├── img
    ├── script_1.png
    ├── script_2.png
    ├── script_3.png
    ├── script_4.png
    ├── script_5.png
    ├── cfg_profile_1.png
    ├── cfg_profile_2.png
    ├── cfg_profile_3.png
    ├── cfg_profile_4.png
    ├── cfg_profile_5.png
    └── cfg_profile_6.png
├── LICENSE
├── MobileConfigs
    ├── Falcon Profile - kexts.mobileconfig
    └── Falcon Profile.mobileconfig
├── CSFalconInstall.sh
└── README.md

/img/script_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cliv/cs-falcon-protect-intune/HEAD/img/script_1.png
--------------------------------------------------------------------------------
/img/script_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cliv/cs-falcon-protect-intune/HEAD/img/script_2.png
--------------------------------------------------------------------------------
/img/script_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cliv/cs-falcon-protect-intune/HEAD/img/script_3.png
--------------------------------------------------------------------------------
/img/script_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cliv/cs-falcon-protect-intune/HEAD/img/script_4.png
--------------------------------------------------------------------------------
/img/script_5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cliv/cs-falcon-protect-intune/HEAD/img/script_5.png
--------------------------------------------------------------------------------
/img/cfg_profile_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cliv/cs-falcon-protect-intune/HEAD/img/cfg_profile_1.png
--------------------------------------------------------------------------------
/img/cfg_profile_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cliv/cs-falcon-protect-intune/HEAD/img/cfg_profile_2.png
--------------------------------------------------------------------------------
/img/cfg_profile_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cliv/cs-falcon-protect-intune/HEAD/img/cfg_profile_3.png
--------------------------------------------------------------------------------
/img/cfg_profile_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cliv/cs-falcon-protect-intune/HEAD/img/cfg_profile_4.png
--------------------------------------------------------------------------------
/img/cfg_profile_5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cliv/cs-falcon-protect-intune/HEAD/img/cfg_profile_5.png
--------------------------------------------------------------------------------
/img/cfg_profile_6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cliv/cs-falcon-protect-intune/HEAD/img/cfg_profile_6.png
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 Charlie Livingston

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/MobileConfigs/Falcon Profile - kexts.mobileconfig:
--------------------------------------------------------------------------------
PayloadContent

AllowedTeamIdentifiers

X9E956P446

PayloadDescription
Configures Kernel Extension Policy settings
PayloadDisplayName
Kernel Extensions
PayloadIdentifier
com.apple.syspolicy.kernel-extension-policy.5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE
PayloadOrganization
CrowdStrike Inc.
PayloadType
com.apple.syspolicy.kernel-extension-policy
PayloadUUID
5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE

PayloadDescription
Kernel Extensions (Not Applicable to M1 Macs)
PayloadDisplayName
Falcon Profile - Kexts
PayloadEnabled

PayloadIdentifier
34036D4F-49FF-463E-8EF0-3940BABDD1D0
PayloadOrganization
CrowdStrike Inc.
PayloadRemovalDisallowed

PayloadScope
System
PayloadType
Configuration
PayloadUUID
9EF3106B-E2F1-42DC-9535-7F3C01CCCD3B
PayloadVersion
1

--------------------------------------------------------------------------------
/CSFalconInstall.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Configuration - Add this before uploading - It's a shame that Intune doesn't have secrets support... :(
CLIENT_ID=
CLIENT_SECRET=
BASE_URL= # Ex. https://api.crowdstrike.com, https://api.us-2.crowdstrike.com
CS_INSTALL_TOKEN= # Optional if defined, prevents unauthorized additions via CCID

# Installing the package and licensing the sensor both need root.
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root"
  exit 1
fi

# Each helper parses the API response with JXA (osascript). The JSON is passed
# as an argument to run() rather than pasted into the JavaScript source, so
# backticks, backslashes or ${...} in a response cannot alter the program.

