CrowdStrike: Verifying install via Jamf

nnguyen71
New Contributor II

Hi, is there anyone on here that has created a smart group for Macs that have CrowdStrike Endpoint protection installed? It doesn't install as an app, so I'm having trouble. The goal is to make a smart group to see which machines actually have it installed, since on my policy it says completed but in the logs it failed for some reason.


DBrowning
Valued Contributor II

We are actually looking at CS as well. I'm thinking of creating an extension attribute with a script using the command

sysctl cs

If there are no results, I would say it didn't install correctly.

Their documentation says to use that command to verify the install.

dennisnardi
Contributor

Like mentioned, if you do a "sysctl cs" and get nothing, it's not installed right. I have the following EA set up to report the connection state of CS; it's either "connected" or "not connected":

#!/bin/sh
#  CS Connection State
#  Jamf extension attribute: reports the Falcon sensor connection state.
#  The sed keeps everything after "State: " so that "not connected" is
#  reported whole instead of being cut to "not" by awk's second field.
falconConnState=$(sudo /Library/CS/falconctl stats | sed -n 's/.*[Ss]tate: *//p' | head -n 1)
echo "<result>$falconConnState</result>"

I think CrowdStrike may have recently moved away from installing as a kernel extension, but I'm not 100% sure. If not, you'll have to make a kernel extension whitelist config profile. The team ID of CS is X9E956P446. You will also likely want to build a PPPC profile to allow full disk access to CS.
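Putting the two checks from this thread together, here is an added example EA (not the poster's script and not CrowdStrike's) that reports "Not installed" when "sysctl cs" fails and no falconctl binary is present, and otherwise parses the connection state. It assumes the /Library/CS/falconctl path named above and that "falconctl stats" prints a line like "State: connected"; that output format is an assumption, and the SAMPLE_STATS text is constructed for testing offline.

```shell
#!/bin/sh
# Jamf extension attribute combining the two checks from this thread:
# (1) "sysctl cs" to see whether the sensor's kernel extension registered, and
# (2) falconctl stats for the connection state. Added example, not the poster's
# script. Assumes the /Library/CS/falconctl path named above and that
# "falconctl stats" prints a line like "State: connected"; the falconctl
# output format is an assumption, and SAMPLE_STATS below is constructed.

FALCONCTL="/Library/CS/falconctl"

# Constructed sample of what "falconctl stats" is assumed to print.
SAMPLE_STATS="Sensor version: 0.0.0
State: connected
Agent ID: 00000000-0000-0000-0000-000000000000"

# Read stats output on stdin and print the full value after "State:"
# (so "not connected" is not truncated to "not"); "unknown" if absent.
state_from_stats() {
    state=$(sed -n 's/^[[:space:]]*[Ss]tate:[[:space:]]*//p' | head -n 1)
    if [ -n "$state" ]; then
        printf '%s\n' "$state"
    else
        printf 'unknown\n'
    fi
}

# Compute the EA value.
#   $1 = exit status of "sysctl cs" (0 means the cs oid exists)
#   $2 = output of "falconctl stats" (empty when falconctl is missing)
# A failed sysctl alone is not proof of a missing install, since newer
# sensors may not load a kext, so falconctl presence is checked as well.
ea_value() {
    if [ "$1" -ne 0 ] && [ ! -x "$FALCONCTL" ]; then
        printf 'Not installed\n'
    else
        printf '%s\n' "$2" | state_from_stats
    fi
}

# Gather live values and report in the <result> tags Jamf requires.
sysctl_status=1
if sysctl cs >/dev/null 2>&1; then
    sysctl_status=0
fi
stats_output=""
if [ -x "$FALCONCTL" ]; then
    stats_output=$("$FALCONCTL" stats 2>/dev/null)
fi
echo "<result>$(ea_value "$sysctl_status" "$stats_output")</result>"
```

A smart group on this EA can then use "Not installed" and "unknown" as the values to chase, while "connected" / "not connected" separates install problems from network problems.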

nnguyen71
New Contributor II

So I can do that manually for one machine, but I am looking for a way to look at a view in JAMF to see if there is a way to create a filter or dashboard.

pdye
New Contributor II

So what was posted above is the code to use for an Extension Attribute within JAMF. You can then create a custom search or Smart group based on the criteria that the Extension Attribute is pulling for you. That's how we are doing it with Crowdstrike.

cgreid
New Contributor III

This is what we use: https://www.jamf.com/jamf-nation/third-party-products/files/995/crowdstrike-falcon. I then have a Smart Group set up based on the value returned by the EA.

nnguyen71
New Contributor II

@cgreid

Did you edit the XML at all, since it was for an older version? I added that XML to the EA for computer management and created a smart group, but nothing shows up for any machines with CS installed.

swallace
Contributor

Following; we are evaluating CrowdStrike as well.

chase_g
New Contributor III

@nnguyen71 Have you had all of your computers do an inventory update since you added the extension attribute? I just installed and tested this EA today with the latest version of sensor and it worked fine for me.

pbenware1
Release Candidate Programs Tester

We've been using CrowdStrike for several years.
We had issues with it not being properly activated post install. This can be seen by running sysctl cs and getting nothing or an error like "invalid oid".
This occurred because our central IT department that manages CrowdStrike started deploying the pkg file without the licensing XML. We found out the hard way, after discovering several dozen computers that were not properly reporting a version number.
We built a script to run the license command after the installation, and an EA that checks for the existence of the License.bin file. The License.bin is created when CrowdStrike is properly activated. We then use that, a Smart Group and a policy with a check-in trigger to run the licensing script.

The EA is not especially bullet proof, as it just looks for the existence of a file, but it's been working for us so far.

#!/bin/sh
# Jamf extension attribute: reports whether the Falcon license file exists.
# Output is wrapped in <result> tags so Jamf records the value.
if [ -f "/Library/CS/License.bin" ]; then
    echo "<result>License Valid</result>"
else
    echo "<result>Not licensed</result>"
fi

wwhite36
New Contributor II

Possible to see an example of the license command script? Tried to use what CS had on the support site but it doesn't work for us.

pbenware1
Release Candidate Programs Tester

This is the basic command.  It can be wrapped in an if or test statement to check for the existence of Falcon.app.  Note that this command is for Crowdstrike v 6.x; earlier versions use a different command.

Obviously, enter your org's CrowdStrike CID in place of <CID goes here>.

/Applications/Falcon.app/Contents/Resources/falconctl license <CID goes here>
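As an added example of wrapping that command in a test, here is a post-install licensing script that is not CrowdStrike's and not the poster's. It uses the paths named in this thread (Falcon.app in /Applications, License.bin in /Library/CS), keeps the CID as a placeholder, and refuses to run until the placeholder is replaced. The decision logic takes its paths as arguments so it can be checked against temporary directories before it is trusted in a policy.

```shell
#!/bin/sh
# Post-install licensing script for the Falcon sensor, as an added example
# (not CrowdStrike's or the poster's script). Paths are the ones named in this
# thread: Falcon.app in /Applications and the License.bin that appears once the
# sensor is activated. The CID is a placeholder; the function argument form
# lets the decision logic be exercised against temporary directories.

CID="CID_GOES_HERE"                 # placeholder: your org's CrowdStrike CID
FALCON_APP="/Applications/Falcon.app"
FALCONCTL="$FALCON_APP/Contents/Resources/falconctl"
LICENSE_FILE="/Library/CS/License.bin"

# Decide whether licensing is needed.  $1 = app bundle path, $2 = license file.
# Returns 0 = license now, 1 = sensor not installed, 2 = already licensed.
license_state() {
    [ -d "$1" ] || return 1
    [ -f "$2" ] && return 2
    return 0
}

# Run falconctl license only when the state says so; refuses to run with the
# placeholder CID so a half-edited copy of the script cannot mis-license a Mac.
license_if_needed() {
    rc=0
    license_state "$FALCON_APP" "$LICENSE_FILE" || rc=$?
    case "$rc" in
        1) echo "Falcon.app not found; run the install policy first"; return 1 ;;
        2) echo "Already licensed (License.bin present)"; return 0 ;;
    esac
    case "$CID" in
        *CID_GOES_HERE*) echo "CID placeholder not replaced"; return 1 ;;
    esac
    "$FALCONCTL" license "$CID"
}

# Last command, so the Jamf policy log shows the licensing exit status.
license_if_needed
```

Scoped to a smart group built on the "Not licensed" EA value with a check-in trigger, the policy re-runs until License.bin appears and the Mac drops out of the group; a non-zero exit shows up as a failed policy run rather than a silent "completed".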
 

FleetBeat_AMART
New Contributor II

What's this "sysctl: unknown oid 'cs'" response when I test with sysctl cs?

FleetBeat_AMART
New Contributor II

Discovering the use of the command: /falconctl diagnose