Endpoint Security, CrowdStrike, Installation via Munki & SCCM

Endpoint Services-specific information about installing CrowdStrike via Munki and SCCM.

Systems

CrowdStrike
System Center Configuration Manager (SCCM) Current Branch
Munki Mac Endpoint Management

Affected Customers

University of Illinois IT Pros leveraging Technology Services CrowdStrike

University of Illinois IT Pros leveraging Technology Services Endpoint Service SCCM Current Branch and/or Munki Mac Endpoint Management systems.

Note: Best practice is to only use Endpoint Services systems for onboarding/offboarding endpoints into CrowdStrike.
Sensor updates should be managed from within the CrowdStrike console.

Actions

General Information

Technology Services offers the CrowdStrike Falcon endpoint protection system to the Urbana-Champaign campus. The EPS SCCM and Munki services both offer installers.

Manual installations and additional install parameters are covered in the knowledgebase article, Endpoint Services, CrowdStrike, Manual Installation and Uninstallation.

Using SCCM to Deploy CrowdStrike

For SCCM stakeholders utilizing the Community management model:
Deploy CrowdStrike using a package found at “\Software Library\Overview\Application Management\Applications\MANAGED APPLICATIONS\CrowdStrike\*”.

For SCCM stakeholders utilizing the Organizational management model:
Due to the requirement of providing a unique customer ID checksum ("CCID" or "CID") for your unit's specific CrowdStrike instance at the time of installation, EPS cannot package a global installer that will work out-of-the-box for organizational instances. Instead, IT Pros can copy the Community installer to their unit's folder within SCCM and modify the deployment type to include their unique CCID.

SCCM CrowdStrike Deployment Type Window

For both Community and Organizational models, IT Pros will want to disable the management of Endpoint Protection via the SCCM client for machines with CrowdStrike installed. Failure to do so will result in the SCCM Client Check failing. This can be accomplished by configuring the client setting "Manage Endpoint Protection client on computers" to "No". Please note that this will disable management and reporting pertaining to Endpoint Protection/Windows Defender.

Additional information on configuring client settings can be found here.
Additional information on CrowdStrike management models can be found here.

Using Munki to Deploy CrowdStrike

Due to increased privacy and security features in recent macOS releases, CrowdStrike installation requires the following additional steps to be taken, either manually or via Workspace ONE profiles. These steps can't be fulfilled by Munki.

  • On macOS 10.13.4 and above, you will need to enable a kernel extension in order for CrowdStrike to function.
    Read more about user-approved kernel extension loading.

  • On macOS 10.15, you will need to grant full disk access in order for CrowdStrike to function properly.
    See our KB article for instructions.

  • macOS CrowdStrike deployments include a) the CrowdStrike base installer and b) a unit-specific license package. EPS provides the base installer at the UIUC repository level, but because each unit has a unique customer ID checksum ("CCID" or "CID") for its specific CrowdStrike instance, units will be required to create their own license package. This should generally be a one-time task with which EPS can assist during initial provisioning into CrowdStrike. The unit license should be made an update for the base installer.

    Steps to deploy CrowdStrike via Munki:

    1. Ensure your unit-specific license package is in your Munki repository. For stakeholders utilizing the Community instance, please contact EPS to request that a copy of the Community license package be placed into your unit's Munki repository.
    2. Add crowdstrike_falcon to the Managed Installs (or Optional Installs) section of your unit's Munki manifest(s), and run Managed Software Center. The installation will require a restart.
    3. On macOS 10.13.4 and above: after the restart, log in and follow the prompts to approve and load the CrowdStrike kernel extension. This step won't be necessary if the Mac is enrolled in Workspace ONE and has already received the kext.crowdstrike profile.
    4. On macOS 10.15, in addition to the above step, you will also need to grant full disk access in order for CrowdStrike to function properly. This step won't be necessary if the Mac is enrolled in Workspace ONE and has already received the fda.crowdstrike profile. See our KB article for instructions.
    5. Run Managed Software Center a second time to install the unit license; no restart is required this time.
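
A pre-deployment check for the repository layout described in the steps above, added here as an example (it is not EPS or Munki project code). It assumes a single manifest with no included manifests; the license item name and the catalog name in the sample data are hypothetical, and the sample plists are constructed.

```python
import plistlib

BASE = "crowdstrike_falcon"  # item name from step 2 above

# Constructed sample data. The license item name and catalog are hypothetical.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>catalogs</key><array><string>production</string></array>
  <key>managed_installs</key><array><string>crowdstrike_falcon</string></array>
</dict></plist>"""

SAMPLE_LICENSE_PKGINFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>name</key><string>crowdstrike_falcon_license_exampleunit</string>
  <key>version</key><string>1.0</string>
  <key>catalogs</key><array><string>production</string></array>
  <key>update_for</key><array><string>crowdstrike_falcon</string></array>
</dict></plist>"""


def check_deployment(manifest_xml: bytes, license_pkginfo_xml: bytes) -> list[str]:
    """Return a list of problems; an empty list means the layout matches the steps."""
    manifest = plistlib.loads(manifest_xml)
    pkginfo = plistlib.loads(license_pkginfo_xml)
    problems = []

    # Step 2: the base installer must be requested by the manifest.
    requested = manifest.get("managed_installs", []) + manifest.get("optional_installs", [])
    if BASE not in requested:
        problems.append(f"{BASE} is not in managed_installs or optional_installs")

    # The unit license must be an update for the base installer, so that the
    # second Managed Software Center run (step 5) picks it up.
    if BASE not in pkginfo.get("update_for", []):
        problems.append(f"license pkginfo lacks update_for -> {BASE}")

    # Munki only considers items in the catalogs the manifest lists.
    if not set(pkginfo.get("catalogs", [])) & set(manifest.get("catalogs", [])):
        problems.append("license pkginfo shares no catalog with the manifest")
    return problems


if __name__ == "__main__":
    for line in check_deployment(SAMPLE_MANIFEST, SAMPLE_LICENSE_PKGINFO) or ["OK"]:
        print(line)
```

To use it against a real repository, pass the bytes of your unit's manifest and license pkginfo files in place of the constructed samples.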




    Keywords: eps crowdstrike mtm munki sccm endpoint techs-eps-mtm techs-eps-sccm falcon TechS-EPS-CS MECM
    Doc ID: 93940
    Owner: EPS Distribution List
    Group: University of Illinois Technology Services
    Created: 2019-08-19 11:58 CDT
    Updated: 2020-02-26 11:44 CDT
    Sites: University of Illinois Technology Services