03-08-2022 08:00 PM
I want to create a thread to share resources on deploying the CrowdStrike Falcon agent on Mac using JumpCloud. Whatever tips and tricks, resources, etc. to help with CrowdStrike deployment.
We have a Commands gallery for Windows to deploy the agent. But Mac is still something that is a bit of a challenge!
03-23-2022 12:47 PM
Here is what I use
DownloadUrl="<FILE LOCATION>"
# Create Temp Folder
DATE=$(date '+%Y-%m-%d-%H-%M-%S')
TempFolder="Download-$DATE"
mkdir "/tmp/$TempFolder" || exit 1
# Navigate to Temp Folder (stop if that fails, so nothing below runs in the wrong directory)
cd "/tmp/$TempFolder" || exit 1
# Download File into Temp Folder
curl -s -L -O "$DownloadUrl"
# Install the downloaded package
installer -verboseR -package "<FILE NAME>" -target /
# Remove Temp Folder and download
rm -r "/tmp/$TempFolder"
echo "Deleted /tmp/$TempFolder"
# License the sensor with your CID
/Applications/Falcon.app/Contents/Resources/falconctl license "<CrowdStrike CID>"
04-25-2022 05:15 PM
The script works great but the install is not silent; 2 pop-up boxes come up which require user intervention. Do you know how to make the install silent?
04-26-2022 08:48 AM
Hey @mpace ! If you're talking about the request for Full Disk Access etc. that can't be set via the command line/script. Any System Preferences on the macOS side need to be set via MDM Custom Configuration Policies. There is a bit of a learning curve here if you've never played with them but pretty powerful once you wrap your head around it!
If your Mac fleet is mostly Intel, CrowdStrike has a prebuilt policy you can deploy via JumpCloud. If you have both M1 and Intel in the fleet you'll need to create your own M1 policy.
05-10-2022 07:16 AM
Moreover with Monterey, there is really nothing that can be done without user intervention unless you have the machine DEP enrolled or user approved MDM enrolled. And with that, you need admin level user approval for most things. (pretty much everything)
05-18-2022 03:16 PM
Is this for Intel based Macs or M1?
05-23-2022 09:08 AM
Both 😊
03-30-2022 12:05 PM
Thanks @RBaconJC! We're trialing CrowdStrike at the moment and your script got me most of the way there. Had to wrestle (read: learn) with how to author Custom MDM profiles to suppress all the system/kernel prompts the installer would generate. Glad I did as there is a lot of power there.
03-30-2022 01:33 PM
Don't be shy with those Custom profiles! ha
05-20-2022 08:18 PM
We're thinking about adopting CrowdStrike Falcon and I would be very interested in any Custom MDM profiles you've come up with.
🤔I wonder if there is some repository of Custom MDM profiles...
04-18-2022 06:27 AM
Can anyone help here, please? I have tried the script. I added the download link for the agent
and I have changed the file name in the script.
Nothing works. It does not download and install the script. 😞
04-18-2022 09:54 AM
Are you getting any error messages? How are you running the script?
04-18-2022 04:45 PM
I'm running the scripts in the Commands dashboard. I have tried to run it manually and it seems that the agent URL is too long and that is why the script is not running. Is there a way to shorten the URL? Also, it would be great if I could get info on whether the script ran, or general output on scripts running.
04-20-2022 03:48 PM
I don't think there is any practical limit for the URI length with cURL so you might be bumping into another issue. Can you share the URL and output you're getting when you run this manually? We've been using the script above for a few weeks now with minor modifications without issue.
05-09-2022 02:05 AM - edited 05-09-2022 08:00 PM
Here are a few scripts that I use for managing CS Falcon through JC on Mac endpoints.
Reference: Falcon Sensor for Mac Deployment (located in the CS Falcon console under Support>Documentation)
Installer
#!/bin/bash
sudo curl -o /tmp/FalconSensorMacOS.MaverickGyr.pkg "<URL to Your File Location of FalconSensorMacOS.MaverickGyr.pkg>"
sudo installer -pkg /tmp/FalconSensorMacOS.MaverickGyr.pkg -target /
/Applications/Falcon.app/Contents/Resources/falconctl license <Your Falcon License>
Check if the Crowdstrike extension is already installed
#!/bin/bash
systemextensionctl list
Sensor Health Check (important for Macs, in some cases the sensor may fail to load after a sensor version auto-update)
#!/bin/bash
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
Sensor Reload command (if the health check fails)
#!/bin/bash
sudo /Applications/Falcon.app/Contents/Resources/falconctl load
05-09-2022 05:25 PM
@tkyerik thanks for sharing these.
06-15-2022 08:42 AM
No need to use commands.
Create a separate group for macOS 11+ and 10+. This is needed because in new macOS Apple removed kernel extensions.
To sort Macs you can use this command: Get-JCSystem | Where-Object {$_.os -like "Mac OS X" -and $_.arch -eq "arm64"} | Add-JCSystemGroupMember -GroupName "Mac - Apple silicon"
Create Custom MDM policy based on this template: https://github.com/ageev/MacOS/blob/main/JumpCloud/Falcon%20Profile%20-%20Apple%20Silicone%20with%20... (don't forget to put your own licence number!)
Apply the policy and wait. It's important to make sure that the policy was applied before the CS installation. Otherwise CS will not be activated (activation check is done during installation only). It's also best to reboot the Mac 1-2 times. Sometimes permissions are only applied after reboot.
Use software deployment policy to install CS. You will need to upload the CS installation file to public AWS bucket first.
06-15-2022 09:13 AM
This is a very good suggestion. There are two reasons why I did not go with this option:
I will have to give this a try. My biggest concern is the timing of the policy being applied and the software installation. That being said, I am also going to see if there is a way to leverage that profile template to perform sensor tagging.
Thanks for the post!
06-15-2022 10:49 AM
Is there a way to have the policy automatically install the CS? Somehow have the payload within the policy? If we could make that work then I think we have the bestest solution EVER