Crowdstrike TCC.xml for PPPC

Roan
New Contributor

Anyone have to create a TCC.xml for crowdstrike yet? Looking for some assistance as I am having some troubles getting the proper informaiton needed to build it out.

38 REPLIES 38

iJake
Valued Contributor

We don't use Crowdstrike so can't specifically help with that but if you haven't already seen jamf's PPPC-Utility it can assist you in build the profile if you know which binary to grant access.

https://github.com/jamf/PPPC-Utility

andrew_nicholas
Valued Contributor

You should be able to contact your support engineer as they have a Crowdstrike&JAMF integration document they can provide.

tlarkin
Honored Contributor

here is mine which seems to be working so far, please test though

robert_guzman
New Contributor

@tlarkin Thanks for sharing the mobileconfig file, mine is almost the same but I noticed that yours says com.company.sensor.payload identifier ID (line13). Mine only has payload identifier ID (see below), Do I need to add it? Also, did you see falcond in Security&Privacy>Privacy>Full Disk Access? I don't see it listed on mine.
9edd27d5ef2746bbafb5b74100906955

<key>PayloadIdentifier</key> <string>EAB58228-70E2-424C-934A-C5CB9E95C708</string>

tlarkin
Honored Contributor

You cannot trust the GUI, you need to search for an MDM Override file in /Library/Application Support/com.apple.TCC

plutil -p MDMOverrides.plist
{
  "/Library/CS/falcond" => {
    "kTCCServiceSystemPolicyAllFiles" => {
      "Allowed" => 1
      "CodeRequirement" => "identifier falcond and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446"
      "CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 35365034 34360000 }
      "Identifier" => "/Library/CS/falcond"
      "IdentifierType" => "path"
      "StaticCode" => 0
    }
  }

LovelessinSEA
Contributor II

I'm struggling with this one too. I can't seem to get the full disk access to work. I've tried using the PPPC utility and I must be missing something.

mike_paul
Contributor III

@robert.guzman This is a common confusion point. Your only methods to verify whats installed/controlled via mdm deployed configuration profiles is to look at the Profiles pane in System Preferences for the payloads pushed down or look at the MDMOverrides.plist with the following command:

/usr/libexec/PlistBuddy -c "print" /Library/Application Support/com.apple.TCC/MDMOverrides.plist

FYI, Terminal needs Full Disk Access/SystemPolicyAllFiles to read that file otherwise you get the message Error Reading File: /Library/Application Support/com.apple.TCC/MDMOverrides.plist. So basically it's a chicken or the egg scenario, you need TCC access granted to read MDM TCC applied settings. Fun times.

Whats displayed in System Preferences > Security & Privacy > Privacy are only the decisions end users made with prompts presented to them and not settings pushed via Profiles. Its essentially displaying the values that are stored in the TCC databases that can be found at /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db

tlarkin
Honored Contributor

So, this is 100% confusing and I had to confirm some of this stuff with an actual Crowdstrike employee on Slack. The actual TCC.db is for Apple Internal use only, and you are not guaranteed anything from it at all. I have two systems right now where one displays the TCC settings for falcond in the TCC.db properly, and the other system it doesn't show up at all.

If you properly deploy the profile you will see the setting in the MDMOverrides.plist file mentioned above. You then should also see very few deny messages in Console.app. Just open up Console.app and search for falcond deny and you will still see some denies, probably around the /prviate/var/folders, and this is expected. Apple does not actually grant full disk access when you enable full disk access, certain parts are still fully denied on disk. Your deny messages should go way down if properly enabled.

Yes, this is lame, yes CS should have better documentation, but in my testing the profile I linked above is working for us so far. Open up tickets with CS and request better docs and profile examples moving forward.

tlarkin
Honored Contributor

@robert.guzman the payload identifier isn't a required/unique field I don't think, you can put in acme company or the like if you wish.

I am pretty sure this dictionary item here isn't even required for a profile payload to work, so you can fill out whatever you want here:

        <dict>
            <key>PayloadDescription</key>
            <string>Allows CrowdStrike Falcon Sensor disk access</string>
            <key>PayloadDisplayName</key>
            <string>CrowdStrike Sensor Access</string>
            <key>PayloadIdentifier</key>
            <string>com.company.sensor.A3B7521C-EEA7-11E9-A8DF-ACDE48001122</string>
            <key>PayloadOrganization</key>
            <string>Your Company</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>A3B7521C-EEA7-11E9-A8DF-ACDE48001122</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>

77Baron
New Contributor II

Thank you @tlarkin for your work on this. Your Mobileconfig script worked as is.

tlarkin
Honored Contributor

Glad it worked for you, I had to hack at it myself since TCC/PPPC is really not very clear and Apple is using ambiguous terminology. Like when Apple states it needs the identifier for an app to be approved, I assume bundle-id but in fact identifier in this scenario can just be a file path. I don't expect many people to fully understand the ins and outs of TCC/PPPC, and in fact I typically remove it from memory every time I have to deal with it.

Roan
New Contributor

Sorry for the late responses guys, but I was able to utilize the PPPC utility successfully. It was pretty simple too, "Full Disk access" just equals "All files" in the utility. I just pointed it to falcond, allowed all files access and created the xml. Thanks for eveyones responses on this.

danielgrm
New Contributor III

@Roan How did you get it to take the falconctl and falcond executables? The PPPC utility won't take it.

ng113
New Contributor

@Roan We're running into an issue where we get everything setup in PPPC properly but the permissions do not show up in systems preferences. Did you have to do anything afterwards?

tyra_robertson
New Contributor II

Having the same issue as @danielgrm, PPPC Utility (v1.1.2) won't ingest falcond.

peterdao_panw
New Contributor

Hi @tlarkin in your script https://gist.github.com/t-lark/7fa2896a0dd9135025fc2c309599b907
The line that says <string>com.company.sensor.A3B7521C-EEA7-11E9-A8DF-ACDE48001122</string>
Is that number different with companies?

tlarkin
Honored Contributor

@peterdao_expanse I don't believe that key is required, as I posted a scrubbed config profile to GitHub. You can probably remove a lot of those keys that are descriptive. The only thing you need to accomplish is to tell macOS to give a folder path of falcond full disk access, and then verify that is returns FDA via that MDMOverrides file

AVmcclint
Valued Contributor III

@tyra.robertson @danielgrm I figured out how to get the falcond to be recognized in PPPC Utility. The default permissions on the falcond file is -rwx------ I had to change it to -rwx---r-- and then PPPC Utility would allow me to add it and create a profile with All Files > Allow set

5d9bb1379c414b5684dead3f5e0cad35

tlarkin
Honored Contributor

See attached screen shot to do it via MDM payload

7d12ff1ec6474a6398224858e9c641e2

beeboo
Contributor

we have CS installed but no PPPC/config file for the above, we only have KEXT enabled per the original documentation.

curiously, what is the need for the whitelisting?

Admittedly ours is used for monitoring purposes now as we move away from another AV app, but I assume once the AV portion of CS is enabled for our environment we would need to whitelist the app?

tlarkin
Honored Contributor

You should open a ticket with CS and ask them to explain it to you, but the TL;DR version is that in Catalina new TCC/PPPC controls now require that falcond have full disk access to operate

beeboo
Contributor

i just saw their new doc, updated oct 2019 😞

ill just add this to my workflow!

mykool
New Contributor III

AVmcclint This was what I was trying to accomplish. It adds the app when going to look at system preferences, however, it isn't checked.

beeboo
Contributor

i get the same issue, albeit i allowed another option or two just to be extra safe.

