Jamf Nation Community

Hi @rkeleghan ,

Thanks for sharing the settings, i am following this for my deployment.

Did this work even if you don't have a distribution point configuration?

Late to this post, but I'm doing this now and thought I'd share about the notifications:

• It looks like "Falcon Notifications" is a separate app from "Falcon" and is located here: "/Applications/Falcon.app/Contents/Library/LaunchServices/Falcon Notifications.app"
• The bundle ID from that app's Info.plist file is "com.crowdstrike.falcon.UserAgent"
• Using that bundle ID in a config profile notifications payload took care of things for me.

This worked perfectly thank you!

This will suppress the Network Content Filter and the System Extension popups? Looks like it is displaying/enabling them. Sorry for my confusion. Are there any other options that need to be configured? Does this need to be put anywhere...
"/Applications/Falcon.app/Contents/Library/LaunchServices/Falcon Notifications.app"

I totally agree!

From what I've seen, when JAMF deploys a Configuration Profile that grants the permissions rather than having the users manually approve the access it won't show up as checked. As long as the application itself is reporting properly and not prompting to grant access you've done everything just fine.

I'm deploying to a mixed environment between Intel and M1 devices, there doesn't seem to be a need for different Config Profiles or Policies as the PKG will know install the appropriate version based off the device configuration. I can confirm installations on either type of machine reports back and activates successfully on both types of devices. (With a recently up-to-date version of CrowdStrike of course)

Thank for the help in advance!

Do you have a reference step by step guide in deploying Crowdstrike from Jamf?

I am lost on the package settings as it requires to be in a distribution point. All search I did only shows configuration profiles but not the Crowdstrike Package.

My second question is, Where did you put the Crowdstrike installer/Package in Jamf?

Sure, before making a policy you will need upload your package into your JAMF portal, to do so, log in to your JAMF page and click on the gear/settings icon at the top-right. Scroll down to the "Computer Management" section and click on "Packages"

Select your .PKG file and upload. Once uploaded, it may take a minute or two to fully sync. You can then go back into your Policies, create a new Policy, configure the "Packages" payload and select "Configure" to choose the PKG file you just uploaded

Once you save and scope your policy to your test machines, you should be able to see the installation go through. Per Crowdstrike's documentation I also added a short script to license and activate Falcon after installation similar to below:

/Applications/Falcon.app/Contents/Resources/falconctl license ENTERFALCONLICENSECODEHERE

Let me know if that helps!

Thanks @kvmart I followed the configuration profiles from @rkeleghan and policy to install package as you stated. The configuration profiles were successfully pushed on the target machine however push of the package is failing.

Package installation profile

Package installation failed with errors below

It looks like its failing to download. Any idea? Thanks for helping

just to share - the package is now deployed successfully however then latest error i'm getting is shown in the screenshot.

This error appears whenever i tried to activate the falcon using the script from Jamf. It looks like Jamf is looking for a directory that doesn't exist. 

In the policy used to deploy CS, you can add this line of code in the "Files and Processes" for the licensing:

sudo /Applications/Falcon.app/Contents/Resources/falconctl license XXXXXXXXXX-YY

---

where XXXXX-YY represent your license (see my screenshot)

I believe you're adding a script on its own when one line of code was enough.

It also looks like your script is grabbing or deploying the license to the wrong location.

Let me know if this help.

Thank you! 

I had a separate script for license activation.

I tried yours and it worked perfectly. 

It looks like you were having some connectivity issues that interrupted your deployment.

One good suggestion to keep in mind when it comes to these type of "heavy" deployments, is to maybe use one policy to "cache" the pkg and then another policy to deploy it.

That way, even if the user looses connection, the deployment will be able to complete.

http://www-personal.umich.edu/~dekemar/Falcon_Sensor_for_Mac_Deployment_Guide(version_6.11_and_later...

This should help.

Thanks for the reply. Do you happen to know what version of MacOS your M1 devices are running?

I recently tried to deploy Crowdstrike but we ended up with many M1 Macs running Big Sur rebooting into "Boot Recovery Assistant" and asking for an admin password to "verify startup disk". Very similar to what was going on in this other thread.

https://community.jamf.com/t5/jamf-pro/big-sur-m1-mac-filevailt-2-admin-user-big-problems/m-p/224622

Are you pushing the kernel extensions and system extensions in the same config profile to both M1 and Intel? I am setting up for deploying and was told to break out system and kernel extensions from each other

I was deploying a single config profile with system and kernel extensions to all devices running MacOS 11 and above (M1 and Intel). Good to know that I should separate those. Thanks. Could you send a screen shot of the difference between those two config profiles you're using?

According to their docs is warns of not using a profile that includes kernel extensions on M1 machines

Hey,

The configuration profile for Crowdstrike for M1 and Intel based macs should be separate due to the fact that M1 don't support Kernel extensions.

So basically the Config Pro for M1 is the Intel Config Pro minus the kernel extension.

Hope that helps.

Hi,

You mentioned that the M1 and Intel configuration profiles should be different. Is there an example for this? I used the profile configuration file that Crowdstrike distributed. but I could not provide full disk access on neither m1 nor Intel devices. Where could we be going wrong?