Issue
How do we set up our Jamf Profile in order to deploy our CrowdStrike Sensors?
Environment
Red Canary + CrowdStrike
Resolution
- Create a Jamf Pro configuration profile for all macOS versions, in order to deploy the Falcon sensor for Mac to hosts that are managed by Jamf Pro
Applies To
- All supported versions of the Falcon sensor for Mac
- All supported versions of macOS
- Jamf Pro
- Assumptions:
  - Target hosts are fully enrolled with Jamf Pro; refer to Jamf documentation and support if assistance is required
  - This process was tested on Jamf Pro version 10.35.0-t1640197529, so this version is the recommended minimum
  - (Configuration → Prevention Policies →) Firmware Analysis → BIOS Visibility and Deep Visibility prevention policies are turned off; see Additional Information in this article for details
Procedure
First, we will create a brand new Configuration Profile for Falcon. We will not be using profiles which may have been previously provided by CrowdStrike.
- In Jamf Pro: Navigate to Jamf Pro → Computers → Configuration Profiles and select + New
- In the new Profile, fill out the General information as appropriate for your organization
  - Name = Name the profile as desired, e.g. “Falcon Profile for Big Sur+”
  - Description = Optional
  - Category = Optional
  - Level = Computer Level
  - Distribution Method = Install Automatically
- Configure PPPC: In the profile, scroll down to Privacy Preferences Policy Control under Options
  - Part 1 - Falcon Agent
    - Select Configure
    - Identifier = com.crowdstrike.falcon.Agent
    - Identifier Type = Bundle ID (Default)
    - Code Requirement =
      identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "X9E956P446"
    - Validate the Static Code Requirement = unchecked
    - Select + Add to add an App or Service, then select SystemPolicyAllFiles from the drop-down; Access = Allow
  - Part 2 - Falcon App
    - Select + in the upper right corner to add a second App Access
    - Identifier = com.crowdstrike.falcon.App
    - Identifier Type = Bundle ID (Default)
    - Code Requirement =
      identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "X9E956P446"
    - Validate the Static Code Requirement = unchecked
    - Select + Add to add an App or Service, then select SystemPolicyAllFiles from the drop-down; Access = Allow
- Configure System Extension: Scroll down to System Extensions under Options
  - Select Configure
  - Allow users to approve system extensions = checked (Default)
  - Display Name = com.crowdstrike.falcon.Agent
  - System Extension Types = Allowed System Extensions
  - Team Identifier = X9E956P446
  - Select + Add under Allowed System Extensions
  - Allowed System Extensions = com.crowdstrike.falcon.Agent
- Configure Content Filter: Scroll down to Content Filter
  - Filter Name = Falcon
  - Identifier = com.crowdstrike.falcon.App
  - Organization = CrowdStrike, Inc.
  - Filter Order = Inspector
  - Socket Filter Bundle Identifier = com.crowdstrike.falcon.Agent
  - Socket Filter Designated Requirement =
    identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"
  - All other fields are blank and the toggle on the right side is off
- Select Save
- In your new Profile, go to Scope and assign Targets as desired
- Proceed to next steps:
  - For macOS Big Sur and newer, you're ready to package the Falcon sensor installer; choose either of the following methods:
    - How to package Falcon sensor for Mac for Jamf Pro deployment using a script
    - How to package Falcon sensor for Mac for Jamf Pro deployment using a .plist file
  - For macOS Catalina, take these additional steps:
    - How to create the additional Jamf Pro configuration profile required for macOS Catalina (10.15) kernel extension (kext)
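The check below is an added example, not part of the original article or of any Jamf, CrowdStrike or Red Canary tooling: it audits an unsigned copy of the saved profile against the identifiers, Team Identifier and SystemPolicyAllFiles grants listed above before the profile is scoped to hosts. The payload types and key names are Apple's configuration-profile keys, which the article does not show and are assumed here; `audit_profile` and `sample_profile` are hypothetical names, and the sample profile is constructed with abbreviated requirement strings.

```python
import plistlib
TEAM_ID = "X9E956P446"  # Team Identifier from the article
AGENT, APP = "com.crowdstrike.falcon.Agent", "com.crowdstrike.falcon.App"

def audit_profile(raw: bytes) -> list:
    """Findings for an unsigned .mobileconfig (Apple key names assumed); [] means it matches."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    by_type = {p.get("PayloadType"): p for p in payloads}
    findings = []
    # PPPC: both bundle IDs need SystemPolicyAllFiles, pinned to the Team ID.
    tcc = by_type.get("com.apple.TCC.configuration-profile-policy", {})
    fda = {e.get("Identifier"): e
           for e in tcc.get("Services", {}).get("SystemPolicyAllFiles", [])}
    for bundle in (AGENT, APP):
        entry = fda.get(bundle)
        if entry is None:
            findings.append(f"PPPC: no SystemPolicyAllFiles entry for {bundle}")
            continue
        if not (entry.get("Allowed") or entry.get("Authorization") == "Allow"):
            findings.append(f"PPPC: {bundle} is not allowed")
        if f'certificate leaf[subject.OU] = "{TEAM_ID}"' not in entry.get("CodeRequirement", ""):
            findings.append(f"PPPC: {bundle} code requirement does not pin {TEAM_ID}")
    for extra in sorted(set(fda) - {AGENT, APP}):
        findings.append(f"PPPC: unexpected Full Disk Access grant for {extra}")
    # System extension: the agent must be allowed under the CrowdStrike Team ID.
    sysext = by_type.get("com.apple.system-extension-policy", {})
    if AGENT not in sysext.get("AllowedSystemExtensions", {}).get(TEAM_ID, []):
        findings.append(f"SystemExtension: {AGENT} not allowed for {TEAM_ID}")
    # Content filter: socket filter bundle ID and designated requirement.
    cf = by_type.get("com.apple.webcontent-filter", {})
    if cf.get("FilterDataProviderBundleIdentifier") != AGENT:
        findings.append("ContentFilter: socket filter bundle ID is not the agent")
    if TEAM_ID not in cf.get("FilterDataProviderDesignatedRequirement", ""):
        findings.append(f"ContentFilter: designated requirement does not pin {TEAM_ID}")
    return findings

def sample_profile(ou: str = TEAM_ID, fda=(AGENT, APP)) -> bytes:
    """Constructed profile (not a Jamf export); requirement strings are abbreviated."""
    req = lambda b: f'identifier "{b}" and anchor apple generic and certificate leaf[subject.OU] = "{ou}"'
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.TCC.configuration-profile-policy",
         "Services": {"SystemPolicyAllFiles": [
             {"Identifier": b, "IdentifierType": "bundleID", "Allowed": True,
              "CodeRequirement": req(b)} for b in fda]}},
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedSystemExtensions": {TEAM_ID: [AGENT]}},
        {"PayloadType": "com.apple.webcontent-filter", "FilterGrade": "inspector",
         "FilterDataProviderBundleIdentifier": AGENT,
         "FilterDataProviderDesignatedRequirement": req(AGENT)}]})
```

A profile whose code requirement omits the `subject.OU` clause would grant Full Disk Access on bundle ID alone, which is why the audit treats a missing Team Identifier pin as a finding rather than a warning.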