CrowdStrike system extension updates keep prompting to be allowed

AVmcclint
Honored Contributor

I have built a config profile exactly to CrowdStrike's specifications to preapprove the CrowdStrike system extension, but I still see prompts every now and then on the computers to allow it because the system extension was updated. I am pretty sure the updates are being pushed by the CrowdStrike server, but why would we need to re-allow the system extension every time it is updated? Shouldn't the config profile take care of this no matter how many times it was updated? Is there a setting in the config profile I may be missing?

4 REPLIES

L-plateAdmin
Contributor

We are seeing this with a pretty updated agent (6.31) and older MacBooks like the 2015 in our place; not seeing it pop up with T2 devices.

mm2270
Legendary Contributor III

I'm also seeing this, and it's quite annoying. I mean, I get that updates are pushed from the CS server, but with an existing profile in place to allow the System Extension, we shouldn't be getting re-prompted for allowance. It's still the same Team Identifier, still the same System Extension as what is already defined in the profile. The underlying code may have been updated, but it's still the same System Extension.

OU812
New Contributor

I was seeing this also but resolved the issue by using the M1 profile (without the KEXT) on the later OSes (Monterey actually), regardless of whether they are Intel or M1. Seems later OSes just don't like that KEXT being there in the profile.

I still have the issue though of the Full Disk Access not ticking in system prefs, although I've run false positive malware tests and CS seems to work across all directories, so maybe it does and just doesn't tick in the GUI.

Anyway, hope this helps.
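
To see which of the payloads discussed above a given profile actually carries, here is an added example (not part of the thread and not CrowdStrike's or Jamf's own code) that parses an unsigned .mobileconfig and reports whether the system extension is preapproved and whether a kernel extension payload is also present. The payload types and key names are Apple's; the team identifier, bundle identifier and sample profiles are constructed placeholders.

```python
import plistlib

SYSEXT_TYPE = "com.apple.system-extension-policy"
KEXT_TYPE = "com.apple.syspolicy.kernel-extension-policy"

# Placeholders: substitute the values from the vendor's deployment guide.
TEAM_ID = "EXAMPLETEAM"
BUNDLE_ID = "com.example.vendor.sysext"


def audit_profile(data: bytes, team_id: str, bundle_id: str) -> dict:
    """Report how an unsigned .mobileconfig treats one system extension."""
    profile = plistlib.loads(data)  # a signed profile must be unwrapped first
    result = {"sysext_allowed": False, "team_allowed": False, "kext_payload": False}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == KEXT_TYPE:
            # The legacy KEXT payload the thread suggests leaving out on newer macOS.
            result["kext_payload"] = True
        elif ptype == SYSEXT_TYPE:
            allowed = payload.get("AllowedSystemExtensions", {})
            if bundle_id in allowed.get(team_id, []):
                result["sysext_allowed"] = True
            if team_id in payload.get("AllowedTeamIdentifiers", []):
                result["team_allowed"] = True
    return result


def build_sample(include_kext: bool) -> bytes:
    """Construct a minimal sample profile (not a real vendor profile)."""
    content = [{
        "PayloadType": SYSEXT_TYPE,
        "AllowedSystemExtensions": {TEAM_ID: [BUNDLE_ID]},
    }]
    if include_kext:
        content.append({"PayloadType": KEXT_TYPE,
                        "AllowedTeamIdentifiers": [TEAM_ID]})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": content})


if __name__ == "__main__":
    for label, kext in (("with KEXT payload", True), ("without KEXT payload", False)):
        print(label, audit_profile(build_sample(kext), TEAM_ID, BUNDLE_ID))
```
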

donmontalvo
Esteemed Contributor II

We are seeing the System Extension being blocked as well, despite following their deployment documentation information on how to configure the payloads. Users should not have to allow the System Extension. Hope to get a response with an answer.

--
https://donmontalvo.com