CrowdStrike - Jamf Pro Instructions
Falcon sensor for Mac version 6.11 and later requires these host authorizations to be specified in a profile:
- Authorization for the Falcon system extension, which is required for hosts running macOS Big Sur 11.0 and later. Apple requires system extensions to be approved before they can be loaded.
- Configuration for the Falcon network filter extension, which is required for hosts running macOS Big Sur 11.0 and later.
- Full Disk Access (FDA) for Falcon. This is a requirement; the Falcon sensor enters Reduced Functionality Mode (RFM) if this is not enabled. See Reduced functionality mode: Mac hosts.
For improved security and privacy, Apple doesn't allow profiles to be deployed outside of an MDM solution. We strongly recommend you use
an MDM solution to distribute the profile to your endpoints prior to the deployment process. If you don't use an MDM solution to
distribute the necessary profile to endpoints prior to installation or upgrade to sensor version 6.11 and later, multiple
authentication confirmations from the OS occur on the host and must manually be approved. See Alternate installation method:
Installing without using an MDM to sync profiles.
These authorizations are only required once. Subsequent upgrades using the built-in upgrade functionality of the sensor will not require
additional confirmation approvals on the host.
Use one of these MDM profile options, depending on the endpoint's processor:
- Use the CrowdStrike provided profile: We provide a profile with all necessary authorizations for endpoints on Intel processors or Apple silicon processors (M1, M1 Pro, and M1 Max).
- Create your own profile: Refer to the necessary profile parameters to create your own profile.
For endpoints on Intel or M1 processors, we provide a profile with all necessary authorizations to properly run the sensor on all
supported versions of macOS. We strongly recommend you use an MDM solution to distribute the profile to your endpoints prior to the
deployment process. You can upload this profile to an MDM server and push it out to all endpoints. This profile is also backwards compatible
with sensor versions earlier than 6.11 so you can deploy it any time prior to installing or upgrading to sensor version 6.1x.
Download the MDM profile from the attachment in the CrowdStrike Customer Center article.
When creating your own profile, you must specify MDM properties to approve the needed macOS extensions and to approve full disk
access.
Payload: SystemExtensions
Property                              Value
AllowUserOverrides                    true

Payload: com.apple.servicemanagement
Note: This payload is for Ventura and later.
Property                              Value
Rules                                 Array [
                                        {Key: RuleType, Value: BundleIdentifier, Key: RuleValue, Value: com.crowdstrike.falcon.UserAgent},
                                        {Key: RuleType, Value: TeamIdentifier, Key: RuleValue, Value: X9E956P446}
                                      ]

Payload: WebContentFilter
Property                              Value
FilterDataProviderBundleIdentifier    com.crowdstrike.falcon.Agent
FilterGrade                           inspector
FilterPackets                         false
FilterSockets                         true
FilterType                            Plugin
PluginBundleID                        com.crowdstrike.falcon.App

Approving Full Disk Access for the Falcon sensor is a requirement; the Falcon sensor enters Reduced Functionality Mode (RFM) if this is
not enabled. See Reduced functionality mode: Mac hosts.
To approve Full Disk Access, use the Privacy Preferences Policy Control payload with a SystemPolicyAllFiles property and specify this
information in XML format:
<dict>
    <key>SystemPolicyAllFiles</key>
    <array>
        <dict>
            <key>Allowed</key>
            <true/>
            <key>CodeRequirement</key>
            <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.11
            <key>Comment</key>
            <string></string>
            <key>Identifier</key>
            <string>com.crowdstrike.falcon.Agent</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
            <key>StaticCode</key>
            <false/>
        </dict>
        <dict>
            <key>Allowed</key>
            <true/>
            <key>CodeRequirement</key>
            <string>identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.1136
            <key>Comment</key>
            <string></string>
            <key>Identifier</key>
            <string>com.crowdstrike.falcon.App</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
            <key>StaticCode</key>
            <false/>
        </dict>
    </array>
</dict>
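
A pre-upload check for a self-built profile, as an added example that is not part of CrowdStrike's instructions: it parses an unsigned .mobileconfig and reports any of the SystemExtensions, WebContentFilter and Full Disk Access values listed above that are missing or different. The function names, the PayloadType strings and the Services wrapper (Apple's profile schema, not shown on this page), and the shortened CodeRequirement in the constructed sample are assumptions of this example.

```python
import plistlib

# Expected values come from the payload tables and the XML on this page.
WCF_EXPECTED = {
    "FilterType": "Plugin", "FilterGrade": "inspector",
    "FilterSockets": True, "FilterPackets": False,
    "PluginBundleID": "com.crowdstrike.falcon.App",
    "FilterDataProviderBundleIdentifier": "com.crowdstrike.falcon.Agent",
}
FDA_IDS = {"com.crowdstrike.falcon.Agent", "com.crowdstrike.falcon.App"}
# Assumption: Apple's PayloadType identifiers for the payloads the page names.
SYSEXT = "com.apple.system-extension-policy"
WCF = "com.apple.webcontent-filter"
PPPC = "com.apple.TCC.configuration-profile-policy"

def audit_profile(data: bytes) -> list:
    """Return findings for a .mobileconfig; an empty list means all checks pass."""
    by_type = {}
    for p in plistlib.loads(data).get("PayloadContent", []):
        by_type.setdefault(p.get("PayloadType"), []).append(p)
    findings = []
    if not any(p.get("AllowUserOverrides") is True for p in by_type.get(SYSEXT, [])):
        findings.append("SystemExtensions: AllowUserOverrides is not true")
    wcf = by_type.get(WCF, [{}])[0]
    for key, want in WCF_EXPECTED.items():
        if wcf.get(key) != want:
            findings.append(f"WebContentFilter: {key}={wcf.get(key)!r}, expected {want!r}")
    granted = set()
    for p in by_type.get(PPPC, []):
        for e in p.get("Services", {}).get("SystemPolicyAllFiles", []):
            # The grant must name the bundle ID and pin it in the code requirement.
            pinned = f'identifier "{e.get("Identifier")}"' in e.get("CodeRequirement", "")
            if e.get("Allowed") is True and e.get("IdentifierType") == "bundleID" and pinned:
                granted.add(e["Identifier"])
    findings += [f"Full Disk Access: no valid entry for {i}" for i in sorted(FDA_IDS - granted)]
    return findings

def sample_profile(fda_ids, grade="inspector") -> bytes:
    """Constructed test profile; CodeRequirement is a shortened stand-in, not the real one."""
    fda = [{"Allowed": True, "Identifier": i, "IdentifierType": "bundleID", "StaticCode": False,
            "CodeRequirement": f'identifier "{i}" and anchor apple generic'} for i in fda_ids]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": SYSEXT, "AllowUserOverrides": True},
        {"PayloadType": WCF, **WCF_EXPECTED, "FilterGrade": grade},
        {"PayloadType": PPPC, "Services": {"SystemPolicyAllFiles": fda}}]})

if __name__ == "__main__":
    print(audit_profile(sample_profile(sorted(FDA_IDS))))  # complete profile
    print(audit_profile(sample_profile(["com.crowdstrike.falcon.App"], "firewall")))
```

A signed profile has to be unwrapped before it can be parsed this way, and the com.apple.servicemanagement payload is not checked here.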