How to deploy CrowdStrike Falcon to your Macs using Hexnode UEM?
What is CrowdStrike Falcon?
CrowdStrike Falcon is a cloud-based endpoint security system that provides an industry-leading anti-virus solution for your macOS and Windows devices. Falcon is powered by the latest technologies in AI and ML to ensure that security breaches and malware are neutralized before they cause significant damage to your devices.
The capabilities of the CrowdStrike Falcon platform are:
- Industry-leading next-generation anti-virus (NGAV) solution
- Endpoint detection and response (EDR) system
- Cyber threat intelligence
- Managed threat hunting
- Security hygiene
Once the Falcon sensor gets installed on your device, you can monitor all your devices from the Falcon console.
Steps to deploy the CrowdStrike Falcon sensor
Upload the Falcon sensor PKG file to Hexnode’s app inventory
The Falcon sensor PKG file can be downloaded from the CrowdStrike console under Host setup and management > Sensor downloads. Follow the steps below to upload the PKG file to Hexnode’s app inventory:
- Navigate to the Apps tab, click on the +Add Apps dropdown, and select Enterprise App.
- Select macOS, enter the application’s required details, and upload the PKG file.
- Click on Add.
Create a policy to deploy CrowdStrike Falcon sensor along with the required configurations
You need to configure System Extensions, Kernel Extensions and PPPC settings for the CrowdStrike Falcon sensor to operate flawlessly on your devices. Kernel Extensions must be configured only if your Mac runs on macOS 10.14 and below. Follow the steps given below to create a policy with all the required configurations to deploy the CrowdStrike Falcon sensor:
- Navigate to Policies > New Policy > macOS.
- To deploy the CrowdStrike Falcon sensor:
  - Select Mandatory Apps from the left menu and click on Configure.
  - Click on +Add > Add App and select the CrowdStrike sensor PKG file.
  - Click on Done.
- To configure System Extensions:
  - Select System Extensions from the left menu and click on Configure.
  - Under Team Identifier, enter X9E956P446 as the Team ID and click on Add.
- To configure Kernel Extensions:
  - Select Kernel Extensions from the left menu and click on Configure.
  - Under Team Identifier, enter X9E956P446 as the Team ID and click on Add.
- To configure PPPC:
  - Select Privacy Preferences from the left menu and click on Configure.
  - Select +Add new preferences.
  - Set the Full Disk Access option to Allow.
  - Click on Specify Bundle IDs/Path.
- To configure third-party Plugin web content filter and Notification Settings, select Deploy Custom Configuration and upload the following configuration profile we’ve created for you:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>NotificationSettings</key>
            <array>
                <dict>
                    <key>BundleIdentifier</key>
                    <string>com.crowdstrike.falcon.UserAgent</string>
                    <key>CriticalAlertEnabled</key>
                    <true/>
                </dict>
            </array>
            <key>PayloadDescription</key>
            <string>Configures notifications settings for apps</string>
            <key>PayloadDisplayName</key>
            <string>Notifications</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.notificationsettings.AEE60FB5-F640-4733-B3E4-A90DAC73E8F6</string>
            <key>PayloadType</key>
            <string>com.apple.notificationsettings</string>
            <key>PayloadUUID</key>
            <string>AEE60FB5-F640-4733-B3E4-A90DAC73E8F6</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>FilterBrowsers</key>
            <false/>
            <key>FilterSockets</key>
            <true/>
            <key>FilterType</key>
            <string>Plugin</string>
            <key>Organization</key>
            <string>Crowdstrike Inc</string>
            <key>PayloadDescription</key>
            <string>Configures content filtering settings</string>
            <key>PayloadDisplayName</key>
            <string>Crowdstrike</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.webcontent-filter.D79377DE-A13B-438A-958D-3DF925942708</string>
            <key>PayloadType</key>
            <string>com.apple.webcontent-filter</string>
            <key>PayloadUUID</key>
            <string>D79377DE-A13B-438A-958D-3DF925942708</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PermittedURLs</key>
            <array>
                <string></string>
            </array>
            <key>PluginBundleID</key>
            <string>com.crowdstrike.falcon.Agent</string>
            <key>UserDefinedName</key>
            <string>Crowdstrike</string>
            <key>VendorConfig</key>
            <dict/>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>CrowdStrike</string>
    <key>PayloadIdentifier</key>
    <string>com.hexnode.crowdstrike</string>
    <key>PayloadOrganization</key>
    <string>Hexnode</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>8D9DBD30-6B1F-4F6A-B4F6-335164FE20F8</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```
You can use the above configuration profile or create your own custom configuration profile.
- To associate the policy to your devices, navigate to Policy Targets, select all your required devices, and click on Save.
Full Disk Access needs to be given for the following components:
Sl No | Identifier Type | Identifier | Code Requirement |
---|---|---|---|
1 | Bundle ID | com.crowdstrike.falcon.Agent | identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446 |
2 | Bundle ID | com.crowdstrike.falcon.App | identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446 |
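
A configuration profile for the web content filter and notification settings, whether the one given above or a custom one, can be checked offline before it is uploaded under Deploy Custom Configuration. The Python below is an added example, not Hexnode's or CrowdStrike's code: `lint_profile`, `sample_profile` and the `EXPECTED` map are hypothetical names, and the sample profile is constructed from the payload types, bundle IDs and UUIDs in the profile on this page.

```python
import plistlib

EXPECTED = {  # payload type -> bundle ID, as they appear in the profile on this page
    "com.apple.notificationsettings": "com.crowdstrike.falcon.UserAgent",
    "com.apple.webcontent-filter": "com.crowdstrike.falcon.Agent",
}

def lint_profile(raw: bytes) -> list:
    """Return findings for a Falcon configuration profile; an empty list means OK."""
    try:
        profile = plistlib.loads(raw)
    except Exception as exc:  # e.g. copied line numbers in front of <?xml
        return [f"not a valid plist: {type(exc).__name__}"]
    if not isinstance(profile, dict) or profile.get("PayloadType") != "Configuration":
        return ["top level is not a Configuration payload"]
    findings, seen, found = [], set(), {}
    for p in [profile] + list(profile.get("PayloadContent", [])):
        uuid = p.get("PayloadUUID")
        if not uuid or uuid in seen:
            findings.append(f"missing or duplicate PayloadUUID: {uuid!r}")
        seen.add(uuid)
        ptype = p.get("PayloadType")
        if ptype == "com.apple.notificationsettings":
            found[ptype] = {n.get("BundleIdentifier") for n in p.get("NotificationSettings", [])}
        elif ptype == "com.apple.webcontent-filter":
            found[ptype] = {p.get("PluginBundleID")}
            if p.get("FilterType") != "Plugin" or not p.get("FilterSockets"):
                findings.append("web content filter is not a socket-filtering Plugin")
    for ptype, bundle in EXPECTED.items():
        if bundle not in found.get(ptype, set()):
            findings.append(f"{ptype}: bundle ID {bundle} not found")
    return findings

def sample_profile(plugin_id="com.crowdstrike.falcon.Agent") -> bytes:
    """Constructed sample: a trimmed copy of the page's profile, built in code."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadUUID": "8D9DBD30-6B1F-4F6A-B4F6-335164FE20F8",
        "PayloadContent": [
            {"PayloadType": "com.apple.notificationsettings",
             "PayloadUUID": "AEE60FB5-F640-4733-B3E4-A90DAC73E8F6",
             "NotificationSettings": [{"BundleIdentifier": "com.crowdstrike.falcon.UserAgent"}]},
            {"PayloadType": "com.apple.webcontent-filter", "PluginBundleID": plugin_id,
             "PayloadUUID": "D79377DE-A13B-438A-958D-3DF925942708",
             "FilterType": "Plugin", "FilterSockets": True},
        ],
    })

if __name__ == "__main__":
    print(lint_profile(sample_profile()), lint_profile(sample_profile("com.example.typo")))
```

To check a real file, pass its bytes to `lint_profile`, for example the contents of the saved `.mobileconfig` read in binary mode.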