Posted on 07-01-2019 10:41 AM
Hi, has anyone been able to deploy CrowdStrike Falcon via Jamf?
We need to deploy this to 180+ machines and don't want to manually install every device.
Posted on 07-01-2019 11:28 AM
Yes, it is very easy to deploy.
Posted on 07-01-2019 11:47 AM
Some info here: https://www.jamf.com/jamf-nation/third-party-products/636/crowdstrike-falcon?view=info
Posted on 07-01-2019 04:47 PM
We use it in the company I work for. I have an ongoing policy scoped to computers that don't have crowdstrike installed. I deploy a pkg and insert the license with a very short script after install:
#!/bin/sh
# Jamf script parameter 4 ($4) carries the license
/Library/CS/falconctl license "$4"
exit 0
where $4 = your license
We also added an approved kernel extension (more info here and here)
Posted on 07-01-2019 07:17 PM
There's a thread about CrowdStrike at https://www.jamf.com/jamf-nation/discussions/26080/crowdstrike-falcon-does-it-blend that has some good info.
Posted on 07-02-2019 04:50 PM
Yes, it is like a million times easier to install on macOS than it is on Windows. I deploy mine at bootstrap/enrollment and then have healthchecks that will report on failed instances. Phase 2 is auto remediation of those tools, but I haven't tackled that yet.
Posted on 08-05-2020 01:36 PM
I am bumping this up since we are now trying to upgrade our base sensors.
I am getting an error; any ideas?
Executing Policy CrowdStrike Sensor Test
Downloading FalconSensorMacOS-3.pkg...
Verifying package integrity...
Installing FalconSensorMacOS-3.pkg...
Installation failed. The installer reported: installer: Package name is CrowdStrike Falcon Sensor
installer: Upgrading at base path /
installer: The upgrade failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “FalconSensorMacOS-3.pkg”.)
Running script CrowdStrike Installer Script...
Script exit code: 1
Script result: Error: This machine is already licensed
Error running script: return code was 1.
Posted on 08-06-2020 10:02 AM
@j_allenbrand That machine is already licensed, according to the result. You can reach out to the user to ask them to verify if Falcon is running by doing ps aux | grep falcon, or there are a couple of EAs you can run to get the connected state and version of the sensor installed.
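One way to keep the licensing step from failing a policy on a Mac that is already licensed, as in the log above (an added example, not a script from any poster or from CrowdStrike). It assumes the falconctl path and the error text shown in this thread; `license_sensor` and the `FALCONCTL` override are hypothetical names.

```shell
#!/bin/sh
# Added example: license step that tolerates an already-licensed sensor.
# FALCONCTL defaults to the path used in this thread; override it for testing.
FALCONCTL="${FALCONCTL:-/Library/CS/falconctl}"

# license_sensor LICENSE  (hypothetical helper)
# Returns 0 when licensing succeeded or the sensor was already licensed,
# 2 on a missing license or missing binary, otherwise falconctl's exit code.
license_sensor() {
    license="$1"
    if [ -z "$license" ]; then
        echo "No license supplied in script parameter 4" >&2
        return 2
    fi
    if [ ! -x "$FALCONCTL" ]; then
        echo "falconctl not found at $FALCONCTL" >&2
        return 2
    fi
    # Capture stdout and stderr so the message can be inspected.
    rc=0
    output=$("$FALCONCTL" license "$license" 2>&1) || rc=$?
    if [ -n "$output" ]; then
        printf '%s\n' "$output"
    fi
    if [ "$rc" -eq 0 ]; then
        return 0
    fi
    # Error text as it appears in the policy logs in this thread.
    case "$output" in
        *"already licensed"*)
            echo "Sensor already licensed; not treating this as a failure"
            return 0 ;;
    esac
    return "$rc"
}

# Jamf passes the first custom script parameter as $4.
if [ "$#" -ge 4 ]; then
    license_sensor "$4"
    exit $?
fi
```

This only stops the policy from failing on the licensing step. As later posts in the thread note, a sensor that reports "already licensed" may still be missing from the portal, so pair it with a health check.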
Posted on 02-12-2021 09:59 AM
Even I am getting the same issue as @j_allenbrand. Not sure what is failing. We see that on some machines the same package is working fine and on some it is not. In extension I see the service is stopped.
Installing FalconSensorMacOS (2).pkg...
Installation failed. The installer reported: installer: Package name is CrowdStrike Falcon Sensor
installer: Upgrading at base path /
installer: The upgrade failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “FalconSensorMacOS (2).pkg”.)
Running script CrowdStrike Reload...
Script exit code: 0
Script result: Error: A maintenance token is required to unload. Specify one with -t.
Error: This machine is already licensed
Falcon sensor is loaded
Posted on 11-08-2023 04:22 AM
Same issue for me. Any solution for this, please?
Posted on 02-17-2021 02:36 PM
How are you guys suppressing the Falcon Notifications prompt? I see no one talked about this on any other threads.
You guys are getting a prompt to approve or deny Notifications for Falcon?
Posted on 07-15-2021 02:17 PM
CrowdStrike calls it notifications from a second app hidden in the app bundle.
/Applications/Falcon.app/Contents/Library/LaunchServices/Falcon\ Notifications.app
Use the Bundle ID of "com.crowdstrike.falcon.UserAgent" in a Notifications Configuration Profile.
Posted on 04-14-2021 04:04 PM
I am seeing "Script result: Error: This machine is already licensed" and the AE shows that it's not installed. Are you guys still seeing the same thing?
Posted on 05-12-2021 10:51 AM
Anyone have a solution to this issue? For me, I had a group of test machines install CS and they did not show up in the CS portal... So there is not a token I can use to uninstall the app locally from the Macs.
Posted on 05-12-2021 03:36 PM
I was able to solve my issue by going into safe mode with no network, running the uninstall script, booting the machine back out of safe mode and running the install script.
This made the machine that was not originally in the portal appear.
Posted on 05-20-2022 09:34 AM
This is the critical point here, I think. Machines get the "already licensed" issue that don't show in the portal. Even with EAs we can check for install and loaded, but they still might not be in the portal. I think this is more of a Falcon issue than anything with Jamf. But it would be nice to have a reinstall script that can resolve this. I would assume running
sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall with the maintenance token and then reinstall.