CrowdStrike Falcon for Units

UM-Ann Arbor, UM-Dearborn, and UM-Flint use CrowdStrike Falcon for enhanced endpoint protection. All U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers) should have CrowdStrike Falcon installed.

CrowdStrike Falcon helps meet the obligations listed in Information Security (SPG 601.27). See in particular 1B. Protection of Data and Information Assets, which states, "The university will optimize its ability to protect institutional data, systems, resources, and services from unauthorized access and other threats or attacks that could potentially result in harm to the university or to members of the university community."

Falcon helps IT staff respond quickly to advanced attacks, both those that use “malware” (malicious programs specifically designed to steal information) and those that do not use malware but instead use stolen credentials to move around a network and steal data. It protects research, administrative data and other sensitive data across the university.

If you have questions about use of CrowdStrike Falcon on a unit-managed computer or server, contact your unit's Security Unit Liaison (SUL).

Falcon Administration in Your Unit

Falcon at U-M uses a multi-tenant structure. ITS Information Assurance (IA) acts as the top-level administrator of Falcon, with sub-tenants that allow unit IT to help administer Falcon on their own unit's systems as needed. The MiWorkspace team administers the MiWorkspace sub-tenant. The MiServer sub-tenant is also administered by ITS.

Units are responsible for deploying Falcon on unit systems and having plans and processes in place to support deployment in an ongoing manner.

Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues. Administrators of separate sub-tenants see only their own tenant(s).

Becoming a Falcon Administrator

CrowdStrike Falcon console accounts are available to unit staff who have an IT security role and who will be monitoring and responding to threat detections. The SUL for a unit can request console access for these staff members by submitting an Enhanced Endpoint Protection ticket to the ITS Service Center.

Support for U-M Falcon Administrators

Falcon administrators have access to a library of resources provided by CrowdStrike through its support portal. ITS IA stands ready to work with unit IT staff to ensure as many systems as possible are protected and to answer questions about Falcon administration.

For details about accessing the CrowdStrike Support Portal and more, see Support for CrowdStrike Falcon Administrators (access limited to Falcon administrators and Security Unit Liaisons).

See CrowdStrike Falcon Installation and Sensor Tagging for information specific to installing and tagging systems at U-M as well as how sensors are updated (access limited to Falcon administrators and Security Unit Liaisons). It is important that all systems are properly tagged within the Crowdstrike Falcon console.  It is recommended that this is done during installation of the agent, however it can be done manually afterwards.

Falcon Exception Process

It may not be possible to install and run CrowdStrike Falcon on all U-M owned systems, due to technical and/or operational limitations. Examples of devices where it may not be possible to install and run CrowdStrike Falcon include:

  • Network appliances (e.g. NAS)
  • IOT devices
  • Devices running Incompatible operating systems (e.g. VMWare ESX, FeeBSD, etc.).

Exception requests can be submitted using this form.

Not for Use on Personal Devices

CrowdStrike Falcon is licensed only for use on UM-owned systems and will not be installed on personal computers.