This article serves as a guide on how to deploy CrowdStrike Falcon using Addigy.
Table of Contents
- What do I need to get started?
- I created the Custom Software Item, now what?
- System Extensions:
- Full Disk Access:
- Web Content Filter:
Note: The MDM profiles discussed in this article should be deployed prior to deploying the CrowdStrike Application.
What do I need to get started?
For starters, you will need a macOS PKG installer from CrowdStrike to upload into Addigy.
Once you have the PKG, upload it into Addigy. Pressing the "Add" button then provides an installation script for you, as seen below:
The installation script should look similar to the below:
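    # Replace with your CrowdStrike license value
    falcon="INSERT LICENSE HERE"
    falconpath="/Applications/Falcon.app/Contents/Resources/falconctl"
    # Install the sensor package from the Addigy packages directory
    /usr/sbin/installer -pkg "/Library/Addigy/ansible/packages/Falcon (1.0)/FalconSensorMacOS.pkg" -target /
    # Apply the license to the installed sensor
    sudo "$falconpath" license "$falcon"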
I created the Custom Software item, now what?
We're glad you asked!
Most Antivirus/Antimalware tools require the same three items to be deployed before the application is on the device:
- System/Kernel Extensions
- Full Disk Access (FDA)
- Web Content Filters (Sometimes optional or not required by the application)
Below you will find the information needed for each of these fields.
For the System extensions, it is recommended to whitelist CrowdStrike via Team ID. CrowdStrike's Team ID is
The MDM profile should look identical to the below image:
Full Disk Access
In order to grant Full Disk Access, you need to configure an MDM profile for Privacy Preferences Policy Control (PPPC).
The Bundle IDs
The Code Requirements
    identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446

    identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
Note: The only fields needed are Access to All Protected and System Administration Files as seen below:
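As an added example (not part of the original article and not Addigy or CrowdStrike code), the following Python check audits a PPPC profile in plist form before it is assigned to a policy: it confirms that only the two services named above are granted and that every entry's code requirement pins both the bundle ID and the Team ID. It assumes the profile is an unsigned plist using Apple's PPPC payload keys, where the two fields correspond to `SystemPolicyAllFiles` and `SystemPolicySysAdminFiles`; `sample_profile` builds constructed test input with an abbreviated requirement.

```python
import plistlib

TEAM_ID = "X9E956P446"  # Team ID from the code requirements in this article
BUNDLE_IDS = {"com.crowdstrike.falcon.Agent", "com.crowdstrike.falcon.App"}
EXPECTED = {"SystemPolicyAllFiles", "SystemPolicySysAdminFiles"}
PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"

def audit_pppc(profile_bytes):
    """Return a list of findings; an empty list means the profile matches."""
    findings, granted = [], {}
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            if service not in EXPECTED:
                findings.append(f"unexpected service granted: {service}")
            for e in entries:
                ident, req = e.get("Identifier", ""), e.get("CodeRequirement", "")
                if ident not in BUNDLE_IDS:
                    findings.append(f"{service}: unexpected identifier {ident}")
                # A usable requirement pins both the bundle ID and the Team ID.
                pinned = (f'identifier "{ident}"' in req
                          and f"leaf[subject.OU] = {TEAM_ID}" in req)
                if not pinned:
                    findings.append(f"{service}: weak code requirement for {ident}")
                granted.setdefault(service, set()).add(ident)
    for service in sorted(EXPECTED):
        for missing in sorted(BUNDLE_IDS - granted.get(service, set())):
            findings.append(f"{service}: missing {missing}")
    return findings

def sample_profile(services, tail):
    """Build a constructed profile for the demo (not a real Addigy profile)."""
    def entry(bid):
        return {"Identifier": bid, "IdentifierType": "bundleID", "Allowed": True,
                "CodeRequirement": f'identifier "{bid}" and {tail}'}
    svc = {s: [entry(b) for b in sorted(BUNDLE_IDS)] for s in services}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": PPPC_TYPE, "Services": svc}]})

GOOD_TAIL = f"anchor apple generic and certificate leaf[subject.OU] = {TEAM_ID}"

if __name__ == "__main__":
    print(audit_pppc(sample_profile(EXPECTED, GOOD_TAIL)))
    print(audit_pppc(sample_profile(EXPECTED | {"Accessibility"}, "anchor apple generic")))
```

An empty result means the profile grants exactly the two expected services to the two Falcon bundle IDs; any finding is worth resolving before the profile reaches devices.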
Web Content Filter
The Web Content Filter should be configured as shown below. Please note, however, that per the software vendor, the user will still get a pop-up that they will have to accept:
Once you have these items set up, go ahead and add the profiles to your policy and deploy them.
After that, deploy your CrowdStrike Custom Software item!