Endpoint Security, CrowdStrike, Installation via Jamf Pro, MECM, and Microsoft Intune
Systems
CrowdStrike
Jamf Pro
Microsoft Endpoint Configuration Manager (MECM, formerly SCCM)
Microsoft Intune
Affected Customers
University of Illinois IT Pros leveraging Technology Services CrowdStrike
University of Illinois IT Pros leveraging Technology Services Endpoint Services Microsoft Endpoint Configuration Manager (MECM, formerly SCCM), Microsoft Intune, or Jamf Pro.
Note: Best practice is to only use Endpoint Services systems for initial onboarding of endpoints into CrowdStrike.
Sensor updates should be managed from within the CrowdStrike console.
Actions
- General Information
- Using MECM to Deploy CrowdStrike
- Using Microsoft Intune to Deploy CrowdStrike
- Using Jamf Pro to Deploy CrowdStrike
General Information
Technology Services offers the CrowdStrike Falcon endpoint protection system to the Urbana-Champaign campus. The Endpoint Services (EPS) MECM, Microsoft Intune, and Jamf Pro services all offer installers.
Manual installations and additional install parameters are covered in the knowledgebase article, Endpoint Services, CrowdStrike, Manual Installation and Uninstallation.
For information on migrating existing CrowdStrike installations to a different CrowdStrike instance, please refer to the Endpoint Security, CrowdStrike, Migrating host to a different CrowdStrike Instance article.
Using MECM to Deploy CrowdStrike
Be sure to disable MECM's management of Windows' endpoint protection prior to deploying CrowdStrike to your endpoints.
See the 'Disabling MECM Endpoint Protection Management' section below for additional information.
For MECM stakeholders utilizing the Community management model:
Deploy CrowdStrike using a package found at “\Software Library\Overview\Application Management\Applications\MANAGED APPLICATIONS\CrowdStrike\*”.
For MECM stakeholders utilizing the Named or Self-Managed management model:
Due to the requirement of providing a unique customer ID checksum ("CCID" or "CID") for your unit's specific CrowdStrike instance at the time of installation, EPS cannot package a global installer that will work out-of-the-box for Named/Self-Managed instances. Instead, IT Pros should submit an MECM support request to have a copy of the application placed in their unit folder. Be sure to include your unit's CrowdStrike instance CID in the request.
Disabling MECM Endpoint Protection Management
For both Community and Named/Self-Managed models, IT Pros will want to disable the management of Endpoint Protection via the MECM client for machines with CrowdStrike installed. Failure to do so may result in the MECM client becoming unresponsive, becoming non-compliant in the MECM Client Check, and generating errors in log files. This can be accomplished by configuring the client setting "Manage Endpoint Protection client on computers" to "No" and removing any Endpoint Protection policies (Antimalware Policies, Windows Defender Exploit Guard, etc.) that may be deployed to a machine. Please note that this will disable management and reporting pertaining to Endpoint Protection/Windows Defender.
To assist with this, a Configuration Item (CI) called ‘Audit MECM SCEP Policy’ has been created under ‘\Assets and Compliance\Overview\Compliance Settings\Configuration Items’. When deployed via a Configuration Baseline (CB), this CI will flag any endpoints that currently have a MECM Endpoint Protection policy enabled as non-compliant. Collections based on CB compliance can be created by right-clicking the deployment of a CB, selecting ‘Create New Collection’, then selecting the desired compliance status. One approach for the above CI would be to create a collection of endpoints that are compliant and deploy CrowdStrike to it, ensuring that there is no conflict among the recipients.
Please note that CrowdStrike may also encounter conflicts with Windows Defender when it is managed by Group Policy. While this is outside the scope of MECM, we recommend also checking your GPOs before deploying CrowdStrike.
Additional information on configuring client settings can be found here.
Additional information on configuring configuration baselines can be found here.
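For the Group Policy check recommended above, the following added example (not part of the original article or an EPS-provided tool) lists every Windows Defender policy value present on an endpoint. It assumes an elevated PowerShell session on the endpoint; the function name Get-DefenderPolicyValue is hypothetical.

```powershell
# Added example: list Windows Defender policy values present on this endpoint.
# Defender settings delivered by Group Policy are written under this key.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Hypothetical helper name; returns one object per policy value found.
function Get-DefenderPolicyValue {
    param([string]$Root = $policyRoot)

    # No policy key at all means no Defender policy has been applied.
    if (-not (Test-Path -Path $Root)) { return @() }

    # The root key plus every subkey (Real-Time Protection, Exclusions, ...).
    $keys = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
}

$found = @(Get-DefenderPolicyValue)
if ($found.Count -eq 0) {
    Write-Output 'No Windows Defender policy values found under the policy key.'
} else {
    Write-Output "$($found.Count) Windows Defender policy value(s) found; review before deploying CrowdStrike:"
    $found | Sort-Object Key, Value | Format-Table -AutoSize -Wrap
}
```

The policy key can also be populated by management tools other than Group Policy, so a non-empty result only shows that a policy is present. Running `gpresult /h report.html` on the same endpoint shows which GPO, if any, delivered each setting.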
Using Microsoft Intune to Deploy CrowdStrike
For Intune stakeholders utilizing the Community management model:
Endpoint Services provides a "Falcon - Community" Windows application that can be assigned to devices in the Community CrowdStrike instance.
For Intune stakeholders utilizing the Named or Self-Managed management model:
Due to the requirement of providing a unique customer ID checksum ("CCID" or "CID") for your unit's specific CrowdStrike instance at the time of installation, EPS cannot package a global installer that will work out-of-the-box for Named/Self-Managed instances. Instead, IT Pros should submit an Intune support request to have a copy of the application placed in their unit scope. Be sure to include your unit's CrowdStrike instance CID in the request.
Using Jamf Pro to Deploy CrowdStrike
All Macs enrolled into Jamf Pro are automatically enrolled in CrowdStrike and receive a) the CrowdStrike base installer and b) a unit-specific CrowdStrike license profile. EPS provides the base installer at the global ("Full Jamf Pro") level, but because each unit has a unique customer ID checksum ("CCID" or "CID") for its specific CrowdStrike instance, EPS must create a separate unit-specific license profile for each unit. This can be handled during initial provisioning into CrowdStrike and/or Jamf Pro.