Posted on 10-28-2021 01:42 PM
Has anyone successfully deployed Crowdstrike Falcon on Big Sur silently? Perhaps this is not possible?
I'm using the Falcon Profile.mobileconfig provided by Crowdstrike and pushing that out first, but it doesn't seem to suppress any of the pop ups or notifications. Also, the MDM profile doesn't seem to allow full disk access, which is necessary for Falcon to auto update itself.
Posted on 10-29-2021 01:48 AM
Hi @boatymcboatface ..
I currently have deployed CS in my environment .. so far you can only suppress both System Ext + Network filter but not the Notification ..
Hop the below images help!
Posted on 01-26-2022 01:51 AM
Hi @rkeleghan ,
Thanks for sharing the settings, i am following this for my deployment.
Did this work even if you don't have a distribution point configuration?
Posted on 06-30-2022 01:55 PM
Late to this post, but I'm doing this now and thought I'd share about the notifications:
a week ago
This worked perfectly thank you!
Posted on 11-01-2021 01:32 PM
I honestly don't even know why the latest releases of CS pop up a notification approval. The "Falcon.app" doesn't do anything on it's own per se. No-one would ever run it like a normal application, so why does it pop up a Notification Center message like that? Seems silly, and like something Crowdstrike should suppress on their own.
a week ago
I totally agree!
Posted on 11-08-2021 01:00 PM
@rkeleghan Thanks so much for this, it is great to have it all laid out and easy to follow.
I built my config just as you have shown, applied it, installed Falcon, and activated it. Falcon is running and CS sees the new host, however in SysPref > Privacy, the Agent is still unchecked for Full Disk Access. I had thought that the PPPC settings were specifically supposed to allow that?
Posted on 12-08-2021 10:27 PM
From what I've seen, when JAMF deploys a Configuration Profile that grants the permissions rather than having the users manually approve the access it won't show up as checked. As long as the application itself is reporting properly and not prompting to grant access you've done everything just fine.
Posted on 01-26-2022 11:15 AM
For everyone who has successfully deployed Crowdstrike, are you doing so on Intel based Macs? Have you had any success with M1 based Macs?
Posted on 01-26-2022 02:55 PM
I'm deploying to a mixed environment between Intel and M1 devices, there doesn't seem to be a need for different Config Profiles or Policies as the PKG will know install the appropriate version based off the device configuration. I can confirm installations on either type of machine reports back and activates successfully on both types of devices. (With a recently up-to-date version of CrowdStrike of course)
Posted on 01-26-2022 11:26 PM
Thank for the help in advance!
Do you have a reference step by step guide in deploying Crowdstrike from Jamf?
I am lost on the package settings as it requires to be in a distribution point. All search I did only shows configuration profiles but not the Crowdstrike Package.
My second question is, Where did you put the Crowdstrike installer/Package in Jamf?
Posted on 01-27-2022 07:40 AM
Sure, before making a policy you will need upload your package into your JAMF portal, to do so, log in to your JAMF page and click on the gear/settings icon at the top-right. Scroll down to the "Computer Management" section and click on "Packages"
Select your .PKG file and upload. Once uploaded, it may take a minute or two to fully sync. You can then go back into your Policies, create a new Policy, configure the "Packages" payload and select "Configure" to choose the PKG file you just uploaded
Once you save and scope your policy to your test machines, you should be able to see the installation go through. Per Crowdstrike's documentation I also added a short script to license and activate Falcon after installation similar to below:
/Applications/Falcon.app/Contents/Resources/falconctl license ENTERFALCONLICENSECODEHERE
Let me know if that helps!
Posted on 02-03-2022 08:25 PM
Thanks @kvmart I followed the configuration profiles from @rkeleghan and policy to install package as you stated. The configuration profiles were successfully pushed on the target machine however push of the package is failing.
Package installation profile
Package installation failed with errors below
It looks like its failing to download. Any idea? Thanks for helping
Posted on 02-05-2022 01:54 AM
just to share - the package is now deployed successfully however then latest error i'm getting is shown in the screenshot.
This error appears whenever i tried to activate the falcon using the script from Jamf. It looks like Jamf is looking for a directory that doesn't exist.
Posted on 02-11-2022 10:39 PM
In the policy used to deploy CS, you can add this line of code in the "Files and Processes" for the licensing:
sudo /Applications/Falcon.app/Contents/Resources/falconctl license XXXXXXXXXX-YY
where XXXXX-YY represent your license (see my screenshot)
I believe you're adding a script on its own when one line of code was enough.
It also looks like your script is grabbing or deploying the license to the wrong location.
Let me know if this help.
Posted on 02-19-2022 04:04 AM
I had a separate script for license activation.
I tried yours and it worked perfectly.
Posted on 02-11-2022 10:41 PM
It looks like you were having some connectivity issues that interrupted your deployment.
One good suggestion to keep in mind when it comes to these type of "heavy" deployments, is to maybe use one policy to "cache" the pkg and then another policy to deploy it.
That way, even if the user looses connection, the deployment will be able to complete.
Posted on 02-11-2022 10:42 PM
Posted on 02-01-2022 01:20 PM
Thanks for the reply. Do you happen to know what version of MacOS your M1 devices are running?
I recently tried to deploy Crowdstrike but we ended up with many M1 Macs running Big Sur rebooting into "Boot Recovery Assistant" and asking for an admin password to "verify startup disk". Very similar to what was going on in this other thread.
Posted on 02-11-2022 01:53 PM
Are you pushing the kernel extensions and system extensions in the same config profile to both M1 and Intel? I am setting up for deploying and was told to break out system and kernel extensions from each other
Posted on 02-11-2022 02:26 PM
I was deploying a single config profile with system and kernel extensions to all devices running MacOS 11 and above (M1 and Intel). Good to know that I should separate those. Thanks. Could you send a screen shot of the difference between those two config profiles you're using?
Posted on 02-11-2022 03:35 PM
According to their docs is warns of not using a profile that includes kernel extensions on M1 machines
02-11-2022 10:34 PM - edited 02-11-2022 10:48 PM
The configuration profile for Crowdstrike for M1 and Intel based macs should be separate due to the fact that M1 don't support Kernel extensions.
So basically the Config Pro for M1 is the Intel Config Pro minus the kernel extension.
Hope that helps.
Posted on 06-27-2022 10:38 AM
You mentioned that the M1 and Intel configuration profiles should be different. Is there an example for this? I used the profile configuration file that Crowdstrike distributed. but I could not provide full disk access on neither m1 nor Intel devices. Where could we be going wrong?
Posted on 01-13-2023 09:19 AM
Thanks to for This article it really helped me out ! I'm still looking to suppress login items and login items notifications in macOS ventura