Uninstalling Crowdstrike Falcon Sensor - Help with script

walterchuck
New Contributor

Good day!

I need to uninstall Crowdstrike Falcon Sensor from some of our Macs. Crowdstrike's instructions to uninstall via Terminal are as follows:

sudo /Library/CS/falconctl uninstall --maintenance-token

  • Terminal prompts for user password. Password is entered.
  • Terminal then prompts for "Falcon Maintenance Token". Falcon Maintenance Token is entered.
  • Crowdstrike Falcon Sensor is uninstalled.

I'm a script noob and can't seem to Google-fu my way to finding how to:
1. Prefill a separate local admin user & password
2. Add syntax that would allow the script to enter the Falcon Maintenance Token after it's prompted

Is this even possible?

Thanks so much!

8 REPLIES

DBrowning
Valued Contributor II

If you are running the script via Jamf, sudo is not needed as scripts are run as root. I would also suggest maybe talking with your CS Admin to see if they are willing to disable the InstallGuard on the specific machines you are looking to remove CS from. Then you can have a simple script of the below and be done with it.

/Library/CS/falconctl uninstall

KurdTech
New Contributor II

I have the same issue. Did you figure out how to run the script? Also, how do I run the script for a bunch of machines? I am aware each machine has a unique token.

LaMantia
New Contributor III

Look at this thread

link

Posted: 7/23/2018 at 6:12 PM CDT by nkalister

daniel_ross
Contributor III

Going to bump this post and see if anyone has figured out how to do this with a maintenance token installed or if you get the response from Jamf upon install:

Script result: Error: This machine is already licensed

We see the computer in the Falcon console but Jamf keeps saying the above message. Hoping a quick uninstall might be possible via a script but haven't figured out how to deploy it properly yet.

ifbell
Contributor

What we have found is that you will need to do a manual uninstall with the maintenance token. Once the product is removed then we have Jamf check if CS is missing and re-install it.

I am working on a new script to try to accomplish the whole process from Jamf itself.

joethedsa
Contributor II

Anyone make any progress on this? I have some of the groundwork in a script but am trying to leverage the Crowdstrike API to get the maintenance token for uninstall since it is unique to each machine. I have limited experience with accessing APIs using curl and how to authenticate when there is an authentication token that is also required.

Dorr7
New Contributor

CrowdStrike's KB article suggests using a small Python script to provide the maintenance token to the falconctl CLI command. Unfortunately, Python is not a good option anymore. I am researching to find a solution. If I find one, I will link or repost it here. 

Did you come up with a solution, @Dorr7?

Why is python not a good option?
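
The prompt-answering step asked about in the original post, sketched without Python using the expect tool that ships with macOS. This is an added example, not part of the thread and not CrowdStrike's or any poster's script. It assumes the prompt contains the text "Falcon Maintenance Token" as quoted above and that falconctl accepts the token typed on a terminal; the function name, the token-file convention and the FALCONCTL override are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Jamf runs scripts as root, so no sudo.
# FALCONCTL defaults to the path quoted in the thread; the override exists
# only so the function can be exercised against a stand-in binary.
FALCONCTL="${FALCONCTL:-/Library/CS/falconctl}"

# uninstall_with_token TOKEN_FILE
# Reads the per-machine token from a file readable only by root, so the token
# never appears in argv (visible in `ps`) or in the policy log, answers the
# prompt, and returns the exit status of falconctl.
# Returns 2: token file unreadable, 3: prompt never appeared, 4: tool exited
# before prompting.
uninstall_with_token() {
    token_file="$1"
    if [ ! -r "$token_file" ]; then
        echo "token file not readable: $token_file" >&2
        return 2
    fi
    CS_TOKEN="$(cat "$token_file")" FALCONCTL="$FALCONCTL" expect -c '
        set timeout 30
        log_user 0 ;# keep the session, including the token, out of the log
        spawn -noecho $env(FALCONCTL) uninstall --maintenance-token
        expect {
            -re "Falcon Maintenance Token" { send -- "$env(CS_TOKEN)\r" }
            timeout { exit 3 }
            eof     { exit 4 }
        }
        set timeout 300
        expect eof
        exit [lindex [wait] 3]
    '
}

# Usage from a policy script (token file path is a placeholder):
#   uninstall_with_token /path/to/token-file && rm -f /path/to/token-file
```

Because each machine has its own token, the token file has to be delivered per device, and it should be removed after a successful run.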