This article servers as a guide on how to deploy CrowdStrike Falcon using Addigy.
TABLE OF CONTENTS
- What do I need to get started?
- I created the Custom Software Item, now what?
- System Extensions:
- Full Disk Access:
- Web Content Filter:
Please note: The MDM configurations discussed in this article should be deployed prior to deploying the CrowdStrike Application.
What do I need to get started?
For starters, you will need a macOS PKG installer from CrowdStrike to upload into Addigy.
Once you have the PKG, upload that into Addigy and an installation script will be provided for you by pressing the "Add" button as seen below:
The installation script should look similar to the below:
falcon="INSERT LICENSE HERE" falconpath="/Applications/Falcon.app/Contents/Resources//falconctl" /usr/sbin/installer -pkg "/Library/Addigy/ansible/packages/Falcon (1.0)/FalconSensorMacOS.pkg" -target / sudo $falconpath license $falcon
I created the Custom Software Item, now what?
We're glad you asked!
Most Antivirus/Antimalware tools require the same three items to be deployed before the application is on the device:
1. System/Kernel Extensions
2.Full Disk access (FDA)
3. Web Content Filters (Sometimes optional or not required by the application)
Below you will find the information needed for each of these fields.
For the System extensions, it is recommended to whitelist CrowdStrike via TeamID. CrowdStrikes TeamID is
Please note: On Big Sur devices, a reboot is now neccesarry to for the System Extension to properly load on the device.
The MDM configuration should look identical to the below image:
Full Disk Access:
In order to grant Full Disk Access, you need to configure an MDM configuration for Privacy Preferences Policy Control (PPPC).
The BundleIDs are:
The Code requirements are:
identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113618.104.22.168.6] /* exists */ and certificate leaf[field.1.2.840.113622.214.171.124.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446 identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.1136126.96.36.199.6] /* exists */ and certificate leaf[field.1.2.840.1136188.8.131.52.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
The only fields needed are Access To Protected Files and Access to System Admin Files as seen below:
Web Content Filter:
The Web Content Filter should be configured per the below, however, please note that the user will still get a pop-up that they will have to accept, per the software vendor:
Once you have these items set up, go ahead and add the configurations to your policy, deploy them and reboot if necessary.
After that, deploy your CrowdStrike Custom Software item!