
I noticed Crowdstrike Falcon was added to Third Party Products.



It was added by @pingebrigtsen who works for the company.



Is anyone using it? Asking because there are no discussions about it on this forum. Zero. Nada. Zilch.



Did you replace another solution (McAfee, Symantec, etc.) with it?



What does it do that you like?



What does it not do that you hoped it would?



How is it working out for your environment?



Just curious, not trying to start an anti-malware war. :)



@tavaresj A few versions of CS back they changed their binary commands, so here is an updated EA script that will get the correct connection state:



#!/bin/sh

# CS Connection State
# Jamf extension attribute: reports the Falcon sensor's cloud connection state.

# Pull the "State:" line from `falconctl stats` and keep only its value.
falconConnState=$(sudo /Library/CS/falconctl stats | grep -i "State: " | awk '{print $2}')

echo "<result>$falconConnState</result>"


That either returns "Connected" or blank (I think). Once you have the EA you can make your smart group criteria, and so mine is just "Name of EA" "is" "Connected". That will show all the computers with a working install of CS.


Those commands are deprecated - has anyone modified them for the new binary location inside Falcon.app? The cs.xxxxx commands no longer work either.


@davidi4 This is the new location.



#!/bin/sh
## $4 = CID with Checksum (passed in as Jamf policy script parameter 4)
sudo /Applications/Falcon.app/Contents/Resources/falconctl license "$4"
exit 0
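Since the thread mentions both the legacy /Library/CS/falconctl path and the newer one inside Falcon.app, here is an added extension attribute (not code from the thread or from CrowdStrike) that checks whichever binary is present before running `stats`. It assumes only what the original EA assumes: that the stats output contains a line with "State:" followed by the connection state. The sample stats text at the bottom is constructed for offline testing, and an absent binary is reported as "Not Installed" rather than a blank result so the smart group criteria stay readable.

```shell
#!/bin/sh
# Added example EA (not from the thread): report the Falcon sensor connection
# state from whichever falconctl location exists on the Mac.
# Paths are the two mentioned in the thread; the "State: <value>" line in the
# stats output is an assumption carried over from the original EA.

# Candidate sensor binaries: newer (inside Falcon.app) and legacy (/Library/CS).
FALCONCTL_NEW="/Applications/Falcon.app/Contents/Resources/falconctl"
FALCONCTL_OLD="/Library/CS/falconctl"

# Print the first falconctl that exists and is executable; fail if neither does.
find_falconctl() {
    for candidate in "$FALCONCTL_NEW" "$FALCONCTL_OLD"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Read `falconctl stats` output on stdin and print the word that follows
# "State:" (case-insensitive, anywhere on the line). Print "Unknown" when no
# such line exists, so a broken install never yields an empty EA value.
parse_falcon_state() {
    state=$(awk '{
        for (i = 1; i <= NF; i++)
            if (tolower($i) == "state:") { print $(i + 1); exit }
    }')
    if [ -z "$state" ]; then
        echo "Unknown"
    else
        echo "$state"
    fi
}

# Full EA logic: "Not Installed" when no binary is present, else the parsed
# state. Jamf runs EAs as root, so no sudo is needed.
falcon_connection_state() {
    binary=$(find_falconctl) || { echo "Not Installed"; return 0; }
    "$binary" stats 2>/dev/null | parse_falcon_state
}

# Constructed sample stats output for testing the parser without a sensor.
SAMPLE_STATS_CONNECTED="Sensor operational: true
State: Connected
Host ID: 00000000-0000-0000-0000-000000000000"

# Emit the Jamf EA result when run as an extension attribute.
echo "<result>$(falcon_connection_state)</result>"
```

With this EA in place the smart group criteria from above become "Name of EA" "is" "Connected"; a second smart group on "Not Installed" or "Unknown" catches Macs where the sensor is missing or not reporting, which is the population a defender actually wants to chase.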

@keric Thanks! Next issue - Has anyone successfully done an upgrade in place using Jamf? I've got 6.14.12704.0 from InfoSec. It appears to install successfully, but everything CS stays at 6.12. I've been installing 5.32.11301.0 since we implemented CS, and the devices update the agent via CS cloud. I need to get everyone upgraded to a Big Sur-compatible version, with SEXTs enabled instead of KEXT before I release BS to production.



Thoughts?


@davidi4 Crowdstrike does not use SysExt's under Catalina. And there's a known issue with the 6.x agent not working when a machine is upgraded to Big Sur. Supposed to be fixed in the upcoming 6.15.



Suggested workflow for now is to keep Catalina on 5.41, and Big Sur on 6.14. The 5.41 works enough that it can self-update to 6.14 once it's on Big Sur.



You will need to deploy the updated profile that includes SysExt approvals and web content filter payloads. Sample profile is on CS's support portal. You can deploy that profile to Catalina, but not Mojave.


@davidi4 Crowd Strike (Falcon Sensor) cloud should be updating clients itself. Tell your CS admin to get on the ball. You should only require an install on new machines or machines that have it removed. The console can also protect the install without you having to package the client with a cert/token or whatever. The new installs work without removal; test one, check Falcon console for the version the machine is now reporting. We just started deploying the AV protection and ditched Symantec.




It looks like CrowdStrike has updated its kb with documentation on how to deploy Falcon with Jamf Pro. This covers config profiles, packaging, Jamf policy creation, license activation via script or config profile, and policy settings required on the CrowdStrike portal. The kb is in the CrowdStrike support portal, "How to deploy Falcon sensor for Mac with Jamf Pro policy": https://supportportal.crowdstrike.com/s/article/ka16T000000wwxVQAQ

My 2 cents: enabling installguard is controversial. Echoing @donmontalvo, it doesn't make sense in a managed environment. However, it is the recommendation from CrowdStrike to have installguard enabled. Perhaps that guidance is out of context? I'll leave this here.


Hi,

@dennisnardi I used your script to get the status of falcon sensor but that is not working.

Also unable to uninstall the sensor and getting an error

Error: InstallGuard is not ready

Also, we have ~400 devices on JAMF and Falcon sensor is installed but somehow ~100 machines are not showing up on the Hostmanagement page of CrowdStrike.

Any idea how we can get these solved, please?

