EDR Update: macOS rollout begins Monday
Hi, everyone! Happy March! We’re going to have a few short announcements regarding the EDR rollout over the course of the month as we get things put into place across the various operating systems we have. For background, see my previous EDR announcement.
This first one is for macOS. For all managed and co-managed machines, we’re going to push out the profile for CrowdStrike Falcon on Monday. (For completely self-managed machines, please see these instructions.) This will send the software to your computer but it will not automatically install it. The reason we’re taking this approach is that in the process of installing the software, the network component will cause a brief interruption in any active network connections, and we don’t want you to lose any work due to a network blip.
Instead, we’ve got it set to install on the next login. So after Monday (let’s say end of day to be safe), when you’re at a good spot for that sort of thing, log out of your Mac. You don’t need to restart for this, but if you’ve got pending updates this is a good opportunity to take care of them and restart all the same.
After the installation happens, depending on the version of macOS you’re running, you’ll see notifications of what’s been installed and what is happening. Ventura users will see notifications related to the background tasks that launch on login to run the Falcon sensor. You may also see the Falcon sensor asking permission to send you notifications. I recommend allowing that, as it will tell you when it finds something, but if you disallow that, the findings are still reported back to the server regardless.
If you run third-party network filtering software (for example, Little Snitch), you will also be asked for network permission to contact the CrowdStrike server. You really do need to allow that. If you disallow it, the software isn’t doing its job, and we’ll eventually reach out to you to ask why the sensor isn’t able to report home or get updates.
After that, you’re done. It’s installed. It will self-update, handle malicious software, and notify us or Cyber where necessary.
For more information, see the CrowdStrike FAQ.