CrowdStrike Falcon® Supports New macOS Big Sur

abstract image of Big Sur background

This year, Apple announced a major overhaul of macOS calling it “the biggest update to design in more than a decade.” The version number jumped from macOS 10.x to 11.0, and it touches every element of the operating system (OS) including how system software will be developed for Big Sur and beyond. Most importantly for security vendors, Apple announced the deprecation of kernel extensions (kexts) for Catalina and re-enforced it in Big Sur. 

As soon as kext deprecation was announced, CrowdStrike began the work of re-architecting the CrowdStrike Falcon® agent and migrating many of our kext-dependent capabilities to the new user-space security framework provided by Apple, paving the way for us to support the Big Sur release with Falcon. Regardless of which versions of macOS your enterprise has deployed, the CrowdStrike Falcon® platform delivers full-feature parity and the comprehensive protection our customers depend on — and with no additional impact on performance.

Seamless Upgrade and Single Agent for All macOS

You can upgrade to the latest Falcon agent directly from the existing production builds in the same frictionless way you already do from the CrowdStrike® console. If you use MDM management tools such as JAMF for installing software on macOS, those are also supported. 

Even with the architectural changes in the newest version of macOS, we give you a single Falcon agent for all of our supported macOS versions, including backward compatibility with Mojave and Catalina, where Falcon will continue to use the older kext approach as necessary. Similarly, when you upgrade macOS, the Falcon sensor will automatically reconfigure itself to use the Apple system extension method. 

CrowdStrike’s Commitment to Customers

The move from kexts represents a strong shift to a more secure OS model and will be a major change for enterprise security vendors who use those extensions to deliver their application features and capabilities. Although some kext support will remain in Big Sur, it is anticipated that Apple will continue to phase that out over time. To replace kexts, Apple has introduced System Extensions, which provide a new mechanism to access kernel events from user space, allowing vendors to continue to deliver software that uses low-level kernel events while the application remains in user space. Reducing the need for privileged access is always a more secure approach and we are proud to embrace this new architecture. 

We know macOS users love to be on the cutting edge, using new capabilities in the OS as soon as they are stable. CrowdStrike strives to support organizations that allow their users the ability to stay ahead of the curve and remain fully protected from adversaries and breaches.

 Additional Resources

Related Content