Figured I start a separate discussion as the primary one is focused on the System Extension Blocked issue.
Ive spun my wheels trying to figure out I cannot sign the mobile config file, hope you all can see where I am going wrong.
Followed the steps here: https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority
After downloading the pem file, double clicked it to install. Set to always trust on the certificate
Verified that I can see the certificate as well as the public and private keys in the keychain
In terminal ran this to get the SKID
/usr/bin/security find-certificate -a ...... keychain: "/Library/Keychains/System.keychain" version: 256 class: 0x80001000 attributes: "alis"<blob>= "cenc"<uint32>=0x00000003 "ctyp"<uint32>=0x00000001 "hpky"<blob>=0x2B467E8A1226173324E05CA03A85AAC07C674554 "+F~21222&273$340134240:205252300|gET" "issu"<blob>=0x30323130302E060355040313274E524343204A5353204255494C542D494E20434552544946494341544520415554484F52495459 "02100.0603U040323'NRCC JSS BUILT-IN CERTIFICATE AUTHORITY" "labl"<blob>="CSMobile" "skid"<blob>=0x2B467E8A1226173324E05CA03A85AAC07C674554 "+F~21222&273$340134240:205252300|gET" "snbr"<blob>=0x00FDEB4A0E "00375353J16" "subj"<blob>=0x3042310B30090603550406130255533111300F0603550403130843534D4F42494C453120301E06092A864886F70D010901161168656C706465736B406E7263632E6F7267 "0B1130110603U04062302US1210170603U04032310CSMOBILE1
Got my Subject Key ID 2B467E8A1226173324E05CA03A85AAC07C674554
Verifying I have a valid identity
/usr/bin/security find-identity -v 1) FFAE2352459867142C583660822EE80FEF830F7C "CSMobile" 2) FFAE2352459867142C583660822EE80FEF830F7C "CSMobile" 3) A69E85A3387D13A3D432D0812F3204E86C42E028 "062285CD-6664-4D34-BB0E-D5B71CBC744C" 3 valid identities found
Great, sees it as a valid identity. Then...
Sudo /usr/bin/security cms -S -Z 2B467E8A1226173324E05CA03A85AAC07C674554 -i "Falcon Profile.mobileconfig" -o FalconSigned.mobileconfig Password: security: failed to find identity with subject key ID: " 2B467E8A1226173324E05CA03A85AAC07C674554": The specified item could not be found in the keychain. security: could not find signing identity for subject key ID: " 2B467E8A1226173324E05CA03A85AAC07C674554" security: problem signing
Doesnt seem to like it ... also tried it this way ..
Sudo /usr/bin/security cms -S -N CSMobile -i "Falcon Profile.mobileconfig" -o FalconSigned.mobileconfig Password: security: could not find signing identity for name: " CSMobile" security: problem signing
My suspicion is it sees a duplicate of the CSMobile cert and doesnt know which one to pick. Ive tried deleting everything and importing again but it always creates 2 entries when I check for a valid identity.
Just my opinion, but I would be hesitant to sign certificates using the built-in CA certificates, as they expire after a year if generated by Jamf using a CSR. They should still be respected by the OS if pushed via MDM, but with Big Sur and beyond, who knows. You definitely don't want Crowdstrike to randomly stop working in a year.
Far better to get access to an Apple Developer account so you can generate Developer ID Installer certificates which can also be used to sign packages (e.g. QuickAdd, if you're still using it).
In terms of actually signing, take a look at Hancock: https://github.com/JeremyAgost/Hancock/releases