Question

Crowdstrike TCC.xml for PPPC

  • October 16, 2019
  • 38 replies
  • 299 views


  • Contributor
  • February 13, 2020

After each Catalina version update, it looks like CrowdStrike is asking for authorization to run even though the kext & Full Disk Access were granted via Jamf.


stephanpeterson

I thought I had everything worked out and my Config Profile looks correct in Profiles pref pane. However, I don't see falcond listed in Full Disk Access section of Security & Privacy pref pane. Not listed at all, checkmark or no. Very curious.

I'm starting to think that when FDA is given via a config profile that there's no indication shown in Security & Privacy. Is that right?


stephanpeterson

I finally pieced it together. You need to use the following command:

plutil -p "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"

In the output you need to find a section for falcond:

    {
      "/Library/CS/falcond" => {
        "kTCCServiceSystemPolicyAllFiles" => {
          "Allowed" => 1
          "CodeRequirement" => "identifier falcond and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446"
          "CodeRequirementData" => <fade0c00 00000094 00000001 00000006 00000006 00000006 00000006 00000002 00000007 66616c63 6f6e6400 0000000f 0000000e 00000001 0000000a 2a864886 f7636406 02060000 00000000 0000000e 00000000 0000000a 2a864886 f7636406 010d0000 00000000 0000000b 00000000 0000000a 7375626a 6563742e 4f550000 00000001 0000000a 58394539 35365034 34360000>
          "Identifier" => "/Library/CS/falcond"
          "IdentifierType" => "path"
          "StaticCode" => 0
        }
      }
    }
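The check above can be scripted so a Jamf extension attribute or a quick audit reports whether a given identifier actually has a Full Disk Access override and whether the stored CodeRequirement still matches what the vendor ships (if the binary no longer satisfies that requirement, TCC will not honor the grant even though the profile shows as installed). The following is an added example, not code from the thread, from Jamf or from CrowdStrike. On a real Mac you would feed it the bytes of /Library/Application Support/com.apple.TCC/MDMOverrides.plist (read as root); here a constructed XML plist containing the falcond entry from the post above, plus a hypothetical denied entry, is embedded so it runs offline.

```python
"""Audit Full Disk Access grants in an MDMOverrides.plist.

Added example (not from the Jamf Nation thread or CrowdStrike). The sample
plist below is constructed for illustration; com.example.denied is a
hypothetical identifier.
"""
import plistlib

FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"

# Designated requirement quoted in the thread for /Library/CS/falcond.
FALCOND_REQUIREMENT = (
    "identifier falcond and anchor apple generic and "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = X9E956P446"
)

# Constructed sample: the XML equivalent of the plutil -p output shown in the
# thread, plus a hypothetical second entry whose grant is explicitly denied.
SAMPLE_PLIST = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>/Library/CS/falcond</key>
  <dict>
    <key>{FDA_SERVICE}</key>
    <dict>
      <key>Allowed</key><integer>1</integer>
      <key>CodeRequirement</key><string>{FALCOND_REQUIREMENT}</string>
      <key>Identifier</key><string>/Library/CS/falcond</string>
      <key>IdentifierType</key><string>path</string>
      <key>StaticCode</key><integer>0</integer>
    </dict>
  </dict>
  <key>com.example.denied</key>
  <dict>
    <key>{FDA_SERVICE}</key>
    <dict>
      <key>Allowed</key><integer>0</integer>
      <key>CodeRequirement</key><string>identifier "com.example.denied" and anchor apple generic</string>
      <key>Identifier</key><string>com.example.denied</string>
      <key>IdentifierType</key><string>bundleID</string>
      <key>StaticCode</key><integer>0</integer>
    </dict>
  </dict>
</dict>
</plist>
""".encode()


def fda_overrides(plist_bytes):
    """Return {identifier: {allowed, identifier_type, code_requirement}} for
    every entry that carries a Full Disk Access override. plistlib accepts
    both the XML form used here and the binary form macOS writes."""
    data = plistlib.loads(plist_bytes)
    result = {}
    for ident, services in data.items():
        entry = services.get(FDA_SERVICE)
        if entry is None:
            continue
        result[ident] = {
            "allowed": bool(entry.get("Allowed", 0)),
            "identifier_type": entry.get("IdentifierType"),
            "code_requirement": entry.get("CodeRequirement", ""),
        }
    return result


def check_fda(plist_bytes, identifier, expected_requirement):
    """Classify the FDA override for one identifier.

    'absent'               - no override for that identifier at all
    'requirement-mismatch' - override exists but its CodeRequirement differs
                             from what the vendor's current binary satisfies
    'denied' / 'granted'   - override present and Allowed is 0 / 1
    """
    entry = fda_overrides(plist_bytes).get(identifier)
    if entry is None:
        return "absent"
    if entry["code_requirement"] != expected_requirement:
        return "requirement-mismatch"
    return "granted" if entry["allowed"] else "denied"


if __name__ == "__main__":
    for ident, info in fda_overrides(SAMPLE_PLIST).items():
        print(f"{ident}: allowed={info['allowed']} type={info['identifier_type']}")
    print(check_fda(SAMPLE_PLIST, "/Library/CS/falcond", FALCOND_REQUIREMENT))
```

Note that the override is keyed on the Identifier string, so when the sensor moved from /Library/CS to /Applications/Falcon.app the old path entry still shows as "granted" in the plist while the running binary gets nothing; comparing the identifier and CodeRequirement against the vendor's current PPPC documentation is the check that catches that.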

  • New Contributor
  • June 1, 2020

So I've uploaded the pkg to JAMF; it gets installed on my test VM and I can see all the contents within /Library/CS/falcond. I've applied a simple script for the license and created the PPPC that CS documentation calls for; however, the client won't run and I can't see it in Activity Monitor.

Am I missing something?


  • New Contributor
  • June 2, 2020

@jeanviales do you have the kernel extension approved? CrowdStrike would be able to run even without the PPPC policy (that's only needed for the agent to be able to read data in certain places), but it wouldn't keep the agent from running. Not having the kernel extension loaded would keep it from running.


  • New Contributor
  • June 2, 2020

Hi @patgmac ,

I set the kernel extension and entered the following attributes for it:

Isn't this the way it is supposed to go?

I ran the kextstat | grep crowd command and it returns com.crowdstrike.sensor, which according to CS means that the sensor is approved, but I can't see it.


  • New Contributor
  • June 2, 2020

@patgmac So I literally just accessed the CS admin portal and went to see the dashboard, and somehow my VM is showing there even though I can't see the falcond process running within the VM.


  • Contributor
  • November 17, 2020

Anyone know the folder location for Big Sur or Catalina? I don't see it under /Library/CS


  • Contributor
  • November 17, 2020

It is built into the Application:
/Applications/Falcon.app/Contents/Resources/falconctl


mykool
  • Contributor
  • November 24, 2020

Did it change locations? Used to be under /Library/CS


  • New Contributor
  • November 24, 2020

@mismith223 yes, it changed because Big Sur needs things to be in Applications.


mykool
  • Contributor
  • November 24, 2020

@patgmac Thanks. Scared the crap out of me. I have a smart group that shows devices that don't have CS and they all popped up showing I didn't have AV on them.


  • Contributor
  • December 2, 2020

CrowdStrike with Big Sur -> https://www.jamf.com/jamf-nation/discussions/37488/crowdstrike-configuration-profile-bigsur