This page will detail the minimal software configuration you are required to run on your self-managed computers.
Any computer leaving Argonne’s campus requires the lab’s EDR software, including Crowdstrike (endpoint protection software), Nessus/Tenable agent (reports known software vulnerabilities on your computer), as well as having full disk encryption (protects data from unauthorized users).
Manual EDR Install – macOS
We strongly recommend using Self Service (aka Jamf) on self-managed machines.
If you are unable to use Self Service:
Crowdstrike
- Ensure your terminal program has full disk access.
- Open System Settings, then “Privacy & Security”, then “Full Disk Access”
- Make sure the terminal program you use (Terminal, iTerm2, etc.) is listed and has full disk access. If it doesn’t, click the + icon at the bottom of the window, navigate to the terminal program of choice, and add it. It will need to quit and reopen as part of this process.
- The installation will fail if the terminal is not authorized to write to the disk properly.
- Visit the following Box folder: https://anl.box.com/s/dybxzgvbqmovq5zinhaopok054e7xzxk
- From the macOS folder, download the pkg file and the install-crowdstrike.sh file
- The installation script assumes these files will be in ~/Downloads.
- In your terminal program, run the following command (change the path name as appropriate)
sudo sh ~/Downloads/install-crowdstrike.sh
- This installs Crowdstrike and adds the Argonne license key, activates the software, and tags the computer record for filtering on the management console. Do not share this license file with others outside Argonne.
- You will need to approve Network Filter and the System Extention.
- Give Falcon full disk access.
- Open System Settings, then “Privacy & Security”, then “Full Disk Access”
- Click the + icon at the bottom of the window, navigate to /Applications/Falcon.app, and add it.
- If you use an outbound firewall (such as Little Snitch), Falcon will need to be able to talk to the Crowdstrike servers, so grant permission if asked. It will want to talk to cloudsink.net.
- You can verify the install is successful with this command:
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
Tenable Agent
- Follow the steps in this Knowledge base article.
Eracent
- Installation folder can be found here, with instructions inside for the various OSes.
Full Disk Encryption
- Open System Settings, Privacy and Security, and turn on FileVault.
Manual EDR Install – Windows
Crowdstrike
- Visit the following Box folder: https://anl.box.com/s/dybxzgvbqmovq5zinhaopok054e7xzxk
- From the Windows directory, download the Windows_CrowdStrike_Falcon.zip file
- Right-click the downloaded file on your computer and choose “Expand All” (the installation will fail if you do not fully extract the archive)
- Open a command prompt as Administrator
- Click the Windows icon in your lower menu bar, type CMD and select “Run as Administrator”
- CD to the unzipped folder, and run Install.BAT
- During installation, you may see warnings from Microsoft Security Center. This is normal behavior as the installer has to disable to Microsoft defaults to install and make itself the default provider. After installation, Security Center should show all clear and show Crowdstrike Falcon as the provider.
Tenable Agent
- Follow the steps in this Knowledge base article.
Eracent
- Installation folder can be found here, with instructions inside for the various OSes.
Full Disk Encryption
- Follow these instructions to turn on BitLocker in Windows 10 or Windows 11.
Manual EDR Install – Linux
Crowdstrike
- Visit the following Box folder: https://anl.box.com/s/dybxzgvbqmovq5zinhaopok054e7xzxk
- From the Linux directory, follow the instructions in the README file in that folder for the activation commands and keys
Tenable Agent
- Follow the steps in this Knowledge base article.
For groups= use either CELS_Desktop_Linux or CELS_Server_Linux
Eracent
- Installation folder can be found here, with instructions inside for the various OSes.
Full Disk Encryption
- Depending on the distribution of linux you are using, the instructions vary. If you are choosing to run a Linux laptop, the onus is on you to enable full disk encryption and be able to demonstrate it. It is generally not feasible to do this on a built system and should be done during OS install time. If your linux laptop cannot be verified to be using full disk encryption, it will not be approved for travel.