Episode 294: CrowdStrike Falcon, Security Deployment Techniques, & Threat Awareness

Once upon a time we claimed the Mac couldn’t get a virus. Now we know the folly of our ways. There is a red ocean of endpoint protection solutions for the platform today, but we’re curious to better understand the requirements and the benefits. CrowdStrike Falcon is one of those tools and we’ve asked Bilal Habib to join us for this episode to discuss what it is, how it does it, and what are some things an admin needs to know. But we want to tell that story as a journey for how someone in the trenches actually got to know the things!

Hosts:

  • Tom Bridge, Principal Product Manager, JumpCloud – @tbridge777
  • Marcus Ransom, Senior Sales Engineer, Jamf – @marcusransom
  • Charles Edge, CTO, Bootstrappers.mn – @cedge318

Guests:

Transcription of this episode brought to you by Meter.com

Meter is the easiest way for businesses to get internet, networking, and WiFi. Our full-stack approach combines hardware, software, and operations so that any company can seamlessly run on a reliable and modern network.

  • Streamlined installation: We take on the complexities to make designing and deployments easy, fast, and stress-free. We manage the entire installation process, and provide ongoing maintenance and support.
  • Network hardware, security & management: We design and build our own controllers, switches, and wireless access points. After the network is deployed, review your speed, usage, and security in one unified dashboard. No need to hire vendors in every location or have IT teams fiddle with manual configurations — everything is automated with our software.
  • Simple pricing: Pay one monthly rate with no up-front costs for installation, configuration, or hardware.

James Smith:
This week’s episode of the Mac Admins Podcast is brought to you by Kandji. Automation in IT is a hot topic, and for good reason. Automating repetitive tasks frees you to focus your skills on more strategic projects that move the needle for your organization. Kandji, the Apple device management and security platform, features over 150 pre-built automations to multiply your effectiveness and impact daily. To see how to take the repetition out of your to-do list, visit kandji.io. That’s K-A-N-D-J-I.io.

Tom Bridge:
Hello and welcome to the Mac Admins Podcast. I’m your host, Tom Bridge, and, Charles, how are you today?

Charles Edge:
I’m good. It was a bit of an expensive day. I ordered some new appliances and they’re smart so, hopefully, they’ll just do the laundry for me now. I don’t know.

Tom Bridge:
I mean, that sounds like a huge investment. Having just folded an entire three days’ worth of massive laundry purge here, I would really love to have a laundry machine that did that for me. That would be totally cool and so-

Charles Edge:
I think I just gave up on folding laundry. You can probably tell if you see me out in public looking as disheveled as can be, so…

Tom Bridge:
It just makes it easier to store the stuff, in my opinion. I’m less worried about the wrinkles because, I mean, I will… Yeah. Anyway, that’s kind of how it is. Marcus, how are you?

Marcus Ransom:
I’m good. I haven’t been buying anything smart. I’ve just received a new dining table. It is an incredibly dumb lump of wood, but we can now have large numbers of people around for dinner, so it’s lovely.

Charles Edge:
Be right over.

Tom Bridge:
I was going to say, as soon as I can get down that way again, I’m excited for that, because one of the things that we do here in the States is obviously Thanksgiving and so that was this past week and we had a bunch of people for Thanksgiving dinner on Thursday and that meant putting the extra leaves in the table. And it is my grandmother’s dining room table. And so I still kind of love that, bringing out the old silverware, bringing out the dining room table and making it big and long for this, for the sake-

Marcus Ransom:
Just feels like she’s at every meal, when you have people over?

Tom Bridge:
Well, it’s more I really enjoy beautifully built old furniture. So I think that that’s really where we’re going to go with that one. But it’s been a great holiday week here in the States. I have eaten entirely too much turkey. I don’t know if that’s such a good-

Marcus Ransom:
That’s the right amount, I think.

Tom Bridge:
Yeah. I was going to say, we did turkey the weekend before for Friendsgiving and then turkey on the big day and then yesterday I made turkey wild rice soup and then tomorrow I’m making turkey pot pie and then, hopefully, that will be the last of the leftovers, but we’ll see. I mean, there’s only so much turkey a man can eat and I think I’m pushing the bounds of good taste on that, but either way, that’s kind of where we are. But we’ve got an incredible guest here this week. Bilal Habib, welcome to the Mac Admins Podcast. We’re so glad you could join us this week.

Bilal Habib:
Hi, everyone. Yeah, thanks for giving me the opportunity to come on board. Happy to talk about CrowdStrike this session and get to know you, yeah.

Tom Bridge:
Yeah. So, once upon a time, we always heard the claim that Macs couldn’t get viruses, and now we kind of know the follies of our ways. There was definitely a way to do that back in the OS 9 days and obviously as, further, we got into Mac OS 10, and then now Mac OS just generally speaking, there’s a red ocean of endpoint protection solutions for the platform there. But we’re curious to better understand the requirements and the benefits.
CrowdStrike Falcon is one of those tools and we’ve asked you here to kind of talk about what it is, how it does the work that it does and what are some of the things an admin needs to know about it as a platform. But we want to tell that story as a journey for how someone in the trenches got to actually know these things. So one of the things we love to do when somebody’s brand new to the podcast is kind of get to hear a little bit about them, a little bit of how they got to where they are. So we want to get into your journey with the intersection between device management and information security. So do you mind telling us how you got into being a Mac admin, and in information security?

