- Jamf Nation Community
- Products
- Jamf Pro
- Re: "The same team ID may not appear in both Allow...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-18-2022 07:05 AM
Ever since our Jamfcloud instance was updated to 10.40.1 over the weekend I have seen this error in every Mac enrollment for a couple of our config profiles (Cisco AnyConnect and Crowdstrike Falcon): The same team ID may not appear in both AllowedTeamIdentifiers and AllowedSystemExtensions. We have made zero changes to the profiles in question, so I can only assume the reason we're seeing it now is because of a change in Jamf Pro that now reports this condition where before it would not. I looked it up and it appears that according to Apple's developer documentation, this is a true error. The question I have is how do we fix it? Which would be the better fix? Removing it from AllowedTeamIdentifiers or removing it from AllowedSystemExtensions?
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-18-2022 02:10 PM
Here's a direct link to the CrowdStrike doc on how to build a config profile for this in Jamf Pro: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxpQAA
The relevant "Allowed System Extensions" section:
Configure System Extension: Scroll down to System Extensions under Options
Select Configure
Allow users to approve system extensions = checked (Default)
Display Name = com.crowdstrike.falcon.Agent
System Extension Types = Allowed System Extensions
Team Identifier = X9E956P446
Select + Add under Allowed System Extensions
Allowed System Extensions = com.crowdstrike.falcon.Agent
This is definitely different from the instructions we originally followed, which contained all thee of the following:
- System Extension Types = Allowed System Extensions
- System Extension Types = Allowed System Extension Types
- System Extension Types = Allowed Team Identifiers
I suppose the fix would be to remove the following two:
- System Extension Types = Allowed System Extension Types
- System Extension Types = Allowed Team Identifiers
Has anyone made this change successfully, without breaking existing CrowdStrike installations?
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-18-2022 07:46 AM
I noticed the same exact thing yesterday. For us, it was the Falcon profile. Just like you mentioned, nothing was changed. Interested in knowing the reason or solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-18-2022 07:55 AM - edited 08-18-2022 07:58 AM
@AVmcclint @arnoldtaw If you download the latest CrowdStrike signed Configuration Profiles they don't trigger this error. There is also a walkthrough for setting up the CrowdStrike Configuration Profile if you prefer to build it manually: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxVQAQ
I don't know if Cisco has any updates for the AnyConnect profiles, but if I were to guess I'd suggest removing the AllowedTeamIdentifiers setting and stick with the AllowedSystemExtensions one.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-19-2022 07:19 AM - edited 08-24-2022 12:48 PM
deleted.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-18-2022 02:10 PM
Here's a direct link to the CrowdStrike doc on how to build a config profile for this in Jamf Pro: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxpQAA
The relevant "Allowed System Extensions" section:
Configure System Extension: Scroll down to System Extensions under Options
Select Configure
Allow users to approve system extensions = checked (Default)
Display Name = com.crowdstrike.falcon.Agent
System Extension Types = Allowed System Extensions
Team Identifier = X9E956P446
Select + Add under Allowed System Extensions
Allowed System Extensions = com.crowdstrike.falcon.Agent
This is definitely different from the instructions we originally followed, which contained all thee of the following:
- System Extension Types = Allowed System Extensions
- System Extension Types = Allowed System Extension Types
- System Extension Types = Allowed Team Identifiers
I suppose the fix would be to remove the following two:
- System Extension Types = Allowed System Extension Types
- System Extension Types = Allowed Team Identifiers
Has anyone made this change successfully, without breaking existing CrowdStrike installations?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-25-2022 09:32 AM
Thank you for sharing we are testing this now.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-18-2022 02:20 PM
Looks like the answer is yes. Examples on the MacAdmins Slack: https://macadmins.slack.com/archives/C04QVP86E/p1660554939647719
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-23-2022 07:53 PM
Thank you for posting this. Using this information I updated our Cisco AMP configuration profile to resolve this error.
