Posted on 10-16-2019 11:51 AM
Posted on 10-16-2019 12:48 PM
We don't use Crowdstrike so can't specifically help with that, but if you haven't already seen Jamf's PPPC-Utility, it can assist you in building the profile if you know which binary to grant access to.
Posted on 10-16-2019 01:26 PM
You should be able to contact your support engineer, as they have a Crowdstrike & JAMF integration document they can provide.
Posted on 10-16-2019 04:40 PM
Here is mine, which seems to be working so far; please test though.
Posted on 10-17-2019 09:18 AM
@tlarkin Thanks for sharing the mobileconfig file. Mine is almost the same, but I noticed that yours says com.company.sensor.payload identifier ID (line13). Mine only has payload identifier ID (see below). Do I need to add it? Also, did you see falcond in Security & Privacy > Privacy > Full Disk Access? I don't see it listed on mine.
<key>PayloadIdentifier</key> <string>EAB58228-70E2-424C-934A-C5CB9E95C708</string>
Posted on 10-17-2019 10:29 AM
You cannot trust the GUI; you need to search for an MDM Override file in /Library/Application Support/com.apple.TCC
plutil -p MDMOverrides.plist
{
"/Library/CS/falcond" => {
"kTCCServiceSystemPolicyAllFiles" => {
"Allowed" => 1
"CodeRequirement" => "identifier falcond and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446"
"CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 35365034 34360000 }
"Identifier" => "/Library/CS/falcond"
"IdentifierType" => "path"
"StaticCode" => 0
}
}
Posted on 10-17-2019 11:57 AM
I'm struggling with this one too. I can't seem to get the full disk access to work. I've tried using the PPPC utility and I must be missing something.
Posted on 10-17-2019 12:45 PM
@robert.guzman This is a common confusion point. Your only methods to verify what's installed/controlled via MDM-deployed configuration profiles are to look at the Profiles pane in System Preferences for the payloads pushed down, or to look at the MDMOverrides.plist with the following command:
/usr/libexec/PlistBuddy -c "print" "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
FYI, Terminal needs Full Disk Access/SystemPolicyAllFiles to read that file; otherwise you get the message Error Reading File: /Library/Application Support/com.apple.TCC/MDMOverrides.plist.
So basically it's a chicken-or-the-egg scenario: you need TCC access granted to read MDM TCC applied settings. Fun times.
What's displayed in System Preferences > Security & Privacy > Privacy are only the decisions end users made with prompts presented to them, not settings pushed via Profiles. It's essentially displaying the values that are stored in the TCC databases, which can be found at /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db
Posted on 10-17-2019 01:03 PM
So, this is 100% confusing and I had to confirm some of this stuff with an actual Crowdstrike employee on Slack. The actual TCC.db is for Apple internal use only, and you are not guaranteed anything from it at all. I have two systems right now where one displays the TCC settings for falcond in the TCC.db properly, and on the other system it doesn't show up at all.
If you properly deploy the profile you will see the setting in the MDMOverrides.plist file mentioned above. You then should also see very few deny messages in Console.app. Just open up Console.app and search for falcond deny and you will still see some denies, probably around /private/var/folders, and this is expected. Apple does not actually grant full disk access when you enable full disk access; certain parts are still fully denied on disk. Your deny messages should go way down if properly enabled.
Yes, this is lame; yes, CS should have better documentation; but in my testing the profile I linked above is working for us so far. Open up tickets with CS and request better docs and profile examples moving forward.
Posted on 10-17-2019 01:07 PM
@robert.guzman The payload identifier isn't a required/unique field, I don't think; you can put in acme company or the like if you wish.
I am pretty sure this dictionary item here isn't even required for a profile payload to work, so you can fill out whatever you want here:
<dict>
<key>PayloadDescription</key>
<string>Allows CrowdStrike Falcon Sensor disk access</string>
<key>PayloadDisplayName</key>
<string>CrowdStrike Sensor Access</string>
<key>PayloadIdentifier</key>
<string>com.company.sensor.A3B7521C-EEA7-11E9-A8DF-ACDE48001122</string>
<key>PayloadOrganization</key>
<string>Your Company</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>A3B7521C-EEA7-11E9-A8DF-ACDE48001122</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
Posted on 11-01-2019 09:00 AM
Thank you @tlarkin for your work on this. Your Mobileconfig script worked as is.
Posted on 11-01-2019 03:18 PM
Glad it worked for you. I had to hack at it myself, since TCC/PPPC is really not very clear and Apple is using ambiguous terminology. Like when Apple states it needs the identifier for an app to be approved, I assume bundle-id, but in fact identifier in this scenario can just be a file path. I don't expect many people to fully understand the ins and outs of TCC/PPPC, and in fact I typically remove it from memory every time I have to deal with it.
Posted on 11-19-2019 12:30 PM
Sorry for the late responses guys, but I was able to utilize the PPPC utility successfully. It was pretty simple too: "Full Disk access" just equals "All files" in the utility. I just pointed it to falcond, allowed all files access and created the xml. Thanks for everyone's responses on this.
Posted on 12-03-2019 01:56 PM
@Roan How did you get it to take the falconctl and falcond executables? The PPPC utility won't take it.
Posted on 12-04-2019 11:43 AM
@Roan We're running into an issue where we get everything set up in PPPC properly but the permissions do not show up in System Preferences. Did you have to do anything afterwards?
Posted on 12-04-2019 01:48 PM
Having the same issue as @danielgrm, PPPC Utility (v1.1.2) won't ingest falcond.
Posted on 12-10-2019 11:50 AM
Hi @tlarkin, in your script https://gist.github.com/t-lark/7fa2896a0dd9135025fc2c309599b907 there is a line that says <string>com.company.sensor.A3B7521C-EEA7-11E9-A8DF-ACDE48001122</string>. Is that number different between companies?
Posted on 12-11-2019 08:53 PM
@peterdao_expanse I don't believe that key is required, as I posted a scrubbed config profile to GitHub. You can probably remove a lot of those keys that are descriptive. The only thing you need to accomplish is to tell macOS to give the file path of falcond full disk access, and then verify that it returns FDA via that MDMOverrides file.
Posted on 12-19-2019 04:58 AM
@tyra.robertson @danielgrm I figured out how to get falcond to be recognized in PPPC Utility. The default permissions on the falcond file are -rwx------. I had to change them to -rwx---r--, and then PPPC Utility would allow me to add it and create a profile with All Files > Allow set.
Posted on 12-19-2019 09:45 PM
See attached screenshot to do it via MDM payload.
Posted on 01-14-2020 04:18 PM
We have CS installed but no PPPC/config file for the above; we only have KEXT enabled per the original documentation.
Curiously, what is the need for the whitelisting?
Admittedly ours is used for monitoring purposes now as we move away from another AV app, but I assume once the AV portion of CS is enabled for our environment we would need to whitelist the app?
Posted on 01-14-2020 04:23 PM
You should open a ticket with CS and ask them to explain it to you, but the TL;DR version is that in Catalina the new TCC/PPPC controls now require that falcond have full disk access to operate.
Posted on 01-14-2020 04:26 PM
I just saw their new doc, updated Oct 2019 :(
I'll just add this to my workflow!
Posted on 01-23-2020 09:15 AM
AVmcclint This was what I was trying to accomplish. It adds the app when going to look at system preferences, however, it isn't checked.
Posted on 01-23-2020 10:24 AM
I get the same issue, albeit I allowed another option or two just to be extra safe.
That's what I get, but SSHD is auto-checked for me, so I'm not sure why that is vs the rest of my PPPC.
And to be frank, ONLY SSHD is auto-checked; the rest are just entries there with no check mark.
Posted on 02-07-2020 01:58 AM
plutil -p "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
{
"/Library/CS/falcond" => {
"kTCCServiceSystemPolicyAllFiles" => {
"Allowed" => 1
"CodeRequirement" => "identifier falcond and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446"
"CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 35365034 34360000 }
"Identifier" => "/Library/CS/falcond"
"IdentifierType" => "path"
"StaticCode" => 0
}
}
Posted on 02-13-2020 08:15 AM
After each Catalina version update, it looks like CrowdStrike asks for authorization to run even though the Kext & Full Disk Access are granted via Jamf.
Posted on 04-27-2020 04:32 PM
I thought I had everything worked out and my Config Profile looks correct in Profiles pref pane. However, I don't see falcond listed in Full Disk Access section of Security & Privacy pref pane. Not listed at all, checkmark or no. Very curious.
I'm starting to think that when FDA is given via a config profile that there's no indication shown in Security & Privacy. Is that right?
Posted on 04-27-2020 09:44 PM
I finally pieced it together. You need to use the following command:
plutil -p "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
In the output you need to find a section for falcond:
{
"/Library/CS/falcond" => {
"kTCCServiceSystemPolicyAllFiles" => {
"Allowed" => 1
"CodeRequirement" => "identifier falcond and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446"
"CodeRequirementData" => <fade0c00 00000094 00000001 00000006 00000006 00000006 00000006 00000002 00000007 66616c63 6f6e6400 0000000f 0000000e 00000001 0000000a 2a864886 f7636406 02060000 00000000 0000000e 00000000 0000000a 2a864886 f7636406 010d0000 00000000 0000000b 00000000 0000000a 7375626a 6563742e 4f550000 00000001 0000000a 58394539 35365034 34360000>
"Identifier" => "/Library/CS/falcond"
"IdentifierType" => "path"
"StaticCode" => 0
}
}
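An added example, not from this thread or from CrowdStrike/Jamf, of the MDMOverrides.plist check described in this post and in the earlier PlistBuddy post: it parses the plist with Python's plistlib, reports whether a given identifier has a Full Disk Access override, and treats the "Terminal needs FDA to read the file" failure mentioned in the thread as its own state. The sample plist is constructed from the plutil output shown above (CodeRequirement shortened, CodeRequirementData omitted); the file path and service name are the ones the thread names, and the "missing file means no payload applied" mapping is an assumption.

```python
import plistlib

# Path of the MDM-applied TCC overrides on macOS, as named in the thread.
MDM_OVERRIDES = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"  # "Full Disk Access" in the Privacy pane

# Constructed sample mirroring the plutil output in the thread (not a real capture).
SAMPLE_OVERRIDES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>/Library/CS/falcond</key>
  <dict>
    <key>kTCCServiceSystemPolicyAllFiles</key>
    <dict>
      <key>Allowed</key><integer>1</integer>
      <key>CodeRequirement</key>
      <string>identifier falcond and anchor apple generic and certificate leaf[subject.OU] = X9E956P446</string>
      <key>Identifier</key><string>/Library/CS/falcond</string>
      <key>IdentifierType</key><string>path</string>
      <key>StaticCode</key><integer>0</integer>
    </dict>
  </dict>
</dict>
</plist>
"""

def parse_overrides(data: bytes) -> dict:
    """Parse MDMOverrides.plist content (XML or binary plist) into a dict."""
    return plistlib.loads(data)

def fda_state(overrides: dict, identifier: str) -> str:
    """Return 'allowed', 'denied' or 'absent' for the FDA override keyed by identifier."""
    entry = overrides.get(identifier, {}).get(FDA_SERVICE)
    if entry is None:
        return "absent"  # MDM never pushed a TCC payload for this identifier
    return "allowed" if entry.get("Allowed") == 1 else "denied"

def check_fda(identifier: str, path: str = MDM_OVERRIDES) -> str:
    """Read the overrides file; 'unreadable' when the caller itself lacks FDA."""
    try:
        with open(path, "rb") as fh:
            overrides = plistlib.load(fh)
    except PermissionError:
        return "unreadable"  # the chicken-and-egg case: the reader needs FDA too
    except FileNotFoundError:
        return "absent"  # assumption: no file means no MDM TCC payload was applied
    return fda_state(overrides, identifier)
```

Run check_fda("/Library/CS/falcond") from a Jamf policy or extension attribute context that already has Full Disk Access; "unreadable" means the result is unknown, not that the grant is missing.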
Posted on 06-01-2020 03:37 PM
So I've uploaded the pkg to JAMF, it gets installed on my test vm and I can see all the contents within /Library/CS/falcond. I've applied a simple script for the license and created the PPPC that CS documentation calls for, however, the client won't run and I can't see it on Activity Monitor.
Am I missing something?
Posted on 06-01-2020 09:52 PM
@jeanviales do you have the kernel extension approved? CrowdStrike would be able to run even without the PPPC policy (that's only needed for the agent to be able to read data in certain places), but it wouldn't keep the agent from running. Not having the kernel extension loaded would keep it from running.
Posted on 06-02-2020 09:19 AM
Hi @patgmac ,
I set the kernel extension and entered the following attributes for it:
Isn't this the way it is supposed to go?
I ran the kextstat | grep crowd command and it returns com.crowdstrike.sensor, which according to CS means that the sensor is approved, but I can't see it.
Posted on 06-02-2020 09:22 AM
@patgmac So I literally just accessed the CS admin portal and went to see the dashboard, and somehow my vm is showing there even though I can't see the falcond process running within the vm.
Posted on 11-17-2020 10:45 AM
Anyone know the folder location for Big Sur or Catalina? I don't see it under /Library/CS
Posted on 11-17-2020 10:55 AM
It is built into the Application:
/Applications/Falcon.app/Contents/Resources/falconctl
Posted on 11-24-2020 10:46 AM
Did it change locations? Used to be under /Library/CS
Posted on 11-24-2020 10:47 AM
@mismith223 yes, it changed because Big Sur needs things to be in Applications.
Posted on 11-24-2020 11:01 AM
@patgmac Thanks. Scared the crap out of me. I have a smart group that shows devices that don't have CS and they all popped up showing I didn't have AV on them.
Posted on 12-01-2020 06:15 PM
CrowdStrike with Big Sur -> https://www.jamf.com/jamf-nation/discussions/37488/crowdstrike-configuration-profile-bigsur