Jamf Nation Community

I'd ditch McAfee in a heartbeat to use is simply because it has a cool icon!

We just launched a project to roll it out globally to our Win and Mac machines, replacing McAfee on the Win side. The install is a breeze and I def agree about removing the uninstaller if your users have admin rights. It was very low overhead and none of our POC users had any complaints like they do about McAfee or others.

Can anyone share some info about how they installed this with JAMF please? I'm kind of new to JAMF, haven't done software deployment yet so not entirely sure the best way to go about it - are you running it as a script, or passing arguments to the pkg, or what? Thanks! :)

We will soon deploy CrowdStrike to the company owned Macs. I am new to using JAMF and haven't figured out the best way to deploy the agent along with the sudo command to the devices. @chuinder or @briangoldstein can either of you provide assistance in helping deploy. Thanks in advance.

I use Crowdstrike Falon for a few companies that I support.

To deploy it is quite easy.

1) Create a policy that runs at enrollment or once per computer at checkin that install the PKG from the CS Portal and after runs this scripts:

sudo /Library/CS/falconctl license LICENSEIDHERE

That is it. If you want to go a step further you could create an extension attribute that looks for the CS folder or agent. You can then scope your policy to a smart group that only installs it on machines w/o the agent.

The latest Falcon Sensor for Mac (6103) finally allows password protection of the uninstall (only the Windows sensor had this previously). CrowdStrike support recommends a python script to pass the password over to the installer without putting it into command line in clear text. That said, the python script is still storing the password in plain text. Not the best idea, but tis all they had to offer for now and better than leaving it unprotected since all of our users are local admins (for now).

My install policy does the following:
Installs Falcon Sensor via the package provided in the Falcon Console
Places the password python script (Falcon-Protect.py) into /Library/CS/
Run's my install script (installFalconSensor.sh) stored in JAMF pro.

Falcon-Protect.py

#!/usr/bin/env python
from __future__ import print_function
password = 'MAGICWORDSGOHERE'
try:
    while True:
        print(password)
except IOError:
    pass

installFalconSensor.sh:

#!/bin/bash
/Library/CS/falconctl license LICENSEHERE
/Library/CS/Falcon-Protect.py | sudo /Library/CS/falconctl installguard
sudo rm /Library/CS/Falcon-Protect.py

I also created the following extension attribute to report what version sensor the machines are running:

#!/bin/bash
#########################################################################################
# A script to collect the version of the CrowdStrike Falcon Sensor currently installed.  #
# If CrowdStrike Falcon is not installed "Not Installed" will return back               #
#########################################################################################
RESULT="Not Installed"

if [ -f "/Library/CS/falconctl" ] ; then
    RESULT=$( sysctl cs.version | awk '{print $2}' )
fi

echo "<result>$RESULT</result>"

to: Zachary.fisher - Your policy instructions worked great on all systems earlier than 10.13.3. I've not been able to get this policy working on 10.13.3. Any solutions you've come across? I've been searching with no luck.

Thanks - John

@briangoldstein How did you go about copying your Falcon-Protect.py script into /Library/CS/ ?

@chrijens sorry for the delay, was traveling when you sent that and the notification got lost. I just tossed the script in a package w/ composer.

Could you use script parameters to pass in the password, so it isn't hard-coded within the script? I haven't done much with this functionality, but we're looking at rolling out CS as well and ways to do so intelligently/securely.

@KSchroeder You can use an input parameter, but the password prompt is interactive with the binary. So, an 'except' script can negotiate both the password and password confirmation prompts. Assuming your password was reassigned from $4 to PWD: PWD="$4"

expect <<- DONE set timeout -1 spawn /Library/CS/falconctl installguard expect "Falcon Password:" send -- "${PWD} " expect "Confirm Falcon Password:" send -- "${PWD} " expect eof DONE

one thing to note, if you're setting the password with an expect script as part of a postinstall script in your pkg you should remove the

spawn /Library/CS/falconctl installguard

since the installer invokes it on it's own.

I never understood why a password would ever make sense in a managed environment.

Troubleshooting would be impacted, so problems will take longer to resolve, sensitive password is now floating around, and potentially SLAs might be missed...etc.

So we have this thing Jamf Pro. which can easily ensure Crowdstrike is both installed and running...so why not use it?

• Is Crowdstrike installed, if not install it.
• Is Crowdstrike process running, if not reinstall it.
• Are any log/defs files being updated, if not reinstall it.

Its a much more manageable/sustainable approach...but yea I can see unmanaged environments using passwords.

#dosCentavos #healthcheckLogic

yeah, I know what you mean @donmontalvo , but you can still do all that even with a password set.

What would be the value to check if Crowdstrike has been deployed and currently running?

@nkalister do you have a script that works to uninstall a password protected client? If so can you share? :)

@donmontalvo sure, this is working for me:

#!/bin/bash

expect -c "
  spawn /Library/CS/falconctl uninstall --password
  expect "Falcon Password:"
  send password
  send 
  expect eof
  "

substitute your client password for password in the codeblock.

