Skip to main content
Red Canary help

Install and uninstall the Crowdstrike Falcon sensor on MacOS

  • Updated .

Prerequisites

Prior to deploying the CrowdStrike Falcon sensor, please ensure you have accounted for the following:

Configure the necessary network connectivity

The CrowdStrike sensor communicates with the CrowdStrike cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

You can find your CrowdStrike cloud’s IP addresses by clicking Support, Docs, and then Cloud IP Addresses in your Falcon console.

Please be sure that these addresses are authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Estimated procedure time: 10 minutes

Installing CrowdStrike Falcon using a deployment tool

Use this installation method if you want to automate silent installations on many devices, including installations via mobile device management (MDM) tools such as JAMF.

NOTE: detailed MDM deployment instructions can also be found by logging into your CrowdStrike Falcon console, clicking on the Falcon Menu (the Falcon logo on the top left of the page), and selecting Documentation, and then clicking Falcon Sensor for Mac. 

Automatically install the CrowdStrike Falcon sensor for macOS with JAMF

  1. In the Jamf console, set up a Configuration Profile that contains the Approved Kernel Extensions configuration.
  2. Configure the profile with the X9E956P446 as the Team ID.
  3. Create a standard deployment package within JAMF to deploy the sensor.
  4. Once that is completed, a script will need to be created that licenses the sensor. Example script:
    #!/bin/bash
    ## $4 = CID with Checksum
    sudo /Library/CS/falconctl license $4
  5. For installing with a password, you can use a script like the example below:
    #!/usr/bin/env python
from __future__ import print_function
password = 'MAGICWORDSGOHERE'
try:
  while True:
  print(password)
except IOError:
  pass
  6. Replace MAGICWORDSGOHERE with your desired password. This should include only standard characters and not include quotation marks (").
  7. Call both the password script and install in the same script: 
    #!/bin/bash
/Library/CS/falconctl license LICENSEHERE
/Library/CS/Falcon-Protect.py | sudo /Library/CS/falconctl installguard
sudo rm /Library/CS/Falcon-Protect.py
  8. Replace LICENSEHERE with your CCID, found in the Falcon UI under Hosts, then click Sensor Downloads.
  9. It is also advisable to check if the sensor is already installed prior to deploying. This can be done with the following script example: 
    #!/bin/bash
##############################################################################
# A script to collect the version of the CrowdStrike Falcon Sensor currently installed. #
# If CrowdStrike Falcon is not installed "Not Installed" will return back               #
##############################################################################
RESULT="Not Installed"

if [ -f "/Library/CS/falconctl" ] ; then
	RESULT=$( sysctl cs.version | awk '{print $2}' )
fi
echo "$RESULT"

Installing CrowdStrike Falcon manually

Use this installation method if you want to install the sensor manually on a single endpoint.

Manually install the CrowdStrike Falcon sensor for macOS

  1. Login to your CrowdStrike Falcon console.
  2. Download the sensor installer under Hosts, then click Sensor Downloads.
  3. Copy your customer ID checksum (CCID) from Hosts, then click Sensor Downloads.
  4. Run the sensor installer on your device using one of these two methods:
    1. Double-click the .pkg file.
    2. Run this command at a terminal, replacing <installer .pkg> with the path and file name of your installer package:
      sudo installer -verboseR -package <installer .pkg> -target /
  5. When prompted, enter the administrative credentials for the installer.
  6. Run falconctl, installed with the Falcon sensor, and provide your customer ID checksum (CCID).
    sudo /Library/CS/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX
    1. This command is slightly different if you're installing with uninstall protection.
    2. In this example, replace
    0123456789ABCDEFGHIJKLMNOPQRSTUV-WX with your CID.
  7. Approve the kernel extension with the steps listed in the Manual KEXT Approval. Use these steps if your MDM doesn’t support kext whitelisting or you use DevOps/scripts to deploy the product.
  8. Grant Full Disk Access (Catalina/Mojave Only) with the steps listed at Manual Full Disk Access.

For more information on advanced installation types, please visit Support, and then click Docs.

Uninstalling CrowdStrike Falcon

Uninstall using the command line

  1. Move the host to a sensor update policy with Uninstall and maintenance protection turned off, then uninstall the sensor. For more info, read our Groups and Policies Guide.
  2. Run this command at a command line:
    • With Uninstall and maintenance protection disabled: 
      sudo  /Library/CS/falconctl uninstall
    • With Uninstall and maintenance protection enabled: 
      sudo /Library/CS/falconctl uninstall --maintenance-token
      • If the sensor is offline and Uninstall and maintenance protection is enabled, click Reveal Maintenance Token on the Host Management page to get the single-use token required to uninstall the sensor. Enter this token when prompted by falconctl.
    • If the sensor is offline and Bulk Maintenance Mode is enabled, reveal the bulk maintenance token within the policy. Enter this token when prompted by falconctl.

Uninstall using JAMF

  1. If you need to uninstall using JAMF, you can use the following script example (this also  accounts for the password requirement during the install): 
    #!/bin/bash
expect -c "
	spawn /Library/CS/falconctl uninstall --password
	expect \"Falcon Password:\"
	send password
	send \r
	expect eof
	"

Comments

0 comments

Please sign in to leave a comment.