CrowdStrike Falcon Install via Jamf Pro

j_allenbrand
Contributor

Hi, has anyone been able to deploy CrowdStrike Falcon via Jamf?

We need to deploy this to 180+ machines and don't want to manually install every device.

15 REPLIES

jameson
Contributor II

Yes, it is very easy to deploy.

mwoodruff
New Contributor III

Some info here: https://www.jamf.com/jamf-nation/third-party-products/636/crowdstrike-falcon?view=info

pmendez
New Contributor III

We use it in the company I work for. I have an ongoing policy scoped to computers that don't have CrowdStrike installed. I deploy a pkg and insert the license with a very short script after install:

#!/bin/sh
# $4 is the first custom script parameter Jamf passes to a policy script.
/Library/CS/falconctl license "$4"
exit 0

where $4 = your license

We also added an approved kernel extension (more info here and here)

dennisnardi
Contributor

There's a thread about CrowdStrike at https://www.jamf.com/jamf-nation/discussions/26080/crowdstrike-falcon-does-it-blend that has some good info.

tlarkin
Honored Contributor

Yes, it is like a million times easier to install on macOS than it is on Windows. I deploy mine at bootstrap/enrollment and then have health checks that will report on failed instances. Phase 2 is auto remediation of those tools, but I haven't tackled that yet.

j_allenbrand
Contributor

I am bumping this up since we are now trying to upgrade our base sensors.

I am getting an error; any ideas?

Executing Policy CrowdStrike Sensor Test
Downloading FalconSensorMacOS-3.pkg...
Verifying package integrity...
Installing FalconSensorMacOS-3.pkg...
Installation failed. The installer reported: installer: Package name is CrowdStrike Falcon Sensor
installer: Upgrading at base path /
installer: The upgrade failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “FalconSensorMacOS-3.pkg”.)
Running script CrowdStrike Installer Script...
Script exit code: 1
Script result: Error: This machine is already licensed
Error running script: return code was 1.

Jason33
Contributor III

@j_allenbrand That machine is already licensed, according to the result. You can reach out to the user to ask them to verify if Falcon is running, by doing ps aux | grep falcon, or there are a couple of EAs you can run to get the connected state and version of the sensor installed.

sk8559
New Contributor III

Even I am getting the same issue as @j_allenbrand. Not sure what is failing. We see that on some machines the same package is working fine and on some it is not. In the extension I see the service is stopped.

Installing FalconSensorMacOS (2).pkg...
Installation failed. The installer reported: installer: Package name is CrowdStrike Falcon Sensor
installer: Upgrading at base path /
installer: The upgrade failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “FalconSensorMacOS (2).pkg”.)
Running script CrowdStrike Reload...
Script exit code: 0
Script result: Error: A maintenance token is required to unload. Specify one with -t.
Error: This machine is already licensed
Falcon sensor is loaded

Same issue for me; any solution for this, please?

danny_gutman
New Contributor III

How are you guys suppressing Falcon Notifications prompt? I see no one talked about this on any other threads.

You guys are getting a prompt to approve or deny Notifications for Falcon?

CrowdStrike calls it notifications from a second app hidden in the app bundle. 

/Applications/Falcon.app/Contents/Library/LaunchServices/Falcon\ Notifications.app

Use the Bundle ID of "com.crowdstrike.falcon.UserAgent" in a Notifications Configuration Profile. 

 


 

gachowski
Valued Contributor II

I am seeing "Script result: Error: This machine is already licensed" and the EA shows that it's not installed. Are you guys still seeing the same thing?

C

jlombardo
Contributor

Anyone have a solution to this issue? For me, I had a group of test machines install CS and they did not show up in the CS portal... So there is not a token I can use to uninstall the app locally from the Macs.

jlombardo
Contributor

I was able to solve my issue by going into safe mode with no network, running the uninstall script, booting the machine back out of safe mode and running the install script.

This made the machine that was not originally in the portal appear.

This is the critical point here, I think. Machines that don't show in the portal get the "already licensed" issue. Even with EAs we can check for install and loaded, but they still might not be in the portal. I think this is more of a Falcon issue than anything with Jamf. But it would be nice to have a reinstall script that can resolve this. I would assume running

sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall with the maintenance token and then reinstall.
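
An added example, not part of any post in this thread: a small triage function that tags Jamf policy logs with the Falcon failure modes quoted above, including the case where the script prints an error but still exits 0. The tag names and the function name are assumptions made for illustration; the matched strings and the two sample logs are trimmed copies of the ones posted in the thread.

```bash
#!/bin/bash
# Added example (not from the thread): tag Jamf policy logs with the Falcon
# failure modes quoted above, so a health check can report on them.

# Reads a policy log on stdin; prints space-separated tags, or OK.
# Tag names are hypothetical; the matched strings come from the posted logs.
classify_policy_log() {
    local log exit_code tags=""
    log=$(cat)
    # Exit code Jamf recorded for the policy script (last one wins).
    exit_code=$(printf '%s\n' "$log" |
        sed -n 's/^Script exit code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)

    case "$log" in *"installer: The upgrade failed."*)
        tags="$tags PKG_UPGRADE_FAILED" ;; esac
    case "$log" in *"Error: This machine is already licensed"*)
        tags="$tags ALREADY_LICENSED" ;; esac
    case "$log" in *"A maintenance token is required"*)
        tags="$tags TOKEN_REQUIRED" ;; esac
    # The script printed an error but exited 0, so the error shows up only
    # in the script result text, not in the exit code.
    if [ "$exit_code" = "0" ]; then
        case "$log" in *"Error:"*) tags="$tags MASKED_SCRIPT_ERROR" ;; esac
    fi

    echo "${tags:- OK}" | sed 's/^ //'
}

# Trimmed copies of the two policy logs posted in this thread.
LOG_UPGRADE='Installing FalconSensorMacOS-3.pkg...
installer: The upgrade failed. (...)
Running script CrowdStrike Installer Script...
Script exit code: 1
Script result: Error: This machine is already licensed
Error running script: return code was 1.'

LOG_RELOAD='Installing FalconSensorMacOS (2).pkg...
installer: The upgrade failed. (...)
Running script CrowdStrike Reload...
Script exit code: 0
Script result: Error: A maintenance token is required to unload. Specify one with -t.
Error: This machine is already licensed
Falcon sensor is loaded'

printf '%s\n' "$LOG_UPGRADE" | classify_policy_log
printf '%s\n' "$LOG_RELOAD"  | classify_policy_log
```
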