Silently install Crowdstrike Falcon? Is it possible?

boatymcboatface
New Contributor II

Has anyone successfully deployed Crowdstrike Falcon on Big Sur silently? Perhaps this is not possible?

I'm using the Falcon Profile.mobileconfig provided by Crowdstrike and pushing that out first, but it doesn't seem to suppress any of the pop ups or notifications. Also, the MDM profile doesn't seem to allow full disk access, which is necessary for Falcon to auto update itself.

 


22 REPLIES

rkeleghan
New Contributor III

Hi @boatymcboatface .. 

I currently have deployed CS in my environment .. so far you can only suppress both System Ext + Network filter but not the Notification ..

Hope the below images help!

Hi @rkeleghan ,

Thanks for sharing the settings, I am following this for my deployment.

Did this work even if you don't have a distribution point configuration?

Late to this post, but I'm doing this now and thought I'd share about the notifications:

  • It looks like "Falcon Notifications" is a separate app from "Falcon" and is located here: "/Applications/Falcon.app/Contents/Library/LaunchServices/Falcon Notifications.app"
  • The bundle ID from that app's Info.plist file is "com.crowdstrike.falcon.UserAgent"
  • Using that bundle ID in a config profile notifications payload took care of things for me.

 


mm2270
Legendary Contributor III

I honestly don't even know why the latest releases of CS pop up a notification approval. The "Falcon.app" doesn't do anything on its own per se. No-one would ever run it like a normal application, so why does it pop up a Notification Center message like that? Seems silly, and like something Crowdstrike should suppress on their own.

Jason-
New Contributor II

@rkeleghan Thanks so much for this, it is great to have it all laid out and easy to follow.

I built my config just as you have shown, applied it, installed Falcon, and activated it.  Falcon is running and CS sees the new host, however in SysPref > Privacy, the Agent is still unchecked for Full Disk Access.  I had thought that the PPPC settings were specifically supposed to allow that?

kvmart
New Contributor II

From what I've seen, when JAMF deploys a Configuration Profile that grants the permissions rather than having the users manually approve the access it won't show up as checked. As long as the application itself is reporting properly and not prompting to grant access you've done everything just fine.

N7centurion
New Contributor II

For everyone who has successfully deployed Crowdstrike, are you doing so on Intel based Macs? Have you had any success with M1 based Macs?

kvmart
New Contributor II

I'm deploying to a mixed environment between Intel and M1 devices. There doesn't seem to be a need for different Config Profiles or Policies, as the PKG will know to install the appropriate version based off the device configuration. I can confirm installations on either type of machine report back and activate successfully on both types of devices. (With a recently up-to-date version of CrowdStrike of course)

Thanks for the help in advance!

Do you have a reference step by step guide in deploying Crowdstrike from Jamf?

I am lost on the package settings as it requires to be in a distribution point. All the searches I did only show configuration profiles but not the Crowdstrike Package.

My second question is, where did you put the Crowdstrike installer/Package in Jamf?

kvmart
New Contributor II

Sure, before making a policy you will need to upload your package into your JAMF portal. To do so, log in to your JAMF page and click on the gear/settings icon at the top-right. Scroll down to the "Computer Management" section and click on "Packages".

Select your .PKG file and upload. Once uploaded, it may take a minute or two to fully sync. You can then go back into your Policies, create a new Policy, configure the "Packages" payload and select "Configure" to choose the PKG file you just uploaded


Once you save and scope your policy to your test machines, you should be able to see the installation go through. Per Crowdstrike's documentation I also added a short script to license and activate Falcon after installation similar to below:

/Applications/Falcon.app/Contents/Resources/falconctl license ENTERFALCONLICENSECODEHERE

Let me know if that helps!

Thanks @kvmart I followed the configuration profiles from @rkeleghan and policy to install package as you stated. The configuration profiles were successfully pushed on the target machine however push of the package is failing.

Package installation profile


Package installation failed with errors below

It looks like it's failing to download. Any idea? Thanks for helping

Just to share - the package is now deployed successfully, however the latest error I'm getting is shown in the screenshot.

This error appears whenever I tried to activate the falcon using the script from Jamf. It looks like Jamf is looking for a directory that doesn't exist.

Fiktif
New Contributor II

In the policy used to deploy CS, you can add this line of code in the "Files and Processes" for the licensing:

sudo /Applications/Falcon.app/Contents/Resources/falconctl license XXXXXXXXXX-YY

where XXXXX-YY represents your license (see my screenshot)

I believe you're adding a script on its own when one line of code was enough.

It also looks like your script is grabbing or deploying the license to the wrong location.

Let me know if this helps.

Thank you! 

I had a separate script for license activation.

I tried yours and it worked perfectly. 

Fiktif
New Contributor II

It looks like you were having some connectivity issues that interrupted your deployment.

One good suggestion to keep in mind when it comes to these types of "heavy" deployments is to maybe use one policy to "cache" the pkg and then another policy to deploy it.

That way, even if the user loses connection, the deployment will be able to complete.

N7centurion
New Contributor II

Thanks for the reply. Do you happen to know what version of MacOS your M1 devices are running?

I recently tried to deploy Crowdstrike but we ended up with many M1 Macs running Big Sur rebooting into "Boot Recovery Assistant" and asking for an admin password to "verify startup disk". Very similar to what was going on in this other thread.

https://community.jamf.com/t5/jamf-pro/big-sur-m1-mac-filevailt-2-admin-user-big-problems/m-p/224622

Are you pushing the kernel extensions and system extensions in the same config profile to both M1 and Intel? I am setting up for deploying and was told to break out system and kernel extensions from each other.

I was deploying a single config profile with system and kernel extensions to all devices running MacOS 11 and above (M1 and Intel). Good to know that I should separate those. Thanks. Could you send a screen shot of the difference between those two config profiles you're using?

According to their docs, it warns of not using a profile that includes kernel extensions on M1 machines.

Fiktif
New Contributor II

Hey,

The configuration profile for Crowdstrike for M1 and Intel based macs should be separate due to the fact that M1 don't support Kernel extensions.

So basically the Config Pro for M1 is the Intel Config Pro minus the kernel extension.

Hope that helps.
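An added example, not code from this thread or from CrowdStrike: a small Python audit of a parsed .mobileconfig that reports whether it carries a kernel-extension payload, whether it manages notifications for the `com.crowdstrike.falcon.UserAgent` bundle ID mentioned earlier, and which identifiers get Full Disk Access, plus a helper that derives the "Intel profile minus the kernel extension" variant. The payload type strings are Apple's; the team ID, profile identifier and agent identifier in the sample are placeholders.

```python
import plistlib

KEXT = "com.apple.syspolicy.kernel-extension-policy"
NOTIF = "com.apple.notificationsettings"
TCC = "com.apple.TCC.configuration-profile-policy"
FALCON_NOTIFIER = "com.crowdstrike.falcon.UserAgent"  # bundle ID quoted in the thread


def audit(profile: dict) -> dict:
    """Summarise what a parsed .mobileconfig pre-approves."""
    payloads = profile.get("PayloadContent", [])
    notif_ids = {
        entry.get("BundleIdentifier")
        for p in payloads if p.get("PayloadType") == NOTIF
        for entry in p.get("NotificationSettings", [])
    }
    fda_ids = [
        entry.get("Identifier")
        for p in payloads if p.get("PayloadType") == TCC
        for entry in p.get("Services", {}).get("SystemPolicyAllFiles", [])
    ]
    return {
        "has_kext_payload": any(p.get("PayloadType") == KEXT for p in payloads),
        "notifier_managed": FALCON_NOTIFIER in notif_ids,
        "full_disk_access_ids": fda_ids,
    }


def apple_silicon_variant(profile: dict) -> dict:
    """Copy of the profile with the kernel-extension payload removed."""
    variant = dict(profile)
    variant["PayloadContent"] = [
        p for p in profile.get("PayloadContent", []) if p.get("PayloadType") != KEXT
    ]
    # Assumption: give the copy its own identifier so both profiles can coexist in the MDM.
    variant["PayloadIdentifier"] = profile.get("PayloadIdentifier", "profile") + ".applesilicon"
    return variant


# Constructed sample: placeholder team ID and identifiers, not CrowdStrike's real values.
SAMPLE = plistlib.loads(plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "example.falcon.intel",
    "PayloadContent": [
        {"PayloadType": KEXT, "AllowedTeamIdentifiers": ["TEAMID0000"]},
        {"PayloadType": "com.apple.system-extension-policy", "AllowedTeamIdentifiers": ["TEAMID0000"]},
        {"PayloadType": TCC, "Services": {"SystemPolicyAllFiles": [
            {"Identifier": "example.agent.placeholder", "IdentifierType": "bundleID", "Allowed": True}]}},
    ],
}))
```

To audit a real unsigned profile, load it with `plistlib.load(open(path, "rb"))`; the sample deliberately has no notifications payload, so `notifier_managed` comes back false for it.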

Hi,

 

You mentioned that the M1 and Intel configuration profiles should be different. Is there an example for this? I used the profile configuration file that Crowdstrike distributed, but I could not provide full disk access on either M1 or Intel devices. Where could we be going wrong?