Endpoint Security, CrowdStrike, Migrating Endpoints to a Different CrowdStrike Instance via Munki & MECM

Endpoint Services-specific information about migrating endpoints to a different CrowdStrike instance via Munki & MECM

Systems

CrowdStrike
Microsoft Endpoint Configuration Manager (MECM, formerly SCCM)
Munki Mac Endpoint Management

Affected Customers

University of Illinois IT Pros leveraging Technology Services CrowdStrike

University of Illinois IT Pros leveraging Technology Services Endpoint Services Microsoft Endpoint Configuration Manager (MECM, formerly SCCM) and/or Munki Mac Endpoint Management systems.

Actions

General Information

To migrate an endpoint from one CrowdStrike instance to another, the Falcon sensor must be completely uninstalled and then reinstalled. Endpoint Services (EPS) has created application templates that can be copied and modified to facilitate this process.

For information on new CrowdStrike installations via MECM or Munki, please refer to the Endpoint Security, CrowdStrike, Installation via Munki & MECM article.

Using MECM to Migrate Endpoints

  1. IT Pros should submit an MECM support request to have a copy of the 'Falcon - CID Transition Template' application placed in their unit folder. Be sure to include in the request your unit's CrowdStrike instance CID for the instance you're moving your endpoints to.
  2. Within the CrowdStrike console, disable sensor uninstall protection on your endpoints by applying an appropriate sensor update policy. For stakeholders utilizing the Community instance, this can be accomplished by applying the '!CID Transition Policy' sensor update policy to your unit's host group(s).
  3. Within the MECM Configuration Manager console, remove any existing deployments of CrowdStrike Falcon from your collections.
  4. Deploy the copied application as desired to your collections.
  5. Within the CrowdStrike console, ensure that sensor uninstall protection is enabled on your endpoints in the new instance by applying an appropriate sensor update policy.

Note: After endpoints are migrated, the hosts in the old CrowdStrike instance will still exist and new hosts will be created in the new instance. The old hosts can either be deleted manually within the CrowdStrike console or will be deleted automatically after 45 days.

Using Munki to Migrate Endpoints

  1. IT Pros should submit a Munki support request to have a copy of the CrowdStrike Falcon CID Transition package placed in their unit's Munki repository. Be sure to include in the request your unit's CrowdStrike instance CID for the the instance you're moving your endpoints to.
  2. Within the CrowdStrike console, disable sensor uninstall protection on your endpoints by applying an appropriate sensor update policy. For stakeholders utilizing the Community instance, this can be accomplished by applying the '!CID Transition Policy' sensor update policy to your unit's host group(s).
  3. On macOS 13.0 and above, you will need to grant Terminal.app App Management rights (System Settings - Privacy & Security - App Management) in order for the CID transition package to succeed. App Management is a subset of Full Disk Access, so granting Terminal.app Full Disk Access will also allow migrations, but is not a security best practice.
  4. Add the CrowdStrike CID transition package ('crowdstrike_falcon_cid_transition') to your unit's Munki manifests. This will migrate existing CrowdStrike installations to the new instance.
  5. Once all of your endpoints have been migrated to the new CrowdStrike instance, Endpoint Services recommends removing the CrowdStrike CID transition package ('crowdstrike_falcon_cid_transition') from your manifests but leaving the base installer ('crowdstrike_falcon').
  6. Within the CrowdStrike console, ensure that sensor uninstall protection is enabled on your endpoints in the new instance by applying an appropriate sensor update policy.

Note: After endpoints are migrated, the hosts in the old CrowdStrike instance will still exist and new hosts will be created in the new instance. The old hosts can either be deleted manually within the CrowdStrike console or will be deleted automatically after 45 days.

Getting Help

For MECM or Munki-related questions, contact the EPS team.



Keywordseps crowdstrike mtm munki sccm endpoint techs-eps-mtm techs-eps-sccm falcon TechS-EPS-CS MECM   Doc ID102080
OwnerEPS Distribution ListGroupUniversity of Illinois Technology Services
Created2020-05-14 12:43:50Updated2023-01-31 15:27:31
SitesUniversity of Illinois Technology Services
Feedback  2   0