Leverage MDM-delivered Configuration Profiles and a custom Bash script for dynamic, yet consistent Sensor Grouping Tags in CrowdStrike Falcon
CrowdStrike customers should log in to the Support portal and view this article before attempting to implement this approach.
You’re also invited to up-vote Idea No. 8109: Allow Changing of Sensor Tags
As we’ve considered deploying CrowdStrike Falcon on macOS, we’ve wanted to leverage Sensor Grouping Tags in a way which was dynamic, yet consistent across our fleet.
However, learning about any new software product also includes learning about its limitations.
Yet another job for system engineers.
We wanted to distribute one server-wide “CrowdStrike Falcon” Configuration Profile which included all the critical payloads:
Privacy Preferences Policy Control
Then, a second, Site-specific Configuration Profile would immutably set the Customer ID (ccid) and the Sensor Grouping Tags (groupingTags):
Application & Custom Settings
Customer ID (i.e., ccid)
Sensor Grouping Tags (i.e., groupingTags)
On the Mac, while these two independent Configuration Profiles are both displayed in System Settings > Privacy & Security > Profiles …
… In the /Library/Managed Preferences/ directory, there is a single com.crowdstrike.falcon.plist with the Application & Custom Settings from the Site-specific Configuration Profile:
Normally, at this point, you’re done.
When you re-assign a Computer Record to a different Site in Jamf Pro, the old Site-specific Configuration Profile is automatically swapped out for the new Site-specific Configuration Profile. The software vendor detects this change and honors the new setting, which is then reflected in the vendor’s console.
A special thanks to CrowdStrike representatives for confirming with CrowdStrike engineering that — as of this writing — the com.crowdstrike.falcon.plist is consulted only once: during initial installation.
Any changes to Falcon Sensor Grouping Tags after initial installation require leveraging falconctl.
Idea No. 9326
Current CrowdStrike customers are invited to up-vote Idea No. 9326 (US-1 | US-2):
macOS falconctl should read com.crowdstrike.falcon.plist every time it loads
To assign tags to a host, you’ll use the falconctl command-line interface with the grouping-tags command, which offers the following three options:
Tag changes take effect the next time the Falcon sensor — or the Mac — restarts. To restart the Falcon sensor immediately, you can again leverage the falconctl binary with the following options, in the order listed:
While any user account with local administrative privileges can leverage the falconctl binary to set — or even clear — grouping-tags, a Maintenance Token (about which I’m currently unqualified to discuss in greater detail) is required to unload the Falcon sensor.
Don’t know your Mac’s unique Maintenance Token? No problem, just make whatever grouping-tags change you like and restart.
So much for immutable Configuration Profile settings.
After better understanding the current state of grouping-tags, I was blessed with some heavenly inspiration to develop a fourth grouping-tags option: reset
Distribute both Configuration Profiles according to the original design
Use defaults read to determine the MDM-specified grouping-tags settings
Leverage falconctl grouping-tags set to update the Falcon Sensor Grouping Tags
Wait for the Mac to restart
Note: The current — at least self-perceived — restrictions / limitations on using Maintenance Tokens have led me to comment-out the restartCrowdStrikeFalcon function (i.e., unload / load); perhaps you’ll be able to leverage it in your environment.
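The reset flow above (read the MDM-delivered groupingTags with defaults read, compare with what the sensor reports, re-apply with falconctl grouping-tags set) as an added Bash example; this is not the post's CrowdStrike Falcon Tags script. It assumes the falconctl path inside Falcon.app, that falconctl grouping-tags get prints the tag list after a final "key: value" colon, and that tags are comma-separated.

```bash
#!/bin/bash
# Added example, not the post's own script: "reset" mode that re-applies the
# grouping tags delivered by the Site-specific Configuration Profile.
set -u

FALCONCTL="/Applications/Falcon.app/Contents/Resources/falconctl"   # assumed path
MDM_DOMAIN="/Library/Managed Preferences/com.crowdstrike.falcon"    # defaults read adds .plist

# Canonicalise a comma-separated tag list: trim whitespace, drop empties, sort, dedupe.
normalize_tags() {
    printf '%s' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -v '^$' | sort -u | paste -s -d ',' -
}

# Return 0 when both lists hold the same tags regardless of order or spacing.
tags_match() {
    [ "$(normalize_tags "$1")" = "$(normalize_tags "$2")" ]
}

# Desired tags as set immutably by MDM (Application & Custom Settings payload).
mdm_tags() {
    defaults read "$MDM_DOMAIN" groupingTags 2>/dev/null
}

# Current tags reported by the sensor; assumes the list follows the last ": ".
current_tags() {
    "$FALCONCTL" grouping-tags get 2>/dev/null | sed 's/.*: *//'
}

# Re-apply the MDM tags only when the sensor's tags have drifted from them.
reset_tags() {
    local desired current
    desired="$(mdm_tags)" || { echo "No groupingTags in MDM profile" >&2; return 1; }
    current="$(current_tags)"
    if tags_match "$desired" "$current"; then
        echo "Grouping tags already match MDM profile: $desired"
        return 0
    fi
    echo "Updating grouping tags: '$current' -> '$desired'"
    "$FALCONCTL" grouping-tags set "$(normalize_tags "$desired")" || return 1
    echo "Tags take effect after the Falcon sensor (or the Mac) restarts."
}
```

Call reset_tags from the script's entry point; in the post's design Jamf Pro passes the mode as Parameter 6, so a case statement on "$6" can route get, set, clear and reset.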
After having followed CrowdStrike’s latest deployment documentation for Configuration Profiles (and using the above examples), complete the following steps to reset Falcon Sensor grouping-tags to your MDM-defined settings.
A. Add the CrowdStrike Falcon Tags script to your Jamf Pro server
Specify the following for Options > Parameter Labels
Parameter 4: Script Log Location
Parameter 5: Maintenance Token
Parameter 6: Mode [ get | set | clear | reset (default) ]
Since CrowdStrike Falcon currently does not write its preferences file to the standard /Library/Preferences/ directory, the script also creates a hard link of /Library/Managed Preferences/com.crowdstrike.falcon.plist as /Library/Preferences/com.crowdstrike.falcon.plist so Palo Alto Networks GlobalProtect can read the value of ccid for HIP-compatibility.