616</string>
            <key>Services</key>
            <dict>
                <key>SystemPolicyAllFiles</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.crowdstrike.falcon.Agent</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>StaticCode</key>
                        <false/>
                    </dict>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.crowdstrike.falcon.App</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>StaticCode</key>
                        <false/>
                    </dict>
                </array>
            </dict>
        </dict>
        <dict>
            <key>AllowUserOverrides</key>
            <false/>
            <key>AllowedSystemExtensionTypes</key>
            <dict>
                <key>X9E956P446</key>
                <array>
                    <string>EndpointSecurityExtension</string>
                    <string>NetworkExtension</string>
                </array>
            </dict>
            <key>AllowedSystemExtensions</key>
            <dict>
                <key>X9E956P446</key>
                <array>
                    <string>com.crowdstrike.falcon.Agent</string>
                </array>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures System Extensions Policy settings</string>
            <key>PayloadDisplayName</key>
            <string>System Extensions</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.system-extension-policy.20258B06-5866-4424-8893-A3AF1AFAAEDC</string>
            <key>PayloadOrganization</key>
            <string>CrowdStrike Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.system-extension-policy</string>
            <key>PayloadUUID</key>
            <string>20258B06-5866-4424-8893-A3AF1AFAAEDC</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Kernel Extensions, System Extensions, and Privacy Preferences</string>
    <key>PayloadDisplayName</key>
    <string>Falcon Profile</string>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>863BE372-D1FA-4082-85B2-3B8FE63797C5</string>
    <key>PayloadOrganization</key>
    <string>CrowdStrike Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>BED12142-1459-41BF-B50B-66A27E702725</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Edit: I can't word good.

mallen13 · ‎01-27-2021

I think I've got literally every other key in there except my profile is set true here...

" <key>AllowUserOverrides</key> <false/>
"

Thanks! -- will dig into/try this.

ghart · ‎01-27-2021

That key, in both the System Extensions and Kernel Extensions payload/sections, was the only change I made to CrowdStrike's profile. What's so terrible about this is that pretty much any app you can use to build profiles doesn't recognize the Kernel Extension or System Extension payloads, so you're forced into manually editing and referring to Apple's developer docs to make sure you're not breaking something.

mallen13 · ‎01-27-2021

I'm going to fresh load another BigSur test machine to be sure... but I think you might have hit the nail on the head...

Hey JAMF.... feature request: change "Allow Users to approve system extensions" to: "Prompt Users to approve system extensions" :-)

and yes, I agree. -- as slick as CS was out of the gate... I'd really love to see them get on top of this kind of thing... ( and an arm64 port... )

mallen13 · ‎01-28-2021

So it was a combination of things...

Removing the check-box for 'Allow Users to approve system extensions' helped... but the final nag was, indeed, the 'BIOS/Firmware Standard Visibility' -- I managed to get our Sr. CS admin to DISABLE this feature in my test group, and now there are no more KEXTs in play. -- no prompts...

ubcoit · ‎01-28-2021

@mallen13

Also confirmed on my end. Disabling the BIOS/Firmware feature has resolved the additional prompt to approve the KEXT. CS support is now aware of the issue but unsure if they can work around it.

I need to spend some time now building out the configuration profiles separately and testing again to confirm.

KBNet · ‎01-28-2021

@mallen13

So unchecking the "allow users to approve system extensions" actually worked? I don't have the Firmware / BIOS Standard Visibility enabled, so I'm not hung up on a kext but I still am getting prompts to enable the system extension.

Even running

systemextensionsctl list

shows me that the system extension is "loaded" but waiting on user approval, which I want to avoid.

What version of CS are you running that played nicely for you?

ubcoit · ‎01-28-2021

@KBNet

I've been testing with 6.14.12704 at this point. I'm just in the process of moving my profiles from dev to prod to test things again. I'm separating my profiles into each component, PPPC, KEXT, System Ext and Content and will test again. I'm building all my profiles off the CS provided profile, to the best of my knowledge. Having said that, I have successfully applied PPPC, System Ext and Content to a Big Sur 11.1 workstation without reboot. Clean machine, enroll to jamf, on enrollment profiles are applied, install CS, no prompts, everything is happy since Firmware/bios is now disabled. On this test, this is what my System Extension looked like but in prod once I test again I plan all mirroring the settings in the provided CS profile that are available in Jamf. Are they all required, no idea! I'd hope CS knows better than me.

ubcoit · ‎01-28-2021

@KBNet

And just cause I'm all setup for this, I snapped my vm back and retested with "Allow users to approve system extensions" enabled in the above System Extension profile and tested, no prompts again. In the CS provided profile this option is selected.

KBNet · ‎01-29-2021

@ubcoit

Thanks for the details. Was this on a fresh install of Big Sur? I am attempting to upgrade machines. specifically from varying versions of macOS (Mojave and Catalina are really the two big ones).