Bilal Habib:
Yeah. Of course, yeah. So this is my name, I’ll repeat again, my name is Bilal Habib. So I joined Made.com as an IT Support Apprentice after I left college in the UK. So at the time at Made we didn’t have an MDM to manage our Macs, we didn’t use an MDM, so things were very difficult. So in my IT Support Apprentice role I was mainly focusing on first line support and onboarding and offboarding, so I did a lot of the manual processes that we did to set up Macs and offboard them and then support them at the same time, as well. About-

Marcus Ransom:
So technically you were the MDM is what you were saying, rather than-

Bilal Habib:
Yeah. Yes, basically, yes, yeah. Yeah, at that time, yeah. Yeah. And then, about a year after that, I finished my apprenticeship and got a permanent position as an IT Support Engineer and around the same time we hired two new IT Support Apprentices as well, and it was a great time for me to show them around and mentor them into IT as well, because I had the same kind of support from when I joined. So as part of my new role, I did a lot of work on IT projects and a lot of work on service desk escalations, because at the time our team was, I’d say, not that mature in terms of our processes. There was a lot of work that we could do to automate and improve things amongst our infrastructure. So there was quite a lot of interesting security projects that we did throughout those years at Made.
And then, in October 2021, I got promoted to IT Infrastructure Engineer at Made.com. It was the same role, basically, as what I was doing before, but just a proper job title change. And then, unfortunately, Made.com went into administration earlier this month. But I have a new place to go to already, but it was just a sad moment, given that I started my career there and I learnt everything from there and my colleagues learnt a lot as well and I’ve felt quite a lot for them, so that’s how I kind of got started at Made.
A bit more diving into how I got started in the Macs. So we hired a Jamf admin I think at some point during Summer 2020, I believe it was, or Summer 2019, with the intention of enrolling all of our Macs into Jamf that we had just purchased, but we needed to do it as part of a security project. So at the time my kind of part into that kind of project was sorting out all the enrollment. So we had a defined process for doing a user-initiated enrollment for all of those devices. At the time, pre-COVID, we were doing everything in the office, so most of our users were based in our head office in Singer Street. So we had the process defined to go around to their laptops and enroll them into our MDM.
We did split that up across our team and it went well eventually, we got everything enrolled, and then about in November 2020 I think it was, we signed a deal with CrowdStrike Falcon for endpoint security, for their product, and that was my first, basically, proper Mac OS management project. Everything I had done before with Mac OS was very, very basic, so the things I knew how to do in Jamf were very basic things like flushing a policy log or renaming a computer or assigning a computer to someone. I had no clue how to automate the installation of software on a Mac. I had no idea what system extensions and… I knew what kind of extensions were, but I didn’t know how to configure them and all that lovely stuff, so it was a brand-new world for me at that time, but I’m glad that I went into that project and volunteered for it and got stuck into it because it’s definitely played a key part in my career and I loved learning about it as well.

Tom Bridge:
That’s awesome. Do you want to give us a quick 32-second, 62-second, bite on what exactly CrowdStrike Falcon is? Because I think that there are a lot of Mac admins out there who are just like, “The CrowdStrike what now?” I know that they’ve got a big brand awareness campaign and that everybody’s heard of maybe what they do, but maybe it’s not as clear about how they directly interact with a Mac OS device.

Bilal Habib:
Yeah, so CrowdStrike Falcon is an endpoint security solution built to stop security threats on the device. It’s not your just typical anti-malware, it’s also next-generation, so it doesn’t do the scan-my-computer-in-one-go sort of thing. It’s much more efficient and also it has EDR as well, so it continuously monitors those devices to prevent and respond to threats. And there’s much more to CrowdStrike’s products as well. That’s just the opening piece of them.

Charles Edge:
And I do feel like we make these assumptions based on things that amorphous information security people have told us that we need to do, but it helps to kind of understand why these tools exist, so that we can illustrate what they do based on, I guess, what they’ve done to protect actual devices. And this can be a Boolean response or, if you’re allowed, it could be a story, but have you seen where a potentially damaging situation was averted due to having these types of tools on endpoints?

Bilal Habib:
Yeah. Well, one of the questions I asked at early point at my career at Made was, what antivirus did we use? And I didn’t expect the answer that we got. So when we implemented CrowdStrike Falcon after that, we significantly decreased the problems we had with viruses and malware, because we actually had a centralized system, a centralized solution, that reports back to us about all the security threats, so that we know about them. We didn’t know about them before and we had the ability to, on a really, really granular level, define what controls you want in the anti-malware, specifically for Falcon. So it’s something that definitely helped us at Made and improved our security and it’s always worked properly and as expected.

Charles Edge:
And you mentioned that first project and that sounded like a lot of on-the-job learning, setting up things. One of our favorite things to do is talk about how people learn to use the tools we use, because that maybe helps inform other people who are going to go down that same path. Did you do training with CrowdStrike or mostly get help from people on Slack or was it do the thing and so learn everything the hard way?

