Crowdstrike Falcon Sensor v6.11+ Big Sur and M1 Deployment help

j_allenbrand
Contributor

Hi

It looks like we need to deploy/upgrade our base sensor for Crowdstrike Falcon. It seems the previous script does not work and the sensor requires more permissions on Big Sur.

Any help/insight would be greatly appreciated.

30 REPLIES 30

gachowski
Valued Contributor II

I don't think SC is supporting M1 CPU yet.. Also SC has a profile, available on their support web site. You should be able to just sign that profile, before you up load to Jamf .. I also think that the current version is 6.12.x

C

VintageMacGuy
Contributor II

I am going through the same thing. We have the old install, which seems to auto-update itself to the new version (with the app in Applications and the new paths).

I reached out to CrowdStrike asking about M1 support and they replied that it was on schedule for Q1 2021, which ends at the end of April. So, basically, no promises that Falcon Sensor will work until May 2021. I am sure it can be earlier - but how often does that happen?

I have tried to sign the .mobileconfig using the PPPC utility and it did not let me import the .mobileconfig file to the PPPC utility to even try. Maybe creating a new one from scratch will do the trick.

The sensor version I have is 6.12.12505.0, but was in a folder labeled 6.11 - however that may have come from our admin possibly dropping the installer in an existing folder?

So it looks like we have three hurdles to overcome here:

1 - Getting the .mobileconfig signed by PPPC so it can be imported to JAMF Pro (or create a new one from scratch, or manually enter the info).

2 - Getting the script updated so Falcon Sensor will be properly registered.

3 - Find out what to use while we wait for Crowd Strike to update Falcon Sensor for M1 support sometime early next year, since not having an antivirus type product for six months on new hardware seems like a poor idea.

j_allenbrand
Contributor

Im on the same thing, I've got to install under rosetta but not serialize and when running their "profile" they recommend it doesn't want to upload and error out.

pbenware1
Release Candidate Programs Tester

We had to stop deploying CS at enrollment due to too many issues (the security guy was not happy about that, but understands the confluence of events that is causing it). We do have an architecture limitation to prevent installation on anything but Intel, but I do not yet have an M1 device to test it against. We also ran into problems with Big Sur and the significant changes to Crowdstrike itself to work with Big Sur.

j_allenbrand
Contributor

@pbenware1 What changes are you having to do in order to get it to work with Big Sur? I am trying to figure those out now.

j_allenbrand
Contributor

Do you know what extension approval's you used? We tried to deploy on Big Sure and it prompted the user to add/approve.

We would like to bypass that if possible

pbenware1
Release Candidate Programs Tester

@j_allenbrand We don't have it working yet on Big Sur. Falcon has provided a config profile to use, but according to their documentation, the profile they've provided won't work as is with Jamf Pro as it needs to be signed first. I have not had success yet in signing it. And it appears to be missing the Team Identifier under the System Extensions payload, so (I'm guessing) even I get it signed as is, it will still not work correctly.

j_allenbrand
Contributor

Per Crowdstrike

This indicates that there is an error in the configuration you're trying to upload. Were you able to make the necessary changes to the profile to meet your network's requirements? The profile we have provided is just a baseline and is unlikely to work without additional configuration. As long as you are able to make those changes to the configuration, there aren't any changes to the way the sensor is packaged in Jamf. Any errors there would be indicating an issue with their software which is not something CrowdStrike is able to resolve. Can you please provide some detail on the changes you made and the process you went through?

Thank you,

VintageMacGuy
Contributor II

This is for Big Sur more than M1 as it seems like we are waiting on an M1 compatible version of Falcon from Crowdstrike - which may not happen until as late as May 2021.

There is a script for uninstalling CS and for registering it. Both scripts contain the old path of "/Library/CS". Since the old version of the app is what we currently have in the environment, I left the path alone in the uninstall script, but changed the path in the register script to "/Applications/Falcon.app/Contents/Resources/falconctl" and it seems to work. When I do a:

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

I get the stats and it shows no errors or failures.

The policy would run the uninstall script as the 'before' script, install the .pkg, then run the register script as the 'after' script and then do an update inventory for housekeeping.

These instructions seem to work for the policy to whitelist Crowdstrike, but I have not fully tested it - YMMV:

  1. In Jamf Pro > Computers tab > Configuration Profiles ; click "New" in the upper right corner.
  2. Here is how I configured each payload. All of the information is correct so you can copy and paste to make it easier.

General payload : - Name : CrowdStrike Falcon Profile

Privacy Preferences Policy Control payload
- Identifier : com.crowdstrike.falcon.Agent
- Identifier Type : select "Bundle ID"
- Code Requirement : identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"
- click the "+Add" button to the right, and select "SystemPolicyAllFiles" under App or Service, and "Allow" under Access. Then click the small Save button directly to the right.

Approved Kernel Extensions payload
- Enable both “Allow users to approve kernel extensions” AND “FIELD_ALLOW_NON_ADMIN_USER_APPROVALS” options
- Display Name : CrowdStrike
- Team ID : X9E956P446

System Extensions payload
- Enable “Allow users to approve system extensions” option
- Display Name : CrowdStrike
- System Extension Types : select "Allowed Team Identifiers"
- Team Identifier : X9E956P446

  1. Then I added a Test Computer to the Scope tab, and clicked Save in the lower right.

fsurucu
New Contributor III

https://www.jamf.com/jamf-nation/discussions/37488/crowdstrike-configuration-profile-bigsur

gachowski
Valued Contributor II

@VintageMacGuy

So Crowdstrike Doc and support say 1st quarter, so we are planning around March. Rich can May is extra scary can you give me some vision on how sure you are of May?