Also, my previous post about not needing the

spawn /Library/CS/falconctl installguard

line was incorrect! While using the --password switch as described in the CS documentation appears to password protect the clients (the prompt for a password appeared) it actually still allowed the client to be removed without the password! I've now gone back to running the license command without the --password switch and am using the installguard command instead and it's working as expected.

@nkalister thanks! Will test later in the week.

Does anyone have a way monitor if CrowdStrike is running using an EA?

So I have been working with infosec to deploy crowd strike again on Macs . we had to remove it because it would cause kernel panic if you had Box client on your Mac when trying to upgrade to High Sierra. Secondly we are currently trying to uninstall CS from a Mac and it causes a kernel panic to. has anyone seen this or any thought on this.

We're using CS in our environment and have had no issues at all. It's pretty lightweight because all the analysis happens in the cloud. I've had no kernel panics in general, or upon any OS upgrades. Our InfoSec team seem to love it. The only downside I've encountered is there's not any local notifications; InfoSec will get notified and then has to handle notifications to techs or users.

I have 3 EA's I use to collect info on it.

#!/bin/sh
#Falcon CrowdStrike Connection State

falconConnState=`sysctl cs.comms.cloud_connection_state | awk '{print $2}'`
echo "<result>$falconConnState</result>"

#!/bin/sh
#Falcon CrowdStrike Sensor ID

falconHostID=`sysctl cs.sensorid | awk '{print $2}'`
echo "<result>$falconHostID</result>"

#!/bin/sh
#Falcon CrowdStrike Sensor Version

RESULT="Not Installed"

if [ -f "/Library/CS/falconctl" ] ; then
    RESULT=$( sysctl cs.version | awk '{print $2}' )
fi

echo "<result>$RESULT</result>"

@nkalister So replace Falcon Password: with the password that we set?

@briangoldstein i'm stuck at 'Running script Falcon-protect.py...' it just hangs and doesn't proceed.

@dennisnardi. Kind of new with jamf. Looking at you EA for Falcon. This is great, but I don't know much scripting but learning. How would I setup the Smart Group Criteria? I am just a little confused on what goes into the Operator and Value fields. Appreciate any help.

@tavaresj A few versions of CS back they changed their binary commands, so here is an updated EA script that will get the correct connection state:

#!/bin/sh

#  CS Connection State
#  

falconConnState=`sudo /Library/CS/falconctl stats | grep -i "State: " | awk '{print $2}'`

echo "<result>$falconConnState</result>"

That either returns "Connected" or blank (I think). Once you have the EA you can make your smart group criteria, and so mine is just "Name of EA" "is" "Connected". That will show all the computers with a working install of CS.

Those commands are deprecated - has anyone modified them for the new binary location inside Falcon.app? The cs.xxxxx commands no longer work either.

@davidi4 This is the new location.

#!/bin/sh
## $4 = CID with Checksum
sudo /Applications/Falcon.app/Contents/Resources/falconctl license REPLACEWITHSERIAL#
exit 0

@keric Thanks! Next issue - Has anyone successfully done an upgrade in place using Jamf? I've got 6.14.12704.0 from InfoSec. It appears to install successfully, but everything CS stays at 6.12. I've been installing 5.32.11301.0 since we implemented CS, and the devices update the agent via CS cloud. I need to get everyone upgraded to a Big Sur-compatible version, with SEXTs enabled instead of KEXT before I release BS to production.

Thoughts?

@davidi4 Crowdstrike does not use SysExt's under Catalina. And there's a known issue with the 6.x agent not working when a machine is upgraded to Big Sur. Supposed to be fixed in the upcoming 6.15.

Suggested workflow for now is to keep Catalina on 5.41, and Big Sur on 6.14. The 5.41 works enough that it can self-update to 6.14 once it's on Big Sur.

You will need to deploy the updated profile that includes SysExt approvals and web content filter payloads. Sample profile is on CS's support portal. You can deploy that profile to Catalina, but not Mojave.

@davidi4 Crowd Strike (Falcon Sensor) cloud should be updating clients itself. Tell your CS admin to get on the ball. You should only require an install on new machines or machines that have it removed. The console can also protect the install with out you having to package the client with a cert/token or what ever. The new installs work without removal, test one, check Falcon console for the version the machine is now reporting. We just started deploying the AV protection and ditched Symantec.

A determined intruder can blend into the day-to- day noise of a typical In this review of Falcon OverWatch, CrowdStrike's managed threat hunting service.
CredibleBH

Hi,

@dennisnardiI used your script to get the status of falcon sensor but that is not working.

Also unable to uninstall the sensor and getting an error

Error: InstallGuard is not ready

Also, we have ~400 devices on JAMF and Falcon sensor is installed but somehow ~100 machines are not showing up on the Hostmanagement page of CrowdStrike.

Any idea, how can we do these solved please?