Crowdstrike Strikes Again

VintageMacGuy
Contributor II

Deploying Crowdstrike Falcon here via policy and manually approving them before deployment. So far they have been pretty stable as far as we can tell.

Just this week I got notice that "Falcon" was not approved in the Security System Prefs on a Mac that was not reporting in to Crowdstrike. The user unlocked the System Preference and approved it and it started reporting in again. Looking closer into the situation, we found a few dozen Macs that had Crowdstrike installed, but not reporting in to Crowdstrike. Checking into a few of these showed the same story - it was not approved and needed to be approved in the Security System Prefs. In one case I reinstalled from Self Service and it was happy again. We are not using a PPPC to set it up, but probably should - however there doesn't seem to be any great consensus on how to do it yet.

To find the Macs that were not reporting in to Crowdstrike, I had to take a report from CS of the ones that were reporting and then subtract that from our list of all Macs. I did that through some Excel magic, but would like to find a way to catch these in JAMF so I can make a smart group and target that group for a reinstall. But I don't know what to look for. The Falcon.app is already installed. I don't see anything under "Services" in JAMF that would seem to be a match. And I am stuck there - not knowing what else to look for to create a smart group that shows Macs with a broken Crowdstrike Falcon install.

Part II is trying to find out why some number of our Macs suddenly decided to 'unapprove' Falcon. I am sorting through the specs of the machines I found and no common thread yet - different OS levels, different hardware, different techs who initially set the machines up, different locations. Curious if anyone else has seen something similar.

"Save me, JAMF Nation - you're my only hope"

8 REPLIES

Tribruin
Valued Contributor II

You could create an EA that checks if Crowdstrike is checking in. Here are bunch of EAs for CS:

zoocoup/CrowdstikeEAsforJamfPro: Extension Attributes for use with Jamf Pro to retrieve information ...

Maybe use LastConnection and see if you can find the computers not checking in. 


Also, not sure what issues you are having creating profiles, but I have been pushing the profiles for Crowdstrike for a while now without issue. Crowdstrike installs silently.

That sounds interesting. I will have to read up on how to use an Extension Attribute. I found where to add the script in the Settings under Extension Attributes, but I didn't see an "Extension Attribute" under the search criteria for a smart group. How do I retrieve the data that the EA Script collects? Maybe in a custom search?

Tribruin
Valued Contributor II

Once you have created the EA, you will be able to use it for criteria in both Searches and Smart Groups. It will just be another selection alongside the regular Jamf criteria. 

Script based EAs are populated during an inventory. Unless you have changed the default, that would be daily.  So, it could take a few days for the attribute to populate. 

EAs are one of the most powerful parts of Jamf. Once you start using them, your ability to manage computers will be much better. Definitely read up on them. Also, take a look at the Training Catalog for some videos.

Thank you - I will be digging into this for sure and learning more about EAs in my sandbox environment before I break anything in production. Any gotchas I should watch out for that may affect managed Macs? Or is this mainly a way to add a custom "search for this attribute"?

Tribruin
Valued Contributor II

The biggest thing to remember is that, once you create a script EA, it runs on ALL computers (unlike a policy, which can be scoped). So make sure you test, test again, and then test one more time before you put it into production. Think about the data you are collecting and what errors might occur (in our example, what if Crowdstrike is not installed, what is the script going to report?). Make sure the scripts don't end up in some sort of loop. Otherwise, your recon will never finish.


Also, it is best practice NOT to do any sort of changes to the computer in the EA scripts. EAs should only collect data and report it back to Jamf.

Does the script get copied to the computer and will live on the computer forever?

How often does it run?

For example, if I do have a script that causes an error - will I need to pull it out of every Mac, or just delete/disable/change it in JAMF and I will be good?


Thanks for the crash course in EAs. I do appreciate learning new things!

cbrewer
Valued Contributor II

You should definitely create a profile that has the PPPC settings and approves the system extension and content filter. It'll make things much easier and more consistent. Follow this:
https://supportportal.crowdstrike.com/s/article/ka16T000000wwxpQAA 


As for checking the status, you could make an extension attribute that looks for whether or not the system extension is loaded. A basic start:

#!/bin/zsh

# List the loaded system extensions and keep only the Falcon line.
# systemextensionsctl prints the bundle ID followed by whitespace and the
# version, so "\s" here is grep's whitespace class, not an escaped letter.
result=$(systemextensionsctl list | grep -o "com\.crowdstrike\.falcon\.Agent\s.*")

# Report something searchable when the extension is not present at all,
# so the EA never comes back empty.
[[ -z "$result" ]] && result="Not Loaded"

echo "<result>$result</result>"
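The listing-based EA above reports the whole Falcon line. For a smart group it is easier to report just the extension's state, because the symptom in the original post (Falcon installed but waiting for approval in the Security pane) shows up in `systemextensionsctl list` as a state other than `[activated enabled]`. The script below is an added example, not code from the thread or from CrowdStrike; it assumes the bundle ID `com.crowdstrike.falcon.Agent` named above, that the state is the last bracketed field on the extension's line in `systemextensionsctl list` output, and uses constructed sample listings (placeholder team ID and version) to exercise the parser. The parser takes the listing as an argument so it can be tested on sample text and still handles the "not installed" case Tribruin raised.

```shell
#!/bin/bash
# Jamf extension attribute (added example): report the state of the Falcon
# system extension so a smart group can target Macs where it is installed
# but not "activated enabled" (for example, waiting for user approval).

# Constructed sample listings, not output captured from a real machine.
# Real output separates columns with tabs; the parser does not depend on that.
SAMPLE_WAITING='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
    TEAMID1234 com.crowdstrike.falcon.Agent (6.0/1) Agent [activated waiting for user]'

SAMPLE_ENABLED='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * TEAMID1234 com.crowdstrike.falcon.Agent (6.0/1) Agent [activated enabled]'

SAMPLE_MISSING='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * TEAMID5678 com.example.filter (1.0/1) Filter [activated enabled]'

# falcon_state LISTING [BUNDLE_ID]
# Prints the bracketed state for the first line mentioning BUNDLE_ID
# (default: the Falcon agent), "Not Loaded" if no line mentions it, or
# "unknown" if the line has no trailing [state] field.
falcon_state() {
    local listing="$1" bundle="${2:-com.crowdstrike.falcon.Agent}"
    local line state
    line=$(printf '%s\n' "$listing" | grep -F "$bundle" | head -n 1)
    if [ -z "$line" ]; then
        echo "Not Loaded"
        return 0
    fi
    # The state is the last [...] group on the line; strip trailing spaces.
    state=$(printf '%s\n' "$line" | sed -n 's/.*\[\([^]]*\)\][[:space:]]*$/\1/p')
    echo "${state:-unknown}"
}

# Live run on a Mac. Skipped where systemextensionsctl does not exist, so the
# parser can be exercised on sample text on another platform without error.
if command -v systemextensionsctl >/dev/null 2>&1; then
    echo "<result>$(falcon_state "$(systemextensionsctl list 2>/dev/null)")</result>"
fi
```

With this EA populated by inventory, a smart group with criteria "Falcon Extension State" is not "activated enabled" catches both the Macs stuck at "activated waiting for user" and the ones where the extension is missing entirely, which is the list the original post built by subtracting the Crowdstrike report from the Jamf inventory in Excel.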


Thanks for the link - but I don't have access to the crowdstrike portal - yet. So I am going from the kindness of strangers and coworkers who have copied the site info into a PDF for me. 


I will try your code out and see how it goes. It looks to me like it is creating a list of system extensions, then pulling out any extensions that contain "com.crowdstrike.falcon.agents.*" (I think you have a typo there where you escaped the s in Agents rather than the dot?), then putting the results into $result, where JAMF can pull it into whatever needs it (like a search). Is that about right?