# Exchange the API client credentials for an OAuth2 bearer token.
get_access_token() {
  json=$(curl -s -X POST -d "client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}" "${BASE_URL}/oauth2/token")
  osascript -l JavaScript -e 'function run(argv) { let result = JSON.parse(argv[0]); return result.access_token; }' "$json"
}

# Return the sha256 of the first macOS installer listed; it doubles as the download id.
get_sha256() {
  json=$(curl -s -H "Authorization: Bearer ${1}" "${BASE_URL}/sensors/combined/installers/v1?filter=platform%3A%22mac%22")
  osascript -l JavaScript -e 'function run(argv) { let result = JSON.parse(argv[0]); return result.resources[0].sha256; }' "$json"
}

# Return the customer ID (CCID) used to license the sensor.
get_ccid() {
  json=$(curl -s -H "Authorization: Bearer ${1}" "${BASE_URL}/sensors/queries/installers/ccid/v1")
  osascript -l JavaScript -e 'function run(argv) { let result = JSON.parse(argv[0]); return result.resources; }' "$json"
}

# Install only when falconctl is missing or the sensor is not reporting as operational.
if [ ! -x "/Applications/Falcon.app/Contents/Resources/falconctl" ] || [ -z "$(/Applications/Falcon.app/Contents/Resources/falconctl stats | grep 'Sensor operational: true')" ]; then
  APITOKEN=$(get_access_token)
  FALCON_LATEST_SHA256=$(get_sha256 "${APITOKEN}")
  CCID=$(get_ccid "${APITOKEN}")
  curl -o /tmp/FalconSensorMacOS.pkg -s -H "Authorization: Bearer ${APITOKEN}" "${BASE_URL}/sensors/entities/download-installer/v1?id=${FALCON_LATEST_SHA256}"
  installer -verboseR -package /tmp/FalconSensorMacOS.pkg -target /
  rm /tmp/FalconSensorMacOS.pkg
  # The install token is only passed when it is set.
  /Applications/Falcon.app/Contents/Resources/falconctl license "${CCID}" ${CS_INSTALL_TOKEN:+"${CS_INSTALL_TOKEN}"} || true # Don't fail if the app is already licensed, but still needs a reinstall
else
  echo "Crowdstrike Falcon is installed and operational"
fi

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Installing CrowdStrike Falcon Protect via Microsoft Intune

Intune doesn't support installing .pkg files directly - instead, it requires wrapping them using custom scripts.

It's much easier and more reliable to use a shell script to deploy CrowdStrike Falcon Protect to end-users.

Here are the steps I went through to get it working.

## Step 1 - Deploy configuration profiles

CrowdStrike provides a configuration profile to enable KExts, System Extensions, Full Disk Access and Web Content Filtering that can be deployed by Intune. Unfortunately, this profile does not work on Apple Silicon (M1) devices due to lack of support for KExts.

This would be an easy fix if there was a way to identify arm64 devices in Intune for use in Dynamic Groups or the new Filters feature - but so far I haven't figured out a decent way to do this (if you find something, please submit an issue or PR on this repo!).


The closest thing to do to get this to work is to deploy two .mobileconfigs - one with the standalone kexts and one with the rest of the permissions. The kexts will still fail on Apple Silicon, but this doesn't cause any issues with the installation, since CrowdStrike doesn't try to use them on M1.

Deploy the .mobileconfig files in `/MobileConfigs` by doing the following:

1. Open the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#home)
2. Select `Devices` -> `Configuration Profiles`
3. Click `Create Profile`\
   ![Step 1 - Create Profile](img/cfg_profile_1.png?raw=true)
4. In the blade that opens on the right, select `macOS` for platform, `Templates` for Profile type, and `Custom` for template name. Click `Create`\
   ![Step 2 - Profile Options](img/cfg_profile_2.png?raw=true)
5. Enter the basic details for the profile. Click `Next`\
   ![Step 3 - Profile Basics](img/cfg_profile_3.png?raw=true)
6. Upload [MobileConfigs/Falcon Profile.mobileconfig](MobileConfigs/Falcon%20Profile.mobileconfig)\
   ![Step 4 - Profile Configuration Settings](img/cfg_profile_4.png?raw=true)
7. Choose the users and/or devices to deploy to\
   ![Step 5 - Profile Assignments](img/cfg_profile_5.png?raw=true)
8. Review the settings for your profile, and click `Create`\
   ![Step 6 - Profile Review](img/cfg_profile_6.png?raw=true)

9. Repeat steps 3-8 for [MobileConfigs/Falcon Profile - kexts.mobileconfig](MobileConfigs/Falcon%20Profile%20-%20kexts.mobileconfig)

## Part 2 - Deployment Script

Now the actual deployment of CrowdStrike - this should work on M1 and Intel with no additional dependencies.

