Posted on 03-11-2020 01:53 PM
Hi, is there anyone on here who has created a smart group for Macs that have CrowdStrike endpoint protection installed? It doesn't install as an app, so I'm having trouble. The goal is to make a smart group to see which machines actually have it installed, since my policy says completed but in the logs it failed for some reason.
Posted on 03-11-2020 02:03 PM
We are actually looking at CS as well. I'm thinking of creating an extension attribute with a script using the command
sysctl cs
If there are no results, I would say it didn't install correctly.
Their documentation says to use that command to verify the install.
Posted on 03-11-2020 02:57 PM
Like mentioned, if you do a "sysctl cs" and get nothing, it's not installed right. I have the following EA set up to report the connection state of CS; it's either "connected" or "not connected":
#!/bin/sh
# CS Connection State
# Jamf runs extension attributes as root, so sudo is not needed here.
# Pull the value of the "State:" line from falconctl stats.
falconConnState=$(/Library/CS/falconctl stats | grep -i "State: " | awk '{print $2}')
echo "<result>$falconConnState</result>"
I think CrowdStrike may have recently moved away from installing as a kernel extension, but I'm not 100%. If not, you'll have to make a kernel extension whitelist config profile. The Team ID of CS is X9E956P446. You will also likely want to build a PPPC profile to allow full disk access to CS.
Posted on 03-11-2020 03:47 PM
So I can do that manually for one machine, but I am looking for a way to look at a view in JAMF to see if there is a way to create a filter or dashboard.
Posted on 03-11-2020 04:02 PM
So what was posted above is the code to use for an Extension Attribute within JAMF. You can then create a custom search or Smart Group based on the criteria that the Extension Attribute is pulling for you. That's how we are doing it with CrowdStrike.
Posted on 03-11-2020 04:30 PM
This is what we use: https://www.jamf.com/jamf-nation/third-party-products/files/995/crowdstrike-falcon. I then have a Smart Group set up based on the value returned by the EA.
Posted on 03-16-2020 10:18 AM
Did you edit the XML at all, since it was for an older version? I added that XML to the EA for computer management and created a smart group, but nothing shows up for any machines with CS installed.
Posted on 03-16-2020 10:25 AM
Following. We are evaluating CrowdStrike as well.
Posted on 03-16-2020 02:09 PM
@nnguyen71 Have you had all of your computers do an inventory update since you added the extension attribute? I just installed and tested this EA today with the latest version of sensor and it worked fine for me.
Posted on 03-16-2020 08:52 PM
We've been using CrowdStrike for several years.
We had issues with it not being properly activated post install. This can be seen by running sysctl cs and getting nothing or an error like "invalid oid".
This occurred because our central IT department, which manages CrowdStrike, started deploying the pkg file without the licensing XML. We found out the hard way, after discovering several dozen computers that were not properly reporting a version number.
We built a script to run the license command after the installation, and an EA that checks for the existence of the License.bin file. License.bin is created when CrowdStrike is properly activated. We then use that, a Smart Group and a policy with a check-in trigger to run the licensing script.
The EA is not especially bulletproof, as it just looks for the existence of a file, but it's been working for us so far.
#!/bin/sh
# License.bin is only written once the sensor has been activated with a CID.
# Jamf extension attributes must wrap their output in <result> tags.
if [ -f "/Library/CS/License.bin" ]; then
    echo "<result>License Valid</result>"
else
    echo "<result>Not licensed</result>"
fi
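The thread describes three separate checks (the falconctl "State:" EA above, the sysctl cs test, and the License.bin file). As an added example, not taken from any post here, this is one EA that folds them into a single value so a Smart Group can tell "not installed" from "installed but never licensed" from "licensed but not talking to the cloud". The /Applications/Falcon.app/Contents/Resources/falconctl path for 6.x sensors and the /Library/CS/License.bin location are assumptions; adjust them for your sensor version.

```shell
#!/bin/sh
# Jamf extension attribute: summarise CrowdStrike Falcon sensor health in one value.
# Added example, not from any post in this thread. Assumed paths: 6.x sensors keep
# falconctl under /Applications/Falcon.app/Contents/Resources, older ones under
# /Library/CS; License.bin is assumed to live in /Library/CS as the thread describes.

# The "sysctl cs" check from the thread. Kept in a variable so the function can be
# exercised on a machine without the sensor (e.g. CS_SYSCTL=true or CS_SYSCTL=false).
CS_SYSCTL=${CS_SYSCTL:-"sysctl cs"}

# falcon_state CS_DIR LICENSE_FILE FALCONCTL
# Prints exactly one of:
#   Not installed | Not licensed | Licensed - sensor not loaded |
#   Licensed - not connected | Licensed - connected
falcon_state() {
    cs_dir=$1; license_file=$2; falconctl=$3

    if [ ! -d "$cs_dir" ] && [ ! -x "$falconctl" ]; then
        echo "Not installed"; return 0
    fi
    # License.bin only appears after the sensor has been activated with a CID
    if [ ! -f "$license_file" ]; then
        echo "Not licensed"; return 0
    fi
    # "sysctl cs" fails with "unknown oid 'cs'" when the sensor is not loaded
    if ! $CS_SYSCTL >/dev/null 2>&1; then
        echo "Licensed - sensor not loaded"; return 0
    fi
    # falconctl stats prints a "State: connected" line when the cloud link is up
    state=$("$falconctl" stats 2>/dev/null | awk '/State:/ { print tolower($2); exit }')
    if [ "$state" = "connected" ]; then
        echo "Licensed - connected"
    else
        echo "Licensed - not connected"
    fi
}

# Prefer the 6.x Falcon.app layout, fall back to the older /Library/CS layout.
if [ -x /Applications/Falcon.app/Contents/Resources/falconctl ]; then
    CS_DIR=/Applications/Falcon.app
    FALCONCTL=$CS_DIR/Contents/Resources/falconctl
else
    CS_DIR=/Library/CS
    FALCONCTL=$CS_DIR/falconctl
fi
echo "<result>$(falcon_state "$CS_DIR" /Library/CS/License.bin "$FALCONCTL")</result>"
```

A Smart Group on this EA can then target "Not licensed" machines with the licensing policy and "Licensed - not connected" machines for network or proxy investigation.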
Posted on 09-22-2022 07:22 AM
Possible to see an example of the license command script? Tried to use what CS had on the support site, but it doesn't work for us.
Posted on 09-27-2022 07:39 AM
This is the basic command. It can be wrapped in an if or test statement to check for the existence of Falcon.app. Note that this command is for CrowdStrike v6.x; earlier versions use a different command.
Obviously, enter your org's CrowdStrike CID in place of the <CID goes here>.
Posted on 02-07-2021 02:35 PM
What's this "sysctl: unknown oid 'cs'" response when I test with sysctl cs?
Posted on 02-07-2021 03:46 PM
Discovering the use of the command /falconctl diagnose.