C

ecohler
New Contributor

I followed VintageMacGuy's instructions verbatim, however, when i installed the new Falcon sensor after deploying the new configuration profile, it prompted me to approve the system extension for Falcon. I did not get any other approval prompts, just that one. Any idea how to silently approve that through the config profile?

VintageMacGuy
Contributor II

@gachowski - Sorry for the delay in replying. When trying to get info from Crowdstrike on when they may be ready, they said their Q1 starts in February (Feb, Mar, Apr), so I took the worse case scenario of it being a day later than their Q1 end date - May 1st.

That would be the first possible day, based on what info they provided, that I can reasonably guess it will be ready. Other than that, I am just as much in the dark as you.

VintageMacGuy
Contributor II

@ecohler I am glad you had some luck with my instructions!
Based on some other threads I have seen, CrowdStrike may be doing an unadvertised upgrade from their management servers, so I am curious if that has anything to do with the prompt you got?

I also had a curious thing happen and maybe you can help confirm/deny what I am seeing. After CS installed and I approved the prompt, I run the STATS command (see above post with the full path ending in 'stats') and it shows errors and failures. But when I reinstall CS from Self Service and restart, then run stats again, everything is fine. I am not sure if this has something to do with me testing on the same Mac each time and CS back end already has that machine registered when JAMF tries to install it again?

At the end of the day, I have to click one approval message and reinstall it from self service and after that it seems to work fine in Big Sur. So it does work in Big Sur eventually. Now just have to work the kinks out.

gachowski
Valued Contributor II

Thank you very much Rich!!! my org was thinking 1 quarter of the year. : )

@VintageMacGuy

syoung17
New Contributor II

In order for the system extension to automatically be approved for us, we added the following to the config profile.
System Extensions payload
- Enable “Allow users to approve system extensions” option
- Display Name : CrowdStrike
- System Extension Types : select "Allowed System Extensions"
- System Extension: com.crowdstrike.falcon.Agent

gachowski
Valued Contributor II

@syoung17

Just to be clear you added those to the CS profile you downloaded from the CS support site?

C

Mr_Suaz
New Contributor II

The Configuration Profile above only works for Intel Based machines running Big Sur. If you want it work on M1 Silicon, you'll have to modify it for it to load properly and not give you issues down the road.

Just remove the Kernel Extensions section completely and it should do the trick. System Extensions > Change to > "Allowed System Extension"
add it to the list: com.crowdstrike.falcon.Agent

372475d319f04a2c8d97b58676ca627d

vogel
New Contributor

@Mr_Suaz - will removing the Kernel Extension part affect Intel Macs in our fleet? We'd like to have one configuration profile to install on all Macs, not have to break it up by M1 vs. every other Mac.

Thanks!

vogel
New Contributor

I've gone ahead and followed the post from @Mr_Suaz - but now am getting this failed error:

<Exception> -[__NSCFConstantString objectForKeyedSubscript:]: unrecognized selector sent to instance 0x1fd77af58

markopolo
Contributor

@vogel I was getting that too and someone mentioned it was due to the signing issue. What I did to get around it (mainly because I was too lazy to mess with certificates, lol) is I just recreated the profile from scratch within Jamf and that worked.

Jason33
Contributor III

@vogel You do not want to have the CS config profile with Kernel Extension scoped to your M1 devices; it will only cause you problems. In my case the profile caused the machine to not boot, and I had to reinstall the OS using another Mac and Apple Configurator 2.

danny_gutman
New Contributor III

How are you guys suppressing Falcon Notifications prompt? I see no one talked about this on any other threads.

You guys are getting a prompt to approve or deny Notifications for Falcon?

jezza
New Contributor III

I got this from CS today... As we have been having issues with M1's on our end...

They say Q1 support and Q1 is almost over... so fingers crossed..

we cannot recommend having the sensor installed on any machines using the M1 chipset, as unexpected and dramatic behavior, from networking issues to complete brick, could occur.Again, I do apologize. As always, please let me know if you have any additional questions. Thanks,

gachowski
Valued Contributor II

@coasttech

Sorry CS Q1 starts in February (Feb, Mar, Apr).

C

afarnsworth
Contributor

@danny.gutman You can configure a Notifications payload using the bundle identifier

com.crowdstrike.falcon.UserAgent

donmontalvo
Esteemed Contributor III

@afarnsworth like this?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>NotificationSettings</key>
        <array>
            <dict>
                <key>BundleIdentifier</key>
                <string>com.crowdstrike.falcon.UserAgent</string>
                <key>NotificationsEnabled</key>
                <false/>
                <key>AlertType</key>
                <integer>1</integer>
                <key>ShowInLockScreen</key>
                <false/>
                <key>ShowInNotificationCenter</key>
                <false/>
                <key>BadgesEnabled</key>
                <false/>
                <key>SoundsEnabled</key>
                <false/>
            </dict>
        </array>
    </dict>
</plist>

Doesn't seem to stop the user from getting macOS Notification about the app.

--
https://donmontalvo.com

Eltord
Contributor

@afarnsworth Hi, I was wondering how you found the correct bundle ID to use for the notifications payload. I tried doing the osascript -e "id of app "appName"' method but got a different one, and couldn't find the correct one until I saw your post here.

@donmontalvo You can use the notifications payload in Configuration Profiles in jamf to do this for you.

mmardini13
New Contributor

Any updates on this? 

McGinn
Contributor

Here is my setup in JAMF.  It works at surpassing the initial notification from the Falcon sensor installer.  As @afarnsworth said you need to use "com.crowdstrike.falcon.UserAgent" as the bundle ID for the notifications payload.

 

Not really sure if Falcon ever sends out messages via notifications and if you want to disable or enable them.

 

Screen Shot 2022-08-26 at 11.12.35 AM.png