Approved Kext Extension payload not working for Crowdstrike

inflicted
New Contributor II

After reading numerous threads and @frantic's script to create the plist, I tried to create a configuration profile to allow Crowdstrike's kexts, but I am still unable to see CS register correctly.

I use "sysctl cs" to verify if Crowdstrike is installed.

Has anyone gotten the Approved Kernel Extension payload to work with Crowdstrike?

5 REPLIES

donmontalvo
Esteemed Contributor III

Just curious, is there a reason why you decided to whitelist both Team ID and Bundle ID?

--
https://donmontalvo.com

tjhall
Contributor III

If I run "sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy" and "SELECT * FROM kext_policy;"

Might be worth adding these in and see if it works better....

X9E956P446|com.crowdstrike.sensor|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.CSAA|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.FileInfo|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.IOServices|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Kauth|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.libreactos|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Network|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.NMR|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.platform|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.TDB|1|CrowdStrike Inc.|8

scottb
Honored Contributor

@huyinmobi I would remove the "Approved Kernel Extensions" entries, save and try again.
Basically, what @donmontalvo said. I use this profile and it works, but I don't populate the field as mentioned above.

KSchroeder
Contributor

Yes, looks like if you specify the specific extensions (but not all of them, as @tjhall noted) then any that AREN'T explicitly on the list will NOT be allowed. It does make it confusing because your KEXT policy in Preferences > Policies applet won't show anything for the vendor unless you DO list the specific extensions, from what I've seen.

scottb
Honored Contributor

I've had no cause as of yet not to just use TEAM ID. I guess I could see circumstances where one would want some, but not all.
TEAM ID has been pretty good so far. I just deploy those on enrollment and login and all the software installs without drama on the user's end.
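
An added example, not part of any post in this thread: a Python check that compares a profile's Approved Kernel Extensions payload against kext_policy rows and reports bundle IDs left off an explicit per-team list, modelling the behaviour KSchroeder describes. The payload keys are Apple's; the profile wrapper, placeholder identifiers and function names are constructed for illustration.

```python
import plistlib

PAYLOAD_TYPE = "com.apple.syspolicy.kernel-extension-policy"

# Four of the rows tjhall posted (team ID | bundle ID | ...), used as sample input.
ROWS = """\
X9E956P446|com.crowdstrike.sensor|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.CSAA|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.platform|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.TDB|1|CrowdStrike Inc.|8
"""

def parse_rows(text):
    """Map team ID -> set of bundle IDs from pipe-separated kext_policy rows."""
    seen = {}
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) >= 2 and parts[0]:   # skip blank or malformed lines
            seen.setdefault(parts[0], set()).add(parts[1])
    return seen

def sample_profile(keys):
    """Constructed .mobileconfig (placeholder identifiers) with one kext payload."""
    payload = {"PayloadType": PAYLOAD_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.kext", **keys}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example", "PayloadContent": [payload]})

def kext_payloads(profile_bytes):
    """Return every kernel-extension-policy payload found in a profile."""
    content = plistlib.loads(profile_bytes).get("PayloadContent", [])
    return [p for p in content if p.get("PayloadType") == PAYLOAD_TYPE]

def unlisted(payload, seen):
    """(team, bundle) pairs the payload does not cover, per the thread's report."""
    by_team = payload.get("AllowedKernelExtensions", {})
    teams = set(payload.get("AllowedTeamIdentifiers", []))
    gaps = []
    for team, bundles in sorted(seen.items()):
        if team in by_team:        # explicit list: anything missing is a gap
            gaps += [(team, b) for b in sorted(bundles - set(by_team[team]))]
        elif team not in teams:    # team not approved at all
            gaps += [(team, b) for b in sorted(bundles)]
    return gaps

if __name__ == "__main__":
    mixed = {"AllowedTeamIdentifiers": ["X9E956P446"], "AllowedKernelExtensions": {
        "X9E956P446": ["com.crowdstrike.sensor", "com.crowdstrike.platform"]}}
    for label, keys in (("team ID + partial list", mixed),
                        ("team ID only", {"AllowedTeamIdentifiers": ["X9E956P446"]})):
        payload = kext_payloads(sample_profile(keys))[0]
        print(label, "->", unlisted(payload, parse_rows(ROWS)) or "no gaps")
```

To check a real deployment, feed parse_rows() the output of the sqlite3 query from tjhall's post and pass kext_payloads() the bytes of an unsigned copy of the profile.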