Bilal Habib:
It involved do the thing, learn everything the hard way, and get help on Slack as well, as well as get help from CrowdStrike Support. One of the things I do have to mention, though, is that the documentation for CrowdStrike was actually pretty good in terms of narrowing down what exactly everything is. That actually made me understand what I was doing. I wasn’t following instructions and not understanding what I was doing at the time. So I didn’t know what the whole point of, or the reason why, that you needed a configuration profile for CrowdStrike Falcon and why you needed that to manage the settings on Mac OS. My device experience at the time had been more heavily on the Windows side, so I used route policies to manage things on Windows and kind of copied a bit of that into how I understood managing the various payloads on Mac OS.
I jumped into CrowdStrike at a really interesting time, because it was just when they launched version six of the Falcon agent. So that was a big change from the documentation. That was the way I read it, at least. It was a massive change from them. They completely changed the way the sensor works and it’s installed and what directories it goes to. At the same time, it made it a bit more difficult for me, because it meant less people knew what V6 entails and all the problems of V6 and how to configure it and so on. So one of the requirements of CrowdStrike Falcon is that you need an MDM to deploy a configuration profile with the various payloads. One of those payloads is the Privacy Preferences Policy Control payload, and that gives the CrowdStrike Falcon agent full access on your Mac, so it can see everything possible.
But there was an additional missing bundle ID in that profile, which wasn’t there at the time, that was provided by CrowdStrike, and because of that, when I was testing the Falcon sensor, essentially the sensor wasn’t working, because it couldn’t see the files on the disk, because it needed two entries to be approved for full disk access. I only knew about the one of them, I didn’t know about the other one, and I didn’t know what bundle IDs were on Mac OS either, so it took me a while to figure that one out and get someone on the support side as well to identify that issue as well.
So I’ll just explain a bit more. At the time, CrowdStrike provided the configuration profile on their customer support portal to you, so you could download it, assign it and upload it to your MDM. So it was prepackaged, essentially, and you weren’t supposed to change it and it was supposed to work out of the box. Now, because it was a brand-new sensor and a brand-new version, no one else really knew about these problems and I was just going into it at the time and I was going through the hard side of it. But I got some support on the Slack from the sales engineers in the CrowdStrike channel, as well as support from the CrowdStrike Support team as well, but it was one of the interesting things I learnt, because, oh yeah, you’re right in the middle of a new product release and you’re going through all the difficult bits about it.

Charles Edge:
We love seeing or hearing about when actual support teams are sitting in Slack channels. Talk about knowing where the customer’s at and meeting them there.

Bilal Habib:
It’s brilliant.

Tom Bridge:
Yeah. And huge ups to at least a couple of the folks. I know that Chris Brumstead from CrowdStrike has been pretty active in there, along with a couple of his product managers, so it’s great to see the CrowdStrike team kind of making a home for themselves within the Mac admins community and vice versa and really becoming a part of that community, so it really does pay dividends.

Marcus Ransom:
And also seeing the evolution of their product as a result of that engagement, seeing the documentation change. We love it when vendors provide selectable text in their documentation where, if you’re wanting to build your own configuration profiles rather than downloading them, it’s awesome seeing vendors who understand what we need to be able to do that and how they can save a bunch of time and save a bunch of potential misconfiguration and going around in circles, because-

Tom Bridge:
And I’m fairly sure that the ability to license the Falcon agent via MDM profile, where you can throw in a CCID or the CrowdStrike unified ID, the unique ID that says, “This is part of my instance,” can be delivered via MDM. And I’m very sure that that is a result of direct customer feedback through the support layers that are present today. So those kind of things are-

Bilal Habib:
Yeah. Well, Richard Purves found that one out. Yeah. [inaudible 00:17:01]-

Tom Bridge:
I was going to say, well, and Richard’s scripts are out there as well for downloading your software. Whether you’re using Jamf or JumpCloud or anything else like that, using the CrowdStrike API is the best way to get the most recent version of the customer client out to the individual devices and having an API to do that kind of stuff is fascinating. So big shout to Richard Purves from… I believe he’s at… Oh, shoot. He’s at The RealReal, to providing those scripts publicly on his website. We’ll put the links in the show notes.

Charles Edge:
And just out of curiosity, because it kind of tells me how many daemons there are, but how many bundle IDs did you have to whitelist?

Bilal Habib:
For the full disk access I had to add in two of them. Later on, I had to add in a third one for the Notifications payload. That later came on as part of a later Mac OS release.

Charles Edge:
Got it. Cool.

Tom Bridge:
Well, and there are several items that you’ve got to do out there. It needs full disk access, it needs a System Extension payload, it needs a web content filter and then also needs the notification objects there, so there’s all sorts of things that are in the default profiles there for CrowdStrike. All sorts of fun stuff.

Charles Edge:
That’s fun, so it’s just one app, but inside that app are a bunch of extensions that each need their own… Got it.

Marcus Ransom:
It’s also interesting to realize that it’s not just us as Mac admins that are learning how to deal with these fantastic new features that Apple provides us with. It’s also the vendors that are going on that same journey, and effectively going through that journey before we are, because we need their tools to exist using all of this functionality, so that we can then understand how to configure it. So learning how to drive this new functionality is one thing. Learning how to build a car in using the new functionality must be a pretty confronting experience for some of these developers when the goal posts get moved the way they are.

Charles Edge:
And speaking of moving those gold posts… Goal posts, not gold posts, although for American football they are often bright yellow, so gold-ish. But what are a few gotchas that, when you were installing this, that you wish you’d have known? And I guess some of them, maybe, since it was net new agents, you couldn’t have known because you were kind of on the forefront, but what are some of those gotchas?