30410c8b1714449d8e0f1c1a2efc0f31

Thats what i get, but SSHD is auto checked for me, so im not sure why that is vs the rest of my PPPC.
and to be frank, ONLY SSHD is auto checked, the rest are just entries there with no check mark.

bitbankinforsys
New Contributor

plutil -p /Library/Application Support/com.apple.TCC/MDMOverrides.plist

{ "/Library/CS/falcond" => { "kTCCServiceSystemPolicyAllFiles" => { "Allowed" => 1 "CodeRequirement" => "identifier falcond and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = X9E956P446" "CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 35365034 34360000 } "Identifier" => "/Library/CS/falcond" "IdentifierType" => "path" "StaticCode" => 0 }

fsurucu
New Contributor III

After each Catalina version updates, it looks like CrowdStrike asking authorization to run even though Kext & Full Disk access granted via Jamf

stephanpeterson
Contributor

I thought I had everything worked out and my Config Profile looks correct in Profiles pref pane. However, I don't see falcond listed in Full Disk Access section of Security & Privacy pref pane. Not listed at all, checkmark or no. Very curious.

I'm starting to think that when FDA is given via a config profile that there's no indication shown in Security & Privacy. Is that right?

stephanpeterson
Contributor

I finally pieced it together. You need to use the following command:

plutil -p /Library/Application Support/com.apple.TCC/MDMOverrides.plist

In the output you need to find a section for falcond:

    {
      "/Library/CS/falcond" => {
        "kTCCServiceSystemPolicyAllFiles" => {
          "Allowed" => 1
          "CodeRequirement" => "identifier falcond and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446"
          "CodeRequirementData" => <fade0c00 00000094 00000001 00000006 00000006 00000006 00000006 00000002 00000007 66616c63 6f6e6400 0000000f 0000000e 00000001 0000000a 2a864886 f7636406 02060000 00000000 0000000e 00000000 0000000a 2a864886 f7636406 010d0000 00000000 0000000b 00000000 0000000a 7375626a 6563742e 4f550000 00000001 0000000a 58394539 35365034 34360000>
          "Identifier" => "/Library/CS/falcond"
          "IdentifierType" => "path"
          "StaticCode" => 0
        }
      }

jeanviales
New Contributor II

So I've uploaded the pkg to JAMF, it gets installed on my test vm and I can see all the contents within /Library/CS/falcond. I've applied a simple script for the license and created the PPPC that CS documentation calls for, however, the client won't run and I can't see it on Activity Monitor.

Am I missing something?
7612da26692d4e5baa36afd8af154b5f

48d30ebaabda4935b80761230226f52b

patgmac
Contributor III

@jeanviales do you have the kernel extension approved? CrowdStrike would be able to run even without the PPPC policy (that's only needed for the agent to be able to read data in certain places), but it wouldn't keep the agent from running. Not having the kernel extension loaded would keep it from running.

jeanviales
New Contributor II

Hi @patgmac ,

I set the kernel extension and entered the following attributes for it: 1955a1ebc2a54dc1be18f46d473207a7

Isn't this the way it is supposed to go?

I ran the: kextstat | grep crowd command and it returns: com.crowdstrike.sensor which according to CS means that the sensor is approved but i cant see it.

jeanviales
New Contributor II

@patgmac So I literally just accessed CS admin portal and went to see the dashboard and somehow my vm is showing there even tho I can't see the falcond process running within the vm.

j_allenbrand
New Contributor III

Anyone know the folder location for Big Sur or Catalina? I don't see it under /Library/CS

rlandgraf
Contributor

It is built into the Application:
/Applications/Falcon.app/Contents/Resources/falconctl

mykool
New Contributor III

Did it change locations? Used to be under /Library/CS

patgmac
Contributor III

@mismith223 yes, it changed because Big Sur needs things to be in Applications.

mykool
New Contributor III

@patgmac Thanks. Scared the crap out of me. I have a smart group that shows devices that don't have CS and they all popped up showing I didn't have AV on them.

fsurucu
New Contributor III

CrowdStrike with BigSur - > https://www.jamf.com/jamf-nation/discussions/37488/crowdstrike-configuration-profile-bigsur