Crowdstrike Mac Deployment

BenGarrison
JumpCloud Alumni

I want to create a thread to share resources on deploying the Crowdstrike Falcon agent on Mac using JumpCloud. Whatever tips and tricks, resources, etc. to help with Crowdstrike deployment.

We have a Commands gallery for Windows to deploy the agent. But Mac is still something that is a bit of a challenge!

Windows Resources

29 REPLIES

RBaconJC
Community Manager

Here is what I use

DownloadUrl="<FILE LOCATION>"

# Create Temp Folder
DATE=$(date '+%Y-%m-%d-%H-%M-%S')
TempFolder="Download-$DATE"
mkdir "/tmp/$TempFolder"

# Navigate to Temp Folder; stop if that fails so the download cannot land elsewhere
cd "/tmp/$TempFolder" || exit 1

# Download File into Temp Folder
curl -s -L -O "$DownloadUrl"

# Install the downloaded package
installer -verboseR -package "<FILE NAME>" -target /

# Remove Temp Folder and download
rm -r "/tmp/$TempFolder"
echo "Deleted /tmp/$TempFolder"

# License the sensor with your CrowdStrike CID
/Applications/Falcon.app/Contents/Resources/falconctl license "<CrowdStrike CID>"

The script works great but the install is not silent; 2 pop-up boxes come up which require user intervention. Do you know how to make the install silent?

Hey @mpace ! If you're talking about the request for Full Disk Access etc. that can't be set via the command line/script. Any System Preferences on the macOS side need to be set via MDM Custom Configuration Policies. There is a bit of a learning curve here if you've never played with them but pretty powerful once you wrap your head around it!

If your Mac fleet is mostly Intel, CrowdStrike has a prebuilt policy you can deploy via JumpCloud. If you have both M1 and Intel in the fleet you'll need to create your own M1 policy.

Moreover with Monterey, there is really nothing that can be done without user intervention unless you have the machine DEP enrolled or user approved MDM enrolled. And with that, you need admin level user approval for most things. (pretty much everything)

Is this for Intel based Macs or M1? 

RBaconJC
Community Manager

Both 😊

RyanBailey
Novitiate III

Thanks @RBaconJC! We're trialing CrowdStrike at the moment and your script got me most of the way there. Had to wrestle (read: learn) with how to author Custom MDM profiles to suppress all the system/kernel prompts the installer would generate. Glad I did as there is a lot of power there.

Don't be shy with those Custom profiles! ha

We're thinking about adopting CrowdStrike Falcon and I would be very interested in any Custom MDM profiles you've come up with.

🤔I wonder if there is some repository of Custom MDM profiles...

shaharr
Novitiate I

Can anyone help here, please? I have tried the script - I added the download link for the agent.

I have changed the file name in the script.

Nothing works. It does not download and install the script. 😞

Are you getting any error messages? How are you running the script?

shaharr
Novitiate I

I'm running the scripts in the Commands dashboard. I have tried to run it manually and it seems that the agent URL is too long and that is why the script is not running. Is there a way to shorten the URL? Also, it would be great if I could get info on whether the script ran, or general output on scripts running.

I don't think there is any practical limit for the URI length with cURL so you might be bumping into another issue. Can you share the URL and output you're getting when you run this manually? We've been using the script above for a few weeks now with minor modifications without issue.

tkyerik
Novitiate II

Here are a few scripts that I use for managing CS Falcon through JC on Mac endpoints.
Reference: Falcon Sensor for Mac Deployment (located in the CS Falcon console under Support>Documentation)

Installer

#!/bin/bash
sudo curl -o /tmp/FalconSensorMacOS.MaverickGyr.pkg "<URL to Your File Location of FalconSensorMacOS.MaverickGyr.pkg>"
sudo installer -pkg /tmp/FalconSensorMacOS.MaverickGyr.pkg -target /
/Applications/Falcon.app/Contents/Resources/falconctl license <Your Falcon License>

Check if the Crowdstrike extension is already installed

#!/bin/bash
systemextensionctl list

Sensor Health Check (important for Macs, in some cases the sensor may fail to load after a sensor version auto-update)

#!/bin/bash
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

Sensor Reload command (if the health check fails)

#!/bin/bash
sudo /Applications/Falcon.app/Contents/Resources/falconctl load

 

BScott
Community Manager

@tkyerik thanks for sharing these.

Like someone's post? Give them a kudo!
Did someone's answer help you? Please mark it as a solution.

r00t
Novitiate I

No need to use commands.

Create a separate group for macOS 11+ and 10+. This is needed because in new macOS Apple removed kernel extensions.

To sort macs you can use this command: Get-JCSystem | Where-Object {$.os -like "Mac OS X" -and $.arch -eq "arm64"} | Add-JCSystemGroupMember -GroupName "Mac - Apple silicon"

 

Create Custom MDM policy based on this template: https://github.com/ageev/MacOS/blob/main/JumpCloud/Falcon%20Profile%20-%20Apple%20Silicone%20with%20... (don't forget to put your own licence number!)

Apply the policy and wait. It's important to make sure that the policy was applied before the CS installation. Otherwise CS will not be activated (activation check is done during installation only). It's also best to reboot the Mac 1-2 times. Sometimes permissions are only applied after a reboot.

