Posted on 06-08-2023 08:21 AM
I am working on deploying CrowdStrike initially to a test group of Macs for later deployment companywide. The one thing we are having problems with is the "Managed Login Items Added" alerts that users are seeing when CrowdStrike gets deployed to their Mac. The profile I created for CrowdStrike configures the Content Filter settings, Notifications, PPPC, and System Extensions along with Managed Login Items. On my own test Mac, I have only seen this alert pop up once. I have uninstalled CrowdStrike and either allowed it to reinstall at check-in or run the command to run the policy in Terminal. Most of the time, I don't see the alert. I'm wondering what I may have done wrong. This security feature in macOS debuted with macOS Ventura. I did not have to deal with this until now since I was working in other areas of Jamf Pro for the last several months. Allowing login items is still new to me. I would appreciate some help on this. I checked the other apps we are deploying that include login items. The profiles we made for those apps match what I did for CrowdStrike. I'm confused. It's the only thing keeping me from being able to deploy CrowdStrike companywide. We want this deployment to be completely silent.
Posted on 06-08-2023 08:31 AM
Not sure how much this helps or if it's what you're looking for, but I used the profile posted by @scottb on the thread here to completely turn off the whole Managed Login Items warnings for Ventura Macs. I get why Apple wants to add these things to the OS, but frankly, the amount of warnings, pop-ups and other stuff that Apple has been adding the last 4 or so years to the OS is getting to the point of being a nuisance rather than a help.
Posted on 06-08-2023 08:55 AM
I agree about it being a nuisance. As a Mac user personally, I have no issues with seeing alerts about login items, apps wanting access to my camera, documents and desktop folders, etc., but these features have been a HUGE pain for Apple admins. Apple could have at least made it easier for us to manage rather than do all of this one by one.
Posted on 06-08-2023 08:59 AM
The nice thing about this setup is that you can just add new team IDs or whatever you choose and update the profile. While I too understand Apple's wisdom here, it's truly more of a pita than a help.
Posted on 06-08-2023 10:47 AM
I just started with a new company and I have been given the job of running things in Jamf Pro. My first approach was to not put everything into a single profile. I learned a few years ago not to do that. One good reason for this is that if there are issues with one payload, we can make modifications to it, push out the changed profile but leave all of the other things alone. Right now, the CrowdStrike profile is whitelisting system extensions, setting content filtering, PPPC for the CrowdStrike Falcon agent, and also allowing the managed login items. I stopped loading everything into a single profile years ago. I don't want to be like a rogue planet passing through the solar system disrupting things so I'm going to make changes slowly until I have it all working right.
Posted on 06-08-2023 10:58 AM
Definitely a good approach. Despite this being the common-sense, granular way to do it (and the way Apple recommends it), I still see some admins out there trying to lump a bunch of unrelated payloads into one or a few profiles. I think it's a psychological thing. Maybe they feel uneasy about seeing dozens of profiles installed under the Profiles preference pane, but the truth is, the OS has no issue with having a lot of them installed, as long as there are no overlapping competing settings anyway. I'm not sure what the upper limit is to how many installed profiles macOS can handle before it runs into problems, but I think it's pretty high.
Posted on 06-08-2023 11:01 AM
Agree.
This profile only does ONE thing, but it covers many apps. And even if you stopped using a software title that's been added, it won't hurt anything.
So, I too have gotten used to lots of Profiles for my setups. More specific = less chance of them stepping on each other and having a nightmare when trying to troubleshoot.
One Profile for whitelisting all the "login items" for me means I have ONE place to look for issues, should they arise.
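
The single-purpose login items profile discussed in this thread, as an added example that is not code from any poster: a Python script that generates a standalone profile containing only Apple's Managed Login Items payload (`com.apple.servicemanagement`) with one `TeamIdentifier` rule per vendor. The `com.example` identifiers, vendor names and Team IDs are constructed placeholders, and deriving the payload UUIDs from the identifier (so a regenerated profile keeps the same identity) is a choice made for this example.

```python
import plistlib
import re
import uuid

# Apple Developer Team IDs are 10 uppercase alphanumeric characters.
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")
# Hypothetical reverse-DNS prefix for this example's payload identifiers.
ORG_PREFIX = "com.example.mdm.loginitems"


def stable_uuid(name):
    """Derive a UUID from the identifier so regenerating keeps the same value."""
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, name)).upper()


def build_login_items_profile(vendors):
    """Return mobileconfig bytes; vendors maps a vendor name to its Team ID."""
    rules = []
    for name, team_id in sorted(vendors.items()):
        # Reject typos early: a malformed Team ID would silently match nothing.
        if not TEAM_ID_RE.match(team_id):
            raise ValueError(f"{name}: {team_id!r} is not a valid Team ID")
        rules.append({"RuleType": "TeamIdentifier",
                      "RuleValue": team_id,
                      "Comment": name})
    payload = {
        "PayloadType": "com.apple.servicemanagement",
        "PayloadIdentifier": ORG_PREFIX + ".rules",
        "PayloadUUID": stable_uuid(ORG_PREFIX + ".rules"),
        "PayloadVersion": 1,
        "Rules": rules,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Managed Login Items",
        "PayloadIdentifier": ORG_PREFIX,
        "PayloadUUID": stable_uuid(ORG_PREFIX),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": [payload],  # one payload only, nothing else bundled
    }
    return plistlib.dumps(profile, sort_keys=False)


if __name__ == "__main__":
    # Constructed placeholder Team IDs; substitute each vendor's real one.
    sample = {"Vendor A": "ABCDE12345", "Vendor B": "Z9Y8X7W6V5"}
    print(build_login_items_profile(sample).decode())
```

A `TeamIdentifier` rule covers every login item signed by that vendor, so each Team ID added to the list should be checked against the vendor's documentation before the profile is updated.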