Topic
This article provides a sample configuration for deploying common security software and streamlining the end-user experience for SentinelOne.
Note that these configurations are provided as examples, and we recommend that you first consult the security tool's software documentation to ensure it is configured correctly.
Environment
- NinjaOne Mobile Device Management (MDM)
- Apple macOS
- NinjaOne Integrations
- CrowdStrike
Description
Security tools and apps generally require you to apply various configurations during installation in order to function properly within a configured environment. When devices are managed by NinjaOne MDM, you can use NinjaOne to deploy these standard configurations.
CrowdStrike Falcon Sensor for macOS
This section outlines how to streamline the deployment and configuration of the CrowdStrike Falcon sensor for macOS. Deploy the following mobile configuration as a custom payload in your NinjaOne macOS policy to any devices that have the CrowdStrike Falcon Sensor installed. For more information on MDM-enrolled macOS custom payloads, refer to NinjaOne Apple MDM Policy Settings: Custom Payloads.
This payload will configure the following:
- Permissions to access All Files are automatically granted
- The system extension is automatically approved
- The web content filter is automatically configured
- Background processing is automatically approved and cannot be disabled
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.crowdstrike.falcon.App</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
</array>
</dict>
<key>PayloadDisplayName</key>
<string>Falcon Agent Privacy Preferences</string>
<key>PayloadIdentifier</key>
<string>FalconSensorPreferences.030D905D-2609-455F-93B2-484BFF7930E2</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>030D905D-2609-455F-93B2-484BFF7930E2</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>X9E956P446</key>
<array>
<string>com.crowdstrike.falcon.Agent</string>
</array>
</dict>
<key>NonRemovableFromUISystemExtensions</key>
<dict>
<key>X9E956P446</key>
<array>
<string>com.crowdstrike.falcon.Agent</string>
</array>
</dict>
<key>PayloadDisplayName</key>
<string>Falcon Agent System Extensions</string>
<key>PayloadIdentifier</key>
<string>FalconSensorSystemExtension.B685133B-6BF8-41A0-AE81-C0D24959CA69</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadUUID</key>
<string>B685133B-6BF8-41A0-AE81-C0D24959CA69</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>Rules</key>
<array>
<dict>
<key>RuleType</key>
<string>BundleIdentifier</string>
<key>RuleValue</key>
<string>com.crowdstrike.falcon.UserAgent</string>
<key>Comment</key>
<string>Falcon Sensor User Agent</string>
</dict>
<dict>
<key>RuleType</key>
<string>TeamIdentifier</string>
<key>RuleValue</key>
<string>X9E956P446</string>
<key>Comment</key>
<string>Crowdstrike Team ID</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Falcon Sensor Service Management</string>
<key>PayloadIdentifier</key>
<string>FalconSensorServiceManagement.0E7503BC-1F54-433D-9AC3-4A64DDEAB75D</string>
<key>PayloadUUID</key>
<string>0E7503BC-1F54-433D-9AC3-4A64DDEAB75D</string>
<key>PayloadType</key>
<string>com.apple.servicemanagement</string>
</dict>
<dict>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
<key>FilterGrade</key>
<string>inspector</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>Organization</key>
<string>CrowdStrike Inc.</string>
<key>PluginBundleID</key>
<string>com.crowdstrike.falcon.App</string>
<key>PayloadDisplayName</key>
<string>Falcon Sensor Content Filter</string>
<key>PayloadIdentifier</key>
<string>FalconSensorContentFilter.B93181BB-7598-4FDB-BF99-3AAACDA7697C</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadUUID</key>
<string>B93181BB-7598-4FDB-BF99-3AAACDA7697C</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Crowdstrike Falcon Sensor</string>
<key>PayloadIdentifier</key>
<string>FalconSensor.A197D861-F347-492A-9E29-795E3AB3324C</string>
<key>PayloadOrganization</key>
<string>NinjaOne</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>A197D861-F347-492A-9E29-795E3AB3324C</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Additional Resources
Refer to the following resources to learn more about NinjaOne MDM: