How to configure JAMF/CS to provide Full Disk Access for Crowdstrike Falcon Agent

MPL
Contributor II

We are currently trying to set up Crowdstrike Falcon to deploy to all of our end users. We are running into an issue with the Configuration profile we set up for Falcon (guide provided by CS) where it's not providing FDA access to the Agent. It places the Agent in the FDA area in System Prefs -> Security & Privacy -> Privacy -> Full Disk Access but it leaves it unchecked.


Does anyone know a solution to getting this checked with JAMF?


Here is a screenshot of what I'm referring to:

[screenshot]

Please find screenshots of our current config profile for Falcon in JAMF below:

[four screenshots of the configuration profile]

1 ACCEPTED SOLUTION

MPL
Contributor II

@VintageMacGuy 

Documentation on how to create the profiles:

https://supportportal.crowdstrike.com/s/article/ka16T000000wwxpQAA


Additional documentation on how to create a profile for KEXTs (you'll want to make both config profiles following the above doc, but for the Intel, include these steps in that profile as well, or create a separate profile for KEXTs alone for the Intel, but still create two separate profiles for M1 and Intel from the first article.): https://supportportal.crowdstrike.com/s/article/ka16T000000wwxuQAA


Extra documentation

How to package Falcon sensor for Mac Installer for Jamf deployments: https://supportportal.crowdstrike.com/s/article/ka16T000000wwydQAA


How to license the Falcon sensor for Mac for Jamf Pro using a script: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxzQAA


DBrowning
Valued Contributor II

When pushing a profile to provide FDA, it will not always put the check box there, but understand that FDA has been provided.

MPL
Contributor II

We aren't receiving alerts in our CS console for sample detections. We receive these alerts when the Checkbox is ticked for the CS Falcon agent. When unticked, those alerts do not work.

cbrewer
Valued Contributor II

Another nice-to-have in your config profile is allowing notifications for com.crowdstrike.falcon.UserAgent.

merlin
New Contributor III

Hi, you're missing a couple of System Extension settings from the Crowdstrike guide.

[screenshot]

cbrewer
Valued Contributor II

The guide has been updated. The only System Extension approval needed is your middle one.

[screenshot]

Content filter settings are also required.

[screenshot]

merlin
New Contributor III

[screenshot]

cbrewer
Valued Contributor II

Unfortunately, their documentation doesn't all align at the moment.

I would go with this, which was just updated last week.

Hi there, we're using the exact same configuration that you are, but we're having some crashing issues. Do you happen to run a VPN on your devices? As soon as we install GlobalProtect, our devices start crashing overnight.

cbrewer
Valued Contributor II

We've seen some crashing as well. At this point, we believe it is tied to the combination of running CrowdStrike along with an app called AirServer. We haven't seen any problems that trace back to GlobalProtect.

MPL
Contributor II

The current issue we are experiencing is that CS terminal test commands are not being successfully pushed/detected in our CS console and we believe the cause is related to FDA not being ticked for the CS agent.

We noticed that when the Agent is ticked off (in the System Prefs -> Security & Privacy -> Privacy -> Full Disk Access area) in system preferences, these commands do successfully get pushed/detected in the CS console.


Some of the commands we are using to test are:

bash crowdstrike_test_critical

bash crowdstrike_test_high

bash crowdstrike_test_medium

bash crowdstrike_test_low

etc


If FDA is still granted despite not being ticked off in system preferences, why are we having this issue with these test commands not generating alerts in our console?

Is there another way to get FDA ticked/enabled through a config profile in JAMF? 

stilden1978
New Contributor

Hi all.

Just got off of a long call with CrowdStrike and you will never see the "Agent" box checked in the "Security and Privacy" and that has to do with the MDM and Apple's Full Disk Access security; however, that doesn't mean that the Agent and the CS Sensor do not have Full Disk Access to your machine. If you find where you are still not getting events reporting in, here is the fix:

1) Re-run the profile to all your machines
2) Flush all your Crowdstrike install policy logs to your machines.

This will not re-install the Sensor on your machines but will force two things to happen. It will force the System Extension to reactivate on the machine and the Sensor to reactivate on the machine. You should see this in Activity Monitor if it is done correctly.

[screenshot]

Then run

bash crowdstrike_test_low

on a test machine.

This should give you a sample detection on your CS console to look at.

MPL
Contributor II

Just wanted to provide an update. We received an updated doc from Crowdstrike which actually worked. There's so many different docs out there so it's super confusing.

Nice! Where can we find this Doc, or did you get it from their Support folks? Does it have a name or some version number we can reference when asking for it?

VintageMacGuy
Contributor II

Thank you!

No problem! Just wanted to also note that you will not see the FDA box checked but CS still does have FDA access nonetheless.

nlam
New Contributor

Hello All

I created a configuration profile exactly the same as the instructions; however, it shows Pending in the logs. Does anybody know what the issue is? Thanks.

[three screenshots]

nlam
New Contributor

I'm testing with M1 MacBook Air

edselgas
New Contributor

I am still having issues with getting Agent and Falcon.app in Privacy to be ticked for FDA. I also want to confirm what everyone is saying here. Are you all saying that FDA is allowed for both Agent and Falcon.app even though it is not showing in Privacy for FDA? I am looking at the Zero Trust Assessment in CrowdStrike and I am getting an alert that it does not detect FDA for CrowdStrike. I checked and saw my PPPC matches what has been suggested by CS, JAMF, and the screenshots here. Is anyone still having problems?

I'm still having problems. The full disk access box is not checked. In the full disk access section, it is said that full disk access is required for both "Agent" and "Falcon". When I send the configuration file to the clients, only the object named "Agent" comes. However, the full disk access box is not checked. I haven't seen anyone able to fix this problem. The object named "Falcon" never comes to the full disk access section. Is there anyone who can solve this problem? I've looked at both the Crowdstrike and Jamf forums but haven't found a solution. Some here are saying that Falcon actually has the FDA, even if the full disk access box is unchecked. How could this be? This explanation makes no sense to me.
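Before opening a case, it is worth confirming that the exported PPPC profile really carries an effective SystemPolicyAllFiles entry for both identifiers, since the posts above describe "Agent" arriving while "Falcon" never does. The check below is an added example, not code from the thread, CrowdStrike or Jamf; it parses an unsigned .mobileconfig with Apple's documented PPPC keys, and the two CrowdStrike bundle identifiers are assumptions (only com.crowdstrike.falcon.UserAgent is named in the thread).

```python
import plistlib

# Apple's PPPC payload type and per-service keys are real. The two CrowdStrike bundle
# identifiers are ASSUMPTIONS for this example (the thread only names
# com.crowdstrike.falcon.UserAgent); replace them with the values in the CS doc.
PPPC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"
EXPECTED_FDA_IDENTIFIERS = frozenset({
    "com.crowdstrike.falcon.Agent",  # shows as "Agent" in the Full Disk Access list
    "com.crowdstrike.falcon.App",    # shows as "Falcon" (Falcon.app)
})

def fda_grants(profile_bytes):
    """identifier -> True/False for every SystemPolicyAllFiles entry in every PPPC
    payload of an unsigned .mobileconfig (XML or binary plist)."""
    grants = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_PAYLOAD_TYPE:
            continue
        for entry in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
            allowed = entry.get("Allowed") is True or entry.get("Authorization") == "Allow"
            # A path-type identifier or an empty code requirement never matches the
            # signed binary, so count such an entry as ineffective, not as a grant.
            grants[entry.get("Identifier")] = (allowed
                and entry.get("IdentifierType") == "bundleID"
                and bool(entry.get("CodeRequirement")))
    return grants

def missing_fda(profile_bytes, expected=EXPECTED_FDA_IDENTIFIERS):
    """Expected identifiers with no effective FDA grant, sorted."""
    grants = fda_grants(profile_bytes)
    return sorted(i for i in expected if not grants.get(i, False))

# Constructed sample reproducing the thread's symptom: the Agent entry is present
# and allowed, the Falcon.app entry was never added to the profile.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.falcon.pppc",
    "PayloadContent": [{
        "PayloadType": PPPC_PAYLOAD_TYPE,
        "PayloadIdentifier": "example.falcon.pppc.tcc",
        "Services": {"SystemPolicyAllFiles": [{
            "Identifier": "com.crowdstrike.falcon.Agent",
            "IdentifierType": "bundleID",
            "CodeRequirement": 'identifier "com.crowdstrike.falcon.Agent" and anchor apple generic',
            "Allowed": True,
        }]},
    }],
})
```

Run `missing_fda(open("falcon.mobileconfig", "rb").read())` against the profile downloaded from Jamf; a signed profile must be unwrapped first (for example with `openssl smime -verify -noverify -inform DER`), since plistlib only reads the bare plist.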

scottb
Honored Contributor

There are a number of apps that are correctly managed and don't show it in the GUI.

If you have it set up properly, I'd not worry about it. It's been stated in most places I'm frequenting that this is how it is and it is as well in my environment...no issues that we've found.

If this isn't to your liking, open a case with Falcon and have them work with you.