Endpoint Security, CrowdStrike, Full Disk Access for macOS 10.14 and 10.15

Granting Full Disk Access to the Falcon Sensor on macOS 10.14 (Mojave) and 10.15 (Catalina).

Systems

Crowdstrike

Affected Customers

University of Illinois IT Pros leveraging Technology Services CrowdStrike

General Information

Beginning with macOS 10.15, full disk access must be granted to the CrowdStrike Falcon Sensor to obtain visibility to all files on the device. This action only needs to be taken once per host when installing the Falcon Sensor on Catalina, or after upgrading to Catalina from earlier macOS releases. It does not need to be repeated after sensor updates.

For macOS 10.14, CrowdStrike recommends granting full disk access to the CrowdStrike Falcon Sensor, in order to prepare for upcoming sensor releases that will be able to access file paths protected by default on Mojave.

Actions

Granting Full Disk Access via Workspace ONE

If you are using EPS Workspace ONE to manage your macOS devices, please contact the EPS team and we will help you leverage the existing "fda.crowdstrike" global privacy preferences profile to grant full disk access to the Crowdstrike Falcon Sensor.

Granting Full Disk Access Manually

For Macs not enrolled in Workspace ONE, you can take the following steps to manually grant full disk access to the Crowdstrike Falcon Sensor. Administrator account permission is needed for these steps.

Step A: Manually change the permissions of the /Library/CS folder to make that folder visible in Security Preferences. (This step is not necessary on Falcon Sensor for Mac v5.20 and up.)

  • GUI method:
    • Navigate to /Library in Finder, or type Cmd-Shift-G and enter /Library
    • Ctrl-click "CS" directory and choose "Get Info"
    • Click the lock icon in the lower-left corner
    • Enter your device password
    • Under "Sharing & Permissions:" for "everyone" select "Read only"
  • Terminal method:
    • $ cd /Library
    • $ sudo chmod 0755 CS

Step B: Provide full disk access to falcond on the host.

  • Open System Preferences
  • Open Security & Privacy
  • Select the Privacy tab. If privacy settings are locked:
    • Click the lock icon in the lower-left corner
    • Enter your device password
  • In the left pane, select Full Disk Access
  • In the right pane, click the + icon
  • Navigate to /Library/CS/falcond, or type Cmd-Shift-G and enter /Library/CS/falcond
  • Click Open
  • Click Quit Now
  • If necessary, click the lock in the lower-left corner to re-lock privacy settings

Contact the EPS team




Keywords:eps crowdstrike mtm munki endpoint techs-eps-mtm falcon techs-eps-crowdstrike antivirus   Doc ID:95201
Owner:EPS Distribution List .Group:University of Illinois Technology Services
Created:2019-10-23 09:56 CSTUpdated:2019-12-04 15:56 CST
Sites:University of Illinois Technology Services
Feedback:  0   0