Use a software deployment policy to install CS. You will need to upload the CS installation file to a public AWS bucket first.

RBaconJC
Community Manager

This is a very good suggestion. There are two reasons why I did not go with this option:

  • When I set everything up, it was before the Silicon processor was being correctly identified in the system info.
  • I am not great at creating profiles 😅

I will have to give this a try. My biggest concern is the timing of the policy being applied and the software installation. That being said, I am also going to see if there is a way to leverage that profile template to perform sensor tagging.

Thanks for the post!

BenGarrison
JumpCloud Alumni

Is there a way to have the policy automatically install the CS? Somehow have the payload within the policy? If we could make that work then I think we have the bestest solution EVER

I'm working on deploying this way but the Software Management policy keeps failing to install the application with a status code of 1. The pre-built profile from JumpCloud seems to be working just fine but the actual software install is failing. I may have to try using the commands instead.

I don't know if it would help, but it looks like JumpCloud has a built-in Policy Management Config that automatically installs Falcon permissions. It also has the ability to grant kernel extensions automatic approval if the CrowdStrike one doesn't work. I haven't used either of them yet, but it looks promising.


 

It looks like Jumpcloud just recently added these pre-built policies. Since I have both Intel and ARM-based Macs in my inventory, I will give this a try and see how it performs on a few devices.

Update: Licensing through the JC provided profile is working and I'm no longer using the script below to license CrowdStrike. 

The policies seem to be working relatively well. They take care of everything with the exception of the licensing reliably. What I believe was causing the install issues was the installer not pulling the license from the config profile reliably. What ended up working for me is making a script and then pushing that using commands to install CrowdStrike. Then after the install completes I run the activation. This has given me the most consistency.

 

#Create variable with download url of the installer
DownloadUrl="https://YourDownloadURL"
#Create variable with app name
AppName='Falcon'
#Write content of variable to console output
echo "App Name: $AppName"

echo "Testing to ensure App is not already installed"
#Create variable with results of search in Application folder for $AppName
ExistingSearch=$(find "/Applications/" -name "$AppName")
#If variable is not null (If search found the app in the application folder)
if [[ -n "$ExistingSearch" ]]
then
    echo "$AppName already present in /Applications folder, exiting."
    exit 1
else
    # Runs if app name wasn't found in application folder
    echo "$AppName not present in /Applications folder, installing"
    
    # Check if the CrowdStrike profile is present
    echo "checking to see if the CrowdStrike profile is present"
    # variable containing the installed profiles on the device
    ProfileSearch=$(profiles -P)
    # variable containing string from the CrowdStrike profile
    ProfileCompare="crowdStrike_Falcon_MDM_Settings"
    # If statement that checks whether or not the CrowdStrike profile is installed
    if [[ $ProfileSearch = *"$ProfileCompare"* ]]
    then
        echo "The CrowdStrike profile is present, installing CrowdStrike Falcon"
        # Install CrowdStrike
        #download installer from S3 bucket and output it to /tmp folder
        curl "$DownloadUrl" --output /private/tmp/FalconSensorMacOS.pkg
        #Run the installer
        installer -verboseR -package /private/tmp/FalconSensorMacOS.pkg -target /
        # Activate Falcon with our license
        echo "Licensing app..."
        /Applications/Falcon.app/Contents/Resources/falconctl license 123YourLicense456789
        echo "Install finished, deleting install files..."
        #delete left over installation files no longer needed
        rm /private/tmp/FalconSensorMacOS.pkg
        echo "The following files were deleted: /private/tmp/FalconSensorMacOS.pkg" 
        echo "displaying agents stats: (if blank agent isn't running)"
        /Applications/Falcon.app/Contents/Resources/falconctl stats agent_info
    else
        echo "The CrowdStrike profile is NOT present, CrowdStrike Falcon will NOT be installed."
    fi
fi

 

@BScott is there any way to get JumpCloud to update the pre-built policies to handle the situation that @JacobLawson dealt with?  Is there a GitHub repo for these scripts that we can issue a PR against?

BScott
Community Manager

@RNHurt see just below...Tom is on it.


Hey Jacob - Do you have any Falcon logs from a system with our policy for licensing applied where it's not installing correctly? If so, I want to get those raised with our CrowdStrike team members.

Hi Tom, I don't have any now but I can try and get some for you guys next week. 

Apologies for not following up here.  Everything is working smoothly and the licensing is working as expected. I'm no longer activating the license in my install script; I'm letting the profile handle it and everything is behaving as expected. 

@JacobLawson hopefully you've seen Tom's reply about getting logs if you have any. We'd like to see what we can do to update.


Just wanted to call out one tiny correction in your PowerShell command.
You have the pipeline variables as $.os and $.arch when it should be $_.os and $_.arch respectively.
Just want to call this out for any users that are less experienced with PowerShell and are running into issues attempting to run this command, as it is a very useful command. This means the command would look like:

Get-JCSystem | Where-Object {$_.os -like "Mac OS X" -and $_.arch -eq "arm64"} | Add-JCSystemGroupMember -GroupName "Mac - Apple silicon"