How to see if user has "Allowed" Crowdstrike, Inc in Security Settings

Switchfly_IT
New Contributor III

Howdy,

Been on a long road trying to get Big Sur and Crowdstrike to play nice together. Almost there.

We've pushed a signed config profile to all our Catalina machines (BS is still restricted) and our Falcon sensors are up to date. The issue just seems that there is no way around the user having to allow "Crowdstrike, Inc" in Privacy settings.

I'm happy to let users know they should do this. My question is how do we double check without having to take their word for it. Per Crowdstrike we can't check it on their side so I'm hoping there's some jamf magic.

Curious if any Jamf/Crowdstrike folks been dealing with this?

Cheers


patgmac
Contributor III

That particular approval is for a kernel extension. We know that because it says "CrowdStrike" and not "Falcon". It's using a KEXT because you have "Firmware analysis" enabled, which is not available with a system extension because Apple has not given vendors that level of hardware access via system extensions (yet?). You can't pre-approve a KEXT anymore in Big Sur without requiring a reboot. Consider asking your security team to disable that firmware analysis (it might have another name?), you're probably not using it anyway honestly.

But to answer your question, now that you know that's a KEXT, you can use an extension attribute to check for if that kext is loaded. You would use "kmutil showloaded | grep com.crowdstrike" (I'm guessing here since I don't have it) to see if it's loaded.

bayareaautomato
New Contributor II

any luck on this?
thanks

alexjdale
Valued Contributor III

We have something similar with Carbon Black on Big Sur, where it needs a kext for some functions that we can't do without. However, with Carbon Black, there is a cli tool that has lots of nice status info that I can parse. It tells me if the sensor is enabled or disabled, and I know if it's disabled that the user hasn't approved/restarted yet. So I use that information to nag them.

The MDM command in 10.28 is on the right track, but is API-only and looks like a bit of a PITA to use (and I won't use the API from clients in scripts like I want to, since I can't properly secure the credentials). I'm really hoping they improve it, but I'm guessing they aren't planning to, instead hoping that our vendors move to system extensions faster.

jpuebs
New Contributor III

We were running into similar issues and had reports of "Crowdstrike extension blocked" popup messages coming in. However, our Crowdstrike rep sent us a profile config that we were able to use and it worked like a charm after signing it, importing it into JAMF, and then pushing it out as part of a new configuration policy.

gabester
Contributor III

@jpuebs I think it's great when vendors supply sample config profiles - I get that every environment is different, but it helps speed deployment of their product when you don't have to follow a complex set of steps and include bundle identifiers et cetera. Would that more vendors included the necessary config profiles for getting their product working with PPPC, approved kernel extensions, system extensions, and everything else Apple seems to want to relegate to an obtuse and poorly documented config profile paradigm or forcing enterprise management decisions into the hands of our unwitting users!

mgrafstein
New Contributor

I had so many problems getting this to work right that I wrote an extension attribute to monitor it. So on Catalina or lower, they run the kext; on Big Sur it is the system extension, so I monitor for both.

#!/bin/sh

# systemextensionsctl prints tab-separated columns; column 6 is the state, e.g. "[activated enabled]"
STATUS=$(systemextensionsctl list | grep 'com.crowdstrike.falcon.Agent' | awk -F'\t' '{print $6}')

# Quote the variables: the state contains spaces, so an unquoted test breaks with "too many arguments"
if [ -z "$STATUS" ]; then
    # System extension not loaded, check for kext
    KEXTSTATUS=$(kextstat | grep 'com.crowdstrike.sensor')
    if [ -z "$KEXTSTATUS" ]; then
        echo "<result>[not detected]</result>"
    else
        echo "<result>[kext running]</result>"
    fi
else
    echo "<result>$STATUS</result>"
fi

exit 0
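An added example building on the same idea (this is not mgrafstein's EA nor CrowdStrike's code): it classifies the system extension's state column so the EA reports whether the user has actually approved it or it is still waiting, and falls back to the kext check otherwise. The team ID, version and every sample output line are constructed placeholders, and the live branch only runs when the macOS tools exist.

```sh
#!/bin/sh
# Added example, not code from the thread: a Jamf extension attribute that reports
# whether the CrowdStrike sensor is approved, still waiting for the user, running as
# the legacy kext, or absent. Parsing takes command output as text so it can be
# checked offline; all sample output below is constructed (team ID/version are placeholders).

# State column ("[activated enabled]", "[activated waiting for user]", ...) of the
# Falcon system extension from `systemextensionsctl list` text; empty if not listed.
sysext_state() {
    printf '%s\n' "$1" | awk -F'\t' '/com\.crowdstrike\.falcon\.Agent/ { print $6; exit }'
}

# Succeeds if the legacy kext appears in `kmutil showloaded` / `kextstat` text.
kext_loaded() {
    printf '%s\n' "$1" | grep -q 'com\.crowdstrike\.sensor'
}

# Map raw tool output to a short EA result. $1 = sysext list text, $2 = kext list text.
falcon_status() {
    state=$(sysext_state "$1")
    case "$state" in
        '[activated enabled]')   echo 'sysext approved' ;;
        *'waiting for user'*)    echo 'sysext awaiting user approval' ;;
        '') if kext_loaded "$2"; then echo 'kext running'; else echo 'not detected'; fi ;;
        *)                       echo "sysext other: $state" ;;
    esac
}

# Constructed sample output in the tab-separated layout systemextensionsctl prints.
sample_sysext() {  # $1 = state column
    printf '1 extension(s)\n--- com.apple.system_extension.endpoint_security\n'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tTEAMID0000\tcom.crowdstrike.falcon.Agent (6.0/100)\tAgent\t%s\n' "$1"
}

# Constructed sample kext listing.
sample_kext() {
    printf 'Index Refs Address            Size    Name (Version) UUID\n'
    printf '  151    0 0xffffff7f80000000 0x30000 com.crowdstrike.sensor (6.0) <placeholder>\n'
}

# On a real Mac, report live state; Catalina lacks kmutil, so fall back to kextstat.
if command -v systemextensionsctl >/dev/null 2>&1; then
    echo "<result>$(falcon_status "$(systemextensionsctl list 2>/dev/null)" \
        "$(kmutil showloaded 2>/dev/null || kextstat 2>/dev/null)")</result>"
fi
```

A machine whose user has not yet clicked Allow shows up as "sysext awaiting user approval", which is the case the original question wanted to catch without taking the user's word for it.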

easyedc
Valued Contributor II

This hopefully helps us, too. thanks.

Switchfly_IT
New Contributor III

@mgrafstein that's awesome, totally going to use the ext att. All these vendors need to get on the Jamf train and play nice lol. You guys are the best, thanks for the responses.