"The same team ID may not appear in both AllowedTeamIdentifiers and AllowedSystemExtensions"

AVmcclint
Honored Contributor

Ever since our Jamfcloud instance was updated to 10.40.1 over the weekend I have seen this error in every Mac enrollment for a couple of our config profiles (Cisco AnyConnect and CrowdStrike Falcon): "The same team ID may not appear in both AllowedTeamIdentifiers and AllowedSystemExtensions". We have made zero changes to the profiles in question, so I can only assume the reason we're seeing it now is because of a change in Jamf Pro that now reports this condition where before it would not. I looked it up and it appears that according to Apple's developer documentation, this is a true error. The question I have is how do we fix it? Which would be the better fix? Removing it from AllowedTeamIdentifiers or removing it from AllowedSystemExtensions?

1 ACCEPTED SOLUTION

lucas_cantor
New Contributor III

Here's a direct link to the CrowdStrike doc on how to build a config profile for this in Jamf Pro: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxpQAA

 

The relevant "Allowed System Extensions" section:

Configure System Extension: Scroll down to System Extensions under Options

  1. Select Configure

  2. Allow users to approve system extensions = checked (Default)

  3. Display Name = com.crowdstrike.falcon.Agent

  4. System Extension Types = Allowed System Extensions

  5. Team Identifier = X9E956P446

  6. Select + Add under Allowed System Extensions

  7. Allowed System Extensions = com.crowdstrike.falcon.Agent

 

This is definitely different from the instructions we originally followed, which contained all three of the following:

  • System Extension Types = Allowed System Extensions
  • System Extension Types = Allowed System Extension Types
  • System Extension Types = Allowed Team Identifiers

I suppose the fix would be to remove the following two:

  • System Extension Types = Allowed System Extension Types
  • System Extension Types = Allowed Team Identifiers

Has anyone made this change successfully, without breaking existing CrowdStrike installations?
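An added example, not part of the original posts and not CrowdStrike's or Jamf's own tooling: a check for the overlap the error message describes, run over an exported profile, plus the fix suggested in this thread (drop the team ID from AllowedTeamIdentifiers and keep the per-bundle AllowedSystemExtensions entry). It assumes an unsigned .mobileconfig plist; the function names and the embedded sample profile are constructed for illustration.

```python
import plistlib

POLICY_TYPE = "com.apple.system-extension-policy"

# Constructed sample profile containing the overlap discussed in this thread.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.system-extension-policy</string>
    <key>AllowUserOverrides</key><true/>
    <key>AllowedSystemExtensions</key><dict>
      <key>X9E956P446</key>
      <array><string>com.crowdstrike.falcon.Agent</string></array>
    </dict>
    <key>AllowedTeamIdentifiers</key><array><string>X9E956P446</string></array>
  </dict></array>
</dict></plist>"""

def conflicting_team_ids(profile_bytes):
    """Return {payload index: sorted team IDs present under both keys}."""
    profile = plistlib.loads(profile_bytes)
    conflicts = {}
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        if payload.get("PayloadType") != POLICY_TYPE:
            continue
        # AllowedSystemExtensions is keyed by team ID (value: bundle IDs);
        # AllowedTeamIdentifiers is a flat list that allows the whole team.
        per_bundle = set(payload.get("AllowedSystemExtensions", {}))
        whole_team = set(payload.get("AllowedTeamIdentifiers", []))
        overlap = sorted(per_bundle & whole_team)
        if overlap:
            conflicts[i] = overlap
    return conflicts

def drop_blanket_team_allow(profile_bytes):
    """Remove overlapping IDs from AllowedTeamIdentifiers only."""
    profile = plistlib.loads(profile_bytes)
    for i, ids in conflicting_team_ids(profile_bytes).items():
        payload = profile["PayloadContent"][i]
        rest = [t for t in payload["AllowedTeamIdentifiers"] if t not in ids]
        if rest:
            payload["AllowedTeamIdentifiers"] = rest
        else:
            del payload["AllowedTeamIdentifiers"]  # no empty array left behind
    return plistlib.dumps(profile)

if __name__ == "__main__":
    print(conflicting_team_ids(SAMPLE_PROFILE))
```

Keeping the AllowedSystemExtensions entry is also the narrower allowance: it approves only the listed bundle IDs rather than every system extension signed by that team.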


arnoldtaw
New Contributor III

I noticed the same exact thing yesterday. For us, it was the Falcon profile. Just like you mentioned, nothing was changed. Interested in knowing the reason or solution. 

sdagley
Honored Contributor III

@AVmcclint @arnoldtaw If you download the latest CrowdStrike signed Configuration Profiles they don't trigger this error. There is also a walkthrough for setting up the CrowdStrike Configuration Profile if you prefer to build it manually: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxVQAQ

I don't know if Cisco has any updates for the AnyConnect profiles, but if I were to guess I'd suggest removing the AllowedTeamIdentifiers setting and sticking with the AllowedSystemExtensions one.

Thank you for sharing; we are testing this now.

 

lucas_cantor
New Contributor III

Looks like the answer is yes. Examples on the MacAdmins Slack: https://macadmins.slack.com/archives/C04QVP86E/p1660554939647719

jhbush
Valued Contributor II

Thank you for posting this. Using this information I updated our Cisco AMP configuration profile to resolve this error.