How to Deploy CrowdStrike Agents (Falcon Sensor) for macOS using Jamf Pro

In this article, I will show you how to deploy CrowdStrike agents, called Falcon Sensor, for macOS using Jamf Pro.

Revision


  • Published on December 26, 2021

Disclaimer


  • This procedure targets the following versions of macOS.
    • macOS Big Sur 11 Intel CPUs
    • macOS Monterey 12 Intel CPUs
    • macOS Monterey 12 M1 CPUs
  • Please check the support site for system requirements.
  • This procedure is a rewritten version of the Falcon Sensor deployment procedure for macOS provided by CrowdStrike, adapted for use with Jamf Pro. I have confirmed that it works, but it differs from some of the official procedures provided by CrowdStrike.
  • Please note that the procedure may change due to future macOS updates. Although I would like to follow and fix such updates as much as possible, I hope you understand that it is difficult to stay up to date all the time.

Preparation


1. Create a Computer Group for all devices to be deployed

Create a computer group as follows.

1-a. Log in to the Jamf Pro management console.

1-b. In the left sidebar, click [Computer] > [Smart Computer Groups], then click the [New] button.

1-c. In the Computer Groups tab, enter a name of your choice in the Display Name field (e.g. CrowdStrike Distribution Group [All devices]).

1-d. In the [Criteria] tab, set criteria that include every computer to which you want to distribute CrowdStrike.

2. Create a computer group for Intel devices

Intel devices need one more configuration profile (the kernel extension approval profile) in addition to the profiles used for M1 devices, so create a separate group for them. If you do not have any Intel devices, this step is not necessary.

2-a. Log in to the Jamf Pro management console.

2-b. In the left sidebar, click [Computer] > [Smart Computer Groups], then click the [New] button.

2-c. In the Computer Groups tab, enter a name of your choice in the Display Name field (e.g. CrowdStrike Distribution Group [Intel Devices]).

2-d. In the [Criteria] tab, add the following two criteria.

  • Criteria 1
    • AND/OR: *Blank
    • CRITERIA: Computer Group
    • OPERATOR: is
    • VALUE: *The computer group created in "1. Create a Computer Group for all devices to be deployed"

  • Criteria 2
    • AND/OR: AND
    • CRITERIA: Architecture Type
    • OPERATOR: is
    • VALUE: x86_64


Creating a configuration profile


1. SystemExtensions

In this section, you will create a configuration profile named "SystemExtensions".

1-a. Create the following configuration profile from [Computer] > [Configuration Profiles] > [+New].

  • [General] tab
    • Name: *Any name (e.g. 01_SystemExtensions)
  • [System Extensions] tab
    • Allow users to approve system extensions: *Check
    • Allowed Team IDs and System Extensions
      • Display Name: CrowdStrike Allowed Team Identifiers
        • System Extension Types: AllowedTeamIdentifiers
        • Team Identifier: X9E956P446
      • Display Name: CrowdStrike Allowed System Extensions
        • System Extension Types: AllowedSystemExtensions
        • Team Identifier: X9E956P446
        • Allowed System Extensions: com.crowdstrike.falcon.Agent
      • Display Name: CrowdStrike Allowed System Extension Types
        • System Extension Types: AllowedSystemExtensionTypes
        • Team Identifier: X9E956P446
        • Allowed System Extension Types: *Check "Endpoint Security Extension" and "Network Extension"

1-b. In the [Scope] tab, assign the profile to the Smart Computer Group(s) to which CrowdStrike will be delivered (the group created in Preparation step 1).

2. WebContentFilter

In this section, you will create a configuration profile named "WebContentFilter".

2-a. Create the following configuration profile from [Computer] > [Configuration Profiles] > [+New].

  • [General] tab
    • Name: *Any name (e.g. 02_WebContentFilter)
  • [Content Filter] tab
    • Filter Name: CrowdStrike WebContentFilter
    • Identifier: com.crowdstrike.falcon.App
    • Service Address: *Blank
    • Organization: CrowdStrike Inc.
    • User Name: *Blank
    • Password: *Blank
    • Certificate: *Blank
    • Filter Order: inspector
    • Socket Filter Bundle Identifier: com.crowdstrike.falcon.Agent
    • Socket Filter Designated Requirement: identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"
    • Network Filter Bundle Identifier: *Blank
    • Network Filter Designated Requirement: *Blank


2-b. In the [Scope] tab, assign the profile to the Smart Computer Group(s) to which CrowdStrike will be delivered (the group created in Preparation step 1).

3. SystemPolicyAllFiles

In this section, you will create a configuration profile named "SystemPolicyAllFiles".

3-a. Create the following configuration profile from [Computer] > [Configuration Profiles] > [+New].

  • [General] tab
    • Name: *Any name (e.g. 03_SystemPolicyAllFiles)
  • [Privacy Preferences Policy Control] tab
    • App Access 1
      • Identifier: com.crowdstrike.falcon.Agent
      • Identifier Type: Bundle ID
      • Code Requirement: identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
      • Validate the Static Code Requirement: *Unchecked
      • APP OR SERVICE
        • SystemPolicyAllFiles
        • Allow
    • App Access 2
      • Identifier: com.crowdstrike.falcon.App
      • Identifier Type: Bundle ID
      • Code Requirement: identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
      • Validate the Static Code Requirement: *Unchecked
      • APP OR SERVICE
        • SystemPolicyAllFiles
        • Allow


3-b. In the [Scope] tab, assign the profile to the Smart Computer Group(s) to which CrowdStrike will be delivered (the group created in Preparation step 1).

4. Auto Approval of Kernel Extension

In this section, you will create a configuration profile named "Auto Approval of Kernel Extension".

4-a. Create the following configuration profile from [Computer] > [Configuration Profiles] > [+New].

4-b. In the Options tab > General, enter the display name of the profile (e.g. 04_Auto Approval of Kernel Extension) in the Name field.

4-c. Under [Authorized Kernel Extensions], click the [Configure] button and enter the following settings.

  • User-authorized kernel extension: *Check
  • Display name: CrowdStrike Inc.
  • Team ID: X9E956P446

4-d. In the [Scope] tab, assign the profile only to the Intel computer group created in Preparation step 2 (M1 devices do not load the kernel extension).
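After the SystemExtensions profile has been pushed and the sensor installed, it is worth confirming on one scoped test Mac that the Endpoint Security and Network extensions were approved by the profile rather than left waiting for a user click. The script below is an added example (not from the post or CrowdStrike); it parses the output of `systemextensionsctl list`, whose row layout (team ID and bundle ID, with the bracketed state at the end of the row) is assumed here, and the sample rows in the comments are constructed.

```shell
#!/bin/bash
# Added example, not from the post or CrowdStrike: on a Mac scoped to the
# SystemExtensions profile, confirm that the sensor's Endpoint Security and
# Network extensions loaded without a user prompt by parsing
# "systemextensionsctl list". Run as root after the sensor is installed.
BUNDLE="com.crowdstrike.falcon.Agent"
TEAM="X9E956P446"

# Given the text of "systemextensionsctl list", succeed only when at least one
# row mentions the CrowdStrike bundle and every such row carries the expected
# team ID and the state "[activated enabled]". The row layout (team ID, bundle,
# then the bracketed state at the end) is assumed from the tool's output, e.g.
#   * * X9E956P446 com.crowdstrike.falcon.Agent (6.30/123) Agent [activated enabled]
extensions_ok() {
  rows=$(printf '%s\n' "$1" | grep -F "$BUNDLE")
  [ -n "$rows" ] || return 1
  printf '%s\n' "$rows" | while IFS= read -r row; do
    case "$row" in
      *"$TEAM"*"[activated enabled]"*) ;;   # approved by the profile
      *) exit 1 ;;                         # e.g. "[activated waiting for user]"
    esac
  done
}

main() {
  listing=$(systemextensionsctl list 2>&1)
  if extensions_ok "$listing"; then
    echo "CrowdStrike system extensions are activated and enabled"
  else
    echo "CrowdStrike system extensions are missing or not approved:"
    printf '%s\n' "$listing"
    return 1
  fi
}

# Only run the live check when asked for it: sudo sh falcon_ext_check.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```

A non-zero exit means a user prompt is still pending or the profile did not reach the Mac; check the profile scope and the Team Identifier first.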

Creating a policy


1. Downloading the Falcon Sensor package

Download the Falcon Sensor package from the CrowdStrike administration console, called the Falcon Console. Download the latest macOS package from [Hosts] > [Sensor Downloads].

2. Getting the CID

In this section, you will get the CID for your company. Falcon Sensor installation requires your company's unique Customer ID ("CID"), which can be found at the top of the Support > Sensor Downloads page in the Falcon Console.

3. Upload Package

In this section, you will upload the CrowdStrike package to the Jamf console.

4. Policy Setting

Finally, you will configure Jamf's policy settings.

4-a. Replace the "0123456789ABCDEFGHIJKLMNOPQRSTUV-WX" part of the following command with your company's CID to build the licensing command for your company.

sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX

4-b. Create a new policy by clicking [Policy] > [+New] and make the following settings.

4-c. In the [Package] tab, select the package that you uploaded in "3. Upload Package".

4-d. In the [Files & Processes] tab, paste the command created in "4-a" into the [Execute command] field.

4-e. In the [Scope] tab, assign the policy to the Smart Computer Group(s) to which CrowdStrike will be delivered (the group created in Preparation step 1).

Deploy check


1. Enter a command in a terminal

To verify that the Falcon sensor for Mac is running on the host, run the following command in a terminal. If the output does not look like the following, please refer to CrowdStrike's Troubleshooting Installation guide.

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

Output (includes):

  • Agent ID (AID)
  • Version
  • CID, etc.
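The licensing command from policy step 4-a and the `falconctl stats` check above can be combined into one Jamf policy script so that a sensor that installed but never licensed, or licensed with the wrong CID, fails the policy instead of silently passing. The script below is an added example, not the post's or CrowdStrike's own code; it assumes Jamf's convention that $4 is the first custom script parameter, that a CID is 32 hex characters plus a 2-character checksum, and that the stats output has "agentID" and "customerID" fields (the sample in the test is constructed).

```shell
#!/bin/bash
# Added example, not from the post or CrowdStrike: a Jamf policy script that
# takes the CID from Jamf script parameter $4 (parameters 1-3 are reserved by
# Jamf) instead of hard-coding it in the Execute Command field, licenses the
# sensor, then checks "falconctl stats" so a broken install fails the policy.
FALCONCTL="/Applications/Falcon.app/Contents/Resources/falconctl"

# Assumed CID shape: 32 hex characters, a hyphen and a 2-character checksum.
valid_cid() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$'
}

# Read one "key: value" field (case-insensitive key match) from stats output.
stats_field() {
  printf '%s\n' "$1" | awk -F': *' -v k="$2" \
    'tolower($1) ~ k { gsub(/[ \t]+$/, "", $2); print $2; exit }'
}

# True when stats output shows an agent ID and the expected customer ID.
# Field names "agentID"/"customerID" are assumed; the checksum suffix of the
# CID is not expected in the output, so only the 32-character part is compared.
stats_healthy() {
  st_aid=$(stats_field "$1" 'agentid')
  st_cid=$(stats_field "$1" 'customerid' | tr 'a-f' 'A-F')
  st_want=$(printf '%s' "${2%-*}" | tr 'a-f' 'A-F')
  [ -n "$st_aid" ] && [ -n "$st_cid" ] && [ "$st_cid" = "$st_want" ]
}

main() {
  cid="$4"
  valid_cid "$cid" || { echo "script parameter 4 is not a well-formed CID"; return 1; }
  # The package payload normally lands before Files & Processes runs; wait
  # briefly anyway so a slow install does not fail the license step.
  tries=0
  while [ ! -x "$FALCONCTL" ] && [ "$tries" -lt 30 ]; do sleep 2; tries=$((tries+1)); done
  [ -x "$FALCONCTL" ] || { echo "Falcon.app is not installed"; return 1; }
  "$FALCONCTL" license "$cid" || { echo "falconctl license failed"; return 1; }
  stats=$("$FALCONCTL" stats 2>&1)
  if ! stats_healthy "$stats" "$cid"; then
    echo "sensor is not reporting an AID and the expected CID:"; printf '%s\n' "$stats"
    return 1
  fi
  echo "Falcon sensor licensed and reporting"
}

# Jamf always passes at least four arguments; when run by hand with none,
# only the functions are defined (useful for testing them).
if [ "$#" -ge 4 ]; then main "$@"; exit $?; fi
```

Upload this as a Jamf script, put the CID in Parameter 4 of the policy's [Scripts] payload, and keep the [Packages] payload in the same policy so the app is present when the script runs.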

2. Confirm in the Falcon console

From the management console, you can also check whether the installation was successful. It was not reflected in the management console immediately; there was a time lag of several minutes to ten minutes, and I think there was also a lag for each unit of information (e.g. OS version, owner, etc.).

Conclusion


In the future, I'd like to do more in-depth testing of CrowdStrike's features, so I'll post more information on this blog when it's ready. If you have any requests, please let me know.

Comments

  1. Thanks for publishing such great information. You are doing such a great job. This information is very helpful for everyone. Keep sharing about Crowdstrike Competitors and Alternatives. Thanks.
