Endpoint Security, CrowdStrike, Installation via Munki & MECM
Endpoint Services-specific information about installing CrowdStrike via Munki and MECM.
Microsoft Endpoint Configuration Manager (MECM, formerly SCCM)
Munki Mac Endpoint Management
University of Illinois IT Pros leveraging Technology Services CrowdStrike
University of Illinois IT Pros leveraging Technology Services Endpoint Services Microsoft Endpoint Configuration Manager (MECM, formerly SCCM) and/or Munki Mac Endpoint Management systems.
Manual installations and additional install parameters are covered in the knowledgebase article, Endpoint Services, CrowdStrike, Manual Installation and Uninstallation.
For information on migrating existing CrowdStrike installations to a different CrowdStrike instance via MECM or Munki, please refer to the Endpoint Security, CrowdStrike, Migrating Endpoints to a Different CrowdStrike Instance via Munki & MECM article.
For MECM stakeholders utilizing the Community management model:
Deploy CrowdStrike using a package found at “\Software Library\Overview\Application Management\Applications\MANAGED APPLICATIONS\CrowdStrike\*”.
For MECM stakeholders utilizing the Named or Self-Managed management model:
Due to the requirement of providing a unique customer ID checksum ("CCID" or "CID") for your unit's specific CrowdStrike instance at the time of installation, EPS cannot package a global installer that will work out-of-the-box for Named/Self-Managed instances. Instead, IT Pros should submit an MECM support request to have a copy of the application placed in their unit folder. Be sure to include your unit's CrowdStrike instance CID in the request.
Disabling MECM Endpoint Protection Management
For both Community and Named/Self-Managed models, IT Pros will want to disable the management of Endpoint Protection via the MECM client for machines with CrowdStrike installed. Failure to do so may result in the MECM client becoming unresponsive, becoming non-compliant in the MECM Client Check and generating errors in log files. This can be accomplished by configuring the client setting "Manage Endpoint Protection client on computers" to "No" and removing any Endpoint Protection policies (Antimalware Policies, Windows Defender Exploit Guard, etc.) that may be deployed to a machine. Please note that this will disable management and reporting pertaining to Endpoint Protection/Windows Defender.
To assist with this, a Configuration Item (CI) called ‘Audit MECM SCEP Policy’ has been created under ‘\Assets and Compliance\Overview\Compliance Settings\Configuration Items’. When deployed via a Configuration Baseline (CB), this CI will flag any endpoints that currently have a MECM Endpoint Protection policy enabled as non-compliant. Collections based on CB compliance can be created by right-clicking the deployment of a CB, selecting ‘Create New Collection’, then selecting the desired compliance status. One approach for the above CI would be to create a collection of endpoints that are compliant and deploy CrowdStrike to it, ensuring that there is no conflict among the recipients.
macOS CrowdStrike deployments include a) the CrowdStrike base installer and b) a unit-specific license package. EPS provides the base installer at the UIUC repository level, but due to the fact that each unit has a unique customer ID checksum ("CCID" or "CID") for their specific CrowdStrike instance, units will be required to create their own license package. This should generally be a one-time task with which EPS can assist during initial provisioning into CrowdStrike. The unit license should be made an update for the base installer.
Steps to deploy CrowdStrike via Munki:
- Ensure your unit-specific license package is in your Munki repository. For stakeholders utilizing the Community instance, please contact EPS to request that a copy of the Community license package be placed into your unit's Munki repository.
- Add crowdstrike_falcon to the Managed Installs (or Optional Installs) section of your unit's Munki manifest(s), and run Managed Software Center. The installation will require a restart.
- On macOS 10.13.4 and above: after the restart, log in and follow the prompts to approve and load the CrowdStrike kernel extension. This step won't be necessary if the Mac is enrolled in Workspace ONE and has already received the kext.crowdstrike profile.
- On macOS 10.15, in addition to the above step, you will also need to grant full disk access in order for CrowdStrike to function properly. This step won't be necessary if the Mac is enrolled in Workspace ONE and has already received the fda.crowdstrike profile.See our KB article for instructions.
- Run Managed Software Center a second time to install the unit license; no restart is required this time.