
CrowdStrike Falcon BluetoothAlways (and forever)

Learn how to enable Bluetooth device discovery in CrowdStrike Falcon for macOS

Background

Beginning with CrowdStrike’s Falcon sensor for Mac 7.21, Falcon Device Control policies can be configured to control which Bluetooth devices can connect to Mac hosts.

However, without the proper entitlement in place beforehand, end users can simply click Don’t Allow.

Goal

The goal is simple enough:

Leverage your Mobile Device Management solution of choice and force-enable Bluetooth for Falcon.

The Rub

However, even though Privacy Preferences Policy Control settings for Bluetooth can be configured, your MDM of choice might not currently include the option.

One Approach

In our early testing, leveraging the BluetoothAlways property appears to allow controlling Bluetooth devices as CrowdStrike advertised.

  1. Download your current Configuration Profile
  2. Remove the Configuration Profile’s signature
  3. Locate the Services key
  4. Copy-pasta the XML below (take care to not duplicate the Services key)
  5. Sign the Configuration Profile
  6. Upload to your MDM server
  7. Distribute to your opt-in Beta Testers

<key>Services</key>
<dict>
	<key>BluetoothAlways</key>
	<array>
		<dict>
			<key>Allowed</key>
			<integer>1</integer>
			<key>CodeRequirement</key>
			<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "X9E956P446"</string>
			<key>Identifier</key>
			<string>com.crowdstrike.falcon.Agent</string>
			<key>IdentifierType</key>
			<string>bundleID</string>
			<key>StaticCode</key>
			<integer>0</integer>
		</dict>
		<dict>
			<key>Allowed</key>
			<integer>1</integer>
			<key>CodeRequirement</key>
			<string>identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "X9E956P446"</string>
			<key>Identifier</key>
			<string>com.crowdstrike.falcon.App</string>
			<key>IdentifierType</key>
			<string>bundleID</string>
			<key>StaticCode</key>
			<integer>0</integer>
		</dict>
	</array>
</dict>
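
Steps 3 and 4 can be scripted so the entries are merged into the existing Services key instead of pasted by hand. This is an added example, not code from the original post or from CrowdStrike; it assumes the profile is already unsigned (step 2) and will be signed afterwards (step 5), and the function names and sample profile are constructed for illustration.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"  # PPPC payload type
TEAM_ID = "X9E956P446"  # team ID from the page's CodeRequirement strings
BUNDLE_IDS = ("com.crowdstrike.falcon.Agent", "com.crowdstrike.falcon.App")

def falcon_entry(bundle_id):
    """Build one entry with the same keys and values as the page's XML."""
    req = (f'identifier "{bundle_id}" and anchor apple generic and '
           'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
           'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
           f'certificate leaf[subject.OU] = "{TEAM_ID}"')
    return {"Allowed": 1, "CodeRequirement": req, "Identifier": bundle_id,
            "IdentifierType": "bundleID", "StaticCode": 0}

def add_bluetooth_always(profile_bytes):
    """Merge Falcon's BluetoothAlways entries into every PPPC payload.

    Expects an unsigned profile; a still-signed one fails to parse here.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PPPC_TYPE]
    if not payloads:
        raise ValueError("profile has no PPPC payload to extend")
    for payload in payloads:
        # Reuse the existing Services dict so the key is never duplicated.
        services = payload.setdefault("Services", {})
        entries = services.setdefault("BluetoothAlways", [])
        present = {e.get("Identifier") for e in entries}
        entries.extend(falcon_entry(b) for b in BUNDLE_IDS if b not in present)
    return plistlib.dumps(profile)

def sample_profile():
    """Constructed unsigned profile (not a real export) with one Services entry."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.falcon.pppc",  # placeholder identifier
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": [{
            "PayloadType": PPPC_TYPE, "PayloadVersion": 1,
            "PayloadIdentifier": "example.falcon.pppc.tcc",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "Services": {"SystemPolicyAllFiles": [falcon_entry(BUNDLE_IDS[0])]},
        }],
    })

if __name__ == "__main__":
    print(add_bluetooth_always(sample_profile()).decode())
```

Running the merge a second time on its own output adds nothing, so an already-updated profile is left unchanged.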

As always, caveat emptor.
