Crowdstrike Mac Deployment
03-08-2022 08:00 PM
I want to create a thread to share resources on deploying the Crowdstrike Falcon agent on Mac using JumpCloud. Whatever tips and tricks, resources etc to help with Crowdstrike deployment
We have a Commands gallery for Windows to deploy the agent. But Mac is still something that is a bit of a challenge!
Labels: Deployment and Patching
03-23-2022 12:47 PM
Here is what I use
#!/bin/bash
DownloadUrl="<FILE LOCATION>"
# Create a uniquely named temp folder for the download
DATE=$(date '+%Y-%m-%d-%H-%M-%S')
TempFolder="Download-$DATE"
mkdir "/tmp/$TempFolder"
# Navigate to the temp folder
cd "/tmp/$TempFolder" || exit 1
# Download the package into the temp folder (-f fails on HTTP errors instead of
# saving an error page, -L follows redirects, -O keeps the remote file name)
curl -fsSL -O "$DownloadUrl" || exit 1
# Install the package to the boot volume (must run as root)
installer -verboseR -package "<FILE NAME>" -target /
# Remove the temp folder and the download
rm -r "/tmp/$TempFolder"
echo "Deleted /tmp/$TempFolder"
# Apply the customer ID so the sensor can register with the Falcon cloud
/Applications/Falcon.app/Contents/Resources/falconctl license <CrowdStrike CID>
04-25-2022 05:15 PM
The script works great but the install is not silent; 2 pop-up boxes come up which require user intervention. Do you know how to make the install silent?
04-26-2022 08:48 AM
Hey @mpace ! If you're talking about the request for Full Disk Access etc. that can't be set via the command line/script. Any System Preferences on the macOS side need to be set via MDM Custom Configuration Policies. There is a bit of a learning curve here if you've never played with them but pretty powerful once you wrap your head around it!
If your Mac fleet is mostly Intel, CrowdStrike has a prebuilt policy you can deploy via JumpCloud. If you have both M1 and Intel in the fleet you'll need to create your own M1 policy.
05-10-2022 07:16 AM
Moreover with Monterey, there is really nothing that can be done without user intervention unless you have the machine DEP enrolled or user approved MDM enrolled. And with that, you need admin level user approval for most things. (pretty much everything)
05-18-2022 03:16 PM
Is this for Intel based Macs or M1?
05-23-2022 09:08 AM
Both 😊
03-30-2022 12:05 PM
Thanks @RBaconJC! We're trialing CrowdStrike at the moment and your script got me most of the way there. Had to wrestle (read: learn) with how to author Custom MDM profiles to suppress all the system/kernel prompts the installer would generate. Glad I did as there is a lot of power there.
03-30-2022 01:33 PM
Don't be shy with those Custom profiles! ha
05-20-2022 08:18 PM
We're thinking about adopting CrowdStrike Falcon and I would be very interested in any Custom MDM profiles you've come up with.
🤔I wonder if there is some repository of Custom MDM profiles...
04-18-2022 06:27 AM
Can anyone help here please? I have tried the script - I added the download link for the agent
and I have changed the file name in the script...
Nothing works. It does not download and install the script... 😞
04-18-2022 09:54 AM
Are you getting any error messages? How are you running the script?
04-18-2022 04:45 PM
I'm running the scripts in the Commands dashboard. I have tried to run it manually and it seems that the agent URL is too long and that is why the script is not running. Is there a way to shorten the URL? Also, it would be great if I could get info on whether the script ran, or general output from running scripts.
04-20-2022 03:48 PM
I don't think there is any practical limit for the URI length with cURL so you might be bumping into another issue. Can you share the URL and output you're getting when you run this manually? We've been using the script above for a few weeks now with minor modifications without issue.
05-09-2022 02:05 AM - edited 05-09-2022 08:00 PM
Here are a few scripts that I use for managing CS Falcon through JC on Mac endpoints.
Reference: Falcon Sensor for Mac Deployment (located in the CS Falcon console under Support>Documentation)
Installer
#!/bin/bash
sudo curl -o /tmp/FalconSensorMacOS.MaverickGyr.pkg "<URL to Your File Location of FalconSensorMacOS.MaverickGyr.pkg>"
sudo installer -pkg /tmp/FalconSensorMacOS.MaverickGyr.pkg -target /
/Applications/Falcon.app/Contents/Resources/falconctl license <Your Falcon License>
Check if the Crowdstrike extension is already installed
#!/bin/bash
systemextensionctl list
Sensor Health Check (important for Macs, in some cases the sensor may fail to load after a sensor version auto-update)
#!/bin/bash
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
Sensor Reload command (if the health check fails)
#!/bin/bash
sudo /Applications/Falcon.app/Contents/Resources/falconctl load
05-09-2022 05:25 PM
@tkyerik thanks for sharing these.
Like someone's post? Give them a kudo!
Did someone's answer help you? Please mark it as a solution.
06-15-2022 08:42 AM
No need to use commands.
Create a separate group for macOS 11+ and 10+. This is needed because in new macOS Apple removed kernel extensions.
To sort Macs you can use this command: Get-JCSystem | Where-Object {$.os -like "Mac OS X" -and $.arch -eq "arm64"} | Add-JCSystemGroupMember -GroupName "Mac - Apple silicon"
Create Custom MDM policy based on this template: https://github.com/ageev/MacOS/blob/main/JumpCloud/Falcon%20Profile%20-%20Apple%20Silicone%20with%20... (don't forget to put your own licence number!)
Apply the policy and wait. It's important to make sure that the policy was applied before the CS installation. Otherwise CS will not be activated (the activation check is done during installation only). It's also best to reboot the Mac 1-2 times. Sometimes permissions are only applied after a reboot.
Use software deployment policy to install CS. You will need to upload the CS installation file to public AWS bucket first.
06-15-2022 09:13 AM
This is a very good suggestion. There are two reasons why I did not go with this option:
- When I set everything up, it was before the Silicon processor was being correctly identified in the system info.
- I am not great at creating profiles 😅
I will have to give this a try. My biggest concern is the timing of the policy being applied and the software installation. That being said, I am also going to see if there is a way to leverage that profile template to perform sensor tagging.
Thanks for the post!
06-15-2022 10:49 AM
Is there a way to have the policy automatically install the CS? Somehow have the payload within the policy? If we could make that work then I think we have the bestest solution EVER
08-15-2022 12:48 PM
I'm working on deploying this way but the Software Management policy keeps failing to install the application with a status code of 1. The pre-built profile from JumpCloud seems to be working just fine, but the actual software install is failing. I may have to try using the commands instead.
08-15-2022 01:53 PM
I don't know if it would help, but it looks like JumpCloud has a built-in Policy Management config that automatically installs Falcon permissions. It also has the ability to grant kernel extensions automatic approval if the CrowdStrike one doesn't work. I haven't used either of them yet, but it looks promising.
08-16-2022 12:40 AM
It looks like Jumpcloud just recently added these pre-built policies. Since I have both Intel and ARM-based Macs in my inventory, I will give this a try and see how it performs on a few devices.
09-13-2022 03:13 PM - edited 01-26-2023 05:33 PM
Update: Licensing through the JC provided profile is working and I'm no longer using the script below to license CrowdStrike.
The policies seem to be working relatively well. They take care of everything reliably with the exception of the licensing. What I believe was causing the install issues was the installer not pulling the license from the config profile reliably. What ended up working for me is making a script and then pushing that using commands to install CrowdStrike. Then after the install completes I run the activation. This has given me the most consistency.
#!/bin/bash
# Create variable with download url of the installer
DownloadUrl="https://YourDownloadURL"
# Create variable with app name
AppName='Falcon'
# Write content of variable to console output
echo "App Name: $AppName"
echo "Testing to ensure App is not already installed"
# Search the Applications folder for $AppName (find recurses, so this also matches
# the Falcon binary inside Falcon.app)
ExistingSearch=$(find "/Applications/" -name "$AppName")
# If the variable is not empty, the search found the app in the Applications folder
if [[ -n "$ExistingSearch" ]]
then
    echo "$AppName already present in /Applications folder, exiting."
    # Non-zero exit so the JumpCloud command shows that nothing was installed
    exit 1
else
    # Runs if app name wasn't found in the Applications folder
    echo "$AppName not present in /Applications folder, installing"
    # Check if the CrowdStrike profile is present
    echo "checking to see if the CrowdStrike profile is present"
    # Variable containing the installed profiles on the device
    ProfileSearch=$(profiles -P)
    # Identifier string from the CrowdStrike profile
    ProfileCompare="crowdStrike_Falcon_MDM_Settings"
    # Check whether or not the CrowdStrike profile is installed (substring match)
    if [[ $ProfileSearch == *"$ProfileCompare"* ]]
    then
        echo "The CrowdStrike profile is present, installing CrowdStrike Falcon"
        # Install CrowdStrike
        # Download the installer from the S3 bucket to /tmp; -f makes curl fail on
        # HTTP errors instead of saving an error page as the .pkg
        curl -fsSL "$DownloadUrl" --output /private/tmp/FalconSensorMacOS.pkg || exit 1
        # Run the installer
        installer -verboseR -package /private/tmp/FalconSensorMacOS.pkg -target /
        # Activate Falcon with our license
        echo "Licensing app..."
        /Applications/Falcon.app/Contents/Resources/falconctl license 123YourLicense456789
        echo "Install finished, deleting install files..."
        # Delete leftover installation files that are no longer needed
        rm /private/tmp/FalconSensorMacOS.pkg
        echo "The following files were deleted: /private/tmp/FalconSensorMacOS.pkg"
        echo "displaying agent stats: (if blank, agent isn't running)"
        /Applications/Falcon.app/Contents/Resources/falconctl stats agent_info
    else
        echo "The CrowdStrike profile is NOT present, CrowdStrike Falcon will NOT be installed."
    fi
fi
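The health check and reload steps from @tkyerik's post and the profile gate from the script above, combined into one JumpCloud command as an added example (my own code, not from the thread or from JumpCloud/CrowdStrike). It assumes the Falcon endpoint-security system extension's bundle id is com.crowdstrike.falcon.Agent and reuses the profile identifier crowdStrike_Falcon_MDM_Settings from the script above; the parsing is done in functions that take command output as a string so the decisions can be checked against constructed text.

```shell
#!/bin/bash
# Added example (not from the thread): Falcon sensor health check for a JumpCloud
# command. Parsing lives in functions that take command output as an argument.
# Assumptions: the endpoint-security extension bundle id is
# com.crowdstrike.falcon.Agent; the profile id is the one used in the thread.
FALCONCTL="/Applications/Falcon.app/Contents/Resources/falconctl"
FALCON_EXT="com.crowdstrike.falcon.Agent"
PROFILE_ID="crowdStrike_Falcon_MDM_Settings"

# ext_state "<output of systemextensionctl list>"
# Prints the bracketed [state] of the Falcon extension, or "missing".
# Returns 0 only when the state is "activated enabled" (sensor can load).
ext_state() {
  local line state
  line=$(printf '%s\n' "$1" | grep -F "$FALCON_EXT" | head -n 1)
  if [ -z "$line" ]; then
    echo "missing"
    return 1
  fi
  state=$(printf '%s\n' "$line" | sed -n 's/.*\[\([^]]*\)\].*/\1/p')
  echo "$state"
  [ "$state" = "activated enabled" ]
}

# profile_present "<output of profiles -P>": 0 if the MDM profile is installed.
# Without it the installer and the extension wait on user-approval prompts.
profile_present() {
  printf '%s\n' "$1" | grep -qF "$PROFILE_ID"
}

# Runs the real checks on the endpoint; the exit code is what JumpCloud reports.
main() {
  local state
  [ -x "$FALCONCTL" ] || { echo "Falcon.app is not installed"; return 2; }
  profile_present "$(profiles -P 2>/dev/null)" \
    || { echo "Profile $PROFILE_ID missing; apply the MDM policy first"; return 3; }
  if state=$(ext_state "$(systemextensionctl list 2>/dev/null)"); then
    echo "Falcon extension state: $state"
    sudo "$FALCONCTL" stats agent_info
  else
    echo "Falcon extension state: $state, reloading sensor"
    sudo "$FALCONCTL" load
  fi
}

# Only run the endpoint checks on macOS; the functions above work anywhere.
[ "$(uname -s)" = "Darwin" ] && main
```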
09-14-2022 04:29 AM
@BScott is there any way to get JumpCloud to update the pre-built policies to handle the situation that @JacobLawson dealt with? Is there a GitHub repo for these scripts that we can issue a PR against?
09-16-2022 10:09 AM
@RNHurt see just below...Tom is on it.
09-14-2022 03:59 PM
Hey Jacob - Do you have any Falcon logs from a system with our policy for licensing applied where it's not installing correctly? If so, I want to get those raised with our CrowdStrike team members.
09-16-2022 11:18 AM
Hi Tom, I don't have any now but I can try and get some for you guys next week.
01-26-2023 05:32 PM
Apologies for not following up here. Everything is working smoothly and the licensing is working as expected. I'm no longer activating the license in my install script; I'm letting the profile handle it and everything is behaving as expected.
09-16-2022 10:11 AM
@JacobLawson hopefully you've seen Tom's reply about getting logs if you have any. We'd like to see what we can do to update.
09-30-2022 05:55 PM
Just wanted to call out one tiny correction in your PowerShell command.
You have the pipeline variables as $.os and $.arch when it should be $_.os and $_.arch respectively.
Just want to call this out for any users that are less experienced with PowerShell and are running into issues attempting to run this command as it is a very useful command. This means the command would look like:
Get-JCSystem | Where-Object {$_.os -like "Mac OS X" -and $_.arch -eq "arm64"} | Add-JCSystemGroupMember -GroupName "Mac - Apple silicon"