
Crowdstrike Mac Deployment

BenGarrison
JumpCloud Alumni

I want to create a thread to share resources on deploying the Crowdstrike Falcon agent on Mac using JumpCloud. Any tips and tricks, resources, etc. to help with Crowdstrike deployment are welcome.

We have a Commands gallery for Windows to deploy the agent. But Mac is still something that is a bit of a challenge!

Windows Resources

20 REPLIES

RBaconJC
Community Manager

Here is what I use

DownloadUrl="<FILE LOCATION>"

# Create Temp Folder
DATE=$(date '+%Y-%m-%d-%H-%M-%S')
TempFolder="Download-$DATE"
mkdir "/tmp/$TempFolder"

# Navigate to Temp Folder (stop if it could not be created)
cd "/tmp/$TempFolder" || exit 1

# Download File into Temp Folder
curl -s -L -O "$DownloadUrl"

# Install the downloaded package
installer -verboseR -package "<FILE NAME>" -target /

# Remove Temp Folder and download
rm -r "/tmp/$TempFolder"
echo "Deleted /tmp/$TempFolder"

# License the sensor with your CrowdStrike CID
/Applications/Falcon.app/Contents/Resources/falconctl license "<CrowdStrike CID>"

The script works great but the install is not silent; 2 pop-up boxes come up which require user intervention. Do you know how to make the install silent?

Hey @mpace ! If you're talking about the request for Full Disk Access etc. that can't be set via the command line/script. Any System Preferences on the macOS side need to be set via MDM Custom Configuration Policies. There is a bit of a learning curve here if you've never played with them but pretty powerful once you wrap your head around it!

If your Mac fleet is mostly Intel, CrowdStrike has a prebuilt policy you can deploy via JumpCloud. If you have both M1 and Intel in the fleet you'll need to create your own M1 policy.

Moreover with Monterey, there is really nothing that can be done without user intervention unless you have the machine DEP enrolled or user approved MDM enrolled. And with that, you need admin level user approval for most things. (pretty much everything)

Is this for Intel based Macs or M1? 

RBaconJC
Community Manager

Both 😊

RyanBailey
Novitiate III

Thanks @RBaconJC! We're trialing CrowdStrike at the moment and your script got me most of the way there. Had to wrestle (read: learn) with how to author Custom MDM profiles to suppress all the system/kernel prompts the installer would generate. Glad I did as there is a lot of power there.

Don't be shy with those Custom profiles! ha

We're thinking about adopting CrowdStrike Falcon and I would be very interested in any Custom MDM profiles you've come up with.

🤔I wonder if there is some repository of Custom MDM profiles...

shaharr
Novitiate I

Can anyone help here, please? I have tried the script. I added the download link for the agent.

I have changed the file name in the script.

Nothing works. It does not download and install the script. 😞

Are you getting any error messages? How are you running the script?

shaharr
Novitiate I

I'm running the scripts in the Commands dashboard. I have tried to run it manually and it seems that the agent URL is too long and that is why the script is not running. Is there a way to shorten the URL? Also, it would be great if I could get info on whether the script ran, or general output on scripts running.

I don't think there is any practical limit for the URI length with cURL so you might be bumping into another issue. Can you share the URL and output you're getting when you run this manually? We've been using the script above for a few weeks now with minor modifications without issue.

tkyerik
Novitiate I

Here are a few scripts that I use for managing CS Falcon through JC on Mac endpoints.
Reference: Falcon Sensor for Mac Deployment (located in the CS Falcon console under Support>Documentation)

Installer

#!/bin/bash
sudo curl -o /tmp/FalconSensorMacOS.MaverickGyr.pkg "<URL to Your File Location of FalconSensorMacOS.MaverickGyr.pkg>"
sudo installer -pkg /tmp/FalconSensorMacOS.MaverickGyr.pkg -target /
/Applications/Falcon.app/Contents/Resources/falconctl license <Your Falcon License>

Check if the Crowdstrike extension is already installed

#!/bin/bash
systemextensionctl list

Sensor Health Check (important for Macs, in some cases the sensor may fail to load after a sensor version auto-update)

#!/bin/bash
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

Sensor Reload command (if the health check fails)

#!/bin/bash
sudo /Applications/Falcon.app/Contents/Resources/falconctl load

 

BScott
Community Manager

@tkyerik thanks for sharing these.


r00t
Novitiate I

No need to use commands.

Create a separate group for macOS 11+ and 10+. This is needed because in new macOS Apple removed kernel extensions.

To sort Macs you can use this command: Get-JCSystem | Where-Object {$_.os -like "Mac OS X" -and $_.arch -eq "arm64"} | Add-JCSystemGroupMember -GroupName "Mac - Apple silicon"

 

Create Custom MDM policy based on this template: https://github.com/ageev/MacOS/blob/main/JumpCloud/Falcon%20Profile%20-%20Apple%20Silicone%20with%20... (don't forget to put your own licence number!)

Apply the policy and wait. It's important to make sure that the policy was applied before the CS installation. Otherwise CS will not be activated (the activation check is done during installation only). It's also best to reboot the Mac 1-2 times. Sometimes permissions are only applied after a reboot.

Use a software deployment policy to install CS. You will need to upload the CS installation file to a public AWS bucket first.

RBaconJC
Community Manager

This is a very good suggestion. There are two reasons why I did not go with this option:

  • When I set everything up, it was before the Silicon processor was being correctly identified in the system info.
  • I am not great at creating profiles 😅

I will have to give this a try. My biggest concern is the timing of the policy being applied and the software installation. That being said, I am also going to see if there is a way to leverage that profile template to perform sensor tagging.

Thanks for the post!

BenGarrison
JumpCloud Alumni

Is there a way to have the policy automatically install the CS? Somehow have the payload within the policy? If we could make that work then I think we have the bestest solution EVER

I'm working on deploying this way but the Software Management policy keeps failing to install the application with a status code of 1.  The pre-built profile that JumpCloud seems to be working just fine but the actual software install is failing. I may have to try using the commands instead. 

I don't know if it would help, but it looks like JumpCloud has a built-in Policy Management Config that automatically installs Falcon permissions. It also has the ability to grant kernel extensions automatic approval if the CrowdStrike one doesn't work. I haven't used either of them yet, but it looks promising.
