Starting with AppGate ZTNA client 6.2.1, the device claim for the CrowdStrike Agent ID is built in for both Windows and macOS. No additional configuration is necessary from this AppGate ZTNA client version onward.
NOTE
On macOS devices, you must retrieve the Agent ID from a file controlled by CrowdStrike. This file is not produced by default. Raise a support ticket with CrowdStrike to enable the following feature flag:
zta_distribute_payload. Enable this feature flag regardless of which macOS AppGate ZTNA client version you use.
Windows
AppGate ZTNA client earlier than version 6.1.0
Create the following batch file on your machine and name it
crowdstrike_agent_id_win.bat:
@echo off
for /F "tokens=3" %%A in ('reg query HKLM\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default /v "AG"') do (echo %%A)In the AppGate ZTNA admin UI, go to Identity and then Device Claim Scripts.
Click + Add New and fill in the following fields:
Name:
crowdtsrike_agent_id_winFile: Upload the file
crowdstrike_agent_id_win.bat
Click Save.
Go to Identity and then Identity Providers.
Select the identity providers you use to authenticate your users. Scroll down to Configure On-demand Device Claims and click + Add.
Fill in the following fields:
Field | Value |
|---|---|
Command | Run Device Claim Script |
Device Claim Scripts |
|
Arguments | Leave blank |
Claim Name |
|
Platform | Windows only |
Click Done, then click Save.
AppGate ZTNA client versions 6.1.0 through 6.2.0 (inclusive)
In the AppGate ZTNA admin UI, go to Identity and then Identity Providers.
Select the identity providers you use to authenticate your users. Scroll down to Configure On-demand Device Claims and click + Add.
Fill in the following fields:
Field | Value |
|---|---|
Command | Registry Query |
FIle Path |
|
Claim Name |
|
Platform | Windows only |
Click Done, then click Save.
macOS
NOTE
On macOS devices, you must retrieve the Agent ID from a file controlled by CrowdStrike. This file is not produced by default. Raise a support ticket with CrowdStrike to enable the following feature flag:
zta_distribute_payload. Enable this feature flag regardless of which macOS AppGate ZTNA client version you use.
AppGate ZTNA client earlier than version 6.2.1
NOTE
You can enable the feature flag before or after completing the following configuration. Once you enable the feature flag and complete the configuration, the built-in algorithm starts working automatically.
Create the following shell file on your machine and name it
crowdstrike_agent_id_mac.sh:
#!/bin/sh
payload=`awk -F'.' '{print $2;}' "/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta"`
#echo payload: $payload
len=${#payload}
if [ $((len%2)) -gt 0 ]; then
pad=1
elif [ $((len%4)) -gt 0 ]; then
pad=2
else
pad=0
fi
for (( ii=1; ii<=$pad; ii++ )) ; do payload+="="; done
echo $payload | base64 -d | grep -Eo '"sub":"\w+' | awk -F'":"' '{print $2;}' 2>/dev/nullIn the AppGate ZTNA admin UI, go to Identity and then Device Claim Scripts.
Click + Add and fill in the following fields:
Name:
crowdstrike_agent_idFile: Upload the file
crowdstrike_agent_id_mac.sh
Click Save.
Go to Identity and then Identity Providers.
Select the identity providers you use to authenticate your users. Scroll down to Configure On-demand Device Claims and click + Add.
Fill in the following fields:
Field | Value |
|---|---|
Command | Run Device Claim Script |
Device Claim Scripts |
|
Arguments | Leave blank |
Claim Name |
|
Platform | All macOS devices |
Click Done, then click Save.