"The same team ID may not appear in both AllowedTeamIdentifiers and AllowedSystemExtensions"

AVmcclint
Honored Contributor

Ever since our Jamfcloud instance was updated to 10.40.1 over the weekend I have seen this error in every Mac enrollment for a couple of our config profiles (Cisco AnyConnect and Crowdstrike Falcon): The same team ID may not appear in both AllowedTeamIdentifiers and AllowedSystemExtensions. We have made zero changes to the profiles in question, so I can only assume the reason we're seeing it now is because of a change in Jamf Pro that now reports this condition where before it would not.  I looked it up and it appears that according to Apple's developer documentation, this is a true error. The question I have is how do we fix it? Which would be the better fix? Removing it from AllowedTeamIdentifiers or removing it from AllowedSystemExtensions?

8 REPLIES

arnoldtaw
New Contributor III

I noticed the same exact thing yesterday. For us, it was the Falcon profile. Just like you mentioned, nothing was changed. Interested in knowing the reason or solution. 

sdagley
Esteemed Contributor II

@AVmcclint @arnoldtaw If you download the latest CrowdStrike signed Configuration Profiles they don't trigger this error. There is also a walkthrough for setting up the CrowdStrike Configuration Profile if you prefer to build it manually: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxVQAQ

I don't know if Cisco has any updates for the AnyConnect profiles, but if I were to guess I'd suggest removing the AllowedTeamIdentifiers setting and stick with the AllowedSystemExtensions one.

mikegetchell
New Contributor III

deleted.

lucas_cantor
New Contributor III

Here's a direct link to the CrowdStrike doc on how to build a config profile for this in Jamf Pro: https://supportportal.crowdstrike.com/s/article/ka16T000000wwxpQAA

 

The relevant "Allowed System Extensions" section:

Configure System Extension: Scroll down to System Extensions under Options

  1. Select Configure

  2. Allow users to approve system extensions = checked (Default)

  3. Display Name = com.crowdstrike.falcon.Agent

  4. System Extension Types = Allowed System Extensions

  5. Team Identifier = X9E956P446

  6. Select + Add under Allowed System Extensions

  7. Allowed System Extensions = com.crowdstrike.falcon.Agent

 

This is definitely different from the instructions we originally followed, which contained all three of the following:

  • System Extension Types = Allowed System Extensions
  • System Extension Types = Allowed System Extension Types
  • System Extension Types = Allowed Team Identifiers

I suppose the fix would be to remove the following two:

  • System Extension Types = Allowed System Extension Types
  • System Extension Types = Allowed Team Identifiers

Has anyone made this change successfully, without breaking existing CrowdStrike installations?

Thank you for sharing; we are testing this now.
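The overlap reported in this thread can be checked offline before a profile is redeployed. The following is an added example, not part of any post here and not Jamf, Apple or CrowdStrike code: it reads an unsigned .mobileconfig, reports team IDs listed under both AllowedTeamIdentifiers and AllowedSystemExtensions in the same com.apple.system-extension-policy payload, and applies the fix suggested above by keeping only the narrower per-bundle allow list. The function names and the sample profile are constructed for illustration, and the check assumes the conflict is evaluated per payload.

```python
import plistlib

POLICY_TYPE = "com.apple.system-extension-policy"

# Constructed sample: an unsigned profile that lists the CrowdStrike team ID
# under both keys, which is the layout the thread describes.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": POLICY_TYPE,
        "AllowUserOverrides": True,
        "AllowedTeamIdentifiers": ["X9E956P446"],
        "AllowedSystemExtensions": {"X9E956P446": ["com.crowdstrike.falcon.Agent"]},
    }],
})


def find_conflicts(profile_bytes):
    """Return {payload index: sorted team IDs present under both keys}."""
    profile = plistlib.loads(profile_bytes)
    conflicts = {}
    for index, payload in enumerate(profile.get("PayloadContent", [])):
        if payload.get("PayloadType") != POLICY_TYPE:
            continue
        by_team = set(payload.get("AllowedTeamIdentifiers", []))
        by_bundle = set(payload.get("AllowedSystemExtensions", {}))
        overlap = sorted(by_team & by_bundle)
        if overlap:
            conflicts[index] = overlap
    return conflicts


def drop_team_wide_allow(profile_bytes):
    """Remove conflicting IDs from AllowedTeamIdentifiers, keeping the
    narrower per-bundle entries in AllowedSystemExtensions."""
    profile = plistlib.loads(profile_bytes)
    for index, overlap in find_conflicts(profile_bytes).items():
        payload = profile["PayloadContent"][index]
        remaining = [t for t in payload["AllowedTeamIdentifiers"] if t not in overlap]
        if remaining:
            payload["AllowedTeamIdentifiers"] = remaining
        else:
            del payload["AllowedTeamIdentifiers"]
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print("before:", find_conflicts(SAMPLE_PROFILE))
    print("after: ", find_conflicts(drop_team_wide_allow(SAMPLE_PROFILE)))
```

A signed profile has to be unwrapped to its plist before plistlib can read it. Dropping the team-wide entry also narrows what the profile approves: AllowedTeamIdentifiers permits every system extension signed by that team, while AllowedSystemExtensions permits only the listed bundle identifiers.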

 

lucas_cantor
New Contributor III

Looks like the answer is yes. Examples on the MacAdmins Slack: https://macadmins.slack.com/archives/C04QVP86E/p1660554939647719

jhbush
Valued Contributor II

Thank you for posting this. Using this information I updated our Cisco AMP configuration profile to resolve this error. 

MrBombadil
New Contributor III

I followed the Crowdstrike documentation to set up the Config Profile to a tee. There is a script with a smart group that reports back any Macs that do not have the Falcon System Extension "Not Installed". Some Macs are successfully installing the System Extension portion of the Config Profile while others are not. Any feedback on this?

 

Here is the script I am using for the reporting of the custom Extension Attribute: 

 

#!/bin/bash

# Gets the installation status of the CrowdStrike Falcon Agent System Extension
#
# Returns:
# Installed - Falcon Agent system extension is installed and running
# Requires Approval - Falcon Configuration Profile from Jamf is not installed
# Not Installed - Falcon Agent is not installed

CheckIfRoot() {
	if [[ $(id -u) -ne 0 ]]; then
		echo "This script must be run as root" 1>&2
		exit 1
	fi
}

CheckAgentStatus() {
	active_version=$(/Applications/Falcon.app/Contents/Resources/falconctl stats agent_info 2>/dev/null | awk '/version/ {print $2}')

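	# Reports Installed if falconctl returned an agent version; otherwise
	# checks whether the system extension is still waiting for user approval
	if [[ -n $active_version ]]; then
	    echo "<result>Installed</result>"
	else
	    # POSIX classes are used because grep -E on macOS does not understand \d,
	    # and the square brackets are escaped so they match the literal state text
	    active_version=$(systemextensionsctl list 2>/dev/null | grep -Eo "X9E956P446[[:space:]]+com\.crowdstrike\.falcon\.Agent[[:space:]]+\([0-9]+\.[0-9]+/[0-9]+\.[0-9]+\)[[:space:]]+Agent[[:space:]]+\[activated waiting for user\]")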
		if [[ -n $active_version ]]; then
	    	echo "<result>Requires Approval</result>"
		else
	    	echo "<result>Not Installed</result>"
		fi
	fi
}

if [[ "${BASH_SOURCE[0]}" -ef "$0" ]]; then
	CheckIfRoot
	CheckAgentStatus
fi

 
