Jamf Nation Community

user-zBNtQAAFCi · ‎05-18-2021

Hey All:

Thanks in advance for the help.

I'm trying to see what computers I have in my environment without our Crowdstrike agent installed on them.

I'm guessing the only way is scripting this through an extensible attribute (EA).

I've placed this code in an EA:

if [ -e /library/CS/ ]; then
echo "<result>Has Alias</result>"
else
echo "<result>Does Not Have Alias</result>"
fi

exit

The EA only shows up blank.

Anything I'm doing wrong?

mickl089 · ‎05-18-2021

Try this one, works for me perfect:

#!/bin/bash
###

Variables

###
user=ls -la /dev/console | cut -d " " -f 4 result=() filesFound=0 suspiciousFiles=( "YOUR FILE OR FOLDER HERE" )
###

Script

###
for suspiciousFile in "${suspiciousFiles[@]}"; do echo "Looking for $suspiciousFile" if [ -e "$suspiciousFile" ]; then filesFound=$(expr $filesFound 1) result=("$suspiciousFile") fi done if [ $filesFound -ne 0 ]; then echo "<result>"Yes: "${result[@]}</result>" else echo "<result>No</result>" fi exit

glennmiller · ‎05-19-2021

Update to a later version of Crowdstrike and it becomes an app, not just a binary.
If you're not able to update from 6.15 or older, we used to use the below in an extension attribute:

Returns version of CS agent if 6.15 or older.

#!/bin/sh
RESULT="False"
if [ -f "/Library/CS/falconctl" ] ; then
    RESULT=$( sysctl cs.version | awk '{print $2}' )
fi
echo "<result>$RESULT</result>"

chrisyeo · ‎05-19-2021

If the EA is turning up blank on your machines, it's likely that they haven't done an inventory (recon) run yet. Have you checked if machines with blank values have done an Inventory run since configuring the EA?

Jamf Nation Community

Check If Folder Exists (Crowdstrike Falcon)

I've placed this code in an EA:

exit

###

Variables

###

###

Script

###