How to see if user has "Allowed" Crowdstrike, Inc in Security Settings

That particular approval is for a kernel extension. We know that because it says "CrowdStrike" and not "Falcon". It's using a KEXT because your have "Firmware analysis" enabled, which is not available with a system extension because Apple has not given vendors that level of hardware access via system extensions (yet?). You can't pre-approve a KEXT anymore in Big Sur without requiring a reboot. Consider asking your security team to disable that firmware analysis (it might have another name?), you're probably not using it anyway honestly.

But to answer your question, now that you know that's a KEXT, you can use an extension attribute to check for if that kext is loaded. You would use "kmutil showloaded | grep com.crowdstrike" (I'm guessing here since I don't have it) to see if it's loaded.

any luck on this?
thanks

We have something similar with Carbon Black on Big Sur, where it needs a kext for some functions that we can't do without. However, with Carbon Black, there is a cli tool that has lots of nice status info that I can parse. It tells me if the sensor is enabled or disabled, and I know if it's disabled that the user hasn't approved/restarted yet. So I use that information to nag them.

The MDM command in 10.28 is on the right track, but is API-only and looks like a bit of a PITA to use (and I won't use the API from clients in scripts like I want to, since I can't properly secure the credentials). I'm really hoping they improve it, but I'm guessing they aren't planning to, instead hoping that our vendors move to system extensions faster.

We were running into similar issues and had reports of "Crowdstrike extension blocked" popup messages coming in. However, our Crowdstrike rep sent us a profile config that we were able to use and it worked like a charm after signing it, importing it into JAMF, and then pushing it out as part of a new configuration policy.

@jpuebs I think it's great when vendors supply sample config profiles - I get that every environment is different, but it helps speed deployment of their product when you don't have to follow a complex set of steps and include bundle identifiers et cetera. Would that more vendors included the necessary config profiles for getting their product working with PPPC, approved kernel extensions, system extensions, and everything else Apple seems to want to relegate to an obtuse and poorly documented config profile paradigm or forcing enterprise management decisions into the hands of our unwitting users!

I had so many problems getting this work right that I wrote an extension attribute to monitor it. So on Catalina or lower, they run the kext, on Big Sur it is on the system extension so I monitor for both

#!/bin/sh

STATUS=$(systemextensionsctl list | grep 'com.crowdstrike.falcon.Agent' | awk -F'	' {'print $6'})

if [ -z $STATUS ]; then
    # System extension not loaded, check for kext
    KEXTSTATUS=$(kextstat | grep 'com.crowdstrike.sensor')
    if [ -z $KEXTSTATUS ]; then
        echo "<result>[not detected]</result>"
    else
        echo "<result>[kext running]</result>"
    fi
else
    echo "<result>$STATUS</result>"
fi

exit 0

This hopefully helps us, too. thanks.

@mgrafstein that's awesome, totally going to use the ext att. All these vendors need to get on the Jamf train and play nice lol. You guys are the best, thanks for the responses.