Bilal Habib:
One of the key things is the bundle identifiers, knowing an application can have more than one bundle identifier, especially security applications. And it’s a bit messy with how they behave in terms of actually finding those out and where to locate those resources. One of the things that later on I discovered as well, following, basically, again, Richard Purves’ advice, is splitting up the CrowdStrike Falcon profile into different payloads for a single profile, essentially, so not using a single, monolithic profile, but having each payload in a separate profile. So at the time when CrowdStrike released that V6 agent, it was a single, monolithic profile, which you were supposed to upload to your MDM, and there weren’t any M1 Macs at the time. The profile they had included a kernel extension, so when M1 Macs came about, if you tried to deploy that profile to any of the M1 Macs, it would fail to install at the time.
So one of the things I learned, and good practice I maintained on for the rest of my time at Made, was splitting up the different payloads, like the Privacy Preference payload, the web content filter system extension, and so on, into different profiles in my MDM, just so that it makes it easier to manage and more scalable and easier to deploy, something I very much appreciated at the time. So that was something I definitely wish I had known before.
Another thing I think I wish I’d known as well was… Actually I did know what to do, is what happens when the system extension misbehaves with CrowdStrike. So it was an early one I caught on, because I was configuring it incorrectly at the time. So, essentially, the system extension from CrowdStrike misbehaves, says it isn’t approved and so on. So I figured out the easy way to fix it is you just deploy a new profile with a different UUID but with the same, or the working system extension payload to that device and then reinstall the Falcon sensor on top of the existing installation. And then it figures itself, it behaves and says, “Oh, system extension approved,” and it works perfectly fine. That was one that I caught on quickly, only because I was bad at configuring the agent at the time.

Marcus Ransom:
Were you able to automate that remediation at all or was it sort of just having to identify machines where it was misconfigured?

Bilal Habib:
Yeah, so I found, it was on a Slack channel as well, a list of extension attributes to use with Jamf Pro, and one of those extension attributes checked the status of the system extension. So I used that as part of my automated solution for that and it worked pretty well. To be honest, I never really had a massive amount of devices saying it didn’t have the extension approved. Yeah, went pretty well with that, yeah.

Marcus Ransom:
But that’s potentially because they’re automated out of existence, so win-win either way.

Bilal Habib:
Yeah, so that… Yeah, yeah.

Charles Edge:
Deploying, managing and protecting Apple devices at work shouldn’t be difficult or require several solutions. Mosyle is the only Apple unified platform for business. By combining enhanced device management, endpoint security, internet privacy and security, single sign-on and enhanced apps management into a single Apple-only platform, businesses can now easily and automatically deploy, manage and protect their Apple devices with one solution and at an affordable price. With a solution for every business size and the best support in the market, request your free account today and see firsthand why Mosyle is more than an Apple MDM. Mosyle is everything you need to work with Apple. To learn more, visit business.mosyle.com. That’s business.M-O-S-Y-L-E.com.

Marcus Ransom:
So how did you get this onto the endpoints? What was the workflow for actually deploying this out to your fleet?

Bilal Habib:
Yeah. So with Jamf Pro, at the time what I did was I had a Jamf Pro policy with the Falcon sensor installer as a package in that policy, and then a separate script in that policy as well, which was used for licensing the agent and then deploying the provisioning token of the agent. The provisioning token is for just locking down the agent to your unique customer tenancy, essentially, and preventing other people from installing the agent, so malicious actors installing the agent and it falls into your tenancy. And one of the neat things that my colleague, my former colleague at the time, Daniel Lambeth, taught me was that you can have a smart group in Jamf Pro where you look for the non-existence of an application. So in my case I was looking for the non-existence of falcon.app in the applications folder and I used that as part of my smart group that I scoped that policy to.
And that was an installation that was on an ongoing basis, so a recurring checking, because it would only install the agent on devices which did not have the agent installed, so there wasn’t really any risk of that. And at the time, as well, because it was a new thing, I had that single, monolithic profile deployed to the Macs that were going to have the agent installed. One of the things that I didn’t have to worry about at the time was whether the profile was installed before the agent was installed, because I had done the profile configuration before I had done the agent configuration, so all the profile configuration was sorted before the agent was.

Tom Bridge:
Yeah, that’s the best way to handle that, right? You don’t want to have to run the risk of none of your profiles making it down until the app is there, in which case, with the system extension, it may bother the user with a notification, the user may be prompted and may deny you. And I was going to say, getting the profiles there first, then the application next, is a really great order of operations to kind of focus on. So looking at that, Falcon probably, I mean, I know that there’s a centralized platform for that, so is there any kind of customization that needs to happen to the package in order to make the Falcon agent talk back to the Falcon platform?

Bilal Habib:
Basically, no, and I’m very thankful for that, because I remember being taught about Jamf Composer at the time and I thought, it’s a good tool to use for a one-off sort of thing, but when you need to automate something it’s not really that great. But you don’t need to customize the packaged installer at all. You can license this Falcon sensor with a single command and then you can separately just have an installation token, as I mentioned before, for extra security. And then as well as you can also set routing attacks for the Falcon sensor, so you can identify one set of machines that’s high-risk, for example, sitting in Falcon, you can apply them different policies. That’s just done via a script or a command. There’s no customization you have to do to the package at all, which is one of the great things that I appreciate about CrowdStrike Falcon, because it makes it easier for me as well. I don’t have to go in and open up the package and add in stuff or write a custom script to fix something that is wrong in the package.

Marcus Ransom:
It still baffles me in this day and age that many security tools provide you with a binary and then a configuration file that needs to be in the same directory as the binary when it’s installed in order to run. And all of us Mac admins are having to repackage this binary in exactly the same way, and wouldn’t it just be easier to provide it to us already done and save us some work? If your product is annoying to even get onto a device, you’ve kind of set the scene for what it’s going to be like using it, and props to CrowdStrike for actually sorting that out and just go, “Here it is,” having it deployable via APIs, so you don’t even need to download and upload a package. You can just know that it’s going to have the latest version on there straight away and we can use modern things like configuration profiles.
When you were evaluating, were you looking at other solutions to try and decide what to use and did that sort of factor into the decisions as to what to use, as to how easy it was to deploy?