My process is: upgrade CS from 6.15 to 6.16, install the profiles prior to upgrade (no prompts received on old macOS versions), upgrade straight to Big Sur, wait the 30 minutes to only be devastated by the "System Extension Blocked" pop-up after the upgrade.

I feel like I've been through absolutely everything to try to figure this out, and I can't. I just want to confirm, with the profiles you have your users are not seeing a single prompt (i.e. the one above)?

I have also decided to abandon the CS profile and roll my own. The system extension from what I can tell is identical to yours, and I still get the bloody prompts.

PPPC:

Content Filter:

System Extension:

Ultimately, after running the cmd to show the loaded extensions, I see that it is there and activated but for some reason waiting for the user, which I want to avoid.

We don't have firmware analysis on so a kext isn't needed either.

We have a ticket open with CS but I am a little worried that they will push the blame onto Jamf as others have described here.

I feel like my scenario of installing CS then upgrading to BS might be the cause here. I think it might be time I roll up a fresh install of Big Sur and see if that works, rather than an upgrade. If that's the case though, I'm not quite sure how we're going to handle the plethora of machines not running BS.

Have you had an upgrade path work with CS and Big Sur with this profile, where users are not required to approve the system extension?

ubcoit · ‎01-29-2021

@KBNet

I suspect your issue is the upgrade and you are having any number of problems. Notice the prompt is mentioning Falcon instead of CrowdStrike Inc? I believe this is because in 10.15 and earlier the process for CrowdStrike is falcond but in Big Sur the process is called com.crowdstrike.falcon.Agent. It's also possible that even though the profile was installed in 10.15, the system extensions aren't used and therefore aren't installed/linked or whatever happens in the backend. When you upgrade to Big Sur they can't load or something. Perhaps try applying new profiles once you upgrade to Big Sur? But then you'll also have the falcond vs com.crowdstrike.falcon.Agent issue until "something" triggers that switch, 30 minutes later?

Have you checked to see if "falcond" is actually a KEXT and not a System Extension?

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
select from kext_policy_mdm;
select from kext_policy;

TBH, this has certainly been a mess. I'm not sure we'll be able to do much in an upgrade scenario.

KBNet · ‎01-29-2021

@ubcoit

I'll have to do some further testing but it seems like you might be right, installing CS once Big Sur is installed seems to work the best, no prompts using the same profiles. I'm still testing though, but initially that seems to be the case.

Just checking though, have you been able to upgrade between OS versions without prompts from CS after the upgrade?

ubcoit · ‎01-29-2021

@KBNet

No, I've only tested on a clean Big Sur. I'm in the process right now of spinning up and updating three VM's, 10.13, 14 and 15 to confirm these profiles work correctly on them (they should). From there, I'll upgrade one or all of them to BS and see what happens. I'm expecting prompts. Even if you create your System Extensions profile and only deploy it to BS when the machine comes back online, CS will load and the profile won't have applied yet since Jamf won't know the machine has upgrade until an inventory runs. Pretty sure we are screwed. :)

KBNet · ‎01-29-2021

@ubcoit

Please let me know how your testing goes, I'm curious to see if your results are different to mine. I really hoped that once the system extension profile was deployed the system wouldn't care if CS tried loading before or not, but I fear that is the case.

Maybe BS 11.2 changes that... or more realistically it will make it worse.. :P

Jason33 · ‎01-30-2021

@KBNet I have done upgrades from both Mojave and Catalina, and still get prompted that a system extension was blocked from running. I'd not received any prompts or warning messages prior to upgrading to Big Sur.

KBNet · ‎02-01-2021

@Jason33

Thanks - did some testing this morning and it looks like if I uninstall CS before the upgrade from Catalina to Big Sur, then upgrade to BS, then reinstall CS the profile works fine. Just seems the upgrade is the cause.

11.2 released today, here's hoping that there are some changes that address this but I'm not holding my breath.

bilal_habib · ‎02-02-2021

Just an fyi, if you load the system extension payloads whilst on Mojave and then upgrade to Big Sur the system extension payloads will not be recognised hence the "Falcon" prompts.

You can read more at the macadmins slack community on the crowdstrike_falcon channel

ubcoit · ‎02-03-2021

@KBNet @Jason33 @bilal.habib

I've now completed some macOS upgrades and to my surprise I haven't been prompted after upgrading. ??? This wasn't expected.

My profiles, all are separate scoped to the appropriate version of macOS.

CrowdStrike Content Filter - Scope = macOS 10.15 or later

CrowdStrike Kernel Extensions - Scope = macOS 10.13.2 to macOS 10.15.x

CrowdStrike PPPC - Scope = macOS 10.14 or later

CrowdStrike System Extensions - Scope = macOS 10.15 or later

macOS 10.13.6, CrowdStrike 5.34.11501
Configuration Profile assigned before installation:
- CrowdStrike Kernel Extensions