Prerequisites
Prior to deploying the CrowdStrike Falcon sensor, please ensure you have accounted for the following:
Configure the necessary network connectivity
The CrowdStrike sensor communicates with the CrowdStrike cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.
You can find your CrowdStrike cloud’s IP addresses by clicking Support > Docs > Cloud IP Addresses in your Falcon console.
Please be sure that these addresses are authorized at network egress points and that traffic is not subject to manipulation or TLS interception.
Installing CrowdStrike Falcon using a deployment tool
Use this installation method if you want to automate silent installations on many devices, including installations via mobile device management (MDM) tools such as JAMF.
To automatically install the CrowdStrike Falcon sensor for macOS with JAMF:
- In the Jamf console, set up a Configuration Profile that contains the Approved Kernel Extensions configuration.
- Configure the profile with the Team ID of X9E956P446.
- Create a standard deployment package within JAMF to deploy the sensor.
- Once that is completed, a script will need to be created that licenses the sensor. Example script:
#!/bin/bash
## $4 = CID with Checksum
sudo /Library/CS/falconctl license "$4"
For installing with a password, you can use a script like the example below:
#!/usr/bin/env python
from __future__ import print_function

password = 'MAGICWORDSGOHERE'
try:
    # Keep writing the password to stdout until the reader closes the pipe.
    while True:
        print(password)
except IOError:
    pass
- Replace MAGICWORDSGOHERE with your desired password. This should include only standard characters and not include quotation marks (").
- Then call both the password script and install in the same script:
#!/bin/bash
/Library/CS/falconctl license LICENSEHERE
/Library/CS/Falcon-Protect.py | sudo /Library/CS/falconctl installguard
sudo rm /Library/CS/Falcon-Protect.py
- Replace LICENSEHERE with your CCID, found in the Falcon UI under Hosts > Sensor Downloads.
- It is also advisable to check if the sensor is already installed prior to deploying. This can be done with the following script example:
#!/bin/bash
##############################################################################
# A script to collect the version of the CrowdStrike Falcon Sensor currently installed. #
# If CrowdStrike Falcon is not installed "Not Installed" will return back #
##############################################################################
RESULT="Not Installed"
if [ -f "/Library/CS/falconctl" ] ; then
    RESULT=$( sysctl cs.version | awk '{print $2}' )
fi
echo "$RESULT"
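A stricter form of the licensing script above, written as an added example (not CrowdStrike's or Jamf's own code): it rejects a missing or malformed $4 and a missing falconctl before calling falconctl license, so a mistyped policy parameter does not leave an unlicensed sensor behind unnoticed. The CCID shape (32 alphanumerics, a hyphen, a 2-character checksum) is an assumption taken from the sample value in the manual installation steps, and is_valid_ccid, preflight and license_sensor are hypothetical helper names.

```shell
#!/bin/bash
# Added example, not CrowdStrike's or Jamf's code: validate before licensing.
# Jamf runs policy scripts as root, so sudo is omitted here.
export LC_ALL=C   # byte-wise character ranges in the patterns below
FALCONCTL="${FALCONCTL:-/Library/CS/falconctl}"   # path used on this page

# Succeeds only if $1 has the shape of the page's sample CCID: 32 alphanumerics,
# a hyphen, then a 2-character checksum (format assumed from that sample).
is_valid_ccid() {
    [ "${#1}" -eq 35 ] || return 1
    case "$1" in *[!0-9A-Za-z-]*) return 1 ;; esac   # spaces, quotes, newlines
    _cid=${1%-*}     # text before the last hyphen
    _sum=${1##*-}    # text after the last hyphen
    case "$_cid" in *-*) return 1 ;; esac            # only one hyphen allowed
    [ "${#_cid}" -eq 32 ] && [ "${#_sum}" -eq 2 ]
}

# Returns 0 if licensing can proceed, 2 for a bad CCID, 3 if falconctl is absent.
preflight() {
    is_valid_ccid "$1" || return 2
    [ -x "$FALCONCTL" ] || return 3
}

# Licenses the sensor with CCID $1, or explains on stderr why it did not.
license_sensor() {
    _rc=0
    preflight "$1" || _rc=$?
    case "$_rc" in
        0) "$FALCONCTL" license "$1" ;;
        2) echo "CCID parameter missing or malformed; sensor not licensed" >&2; return 2 ;;
        3) echo "$FALCONCTL not found; deploy the sensor package first" >&2; return 3 ;;
    esac
}

# Jamf always passes $1-$3 (mount point, computer name, user name), so their
# presence marks a real policy run; $4 is the CCID parameter, as on this page.
if [ "$#" -ge 3 ]; then
    license_sensor "${4:-}" || exit $?
fi
```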
Installing CrowdStrike Falcon manually
Use this installation method if you want to install the sensor manually on a single endpoint.
To manually install the CrowdStrike Falcon sensor for macOS:
- Login to your CrowdStrike Falcon console.
- Download the sensor installer from Hosts > Sensor Downloads.
- Copy your customer ID checksum (CCID) from Hosts > Sensor Downloads.
- Run the sensor installer on your device using one of these two methods:
- Double-click the .pkg file.
- Run this command at a terminal, replacing <installer .pkg> with the path and file name of your installer package:
sudo installer -verboseR -package <installer .pkg> -target /
- When prompted, enter administrative credentials for the installer.
- Run falconctl, installed with the Falcon sensor, to provide your customer ID checksum (CCID).
sudo /Library/CS/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX
- This command is slightly different if you're installing with uninstall protection.
- In this example, replace
For more information on advanced installation types, please visit Support > Docs.
Uninstalling CrowdStrike Falcon
To uninstall using the command line:
- Move the host to a sensor update policy with Uninstall and maintenance protection turned off, then uninstall the sensor. For more info, read our Groups and Policies Guide.
- Run this command at a command line:
- With Uninstall and maintenance protection disabled:
sudo /Library/CS/falconctl uninstall
- With Uninstall and maintenance protection enabled:
sudo /Library/CS/falconctl uninstall --maintenance-token
- If the sensor is offline and Bulk Maintenance Mode is enabled, reveal the bulk maintenance token within the policy. Enter this token when prompted by falconctl.
To uninstall using JAMF:
- For uninstallations with JAMF, you can use the following script example (this also accounts for the password requirement during the install):
#!/bin/bash
expect -c "
spawn /Library/CS/falconctl uninstall --password
expect \"Falcon Password:\"
send password
send \r
expect eof
"