FDA config for Crowdstrike

Switchfly_IT
New Contributor III

Hi. Annoying new JAMFer here.

Trying to configure FDA for Crowdstrike falcon sensor by using the Privacy Preferences Policy Control.

I've uploaded a screenshot of what I have.

Flummoxed because so many folks say deployment is a breeze but I can't deploy company wide until I figure this out. Package installation and registration seem to work fine so I think this is the missing piece.

Any advice welcome.

9 REPLIES

jamesandre
Contributor

I'm not sure that you have the correct identifier there. I've got...

drtaru
New Contributor III

This is ours. Was having issues on Catalina with using the bundleid and switched to Path. Was also having issues without falconctl added with the same entitlement.


patgmac
Contributor III

Also, you won't see the approval reflected in System Preferences. Check it with:

plutil -p "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"

tomt
Valued Contributor

@patgmac (or anyone else), have you seen any nice GUI apps built around plutil anywhere? If I can chisel out some time, I'd like to build something that makes the output easier to read at a glance. It may be a long time until I get to it though.

drtaru
New Contributor III

That plutil command doesn't seem to work on Catalina, I get an Operation Not Permitted error even when running as root.

tlarkin
Honored Contributor

The plutil -p works for me just fine and I have several MDM Overrides in my configs. @patgmac is 100% correct, you cannot trust the GUI as Apple has not properly implemented that yet. The only way to be certain is to check the overrides file.

drtaru
New Contributor III

Ah, figured out my issue: I didn't have iTerm set to have Full Disk Access.

j_chase
New Contributor

@patgmac So then after running the plutil command this output is saying that falcond has Full Disk Access?

"/Library/CS/falcond" => {
  "kTCCServiceSystemPolicyAllFiles" => {
    "Allowed" => 1
    "CodeRequirement" => "identifier falcond and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446"
    "CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 35365034 34360000 }
    "Identifier" => "/Library/CS/falcond"
    "IdentifierType" => "path"
    "StaticCode" => 0
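
An added example, not part of the thread and not Jamf or CrowdStrike code: a reader for the overrides file patgmac points to, flattening it to one line per client and service so the result is easier to read at a glance. It assumes the file has the layout shown in the plutil output above; the `com.example.tool` entry and the shortened `CodeRequirementData` bytes are constructed sample data.

```python
import plistlib
import re
import sys

FDA = "kTCCServiceSystemPolicyAllFiles"
# Team ID as it appears in the CodeRequirement string (quoted or unquoted).
TEAM_RE = re.compile(r'leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]+)"?')

def rows(overrides):
    """Flatten {client: {service: entry}} into one dict per client/service pair."""
    out = []
    for client, services in sorted(overrides.items()):
        for service, entry in sorted(services.items()):
            if not isinstance(entry, dict) or "Allowed" not in entry:
                continue  # layout differs from the thread's output; skip, don't guess
            team = TEAM_RE.search(entry.get("CodeRequirement", ""))
            out.append({"client": client,
                        "type": entry.get("IdentifierType", "?"),
                        "service": service,
                        "allowed": bool(entry["Allowed"]),
                        "team_id": team.group(1) if team else None})
    return out

def has_fda(overrides, client, team_id=None):
    """True if client has an allowed Full Disk Access override (optionally for team_id)."""
    for r in rows(overrides):
        if r["client"] == client and r["service"] == FDA and r["allowed"]:
            return team_id is None or r["team_id"] == team_id
    return False

def sample_plist():
    """Constructed bytes: the falcond entry from the thread plus a made-up denied entry."""
    req = ("identifier falcond and anchor apple generic and "
           "certificate leaf[subject.OU] = X9E956P446")
    return plistlib.dumps({
        "/Library/CS/falcond": {FDA: {
            "Allowed": 1, "CodeRequirement": req,
            "CodeRequirementData": b"\xfa\xde\x0c\x00",  # shortened, constructed
            "Identifier": "/Library/CS/falcond", "IdentifierType": "path", "StaticCode": 0}},
        "com.example.tool": {FDA: {
            "Allowed": 0, "CodeRequirement": "identifier tool",
            "Identifier": "com.example.tool", "IdentifierType": "bundleID", "StaticCode": 0}},
    }, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    # Pass the MDMOverrides.plist path as an argument, or run with none to use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_plist()
    for r in rows(plistlib.loads(data)):
        print(f'{r["client"]:<24} {r["type"]:<9} {r["service"]:<34} '
              f'{"ALLOW" if r["allowed"] else "deny":<6} {r["team_id"] or "-"}')
```

Reading the real file hits the same restriction drtaru ran into: the terminal running the script needs Full Disk Access, even as root.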