Has anyone successfully deployed Crowdstrike Falcon on Big Sur silently? Perhaps this is not possible?
I'm using the Falcon Profile.mobileconfig provided by Crowdstrike and pushing that out first, but it doesn't seem to suppress any of the pop ups or notifications. Also, the MDM profile doesn't seem to allow full disk access, which is necessary for Falcon to auto update itself.
Late to this post, but I'm doing this now and thought I'd share about the notifications:
This will suppress the Network Content Filter and the System Extension popups? Looks like it is displaying/enabling them. Sorry for my confusion. Are there any other options that need to be configured? Does this need to be put anywhere...
I honestly don't even know why the latest releases of CS pop up a notification approval. The "Falcon.app" doesn't do anything on its own per se. No one would ever run it like a normal application, so why does it pop up a Notification Center message like that? Seems silly, and like something Crowdstrike should suppress on their own.
@rkeleghan Thanks so much for this, it is great to have it all laid out and easy to follow.
I built my config just as you have shown, applied it, installed Falcon, and activated it. Falcon is running and CS sees the new host, however in SysPref > Privacy, the Agent is still unchecked for Full Disk Access. I had thought that the PPPC settings were specifically supposed to allow that?
From what I've seen, when JAMF deploys a Configuration Profile that grants the permissions rather than having the users manually approve the access, it won't show up as checked. As long as the application itself is reporting properly and not prompting to grant access you've done everything just fine.
I'm deploying to a mixed environment between Intel and M1 devices, and there doesn't seem to be a need for different Config Profiles or Policies, as the PKG will know to install the appropriate version based off the device configuration. I can confirm installations on either type of machine report back and activate successfully on both types of devices. (With a recently up-to-date version of CrowdStrike of course)
Thanks for the help in advance!
Do you have a reference step by step guide in deploying Crowdstrike from Jamf?
I am lost on the package settings as it requires to be in a distribution point. All the searches I did only show configuration profiles but not the Crowdstrike Package.
My second question is, where did you put the Crowdstrike installer/Package in Jamf?
Sure, before making a policy you will need to upload your package into your JAMF portal. To do so, log in to your JAMF page and click on the gear/settings icon at the top-right. Scroll down to the "Computer Management" section and click on "Packages".
Select your .PKG file and upload. Once uploaded, it may take a minute or two to fully sync. You can then go back into your Policies, create a new Policy, configure the "Packages" payload and select "Configure" to choose the PKG file you just uploaded.
Once you save and scope your policy to your test machines, you should be able to see the installation go through. Per Crowdstrike's documentation I also added a short script to license and activate Falcon after installation similar to below:
/Applications/Falcon.app/Contents/Resources/falconctl license ENTERFALCONLICENSECODEHERE
Let me know if that helps!
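An added example, not part of any post in this thread and not CrowdStrike's or Jamf's own code: a Jamf policy script for the licensing step above that takes the license code from Jamf script parameter 4 instead of hardcoding it, and stops with a distinct exit code when `falconctl` is not at the expected path. The function name, the `FALCONCTL` override variable and the exit codes are illustrative assumptions; only the path and the `license` subcommand come from the thread.

```shell
#!/bin/sh
# Added example: license Falcon from a Jamf policy after the PKG installs.
# Path and "license" subcommand are taken from the thread; the function
# name, FALCONCTL override and exit codes are illustrative.

FALCONCTL="${FALCONCTL:-/Applications/Falcon.app/Contents/Resources/falconctl}"

# license_falcon <path-to-falconctl> <license-code>
# Returns: 0 licensed, 2 no license code given,
#          3 falconctl missing, 4 falconctl reported a failure.
license_falcon() {
    ctl="$1"
    code="$2"

    if [ -z "$code" ]; then
        echo "No license code supplied (Jamf parameter 4 is empty)" >&2
        return 2
    fi

    # If the package has not installed yet (failed download, policy ran
    # too early), report that instead of a bare "no such file" error.
    if [ ! -x "$ctl" ]; then
        echo "falconctl not found at $ctl; has the PKG installed?" >&2
        return 3
    fi

    # Jamf runs policy scripts as root, so sudo is not needed here.
    # The license code is deliberately never echoed into the policy log.
    if ! "$ctl" license "$code"; then
        echo "falconctl license returned an error" >&2
        return 4
    fi
    return 0
}

# Jamf passes the first custom script parameter as $4. Run only when
# invoked with Jamf-style arguments; with no arguments the file just
# defines the function.
if [ "$#" -ge 4 ]; then
    license_falcon "$FALCONCTL" "$4"
    exit $?
fi
```

A non-zero exit makes the policy show as failed in the Jamf logs, so a missing install is visible rather than silently leaving the sensor unlicensed.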
Thanks @kvmart. I followed the configuration profiles from @rkeleghan and the policy to install the package as you stated. The configuration profiles were successfully pushed on the target machine; however, the push of the package is failing.
Package installation profile
Package installation failed with errors below
It looks like it's failing to download. Any idea? Thanks for helping.
Just to share: the package is now deployed successfully; however, the latest error I'm getting is shown in the screenshot.
This error appears whenever I tried to activate the falcon using the script from Jamf. It looks like Jamf is looking for a directory that doesn't exist.
In the policy used to deploy CS, you can add this line of code in the "Files and Processes" for the licensing:
sudo /Applications/Falcon.app/Contents/Resources/falconctl license XXXXXXXXXX-YY
where XXXXX-YY represents your license (see my screenshot)
I believe you're adding a script on its own when one line of code was enough.
It also looks like your script is grabbing or deploying the license to the wrong location.
Let me know if this helps.
It looks like you were having some connectivity issues that interrupted your deployment.
One good suggestion to keep in mind when it comes to these types of "heavy" deployments is to maybe use one policy to "cache" the pkg and then another policy to deploy it.
That way, even if the user loses connection, the deployment will be able to complete.
Thanks for the reply. Do you happen to know what version of MacOS your M1 devices are running?
I recently tried to deploy Crowdstrike but we ended up with many M1 Macs running Big Sur rebooting into "Boot Recovery Assistant" and asking for an admin password to "verify startup disk". Very similar to what was going on in this other thread.
Are you pushing the kernel extensions and system extensions in the same config profile to both M1 and Intel? I am setting up for deploying and was told to break out system and kernel extensions from each other.
I was deploying a single config profile with system and kernel extensions to all devices running MacOS 11 and above (M1 and Intel). Good to know that I should separate those. Thanks. Could you send a screen shot of the difference between those two config profiles you're using?
You mentioned that the M1 and Intel configuration profiles should be different. Is there an example for this? I used the profile configuration file that Crowdstrike distributed, but I could not provide full disk access on either M1 or Intel devices. Where could we be going wrong?