Jamf Nation Community

AVmcclint · ‎08-18-2022

Ever since our Jamfcloud instance was updated to 10.40.1 over the weekend I have seen this error in every Mac enrollment for a couple of our config profiles (Cisco AnyConnect and Crowdstrike Falcon): The same team ID may not appear in both AllowedTeamIdentifiers and AllowedSystemExtensions. We have made zero changes to the profiles in question, so I can only assume the reason we're seeing it now is because of a change in Jamf Pro that now reports this condition where before it would not. I looked it up and it appears that according to Apple's developer documentation, this is a true error. The question I have is how do we fix it? Which would be the better fix? Removing it from AllowedTeamIdentifiers or removing it from AllowedSystemExtensions?

lucas_cantor · ‎08-18-2022

Here's a direct link to the CrowdStrike doc on how to build a config profile for this in Jamf Pro: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxpQAA

The relevant "Allowed System Extensions" section:

Configure System Extension: Scroll down to System Extensions under Options

Select Configure
Allow users to approve system extensions = checked (Default)
Display Name = com.crowdstrike.falcon.Agent
System Extension Types = Allowed System Extensions
Team Identifier = X9E956P446
Select + Add under Allowed System Extensions
Allowed System Extensions = com.crowdstrike.falcon.Agent

This is definitely different from the instructions we originally followed, which contained all thee of the following:

System Extension Types = Allowed System Extensions
System Extension Types = Allowed System Extension Types
System Extension Types = Allowed Team Identifiers

I suppose the fix would be to remove the following two:

System Extension Types = Allowed System Extension Types
System Extension Types = Allowed Team Identifiers

Has anyone made this change successfully, without breaking existing CrowdStrike installations?

View solution in original post

arnoldtaw · ‎08-18-2022

I noticed the same exact thing yesterday. For us, it was the Falcon profile. Just like you mentioned, nothing was changed. Interested in knowing the reason or solution.

sdagley · ‎08-18-2022

@AVmcclint @arnoldtaw If you download the latest CrowdStrike signed Configuration Profiles they don't trigger this error. There is also a walkthrough for setting up the CrowdStrike Configuration Profile if you prefer to build it manually: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxVQAQ

I don't know if Cisco has any updates for the AnyConnect profiles, but if I were to guess I'd suggest removing the AllowedTeamIdentifiers setting and stick with the AllowedSystemExtensions one.

mikegetchell · ‎08-19-2022

deleted.

lucas_cantor · ‎08-18-2022

Here's a direct link to the CrowdStrike doc on how to build a config profile for this in Jamf Pro: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxpQAA

The relevant "Allowed System Extensions" section:

Configure System Extension: Scroll down to System Extensions under Options

Select Configure
Allow users to approve system extensions = checked (Default)
Display Name = com.crowdstrike.falcon.Agent
System Extension Types = Allowed System Extensions
Team Identifier = X9E956P446
Select + Add under Allowed System Extensions
Allowed System Extensions = com.crowdstrike.falcon.Agent

This is definitely different from the instructions we originally followed, which contained all thee of the following:

System Extension Types = Allowed System Extensions
System Extension Types = Allowed System Extension Types
System Extension Types = Allowed Team Identifiers

I suppose the fix would be to remove the following two:

System Extension Types = Allowed System Extension Types
System Extension Types = Allowed Team Identifiers

Has anyone made this change successfully, without breaking existing CrowdStrike installations?

dvasquez · ‎08-25-2022

Thank you for sharing we are testing this now.

lucas_cantor · ‎08-18-2022

Looks like the answer is yes. Examples on the MacAdmins Slack: https://macadmins.slack.com/archives/C04QVP86E/p1660554939647719

jhbush · ‎08-23-2022

Thank you for posting this. Using this information I updated our Cisco AMP configuration profile to resolve this error.

MrBombadil · ‎08-17-2023

I followed the Crowdstrike documentation to setup the Config Profile to the tee. There is a script with a smart group that reports back any Macs that do not have the Falcon System Extension "Not Installed" Some Macs are successfully installing the System Extension portion of the Config Profile while others are not. any feedback on this?

Here is the script I am using for the reporting of the custom Extension Attribute:

#!/bin/bash

# Gets the installation status of the CrowdStrike Falcon Agent System Extension
#
# Returns:
# Installed - Falcon Agent system extension is installed and running
# Requires Approval - Falcon Configuration Profile from Jamf is not installed
# Not Installed - Falcon Agent is not installed

CheckIfRoot() {
	if [[ $(id -u) -ne 0 ]]; then
		echo "This script must be run as root" 1>&2
		exit 1
	fi
}

CheckAgentStatus() {
	active_version=$(/Applications/Falcon.app/Contents/Resources/falconctl stats agent_info 2>/dev/null | awk '/version/ {print $2}')

	# Prints Enabled if an active agent was found, otherwise print Disabled
	if [[ -n $active_version ]]; then
	    echo "<result>Installed</result>"
	else
	    active_version=$(systemextensionsctl list 2>/dev/null | grep -Eo "(.(.|\s))+X9E956P446\scom\.crowdstrike\.falcon\.Agent \((\d+)\.(\d+)/(\d+)\.(\d+)\)\sAgent\s\[activated waiting for user]")
		if [[ -n $active_version ]]; then
	    	echo "<result>Requires Approval</result>"
		else
	    	echo "<result>Not Installed</result>"
		fi
	fi
}

if [[ "${BASH_SOURCE[0]}" -ef "$0" ]]; then
	CheckIfRoot
	CheckAgentStatus
fi

Jamf Nation Community

"The same team ID may not appear in both AllowedTeamIdentifiers and AllowedSystemExtensions"