Bilal Habib:
At the time, no, we weren’t testing any other security solutions. We had just signed for CrowdStrike, so they were the one that we wanted to go with.

Marcus Ransom:
Did you get to experience any other security tools and the, we’ll say fun, of installing some of them along the way?

Bilal Habib:
Later, down the line, I did, yeah. One very similar to what you said, where the configuration file needs to be present in the same directory as the pkg, but I did some custom script around that, so I didn’t have to customize the pkg itself.

Marcus Ransom:
Nice.

Charles Edge:
Yeah, I do feel like, in the early days of this whole malware being a huge problem, I remember deploying some tools that I had to create custom GPOs that would edit this dword value in the registry, and I feel like we’re so far beyond the reg edit scripting era, even though we’re obviously on a completely different platform, but the initial deployment was always one thing, and then from their console I always felt like you could push out some changes but not all. Other changes, we would then have to go back to that reg edit scripting type thing. So once the machines with Falcon are wired up to the server, do they get all the settings from the server or do you occasionally have to send out other packages or scripts to augment stuff?

Bilal Habib:
The brilliant thing is they get all their settings from the server and you could change it on the fly and they get them, so that any other packages or scripts, they just work completely fine, especially when you change them from one sensor update policy to another sensor update policy. So maybe you want them to be a bit less aggressive of not having the latest release of the sensor, for example. That’s just you press a button in the console and then, 24 hours later, the device has picked up the new settings and that’s it.
One of the things that I would mention it’s important to do is make sure the security solution on your endpoints is actually working. It’s maybe sometimes difficult to actually evaluate that properly, but some of the things I did was I used, for example, that system extension attribute in Jamf Pro to check the system extension was loaded on my endpoints. So if it wasn’t, I would know, okay, this device isn’t going to be protected from any malware, because the Falcon sensor can’t do anything without a system extension.
Another kind of thing I delved into as part of more of my daily role was more of automation and checking whether the Falcon sensor itself is reporting back into the cloud console, and if it is, comparing that to the dates of, or the last time it was checked into our MDM, Jamf Pro. So I used Okta Workflows to kind of automate identifying are there any devices, which are checking into Jamf Pro, maybe, but not checking into CrowdStrike Falcon? I never got to finish that, unfortunately, but it was definitely something that you could do with Okta Workflows or something similar. I had a lot of fun learning a bit about the CrowdStrike API and just having that general understanding of, or having that desire in you, to make sure the things that you’re doing, stuff that you’re deploying, is actually working on the endpoints, and not just assuming that it’s going to be 100% perfect, because I think you do need some monitoring in there. You do need to be aware and you learn from what you do.

Charles Edge:
Absolutely. It’s interesting that you would need to script that or want to script that. I do feel like there’s always something that the vendor didn’t think about or something that vendor couldn’t help you bridge the gap for, and partners are often a pretty substantial part of that. So, speaking of monitoring the state of Falcon itself, there’s also the results of Falcon. Do you watch the logs using a SIEM or is that built into the platform or is that more of a third-party type of thing that you plug away at?

Bilal Habib:
So we didn’t really use CrowdStrike Falcon as a SIEM, but we have a separate SIEM that we shipped our CrowdStrike Falcon logs to. CrowdStrike are big partners with Splunk and they’ve got a SIEM solution for them. We haven’t tried that, we didn’t try that at Made, but we had a separate solution, a separate SIEM, and we shipped our CrowdStrike Falcon logs to there.

Marcus Ransom:
Were you also shipping any unified logs from the devices and using that to do any comparisons at all?

Bilal Habib:
Unfortunately, no.

Marcus Ransom:
So I loved what you were saying about comparing whether the agent is actually working. I know Papaya used to always tell us to trust but verify, and the idea of having a security tool on a device if it’s not working, it kind of defeats the purpose, and correlation of data to identify whether things are working the way they are, whether there’s any performance hits, whether the combination of two different agents is canceling each other out, it’s a very, very deep rabbit hole you can go down once you start getting knowledge and data about all of the systems that you’re using and see what you can find out about devices. Becomes a new, fun challenge to see just what you can bend things to be able to do.

Bilal Habib:
Yeah, one of the things I mentioned is that I think the reason CrowdStrike and other security vendors don’t have their own built-in offering to tell you in a cloud, in their cloud console, if their sensor’s functioning correctly or not is that you always need a third party to do that for you. You need someone else to do it. You need someone to supervise you and make sure that it’s working. Unfortunately, it’s that way. Hope that maybe in the future it can be different and it could be easier.

Marcus Ransom:
It sort of makes sense because, if it’s not working, then that would stand to reason that whatever tool or monitoring they’ve got to tell you whether it’s working or not, if it’s in their server in the cloud, the information’s unlikely to be getting there, so I think you’re right, the third party of using whatever other tools you have to be able to exploit those, to supervise, check up on, snitch on what other things you’ve got running, is a good way of doing things.

Charles Edge:
So Tom did mention earlier, I think it was Tom, the Proxy payload…

Tom Bridge:
The web filter!

Charles Edge:
Right! So, when they say, “endpoint and identity,” does that also mean that CrowdStrike acts as kind of a ZTNA? And by, “kind of,” I mean, “totally.”

Bilal Habib:
Yeah. Basically, yeah. Because when you have an endpoint, an identity, it kind of is Zero Trust, because the reason you have endpoint security is you want to control who has access to your identity platform and you want to make sure they are who they are. So I would say that, yeah.

