Falcon Sensor - System Extension approval

alessio_tedesco
New Contributor III

Hi all,
I'm actually using this config profile for pushing system/kernel approval and PPPC control.
Everything looks to be working except for the "System extension approval", it keeps asking for the approval.

It is actually working in macOS Catalina, but I'm not that lucky for macOS Big Sur. Any advice?


dlondon
Contributor III

Hi @alessio.tedesco, the message is about System Extensions, but you showed the Kernel Extension section in the Jamf Pro setup of a Configuration Profile.


Scroll down to the end in the sidebar and you will find System Extensions.


alessio_tedesco
New Contributor III

Hi @dlondon ,
I'm sorry, attached the correct screenshot.


ubcoit
Contributor

@alessio.tedesco You are missing some System Extension options in your profile. Having said that, I don't have an answer for you but I'm actively working with both CrowdStrike and Jamf support right now. When I know more I'll post to the following thread.

https://www.jamf.com/jamf-nation/discussions/37488/crowdstrike-configuration-profile-bigsur#responseChild210650

gachowski
Valued Contributor II

CrowdStrike has a profile on their support site that includes all the settings needed (PPPC/System Extension)... You have to sign it before you upload it, but it is working for me...

C

JG3741
New Contributor III

Agreed ^ self-signing the configuration profile worked for our institution.

alessio_tedesco
New Contributor III

I decided to copy-paste without signing the profile to avoid dependencies, opened it in Notepad++ and managed to have it fully working both in Catalina and Big Sur. I was just missing a part in the settings, thank you all!

ubcoit
Contributor

@alessio.tedesco Glad you got it working. I'd love to see some screenshots if possible cause no matter what I've tried I can't get it to work.

Also couldn't hurt seeing what the profile looks like on a client in System Preferences > Policies as well.

Thanks.

alessio_tedesco
New Contributor III

Sure @ubcoit ,
there you go!

This has been deployed through a configuration profile, kindly let me know if you need the text to be pasted here in a comment 🙂

Attached all the screenshots of the policy:

Attaching what the policy looks like in System Preferences:


ubcoit
Contributor

Thanks @alessio.tedesco. Still no dice for me. I mirrored your settings, I believe, and other than some of the order of things which I can't seem to control, I don't think I missed anything. End result, CS is running but I get the update prompt in my last photo.

PPPC


Kernel Extensions


System Extensions


Content Filters


Client Profiles Pane in System Preferences


Prompt and other information


franton
Valued Contributor II

So I've been doing a lot of work with version 6.14. First thing ... split up your profiles! Make the PPPC its own, the KEXT its own, the SysExt its own and so on... Trust me, your Apple Silicon Macs will eventually thank you. I've attached how the System Extension payload should look.


philburk
New Contributor III

Hey @franton, best practices question here. I've been lumping ALL of the kernel extension payloads into one profile and ALL of the system extension payloads into another. Do you have discrete profiles for each extension or do you also group them?

TIA

gachowski
Valued Contributor II

Do you guys have it working? We had it working with the CS-provided profile in December, 100% sure, but now we are seeing a few different OS notifications saying CS has been updated, please approve.

alessio_tedesco
New Contributor III

I actually have it working with macOS Big Sur, noticed that using the same profile for both Catalina and Big Sur broke for Catalina.
We don't have M1 chips yet so I can't test, but yes, I suggest splitting profiles by macOS version.

kfbbt
New Contributor III

I believe you need to further modify the provided .mobileconfig.

The last two sections don't have the bundle id string defined and instead show "StaticCode" and you need to add X9E956P446 so they look like this:

<string>bundleID</string>
<key>X9E956P446</key>

Worked on Catalina as of this week.

franton
Valued Contributor II

@philburk I have all my kexts, SysExts and other profiles all split apart for better scoping.

philburk
New Contributor III

@franton Thanks, I figured as much. It makes sense, especially if SysExts/kexts are no longer needed. This would avoid the potential for removing all of the payloads when only one needs removing.

danny_gutman
New Contributor III

How are you guys suppressing the Falcon Notifications prompt? I see no one talked about this on any other threads.

You guys are getting a prompt to approve or deny Notifications for Falcon?

fabianhartmann
New Contributor II

@danny.gutman You can use the BundleID com.crowdstrike.falcon.UserAgent to configure notifications. It is the BundleID of the Falcon Notifications.app located in the Falcon.app: /Applications/Falcon.app/Contents/Library/LaunchServices/Falcon Notifications.app

Jason33
Contributor II

Here's my problem - I have two different profiles, one for Catalina, one for Big Sur. The Catalina profile has KEXT, and the Big Sur one does not. Everything is fine and working smoothly, except when I upgrade from Catalina to Big Sur. Then, at login, I get the prompt that system extensions were blocked from launching. Anyone tested the upgrade and figured this out?

JG3741
New Contributor III

How are you guys taking the XML provided by CS and importing it to Jamf Pro?

jtrant
Contributor III

@Jason33 it's recommended to deploy the system extension profile to Catalina and above to avoid this. The profile should exist before the system extensions are activated and this was the best way we accomplished this for clients upgrading from Catalina to Big Sur.

Jason33
Contributor II

@jtrant doh! You're right! Thanks for the guidance
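
An added example, not part of any post in this thread and not CrowdStrike's or Jamf's code: a pre-upload check that parses an unsigned .mobileconfig and reports which of the approvals discussed above it actually grants to team ID X9E956P446. The payload type strings and key names are Apple's configuration profile keys; the sample profiles are constructed, and the system extension bundle ID in them is a placeholder.

```python
import plistlib

TEAM_ID = "X9E956P446"                          # team ID quoted in this thread
NOTIFY_ID = "com.crowdstrike.falcon.UserAgent"  # bundle ID quoted in this thread
KEXT = "com.apple.syspolicy.kernel-extension-policy"
SYSEXT = "com.apple.system-extension-policy"
NOTIFY = "com.apple.notificationsettings"


def audit_profile(data: bytes) -> dict:
    """Report which approvals an unsigned .mobileconfig grants to TEAM_ID."""
    profile = plistlib.loads(data)
    found = {"kext": False, "sysext": False, "notifications": False}
    for p in profile.get("PayloadContent", []):
        ptype = p.get("PayloadType")
        if ptype == KEXT:
            # Approval is either team-wide or a per-team list of kext bundle IDs
            teams = set(p.get("AllowedTeamIdentifiers", [])) | set(p.get("AllowedKernelExtensions", {}))
            found["kext"] |= TEAM_ID in teams
        elif ptype == SYSEXT:
            # Same shape for system extensions: team-wide or per-team bundle IDs
            teams = set(p.get("AllowedTeamIdentifiers", [])) | set(p.get("AllowedSystemExtensions", {}))
            found["sysext"] |= TEAM_ID in teams
        elif ptype == NOTIFY:
            ids = {s.get("BundleIdentifier") for s in p.get("NotificationSettings", [])}
            found["notifications"] |= NOTIFY_ID in ids
    return found


def missing(data: bytes) -> list:
    """Names of the approvals the profile does not contain, sorted."""
    return sorted(k for k, ok in audit_profile(data).items() if not ok)


def build_profile(payloads: list) -> bytes:
    # Helper used only to build the constructed samples below
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": payloads})


# Constructed samples: a kext-only profile and one carrying all three payloads
KEXT_ONLY = build_profile([{"PayloadType": KEXT, "AllowedTeamIdentifiers": [TEAM_ID]}])
FULL = build_profile([
    {"PayloadType": KEXT, "AllowedTeamIdentifiers": [TEAM_ID]},
    {"PayloadType": SYSEXT, "AllowedSystemExtensions": {TEAM_ID: ["com.example.placeholder.sysext"]}},
    {"PayloadType": NOTIFY, "NotificationSettings": [{"BundleIdentifier": NOTIFY_ID}]},
])

if __name__ == "__main__":
    print("kext-only profile is missing:", missing(KEXT_ONLY))
    print("full profile is missing:", missing(FULL))
```

A signed profile is wrapped in a signature envelope and has to be unwrapped before `plistlib` can read it; the check applies equally when the payloads are split across several profiles, by auditing each file and combining the results.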