This script uses JXA & Open Scripting Architecture to parse JSON (we used to use Python, but runtimes are being deprecated in macOS).
(Thanks to both https://www.macblog.org/posts/how-to-parse-json-macos-command-line/ and RhubarbBread on the MacAdmins Slack for guidance on this)

How to push the script via Intune:

1. Open the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#home)
2. Select `Devices` -> `Scripts`
3. Click `+ Add`\
   ![Step 1 - Create Script](img/script_1.png?raw=true)
4. Enter the basic details for the script\
   ![Step 2 - Basic Script Options](img/script_2.png?raw=true)
5. Upload [CSFalconInstall.sh](CSFalconInstall.sh)

   - Select "No" for `Run script as signed-in user` so it runs as the superuser instead of the local user
   - Choose your preference for `Hide script notifications on devices`
   - Setting `Not Configured` for the Script Frequency will ensure it runs only once (unless the script is updated or the user's cache is deleted)
   - `1 time` for script retries should be plenty, but this setting is at your discretion.\
     ![Step 3 - Script Settings](img/script_3.png?raw=true)

6. Select the users and devices you want to deploy CrowdStrike Falcon Protect to\
   ![Step 4 - Script Assignments](img/script_4.png?raw=true)
7. Review your settings and click `Add` if everything looks correct to you\
   ![Step 5 - Script Review](img/script_5.png?raw=true)

--------------------------------------------------------------------------------
/MobileConfigs/Falcon Profile.mobileconfig:
--------------------------------------------------------------------------------
PayloadContent

FilterBrowsers

FilterDataProviderBundleIdentifier
com.crowdstrike.falcon.Agent
FilterDataProviderDesignatedRequirement
identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"
FilterGrade
inspector
FilterPacketProviderBundleIdentifier
com.crowdstrike.falcon.Agent
FilterPacketProviderDesignatedRequirement
identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"
FilterPackets

FilterSockets

FilterType
Plugin
Organization
CrowdStrike Inc.
PayloadDisplayName
Web Content Filter
PayloadIdentifier
com.apple.webcontent-filter.2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8
PayloadType
com.apple.webcontent-filter
PayloadUUID
2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8
PayloadVersion
1
PluginBundleID
com.crowdstrike.falcon.App
UserDefinedName
Falcon

AllowedTeamIdentifiers

X9E956P446

PayloadDescription
Controls the system extension loading/unloading
PayloadDisplayName
App System Extension Control
PayloadIdentifier
com.apple.system-extensions.admin.E45B5986-74A6-4B6A-A4CA-E179516A7F52
PayloadOrganization
CrowdStrike Inc.
PayloadType
com.apple.system-extensions.admin
PayloadUUID
E45B5986-74A6-4B6A-A4CA-E179516A7F52

PayloadDescription
Configures Privacy Preferences Policy Control settings
PayloadDisplayName
Privacy Preferences
PayloadIdentifier
com.apple.TCC.configuration-profile-policy.9A10BE5D-5E46-4C22-89C9-20597A04B616
PayloadOrganization
CrowdStrike Inc.
PayloadType
com.apple.TCC.configuration-profile-policy
PayloadUUID
9A10BE5D-5E46-4C22-89C9-20597A04B616
Services

SystemPolicyAllFiles

Allowed

CodeRequirement
identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
Comment

Identifier
com.crowdstrike.falcon.Agent
IdentifierType
bundleID
StaticCode

Allowed

CodeRequirement
identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
Comment

Identifier
com.crowdstrike.falcon.App
IdentifierType
bundleID
StaticCode

AllowUserOverrides

AllowedSystemExtensionTypes

X9E956P446

EndpointSecurityExtension
NetworkExtension

AllowedSystemExtensions

X9E956P446

com.crowdstrike.falcon.Agent

PayloadDescription
Configures System Extensions Policy settings
PayloadDisplayName
System Extensions
PayloadIdentifier
com.apple.system-extension-policy.20258B06-5866-4424-8893-A3AF1AFAAEDC
PayloadOrganization
CrowdStrike Inc.
PayloadType
com.apple.system-extension-policy
PayloadUUID
20258B06-5866-4424-8893-A3AF1AFAAEDC

PayloadDescription
System Extensions, and Privacy Preferences
PayloadDisplayName
Falcon Profile
PayloadEnabled

PayloadIdentifier
C1A6E28A-21EF-49C6-B85F-84E845731E22
PayloadOrganization
CrowdStrike Inc.
PayloadRemovalDisallowed

PayloadScope
System
PayloadType
Configuration
PayloadUUID
183F63FC-A94F-44F6-AF62-D3D68FDAE755
PayloadVersion
1

--------------------------------------------------------------------------------