Tom Bridge:
Yeah. And there are several different continuous access policies that CrowdStrike provides as part of their platform to interface with those kind of things, and of course they’ve got a ZT score, so that they can essentially, based on the policy of your device, decide what state it’s in and decide what value control you can put on that, so that essentially you can say, “All right, system over here, you’re not ready, because you’re running an old version of the operating system, you’re running an old version of Chrome,” or, “You’re running an old version of all of the above, and therefore your system’s at substantial risk of maybe not being the healthiest.” You can essentially say, “Hey, bro, it is time for you to get some maintenance done. Until such time you cannot talk to all of the key systems within your organization.” So having that kind of web filter in place is exactly what it allows it to do.

Bilal Habib:
Yeah, one of the things about that is CrowdStrike do have a Zero Trust solution called CrowdStrike Zero Trust and they also integrate with Okta. Unfortunately, we never had a chance to test it out at Made, but I’ve heard good things about it, and it’s always good that… Okta’s one of the most… I think it’s the leading identity platform in the whole world, so having your security tools supported-

Tom Bridge:
I think both Google and Microsoft would love a word. Not to mention my employer-

Marcus Ransom:
Fight! Fight! Fight! Fight! Fight!

Tom Bridge:
… would like you to stick up for them here. But I was going to say though, I mean, identity is the big keystone for all of these kind of things, whether that’s Okta as your identity provider, Azure, Google Workspace and the Google Identity Platform, or JumpCloud. Those are the key areas.

Marcus Ransom:
Don’t forget Salesforce Identity, Tom.

Tom Bridge:
The less we say about that, the happier I will be. I am still on vacation for 12 more hours and…

Charles Edge:
It does what it says on the tin.

Tom Bridge:
Mostly. Yes, I agree with that statement. But I think that, in a lot of ways, making sure that endpoint security and identity are tied together is a really important part of figuring out what the future is for your organization’s security.
So one of the other things that comes up all the time with security tools like Falcon, like SentinelOne, like Sophos and all of the others, is performance. What does it cost your machine in terms of performance resources to run Falcon? So how impactful to a machine’s performance is Falcon once it’s been deployed?

Bilal Habib:
Yeah, so CrowdStrike claim the Falcon sensor uses one percent or less of CPU. I won’t say much about that, but I will say it comes down a lot to what your users are doing and how that’s going to affect them. So at Made.com we had a dedicated team to work on our iOS application for the App Store, for the Made.com app, and naturally, having endpoint security on the device is going to slow things down. In our case, it wasn’t enough to slow things down for people to complain about it.
And people assume that speed is natural, but I’ve never seen it personally crash, ground a device to a complete halt or anything like that. Obviously, there’s experiences other customers have had where they’ve had to add in exclusions for their development tools, but the main thing is that we had a dedicated team for developing our iOS application. They didn’t complain about it, maybe because they didn’t know that it was slowing them down, but maybe it didn’t slow them down that much, but I think it’s basically security and risk and I think, on the security side, the risk, sorry, outweighs the cost to the performance, because the performance cost isn’t significant, from what I’ve seen, at least.

Marcus Ransom:
Yeah, if something managed to find its way into their app that they were developing, that would be bad, wouldn’t it?

Charles Edge:
Yeah. Especially them. I’ve also seen video editing, audio editing, those Pro Tools, Avid, Final Cut machines where, when they go to render, if we haven’t excluded certain folders, then there will be dropped frames, so little black screens popping up within the exported video.

Bilal Habib:
It’s a horrible experience, isn’t it?

Charles Edge:
Yeah.

Marcus Ransom:
Did you have to do much work on exclusions or building out your configuration in the portal for the machines, or did things sort of pretty much work out of the box?

Bilal Habib:
Yeah, in terms of exclusions, on the Windows side what we used to actually install the sensor used to complain about installing the sensor, so I had to exclude that. But usually the exclusions were perfectly fine, to be honest. We never really had a need to exclude a system folder in macOS or any of the applications that we deployed in macOS. They all seemed to work fine. I did at one point have this problem with CrowdStrike Falcon, where there was an update to some Adobe software and the machine learning in CrowdStrike for several weeks kept detecting it as a low-level… I think it was malware or something else. It was really annoying at the time, but eventually it went away. It was just part of CrowdStrike’s machine learning and it’s nothing that you can silence or exclude, but it was nothing crazy. It just frustrated me a little bit for those few weeks.

Marcus Ransom:
Machine learning perhaps taking cues from Alistair and getting upset with Adobe’s updates, maybe.

Bilal Habib:
I can understand why you’d complain about Adobe being malware, so I can’t really say too much about CrowdStrike’s machine learning there.

Marcus Ransom:
Maybe it was having a look at some of their pre-install scripts and just saying, “No. No. Don’t do that.”

Tom Bridge:
“This isn’t a real package! This is just three application binaries in a trench coat!”
So one of the other interesting pieces is that CrowdStrike also has a mobility tool here that can be installed on iOS and Android devices and things along those lines. Have you used those tools before? Do you have any thought on using these kind of tools on personal devices as well as on company-wide ones?

Bilal Habib:
Yeah, unfortunately we didn’t use any of CrowdStrike’s EDR offering for Falcon, we didn’t subscribe to them at the time, but I will say, between personal devices and company devices and so on, we didn’t like company-owned phones. I think the main reason why we didn’t like them is because of the data people put on them. We don’t want to be responsible for all the images and so on people put on there, and if we had endpoint security on those endpoints and more monitoring, people wouldn’t be comfortable with that and they’d have to reevaluate their decision to use their company device as a personal device, and I think maybe that’s okay with a laptop, but with a mobile phone I think it’s a complete disaster what people do, and you don’t want to end up in trouble with people. So one of the key things that we had was that users destroyed their own data on their mobile phones before they returned them to us.
And I do think one of the key things that an endpoint solution on mobile device should do is monitor as much as possible, because it is a work device and I think people would definitely need to understand. On a phone I think it’s much more important than it is on a laptop, because just the way that people use mobile phones is… People take pictures with their mobile phone. They don’t take them with their MacBooks. So it’s mainly there’s much more risk there to use it themselves, so having them monitored.

