Posted on 11-21-2020 08:52 AM
Hi
It looks like we need to deploy/upgrade our base sensor for Crowdstrike Falcon. It seems the previous script does not work and the sensor requires more permissions on Big Sur.
Any help/insight would be greatly appreciated.
Posted on 11-23-2020 10:24 PM
I don't think CS is supporting the M1 CPU yet. Also, CS has a profile available on their support web site. You should be able to just sign that profile before you upload it to Jamf. I also think that the current version is 6.12.x.
C
Posted on 11-24-2020 09:09 AM
I am going through the same thing. We have the old install, which seems to auto-update itself to the new version (with the app in Applications and the new paths).
I reached out to CrowdStrike asking about M1 support and they replied that it was on schedule for Q1 2021, which ends at the end of April. So, basically, no promises that Falcon Sensor will work until May 2021. I am sure it can be earlier - but how often does that happen?
I have tried to sign the .mobileconfig using the PPPC utility and it did not let me import the .mobileconfig file to the PPPC utility to even try. Maybe creating a new one from scratch will do the trick.
The sensor version I have is 6.12.12505.0, but was in a folder labeled 6.11 - however that may have come from our admin possibly dropping the installer in an existing folder?
So it looks like we have three hurdles to overcome here:
1 - Getting the .mobileconfig signed by PPPC so it can be imported to JAMF Pro (or create a new one from scratch, or manually enter the info).
2 - Getting the script updated so Falcon Sensor will be properly registered.
3 - Find out what to use while we wait for CrowdStrike to update Falcon Sensor for M1 support sometime early next year, since not having an antivirus-type product for six months on new hardware seems like a poor idea.
Posted on 11-25-2020 08:04 AM
I'm on the same thing. I've got to install under Rosetta but not serialize, and when running their "profile" they recommend, it doesn't want to upload and errors out.
Posted on 11-25-2020 08:46 AM
We had to stop deploying CS at enrollment due to too many issues (the security guy was not happy about that, but understands the confluence of events that is causing it). We do have an architecture limitation to prevent installation on anything but Intel, but I do not yet have an M1 device to test it against. We also ran into problems with Big Sur and the significant changes to Crowdstrike itself to work with Big Sur.
Posted on 11-25-2020 09:38 AM
@pbenware1 What changes are you having to do in order to get it to work with Big Sur? I am trying to figure those out now.
Posted on 11-25-2020 11:51 AM
Do you know what extension approvals you used? We tried to deploy on Big Sur and it prompted the user to add/approve.
We would like to bypass that if possible
Posted on 11-25-2020 02:29 PM
@j_allenbrand We don't have it working yet on Big Sur. Falcon has provided a config profile to use, but according to their documentation, the profile they've provided won't work as is with Jamf Pro as it needs to be signed first. I have not had success yet in signing it. And it appears to be missing the Team Identifier under the System Extensions payload, so (I'm guessing) even if I get it signed as is, it will still not work correctly.
Posted on 11-27-2020 11:36 AM
Per Crowdstrike
This indicates that there is an error in the configuration you're trying to upload. Were you able to make the necessary changes to the profile to meet your network's requirements? The profile we have provided is just a baseline and is unlikely to work without additional configuration. As long as you are able to make those changes to the configuration, there aren't any changes to the way the sensor is packaged in Jamf. Any errors there would be indicating an issue with their software which is not something CrowdStrike is able to resolve. Can you please provide some detail on the changes you made and the process you went through?
Thank you,
Posted on 12-01-2020 10:39 AM
This is for Big Sur more than M1 as it seems like we are waiting on an M1 compatible version of Falcon from Crowdstrike - which may not happen until as late as May 2021.
There is a script for uninstalling CS and for registering it. Both scripts contain the old path of "/Library/CS". Since the old version of the app is what we currently have in the environment, I left the path alone in the uninstall script, but changed the path in the register script to "/Applications/Falcon.app/Contents/Resources/falconctl" and it seems to work. When I do a:
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
I get the stats and it shows no errors or failures.
The policy would run the uninstall script as the 'before' script, install the .pkg, then run the register script as the 'after' script and then do an update inventory for housekeeping.
These instructions seem to work for the policy to whitelist Crowdstrike, but I have not fully tested it - YMMV:
General payload
- Name : CrowdStrike Falcon Profile
Privacy Preferences Policy Control payload
- Identifier : com.crowdstrike.falcon.Agent
- Identifier Type : select "Bundle ID"
- Code Requirement : identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"
- click the "+Add" button to the right, and select "SystemPolicyAllFiles" under App or Service, and "Allow" under Access. Then click the small Save button directly to the right.
Approved Kernel Extensions payload
- Enable both “Allow users to approve kernel extensions” AND “FIELD_ALLOW_NON_ADMIN_USER_APPROVALS” options
- Display Name : CrowdStrike
- Team ID : X9E956P446
System Extensions payload
- Enable “Allow users to approve system extensions” option
- Display Name : CrowdStrike
- System Extension Types : select "Allowed Team Identifiers"
- Team Identifier : X9E956P446
Posted on 12-01-2020 06:09 PM
https://www.jamf.com/jamf-nation/discussions/37488/crowdstrike-configuration-profile-bigsur
Posted on 12-11-2020 11:31 AM
So CrowdStrike docs and support say 1st quarter, so we are planning around March. Rich, May is extra scary; can you give me some vision on how sure you are of May?
C
Posted on 01-13-2021 01:55 PM
I followed VintageMacGuy's instructions verbatim, however, when i installed the new Falcon sensor after deploying the new configuration profile, it prompted me to approve the system extension for Falcon. I did not get any other approval prompts, just that one. Any idea how to silently approve that through the config profile?
Posted on 01-14-2021 02:10 PM
@gachowski - Sorry for the delay in replying. When trying to get info from CrowdStrike on when they may be ready, they said their Q1 starts in February (Feb, Mar, Apr), so I took the worst-case scenario of it being a day later than their Q1 end date - May 1st.
That would be the first possible day, based on what info they provided, that I can reasonably guess it will be ready. Other than that, I am just as much in the dark as you.
Posted on 01-14-2021 02:23 PM
@ecohler I am glad you had some luck with my instructions!
Based on some other threads I have seen, CrowdStrike may be doing an unadvertised upgrade from their management servers, so I am curious if that has anything to do with the prompt you got?
I also had a curious thing happen and maybe you can help confirm/deny what I am seeing. After CS installed and I approved the prompt, I ran the STATS command (see above post with the full path ending in 'stats') and it shows errors and failures. But when I reinstall CS from Self Service and restart, then run stats again, everything is fine. I am not sure if this has something to do with me testing on the same Mac each time and the CS back end already having that machine registered when JAMF tries to install it again?
At the end of the day, I have to click one approval message and reinstall it from self service and after that it seems to work fine in Big Sur. So it does work in Big Sur eventually. Now just have to work the kinks out.
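To tell whether the profile actually pre-approved the Falcon system extension (rather than leaving the "approve" prompt ecohler described) and that the extension that loaded is signed by CrowdStrike's Team ID, the state reported by `systemextensionsctl list` is the thing to check. The following is an added example written for this page, not CrowdStrike's tooling or a script from this thread. It parses that command's tab-separated output; the sample outputs embedded below are constructed to match the command's layout, and the version numbers in them are made up.

```python
"""Check whether the Falcon system extension is approved and correctly signed.

Example code added by the editor, not from CrowdStrike or Jamf. Parses the
output of `systemextensionsctl list` (run for real on macOS, sample text
elsewhere) and reports whether com.crowdstrike.falcon.Agent is signed by
Team ID X9E956P446 and is "activated enabled" rather than
"activated waiting for user" (the state behind the approval prompt).
"""
import subprocess
import sys

EXPECTED_TEAM_ID = "X9E956P446"
FALCON_SYSEXT_ID = "com.crowdstrike.falcon.Agent"

# Constructed sample output: sensor installed, extension still needs a click.
SAMPLE_WAITING = (
    "1 extension(s)\n"
    "--- com.apple.system_extension.endpoint_security\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "\t*\tX9E956P446\tcom.crowdstrike.falcon.Agent (6.12/12505.0)\tAgent"
    "\t[activated waiting for user]\n"
)
# Constructed sample output: profile allowed the extension, no prompt.
SAMPLE_ENABLED = (
    "1 extension(s)\n"
    "--- com.apple.system_extension.endpoint_security\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tX9E956P446\tcom.crowdstrike.falcon.Agent (6.12/12505.0)\tAgent"
    "\t[activated enabled]\n"
)


def parse_extensions(output):
    """Return one dict per extension row in `systemextensionsctl list` output."""
    rows = []
    for line in output.splitlines():
        fields = line.split("\t")
        # Summary line, "---" section header and the column header have
        # fewer than 6 tab-separated fields or "teamID" in the team column.
        if len(fields) < 6 or fields[2] == "teamID":
            continue
        rows.append({
            "enabled": fields[0] == "*",
            "active": fields[1] == "*",
            "team_id": fields[2],
            "bundle_id": fields[3].split(" (", 1)[0],   # drop "(version)"
            "name": fields[4],
            "state": fields[5].strip("[]"),
        })
    return rows


def falcon_status(output):
    """Classify Falcon's system-extension state. Returns (ok, message)."""
    matches = [r for r in parse_extensions(output) if r["bundle_id"] == FALCON_SYSEXT_ID]
    if not matches:
        return False, "Falcon system extension not found: sensor not installed or not yet loaded"
    ext = matches[-1]   # newest row wins if an upgrade left two entries
    if ext["team_id"] != EXPECTED_TEAM_ID:
        # A Falcon bundle ID signed by another team is exactly what the
        # Team ID allowlist in the profile is meant to refuse; investigate.
        return False, f"unexpected signer {ext['team_id']}: not CrowdStrike's Team ID"
    if "waiting for user" in ext["state"]:
        return False, ("activated but waiting for user approval: the profile did not "
                       "allow it (check AllowedTeamIdentifiers/AllowedSystemExtensions "
                       "and that the profile landed before the sensor installed)")
    if ext["state"] == "activated enabled":
        return True, "Falcon system extension activated and enabled"
    return False, f"unexpected state: {ext['state']}"


def main():
    if sys.platform == "darwin":
        output = subprocess.run(["systemextensionsctl", "list"],
                                capture_output=True, text=True, check=False).stdout
    else:
        output = SAMPLE_WAITING   # off-box demonstration only
    ok, message = falcon_status(output)
    print(("OK: " if ok else "FAIL: ") + message)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a Jamf policy script or extension attribute after the sensor installs: a non-zero exit with "waiting for user" means the profile did not cover the extension (or arrived after the installer), while a Team ID mismatch is something to escalate rather than approve.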
Posted on 01-14-2021 04:52 PM
Thank you very much Rich!!! my org was thinking 1 quarter of the year. : )
Posted on 01-15-2021 10:01 AM
In order for the system extension to automatically be approved for us, we added the following to the config profile.
System Extensions payload
- Enable “Allow users to approve system extensions” option
- Display Name : CrowdStrike
- System Extension Types : select "Allowed System Extensions"
- System Extension: com.crowdstrike.falcon.Agent
Posted on 01-19-2021 09:39 AM
Just to be clear you added those to the CS profile you downloaded from the CS support site?
C
Posted on 01-21-2021 07:13 AM
The Configuration Profile above only works for Intel-based machines running Big Sur. If you want it to work on M1 silicon, you'll have to modify it for it to load properly and not give you issues down the road.
Just remove the Kernel Extensions section completely and it should do the trick.
System Extensions > Change to > "Allowed System Extension"
add it to the list: com.crowdstrike.falcon.Agent
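The payload settings from VintageMacGuy's instructions, @ecohler's Allowed System Extensions addition and @Mr_Suaz's Intel/M1 split, assembled into a .mobileconfig by script rather than by hand. This is an added example written for this page; it is not CrowdStrike's profile, a Jamf export, or code from any poster. The Team ID, bundle ID and code requirement are the ones quoted in the thread; the `com.example.falcon` payload identifier prefix and display names are assumptions, as is the `lint_profile` check, which encodes two things the thread reports (a System Extensions payload without a Team Identifier still prompts, and a Kernel Extensions payload must not reach Apple silicon Macs).

```python
"""Build CrowdStrike Falcon configuration profiles for Intel and Apple silicon.

Example code added by the editor, not CrowdStrike's or Jamf's profile.
The payload keys are Apple's documented profile keys; the identifier prefix
and display names are assumptions to replace with your own.
"""
import plistlib
import re
import uuid

TEAM_ID = "X9E956P446"
AGENT_BUNDLE_ID = "com.crowdstrike.falcon.Agent"
# Code requirement exactly as given in the thread (pins identifier and Team ID).
CODE_REQUIREMENT = (
    'identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and '
    "certificate 1[field.1.2.840.113635.100.6.2.6] and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] and "
    'certificate leaf[subject.OU] = "X9E956P446"'
)
ORG_PREFIX = "com.example.falcon"          # assumed; use your org's reverse-DNS
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")


def _payload(payload_type, suffix, display_name, **body):
    """Wrap payload-specific keys with the common Payload* keys Apple requires."""
    payload = {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG_PREFIX}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }
    payload.update(body)
    return payload


def build_profile(include_kext):
    """Return the profile dict; include_kext=True only for Intel Macs."""
    payloads = [
        # PPPC: Full Disk Access for the Falcon agent, by bundle ID + code requirement.
        _payload("com.apple.TCC.configuration-profile-policy", "pppc", "CrowdStrike PPPC",
                 Services={"SystemPolicyAllFiles": [{
                     "Identifier": AGENT_BUNDLE_ID,
                     "IdentifierType": "bundleID",
                     "CodeRequirement": CODE_REQUIREMENT,
                     "Allowed": True,
                 }]}),
        # System Extensions: allow by Team ID and by explicit bundle ID.
        _payload("com.apple.system-extension-policy", "sysext", "CrowdStrike",
                 AllowUserOverrides=True,
                 AllowedTeamIdentifiers=[TEAM_ID],
                 AllowedSystemExtensions={TEAM_ID: [AGENT_BUNDLE_ID]}),
    ]
    if include_kext:
        # Kernel Extensions: Intel Big Sur only; the thread reports an M1 that
        # would not boot with this payload scoped to it.
        payloads.append(_payload("com.apple.syspolicy.kernel-extension-policy", "kext",
                                 "CrowdStrike",
                                 AllowUserOverrides=True,
                                 AllowNonAdminUserApprovals=True,
                                 AllowedTeamIdentifiers=[TEAM_ID]))
    return {
        "PayloadContent": payloads,
        "PayloadDisplayName": "CrowdStrike Falcon Profile",
        "PayloadIdentifier": f"{ORG_PREFIX}.{'intel' if include_kext else 'applesilicon'}",
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }


def payload_types(profile):
    return [p["PayloadType"] for p in profile["PayloadContent"]]


def lint_profile(profile):
    """Flag the mistakes the thread ran into. Returns a list of findings."""
    findings = []
    for p in profile["PayloadContent"]:
        kind = p["PayloadType"]
        if kind == "com.apple.system-extension-policy":
            teams = list(p.get("AllowedTeamIdentifiers", [])) + list(p.get("AllowedSystemExtensions", {}))
            if not teams:
                findings.append("System Extensions payload names no Team Identifier: the sysext will still prompt")
            findings += [f"malformed Team Identifier {t!r}" for t in teams if not TEAM_ID_RE.match(t)]
        elif kind == "com.apple.syspolicy.kernel-extension-policy":
            findings.append("Kernel Extensions payload present: do not scope this profile to Apple silicon Macs")
        elif kind == "com.apple.TCC.configuration-profile-policy":
            for entry in p["Services"].get("SystemPolicyAllFiles", []):
                if not entry.get("Allowed") or TEAM_ID not in entry.get("CodeRequirement", ""):
                    findings.append("PPPC Full Disk Access entry is not allowed or does not pin the Team ID")
    return findings


def to_mobileconfig(profile):
    """Serialize to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for name, kext in (("falcon-intel", True), ("falcon-applesilicon", False)):
        profile = build_profile(include_kext=kext)
        print(name, lint_profile(profile) or "ok")
        with open(f"{name}.mobileconfig", "wb") as fh:
            fh.write(to_mobileconfig(profile))
```

The output is an unsigned profile; Jamf Pro rejects an unsigned upload, so sign it first (for example `security cms -S -N "Your Signing Certificate" -i falcon-applesilicon.mobileconfig -o falcon-applesilicon-signed.mobileconfig`) or, as several posters did, rebuild the same payloads natively in the Jamf Pro profile editor. Keep two profiles scoped by architecture rather than one with the Kernel Extensions payload, for the reason @Mr_Suaz gives.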
Posted on 01-28-2021 11:28 AM
@Mr_Suaz - will removing the Kernel Extension part affect Intel Macs in our fleet? We'd like to have one configuration profile to install on all Macs, not have to break it up by M1 vs. every other Mac.
Thanks!
Posted on 01-28-2021 11:40 AM
I've gone ahead and followed the post from @Mr_Suaz - but now am getting this failed error:
<Exception> -[__NSCFConstantString objectForKeyedSubscript:]: unrecognized selector sent to instance 0x1fd77af58
Posted on 01-28-2021 02:02 PM
@vogel I was getting that too and someone mentioned it was due to the signing issue. What I did to get around it (mainly because I was too lazy to mess with certificates, lol) is I just recreated the profile from scratch within Jamf and that worked.
Posted on 01-28-2021 02:08 PM
@vogel You do not want to have the CS config profile with Kernel Extension scoped to your M1 devices; it will only cause you problems. In my case the profile caused the machine to not boot, and I had to reinstall the OS using another Mac and Apple Configurator 2.
Posted on 02-17-2021 02:36 PM
How are you guys suppressing Falcon Notifications prompt? I see no one talked about this on any other threads.
You guys are getting a prompt to approve or deny Notifications for Falcon?
Posted on 02-24-2021 03:55 PM
I got this from CS today... As we have been having issues with M1's on our end...
They say Q1 support and Q1 is almost over... so fingers crossed..
we cannot recommend having the sensor installed on any machines using the M1 chipset, as unexpected and dramatic behavior, from networking issues to complete brick, could occur. Again, I do apologize. As always, please let me know if you have any additional questions. Thanks,
Posted on 02-24-2021 03:58 PM
Posted on 02-25-2021 03:53 PM
@danny.gutman You can configure a Notifications payload using the bundle identifier
com.crowdstrike.falcon.UserAgent
Posted on 04-08-2021 12:07 PM
@afarnsworth like this?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>BundleIdentifier</key>
<string>com.crowdstrike.falcon.UserAgent</string>
<key>NotificationsEnabled</key>
<false/>
<key>AlertType</key>
<integer>1</integer>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<false/>
<key>BadgesEnabled</key>
<false/>
<key>SoundsEnabled</key>
<false/>
</dict>
</array>
</dict>
</plist>
Doesn't seem to stop the user from getting macOS Notification about the app.
Posted on 04-12-2021 06:52 AM
@afarnsworth Hi, I was wondering how you found the correct bundle ID to use for the notifications payload. I tried doing the osascript -e 'id of app "appName"' method but got a different one, and couldn't find the correct one until I saw your post here.
@donmontalvo You can use the notifications payload in Configuration Profiles in jamf to do this for you.
Posted on 12-05-2021 08:05 PM
Any updates on this?
Posted on 08-26-2022 08:13 AM - edited 08-26-2022 08:22 AM
Here is my setup in JAMF. It works at suppressing the initial notification from the Falcon sensor installer. As @afarnsworth said, you need to use "com.crowdstrike.falcon.UserAgent" as the bundle ID for the notifications payload.
Not really sure if Falcon ever sends out messages via notifications and if you want to disable or enable them.