Skip to main content
Red Canary help

Installing and uninstalling the Crowdstrike Falcon sensor on MacOS

  • Updated .

Prerequisites

Prior to deploying the CrowdStrike Falcon sensor, please ensure you have accounted for the following:

Configure the necessary network connectivity

The CrowdStrike sensor communicates with the CrowdStrike cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

You can find your CrowdStrike cloud’s IP addresses by clicking Support > Docs > Cloud IP Addresses in your Falcon console.

Please be sure that these addresses are authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Installing CrowdStrike Falcon using a deployment tool

Use this installation method if you want to automate silent installations on many devices, including installations via mobile device management (MDM) tools such as JAMF.

To automatically install the CrowdStrike Falcon sensor for macOS with JAMF:

  1. In the Jamf console, set up a Configuration Profile that contains the Approved Kernel Extensions configuration.
  2. Configure the profile with the Team ID of X9E956P446.
  3. Create a standard deployment package within JAMF to deploy the sensor.
  4. Once that is completed, a script will need to be created that licenses the sensor. Example script:
    #!/bin/bash
    ## $4 = CID with Checksum
    sudo /Library/CS/falconctl license $4
  5. For installing with a password, you can use a script like the example below:
    #!/usr/bin/env python
from __future__ import print_function
password = 'MAGICWORDSGOHERE'
try:
  while True:
  print(password)
except IOError:
  pass
  6. Replace MAGICWORDSGOHERE with your desired password. This should include only standard characters and not include quotation marks (").
  7. Then call both the password script and install in the same script: 
    #!/bin/bash
/Library/CS/falconctl license LICENSEHERE
/Library/CS/Falcon-Protect.py | sudo /Library/CS/falconctl installguard
sudo rm /Library/CS/Falcon-Protect.py
  8. Replace LICENSEHERE with your CCID, found in the Falcon UI under Hosts > Sensor Downloads.
  9. It is also advisable to check if the sensor is already installed prior to deploying. This can be done with the following script example: 
    #!/bin/bash
##############################################################################
# A script to collect the version of the CrowdStrike Falcon Sensor currently installed. #
# If CrowdStrike Falcon is not installed "Not Installed" will return back               #
##############################################################################
RESULT="Not Installed"

if [ -f "/Library/CS/falconctl" ] ; then
	RESULT=$( sysctl cs.version | awk '{print $2}' )
fi
echo "$RESULT"

Installing CrowdStrike Falcon manually

Use this installation method if you want to install the sensor manually on a single endpoint.

To manually install the CrowdStrike Falcon sensor for macOS:

  1. Login to your CrowdStrike Falcon console.
  2. Download the sensor installer from Hosts > Sensor Downloads.
  3. Copy your customer ID checksum (CCID) from Hosts > Sensor Downloads.
  4. Run the sensor installer on your device using one of these two methods:
    1. Double-click the .pkg file.
    2. Run this command at a terminal, replacing <installer .pkg> with the path and file name of your installer package:
      sudo installer -verboseR -package <installer .pkg> -target /
  5. When prompted, enter administrative credentials for the installer.
  6. Run falconctl, installed with the Falcon sensor, to provide your customer ID checksum (CCID).
    sudo /Library/CS/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX
    1. This command is slightly different if you're installing with uninstall protection.
    2. In this example, replace
     0123456789ABCDEFGHIJKLMNOPQRSTUV-WX with your CID.
  • Approve the kernel extension with the steps listed at Manual KEXT Approval. Also use these steps if your MDM doesn’t support kext whitelisting or you use DevOps/scripts to deploy the product.
  • Grant Full Disk Access (Catalina/Mojave Only) with the steps listed at Manual Full Disk Access.

    • For more information on advanced installation types, please visit Support > Docs.

    Uninstalling CrowdStrike Falcon

    To uninstall using the command line:

    1. Move the host to a sensor update policy with Uninstall and maintenance protection turned off, then uninstall the sensor. For more info, read our Groups and Policies Guide.
    2. Run this command at a command line:
      • With Uninstall and maintenance protection disabled: 
        sudo  /Library/CS/falconctl uninstall
      • With Uninstall and maintenance protection enabled: 
        sudo /Library/CS/falconctl uninstall --maintenance-token
        • If the sensor is offline and
        Uninstall and maintenance protection is enabled, use the Reveal Maintenance Token button on the Host Management page to get the single-use token required to uninstall the sensor. Enter this token when prompted by falconctl.
      • If the sensor is offline and Bulk Maintenance Mode is enabled, reveal the bulk maintenance token within the policy. Enter this token when prompted by falconctl.

    To uninstall using JAMF:

    1. For uninstallations with JAMF, you can use the following script example (this also  accounts for the password requirement during the install): 
      #!/bin/bash
expect -c "
	spawn /Library/CS/falconctl uninstall --password
	expect \"Falcon Password:\"
	send password
	send \r
	expect eof
	"