Marcus Ransom:
I think that’s where I found Apple’s user enrollment really fascinating, coming up with a way that you can actually have the corporate area of the device, where the corporation, the organization, can go nuts with control and monitoring and then actually have no access to the rest of the device. I know, back in the day, seeing some of the lesser well-known MDM solutions try these sort of sandbox areas and wrapped applications and those sorts of things and sort of get things working, but it was a really crap user experience.
And seeing Apple come up with a way where it’s almost seamless to the user, so they see all of the apps presented the way they normally are and can use it without needing too much instruction, but being able to give organizations that confidence of having no access or involvement with that personal data that’s on the device. It does bring up an interesting concept of, even if the organization has no insight into that information and they’re able to prevent crossing backwards and forwards, it’ll be interesting to see what courts of law deem responsibility, if there are pictures on devices and it’s a personal device. I would expect Apple’s lawyers have been all over that and have designed it around that way. But I love things like not even being able to see the serial number of a personal device, because I have no business knowing that.

Tom Bridge:
Yeah, well, I mean, not seeing the serial number, not seeing the Mac address, not seeing any of that, you get a stand-in unique ID that you can basically say, “Okay, I can know about this device and I can say I can put apps on this device, but this device, it’s just a made up number that doesn’t actually correspond to anything on the device.” I love that. That is one of my favorite features of user enrollment, bar none.

Bilal Habib:
All right. Yeah, I think I remember there was a presentation about user enrollment I watched, I think it was at Macs’s admin conference earlier this year. It was quite useful learning about that. I wasn’t aware of it at the time and it was pretty interesting to see what it could offer and how it would solve the problems that were raised by personal device usage and BYOT.

Charles Edge:
Lots of nested case statements train your program around the different rules though. That’s the low.

Tom Bridge:
Oh, totally.

Charles Edge:
That’s the one challenge.

Tom Bridge:
I mean, you have to treat them as totally separate enrollment types and just say, “Okay, if this is what a device-enrolled device or an ADE device is, or a supervised device is, over here with totally different rules are all of these user-enrolled devices.” You can say, “Yeah, I really want to have a password policy for user-enrolled devices.” Well, guess what? That rule is one rule and it’s predefined for you. So you can’t say “Eight digits, alphanumeric, can’t be your last five passwords.” You can just say, “Complex six-digit code.”

Charles Edge:
But now you can name your phone, I Hate My Boss.

Tom Bridge:
Well, I mean, you can name your phone that and we won’t know. That’s exactly right. That’s exactly right, we will have no idea.

Marcus Ransom:
Is it the fact that you want them to know that you hate them that you’re naming it that? I also love the fact that it’s tied to identity, that, rather than the serial number of the device or the UID being the unique identifier, it ultimately is the identity. Tom, do you have any statements about identity and Managed Apple IDs and integrations that you would perhaps like Apple to hear for the first time?

Tom Bridge:
Well, I really love the fact that we can now tie those in with Google IDs and that Google Workspace and Azure IDs can be used to skim the creation of a new Managed Apple ID and to handle a federated authentication. Really, there’s two whole languages that are available for Apple: SAML and OpenID Connect. Wouldn’t it be rad, I mean, and I know that I’m just talking out of my hat and I’ve never said anything like this on the podcast ever before this month, where you could have a third-party IdP, like an Okta or a JumpCloud-

Charles Edge:
Or a Salesforce.

Tom Bridge:
… who could be responsible for those? Or Salesforce. Salesforce: very large public company, as a matter of fact.

Charles Edge:
Or Yahoo. Yahoo? I mean, there are certainly choices, that certainly could be a choice that you make as a company, to hand over your identity to Yahoo, which is still a thing and not totally made up by us right here, right?

Marcus Ransom:
Twitter ID? Is that next? For your $8 do you now get-

Tom Bridge:
No. [inaudible 00:49:36]-

Charles Edge:
I mean, they did invent it.

Tom Bridge:
Okay, fair. We’ll let you federate your Managed Apple ID with your Twitter account. But the whole idea is that Managed Apple IDs ought to be available for more than just Google and Microsoft.

Bilal Habib:
I definitely agree.

Tom Bridge:
And-

Charles Edge:
If-

Tom Bridge:
… it would be really rad if OpenID Connect or if SAML could be at the heart of that.

Charles Edge:
Well, there are RFCs that define what all of the transactions look like. If they were all the same and all actually worked the same, then I think you’d have your wish. However, there would be dragons with every single one of them that I’ve tried to-

Tom Bridge:
Always.

Charles Edge:
… integrate with, so…

Tom Bridge:
Always. There’s dragons with all the things and-

Marcus Ransom:
This is why we can’t have nice things.

Tom Bridge:
… now that we support OpenID Connect and JumpCloud, and I’m really happy that we do, I mean, having those kind of options, as well as SAML, as well as, hey, let’s go invent some other new way of doing things, I am totally down with exploring the new frontiers of identity, but I’d like the ability to be able to do those kind of things with the Managed Apple IDs that are supposed to be key to our future, right? I mean, that’s Apple’s opinion. Apple firmly states that you should be able to use Managed Apple IDs to deploy applications to BYO devices, and using corporate accounts. Well, I mean, I’m building Apple’s-

Charles Edge:
Ken Hess plays.

