This article serves as a guide on how to deploy CrowdStrike Falcon using Addigy.
Table of Contents
- What do I need to get started?
- I created the Custom Software Item, now what?
- System Extensions
- Full Disk Access
- Web Content Filter
- Service Management (Ventura)
Note: The MDM profiles discussed in this article should be deployed prior to deploying the CrowdStrike Application.
What do I need to get started?
For starters, you will need a macOS PKG installer from CrowdStrike to upload into Addigy.
Once you have the PKG, upload it into Addigy. Pressing the "Add" button then provides an installation script for you, as seen below:
The installation script should look similar to the below:
falcon="INSERT LICENSE HERE"
falconpath="/Applications/Falcon.app/Contents/Resources/falconctl"
# Install the sensor package that was uploaded to Addigy
/usr/sbin/installer -pkg "/Library/Addigy/ansible/packages/Falcon (1.0)/FalconSensorMacOS.pkg" -target /
# Apply the license to the installed sensor
sudo "$falconpath" license "$falcon"
I created the Custom Software item, now what?
We're glad you asked!
Most Antivirus/Antimalware tools require the same three items to be deployed before the application is on the device:
- System/Kernel Extensions
- Full Disk access (FDA)
- Web Content Filters (Sometimes optional or not required by the application)
Below you will find the information needed for each of these fields.
System/Kernel Extensions
For the System extensions, it is recommended to whitelist CrowdStrike via Team ID. CrowdStrike's Team ID is X9E956P446.
The MDM profile should look identical to the below image:
Full Disk Access
In order to grant Full Disk Access, you need to configure an MDM profile for Privacy Preferences Policy Control (PPPC).
The Bundle IDs:
com.crowdstrike.falcon.Agent
com.crowdstrike.falcon.App
The Code Requirements (one per Bundle ID, in the same order):
identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
Note: The only fields needed are Access to All Protected and System Administration Files as seen below:
Web Content Filter
The Web Content Filter should be configured as shown below. Please note, however, that the user will still get a pop-up that they will have to accept, per the software vendor.
For the designated requirement, use the same as the Falcon Agent above:
identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
Service Management (Ventura)
In accordance with CrowdStrike's documentation, Service Management is currently intended for Ventura only. The values and functionality may vary with higher OS versions such as macOS Sonoma (14.0).
Create a Service Management MDM Profile within Addigy with the following configurations:
Rule Type: Label
Rule Value: com.crowdstrike.falcon.UserAgent
Team Identifier: X9E956P446
Once you have these items set up, click Add Rule. You can then verify the rule below, add a Payload Name, and click "Create Profile".
Once created, assign this profile to the policies that you are planning on deploying CrowdStrike to, along with the CrowdStrike Custom Software item. You're all set!
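One way to check a .mobileconfig copy of these profiles before assigning them, as an added example (not Addigy or CrowdStrike code): it confirms that the Team ID, both Full Disk Access entries and the Service Management rule from this article are present. The payload types and keys are Apple's standard profile keys; the function names and the sample profile are constructed for illustration, and the check assumes the payloads sit in one unsigned profile file.

```python
import plistlib

TEAM_ID = "X9E956P446"  # CrowdStrike Team ID from the article
FDA_IDS = ("com.crowdstrike.falcon.Agent", "com.crowdstrike.falcon.App")
FDA_SERVICES = ("SystemPolicyAllFiles", "SystemPolicySysAdminFiles")
SM_LABEL = "com.crowdstrike.falcon.UserAgent"
REQ = ('identifier "{}" and anchor apple generic and certificate '
       '1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate '
       'leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate '
       'leaf[subject.OU] = ' + TEAM_ID)

def audit_profile(data):
    """Return findings for a .mobileconfig; an empty list means nothing is missing."""
    by_type = {}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType"), []).append(payload)
    findings = []
    # System extensions: the Team ID must be in AllowedTeamIdentifiers.
    sysext = by_type.get("com.apple.system-extension-policy", [])
    if not any(TEAM_ID in p.get("AllowedTeamIdentifiers", []) for p in sysext):
        findings.append("sysext: Team ID not allowed")
    # PPPC: both bundle IDs need both services, with the article's code requirement.
    tcc = by_type.get("com.apple.TCC.configuration-profile-policy", [])
    for service in FDA_SERVICES:
        entries = [e for p in tcc for e in p.get("Services", {}).get(service, [])]
        for bundle_id in FDA_IDS:
            ok = any(e.get("Identifier") == bundle_id
                     and (e.get("Allowed") is True or e.get("Authorization") == "Allow")
                     and " ".join(e.get("CodeRequirement", "").split()) == REQ.format(bundle_id)
                     for e in entries)
            if not ok:
                findings.append(f"pppc: {service} missing for {bundle_id}")
    # Service Management: Label rule for the user agent, scoped to the Team ID.
    rules = [r for p in by_type.get("com.apple.servicemanagement", []) for r in p.get("Rules", [])]
    if not any((r.get("RuleType"), r.get("RuleValue"), r.get("TeamIdentifier"))
               == ("Label", SM_LABEL, TEAM_ID) for r in rules):
        findings.append("servicemanagement: Label rule missing")
    return findings

def sample_profile(fda_ids=FDA_IDS):
    """Constructed sample profile (not an Addigy export) for trying the audit."""
    grant = [{"Identifier": i, "IdentifierType": "bundleID", "Allowed": True,
              "CodeRequirement": REQ.format(i)} for i in fda_ids]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.system-extension-policy", "AllowedTeamIdentifiers": [TEAM_ID]},
        {"PayloadType": "com.apple.TCC.configuration-profile-policy",
         "Services": {s: grant for s in FDA_SERVICES}},
        {"PayloadType": "com.apple.servicemanagement", "Rules": [
            {"RuleType": "Label", "RuleValue": SM_LABEL, "TeamIdentifier": TEAM_ID}]}]})
```

The Web Content Filter payload is not checked here. To audit a real file, pass its bytes, for example `audit_profile(open(path, "rb").read())`.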