Hi, Has anyone been able to deploy Crowdstrike Falcon via jamf?
We need to deploy this to 180+ machines and don't want to manually install every device.
Question
CrowdStrike Falcon Install via Jamf Pro
+5
+14Some info here: https://www.jamf.com/jamf-nation/third-party-products/636/crowdstrike-falcon?view=info
+4We use it in the company I work for. I have an ongoing policy scoped to computers that don't have crowdstrike installed. I deploy a pkg and insert the license with a very short script after install:
#!/bin/sh
/Library/CS/falconctl license $4
exit 0where $4= your license
we also added an approved kernel extension (more info here and here)
+15There's a thread about CrowdStrike at https://www.jamf.com/jamf-nation/discussions/26080/crowdstrike-falcon-does-it-blend that has some good info.
+31Yes, it is like a million times easier to install on macOS than it is on Windows. I deploy mine at boostrap/enrollment and then have healthchecks that will report on failed instances. Phase 2 is auto remediation of those tools, but I haven't tackled that yet
+5I am bumping this up since we are now trying to upgrade our base sensors.
I am getting. error; any ideas?
Executing Policy CrowdStrike Sensor Test
Downloading FalconSensorMacOS-3.pkg...
Verifying package integrity...
Installing FalconSensorMacOS-3.pkg...
Installation failed. The installer reported: installer: Package name is CrowdStrike Falcon Sensor
installer: Upgrading at base path /
installer: The upgrade failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “FalconSensorMacOS-3.pkg”.)
Running script CrowdStrike Installer Script...
Script exit code: 1
Script result: Error: This machine is already licensed
Error running script: return code was 1.
+13@j_allenbrand That machine is already licensed, according to the result. You can reach out to the user to ask them to verify if Falcon is running, by doing ps aux | grep falcon, or there are a couple of EA's you can run to get the connected state, and version of the sensor installed.
+4even i am getting same issue as @j_allenbrand . Not sure what is failing. we see on some machine same package is working fine and on some it is not. In extension I see service is stoped.
Installing FalconSensorMacOS (2).pkg...
Installation failed. The installer reported: installer: Package name is CrowdStrike Falcon Sensor
installer: Upgrading at base path /
installer: The upgrade failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “FalconSensorMacOS (2).pkg”.)
Running script CrowdStrike Reload...
Script exit code: 0
Script result: Error: A maintenance token is required to unload. Specify one with -t.
Error: This machine is already licensed
Falcon sensor is loaded
+7How are you guys suppressing Falcon Notifications prompt? I see no one talked about this on any other threads.
You guys are getting a prompt to approve or deny Notifications for Falcon?
+16I am seeing "Script result: Error: This machine is already licensed" and the AE show that it's not installed are you guys still seeing the same thing?
C
+7Anyone have a solution to this issue? For me, I had a group of test machines install CS and they did not show up in the CS portal... So there is not a token I can use to uninstall the app locally from the Macs.
+7I was able to solve my issue by going into safe mode with no network, running the uninstall script, booting the machine back out of safe mode and running the install script.
This made the machine that was not originally in the portal appear
+2How are you guys suppressing Falcon Notifications prompt? I see no one talked about this on any other threads.
You guys are getting a prompt to approve or deny Notifications for Falcon?
CrowdStrike calls it notifications from a second app hidden in the app bundle.
/Applications/Falcon.app/Contents/Library/LaunchServices/Falcon\\ Notifications.app
Use the Bundle ID of "com.crowdstrike.falcon.UserAgent" in a Notifications Configuration Profile.
+7I was able to solve my issue by going into safe mode with no network, running the uninstall script, booting the machine back out of safe mode and running the install script.
This made the machine that was not originally in the portal appear
This is the critical point here i think. Machines get the "already licensed" issue that dont show in the portal. Even with EAs we can check for install and loaded, but they still might not be in the portal. I think this is more of a falcon issue then anything with jamf. But it would be nice to have a reinstall script that can resolve this. I would assume running
sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall with the maintenance token and then re install.
+2even i am getting same issue as @j_allenbrand . Not sure what is failing. we see on some machine same package is working fine and on some it is not. In extension I see service is stoped.
Installing FalconSensorMacOS (2).pkg...
Installation failed. The installer reported: installer: Package name is CrowdStrike Falcon Sensor
installer: Upgrading at base path /
installer: The upgrade failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “FalconSensorMacOS (2).pkg”.)
Running script CrowdStrike Reload...
Script exit code: 0
Script result: Error: A maintenance token is required to unload. Specify one with -t.
Error: This machine is already licensed
Falcon sensor is loaded
Same issue for me any solution for this please
+2How are you guys suppressing Falcon Notifications prompt? I see no one talked about this on any other threads.
You guys are getting a prompt to approve or deny Notifications for Falcon?
And this isn't really the thread for it either....we are trying to figure out installation issues here, not notifications.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.