Tom Bridge:
… yeah, and Ken Hess would develop engineering resources for, but I need the ability to do that, and right now I can’t.
Here at the Mac Admins Podcast, we want to say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity. Stu Barker, thank you. Adam Selby, thank you. Nate Walk, thank you. Michael Tsai, thank you. Rick Goody, thank you. Mike Boylan, you know it, thank you. Melvin Vives, thank you. Bill Stites, thank you. Anoush d’Orville, thank you. Jeffrey Compton, M. Marsh, Stu McDonald, Hamlin Krewson, Adam Burg, thank you. A.J. Potrebka, thank you. James Stracey, Tim Perfitt of twocanoes, thank you. Nate Cinal, Will O’Neal, Seb Nash, the folks at Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel McLaughlin, Justin Holt, Bill Smith and Weldon Dodd, thank you all so much. And remember that you can back us if you want to just head on out to patreon.com/macADMpodcast. Thanks, everybody.

Charles Edge:
So, at the risk of beating a dead horse into absolute nothingness, we have a bonus question, right, Tom?

Tom Bridge:
We do have a bonus question! I love the bonus question this week. This is one of my favorites. All right, favorite name for a piece of malware. So, Bilal, you get to go first. You’re the guest. Well, what’s your favorite name for a piece of malware?

Bilal Habib:
Yeah, my one is CryptoLocker. It’s not what it says on the tin, so just be careful with it.

Tom Bridge:
How about you, Marcus?

Marcus Ransom:
Well, in the spirit of anti-malware, I’m going to go for a false positive. When you’ve got the last name Ransom, sometimes… I remember when the entire state school system of Victoria would refuse to accept emails from me to be able to interact with my kids’ teachers at school, because I was marked as malware, which from a certain point of view could probably be seen as being correct.

Charles Edge:
How about you, Tom?

Tom Bridge:
I have always loved Fruitfly. I think that that is such a fascinating piece of malware to begin with, but such a great little name, because they’re little, annoying and you can’t get rid of them, so I mean, I feel like it was very aptly assigned. So, Charles, how about you?

Charles Edge:
Elk Cloner, the program with a personality. It will get on all your disks. It will infiltrate all your chips. Yes, it’s a Cloner. It will stick to you like glue. It will modify RAM too. Send in the Cloner. That would be the first Apple virus for Apple DOS 3.3 in 1982, and it’s still a classic.

Tom Bridge:
Amazing. Well, Bilal, thank you so much for joining us, and I’m glad to hear that you’ve landed on your feet and have found your next spot after Made. If folks want to find you on the internet, where should they go looking?

Bilal Habib:
Yeah, thank you very much for that. I think they can look for me on my LinkedIn and, I guess, on MacAdmins Slack as well. I was much more active there last month, but I’m just spending a bit of time away from the work channels now, so I’ll be back there soon, but you can find me there.

Tom Bridge:
Fantastic. Thank you so much for joining us. It was a real pleasure talking with you today.

Bilal Habib:
Thank you very much. Yeah, thanks for having me.

Tom Bridge:
And, of course, thanks to our wonderful sponsors this week. That is our friends at Kandji and Mosyle. Thanks so much to our amazing Patreon backers and, of course, thanks, everybody. We’ll see you next time.

Bilal Habib:
Thank you very much.

Charles Edge:
See you next time.

Marcus Ransom:
See you later.

Tom Bridge:
The Mac Admins Podcast is a production of Mac Admins Podcast LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer is James Smith. Our theme music was produced by Adam Codega the first time he opened Garage Band. Sponsorship for the Mac Admins Podcast is provided by the macadmins.org Slack, where you can join thousands of Mac admins in a free Slack instance, visit macadmins.org, and also by Technolutionary LLC: technically, we can help. For more information about this podcast and other broadcasts like it, please visit podcast.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.

Patreon Sponsors:

The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include:

Rick Goody, Mike Boylan, Melvin Vives, William (Bill) Stites, Anoush d’Orville, Jeffrey Compton, M.Marsh, Hamlin Krewson, Adam Burg, A.J. Potrebka, James Stracey, Timothy Perfitt, Nate Cinal, William O’Neal, Sebastian Nash, Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, William Smith, and Weldon Dodd

Mac Admins Podcast Community Calendar, Sponsored by Watchman Monitoring

Conferences
Event Name: XWorld; Location: Melbourne, AUS; Dates: 30-31 March 2023; Format: TBA; Cost: TBA

Upcoming Meetups
Event Name: Houston Apple Admins; Location: Saint Arnold Brewing Company; Dates: 5:30pm 4th March 2024; Cost: Free

Recurring Meetups
Event Name: London Apple Admins Pub; Location: Online weekly (see #laa-pub in MacAdmins Slack for connection details), sometimes in-person; Dates: Most Thursdays at 17:00 BST (UTC+1), 19:00 BST when in-person; Cost: Free
Event Name: #ANZMac Channel Happy Hour; Location: Online (see #anzmac in MacAdmins Slack for connection details); Dates: Thursdays 5 p.m. AEST; Cost: Free
Event Name: #cascadia Channel Happy Hour; Location: Online (see #cascadia channel in Mac Admins Slack); Dates: Thursdays 4 p.m. PT (US); Cost: Free

If you’re interested in sponsoring the Mac Admins Podcast, please email podcast@macadmins.org for more information.

Social Media:

Get the latest about the Mac Admins Podcast, follow us on Twitter! We’re @MacAdmPodcast!
