Deploy CrowdStrike With Jamf

Jamf is the industry gold standard for managing mobile Mac and iOS devices. The platform provides full lifecycle management of every Apple device your company operates. Thanks to Jamf Pro, you can track when people log onto their devices and verify their identities.

CrowdStrike Falcon is a platform that uses cloud-delivered technologies to prevent attacks and stop breaches. It’s up-to-date and targets the modern tactics attackers use, such as zero-days, exploits and credential theft, to keep your devices and data secure. As a software as a service (SaaS) platform, CrowdStrike Falcon is lightweight yet powerful. Its capabilities are packaged into a compact sensor that is delivered over the cloud.

If your organization uses Jamf to manage its Apple devices, CrowdStrike deployment is one of the best solutions for data security. Learn more about how to deploy CrowdStrike With Jamf.

Create a Configuration Profile

The first step when deploying CrowdStrike with Jamf is to create a configuration profile. Building the profile allows you to later install the sensor. You can create a configuration profile using Jamf Pro for all supported macOS versions and all supported versions of Falcon sensor.

The configuration process assumes that you’ve used Jamf Pro to enroll all the target hosts and that you are working with at least Jamf Pro 10.35.0-t1640197529.

Create a New Profile

To create a new profile, open Jamf Pro, then navigate to “Computers,” then “Configuration Profiles.” Choose “New.”

When the new profile opens, input the appropriate information:

Name: Choose a suitable name for the profile.
Description: Describe the profile, if you wish. This step is optional.
Category: Add a category, if you wish. This is also optional.
Level: Choose “computer level.”
Distribution method: Choose “install automatically.”

If your organization uses Jamf to manage its Apple devices, CrowdStrike deployment is one of the best solutions for data security.

Set Up Privacy Preferences Policy Control

Under “options,” choose the Privacy Preferences Policy Control option to configure. This is a two-part process. In the first part, you’ll configure the Falcon Agent. First, select “configure,” then input the appropriate information:

Identifier: Type in “com.crowdstrike.falcon.Agent”
Identifier type: Choose “Bundle ID.” This is the default.
Code requirement: Type in: identifier “com.crowdstrike.falcon.Agent” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = “X9E956P446”
Validate the Static Code Requirement: Leave this box unchecked.
Add an app or service: Click on this, then choose “SystemPolicyAllFiles.” Set the Access permissions to “Allow.”

In the second part, you’ll set up the Falcon App. Press the “+” in the corner to add an additional App Access. Then, input the following:

Identifier: Type in “com.crowdstrike.falcon.App”
Identifier type: Choose “Bundle ID.”
Code requirement: Type in: identifier “com.crowdstrike.falcon.App” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = “X9E956P446”
Validate the Static Code Requirement: Leave this box unchecked.
Add an app or service: Select “SystemPolicyAllFiles,” then set permissions to “Allow.”

Configure System Extension

Next, you’ll want to configure the system extension. To do that, scroll to “System Extensions”, found under “Options.” From there, select “Configure.” Then, input the following:

Check “Allow users to approve system extensions”: This will be checked by default.
Display name: Input “com.crowdstrike.falcon.Agent”
System Extension Types: Choose “Allowed System Extensions.”
Team Identifier: Type in X9E956P446.
Allowed System Extensions: Type in “com.crowdstrike.falcon.Agent”

Configure Content Filter

The next phase is to configure the Content Filter. To get started, scroll to “Content Filter.”

Then, input the following:

Filter Name: Type in “Falcon”
Identifier: Type in “com.crowdstrike.falcon.App”
Organization: Input “CrowdStrike, Inc.”
Filter Order: Choose “Inspector”
Socket Filter Bundle Identifier: Input “com.crowdstrike.falcon.Agent”
Socket Filter Designated Requirement: Type in the following code: identifier “com.crowdstrike.falcon.Agent” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = “X9E956P446”

Leave the other fields blank and make sure the right-side toggle is off. Then choose “Save.”

Put It all Together

Now that you’ve created the profile, it’s time to assign Targets. Open the profile, navigate to “Scope,” then assign the desired Targets.

Next, you’ll need to package the sensor installer. The method you’ll use depends on the version of macOS you’re using. If you’re using Big Sur or above, you can either use a scrip or a .plist.

Install the CrowdStrike Sensor

After creating and configuring your profile, you can install the CrowdStrike Falcon Sensor. Before you begin installation, make sure your network is properly configured. The sensor communicates with the cloud using Transport Layer Security (TLS) that’s bidirectionally authenticated via port 443. The communications are outbound, sensor to server.

If you’re not sure of your IP addresses for CrowdSTrike, you can find them in the Falcon console under Support, Docs, Cloud IP Addresses. The addresses need to be authorized at network egress points. Additionally, traffic shouldn’t be subjected to TLS interception or manipulation.

Now you’re ready to install the sensor using Jamf. With Jamf Pro, you can automatically install the sensor.

First, set up your configuration profile, then create a standard deployment package using Jamf. The deployment package will put the sensor into action. Afterward, you’ll need a script to license the sensor.

A sample script is below:

#!/bin/bash
## $4 = CID with Checksum
sudo /Library/CS/falconctl license $4

You can use a script like the below if you want to use a password:

#!/usr/bin/env python
from __future__ import print_function
password = ‘PASSWORD123’
try:
while True:
print(password)
except IOError:
pass

Choose a password to type in instead of PASSWORD123.

Install both the password-protected and non-password-protected script in the same script. To do that, run the following:

#!/bin/bash
/Library/CS/falconctl license LICENSENAME
/Library/CS/Falcon-Protect.py | sudo /Library/CS/falconctl installguard
sudo rm /Library/CS/Falcon-Protect.py

Input the name of your CCID in place of “LICENSENAME.” You can find the CCID in the Hosts section, under the Falcon UI. Choose “Sensor Downloads”

Test to See if Falcon Sensor Is Installed

You may want to check to see if the sensor is already installed, before you begin the deployment. Run the script below to do so:

#!/bin/bash
##############################################################################
# A script to collect the version of the CrowdStrike Falcon Sensor currently installed. #
# If CrowdStrike Falcon is not installed “Not Installed” will return back #
##############################################################################
RESULT=”Not Installed”

if [ -f “/Library/CS/falconctl” ] ; then
RESULT=$( sysctl cs.version | awk ‘{print $2}’ )
fi
echo “$RESULT”

Orchard Can Help You Keep Your Apple Devices Secure

Orchard offers customized cybersecurity services to keep your organization’s Apple devices secure. We work exclusively with Apple products, including iPhones, iPads, Macbooks and AppleTV.

We provide a secure framework that protects your network and devices from ransomware attacks, hacking and data breaches. Our team will shape a security program to fit your organization’s specific needs. Some of the services that might include are:

Automatic management: We’ll automatically update your devices when new patches and updates are available.
Custom configuration: We manage deployment and configure your devices to your specifications.
Device support: Our team of cybersecurity consultants works around the clock to prevent attacks and crises.

When you outsource the management of your Apple devices, you can rest assured that your organization’s security and best interests are protected. Contact us today to request a quote.