CrowdStrike Falcon - Filter Network Content Prompt

TMPlatform
New Contributor

Hi team,

Is there any way to suppress the notification asking permission for Falcon to filter network content (screenshot below)?

TMPlatform_0-1631153790123.png

Our fleet is on either Catalina or Big Sur. I have created the relevant Configuration Profiles as per the deployment guide supplied by CrowdStrike. Functionally everything works as expected. I am wondering if it is possible to have that message automatically approve or if this is just part of macOS?

Thanks!


Thanks for the link. I have gone through it and all the settings provided are set to how they should be; however, I am still getting the pop-up to allow for the network content.

AJPinto
Honored Contributor II

We have problems with this popup from AnyConnect. What JAMF support told me months back is it has something to do with what loads first. If the System Extension loads before the approval from the JAMF configuration profile it will prompt the user regardless. This answer does not sit well with me, but it is what I was given and I have not had a chance to dig deeper. Network extensions seem to be a mess all around.

gachowski
Valued Contributor II

I don't think there is a way to avoid those prompts. We have CS and another vendor that requires network filters. I have not found any documentation from Apple or the vendors that helped.

seanhansell
Contributor

Create a "Content Filter" configuration profile payload that accepts the content filter.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>FilterDataProviderBundleIdentifier</key>
			<string>com.crowdstrike.falcon.Agent</string>
			<key>FilterDataProviderDesignatedRequirement</key>
			<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
			<key>FilterGrade</key>
			<string>inspector</string>
			<key>FilterPackets</key>
			<false/>
			<key>FilterSockets</key>
			<true/>
			<key>FilterType</key>
			<string>Plugin</string>
			<key>Organization</key>
			<string>CrowdStrike Inc.</string>
			<key>PayloadDisplayName</key>
			<string>Web Content Filter Payload</string>
			<key>PayloadOrganization</key>
			<string>JAMF Software</string>
			<key>PayloadType</key>
			<string>com.apple.webcontent-filter</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>PluginBundleID</key>
			<string>com.crowdstrike.falcon.App</string>
			<key>UserDefinedName</key>
			<string>Falcon</string>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string></string>
	<key>PayloadDisplayName</key>
	<string>Crowdstrike Falcon Content Filter</string>
	<key>PayloadEnabled</key>
	<true/>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

 

 

- Sean
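A pre-deployment check for the content filter payload posted above, as an added example that is not part of the original post and is not CrowdStrike or Jamf code. It parses a profile with Python's `plistlib` and reports missing or inconsistent filter keys before the profile is scoped to devices; the function name `check_content_filter` and the trimmed sample profile are constructed for illustration, and the expected team ID is passed in by the caller.

```python
import plistlib
import re

# Constructed sample: the posted payload trimmed to the keys checked below.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.webcontent-filter</string>
    <key>FilterType</key><string>Plugin</string>
    <key>FilterGrade</key><string>inspector</string>
    <key>FilterSockets</key><true/>
    <key>FilterPackets</key><false/>
    <key>PluginBundleID</key><string>com.crowdstrike.falcon.App</string>
    <key>FilterDataProviderBundleIdentifier</key><string>com.crowdstrike.falcon.Agent</string>
    <key>FilterDataProviderDesignatedRequirement</key>
    <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate leaf[subject.OU] = "X9E956P446"</string>
  </dict></array>
  <key>PayloadType</key><string>Configuration</string>
</dict></plist>"""

def check_content_filter(profile_bytes, expected_team_id):
    """Return a list of problems in webcontent-filter payloads (empty list = OK)."""
    profile = plistlib.loads(profile_bytes)
    filters = [p for p in profile.get("PayloadContent", [])
               if p.get("PayloadType") == "com.apple.webcontent-filter"]
    if not filters:
        return ["no com.apple.webcontent-filter payload present"]
    problems = []
    for p in filters:
        if p.get("FilterType") != "Plugin":
            problems.append("FilterType must be Plugin for a third-party filter")
        if not p.get("PluginBundleID"):
            problems.append("PluginBundleID missing")
        if p.get("FilterGrade", "firewall") not in ("firewall", "inspector"):
            problems.append("FilterGrade must be firewall or inspector")
        if not (p.get("FilterSockets") or p.get("FilterPackets")):
            problems.append("neither FilterSockets nor FilterPackets is enabled")
        if p.get("FilterSockets"):
            # The socket filter's code requirement must name the same bundle
            # and stay pinned to the vendor's signing team.
            bundle = p.get("FilterDataProviderBundleIdentifier", "")
            req = p.get("FilterDataProviderDesignatedRequirement", "")
            ident = re.search(r'identifier "([^"]+)"', req)
            team = re.search(r'subject\.OU\]\s*=\s*"([^"]+)"', req)
            if not bundle or not ident or ident.group(1) != bundle:
                problems.append("requirement identifier does not match data provider bundle ID")
            if not team or team.group(1) != expected_team_id:
                problems.append("requirement is not pinned to the expected team ID")
    return problems
```

Run it against the exported `.mobileconfig` bytes and test on a small scoped group first; an empty list only means the keys are consistent, not that the prompt is suppressed on every macOS version.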

Sorry, I can't get it to work. Would you be kind and make a screenshot of it?

gachowski
Valued Contributor II

Screen Shot 2023-03-30 at 8.23.55 AM.png

howie_isaacks
Valued Contributor II

This screenshot helped me. Thanks for posting!

Does this enable the Network Filter? I placed this into one of the Falcon Configuration Profiles I thought was set for testing and it ended up knocking all my Mac users offline and off the internet. Lesson learned on my part, but I am trying to make sure I understand what this does.

hepvd
Contributor

Thanks for the invaluable help! Issue solved!

seanhansell
Contributor

@TMPlatform would you be so kind as to mark my reply as the solution to this issue?

- Sean