Help

Uninstalling Crowdstrike Falcon Sensor - Help with script

walterchuck
New Contributor

Posted on ‎05-14-2020 11:46 AM

Good day!

I need to uninstall Crowdstrike Falcon Sensor from some of our Macs. Crowdstrike's instructions to uninstall via Terminal are as follows:

sudo /Library/CS/falconctl uninstall --maintenance-token

  • Terminal prompts for user password. Password is entered.
  • Terminal then prompts for "Falcon Maintenance Token". Falcon Maintenance Token is entered.
  • Crowdstrike Falcon Sensor is uninstalled.

I'm a script noob and can't seem to Google-fu my way to finding how to:
1. Prefill a separate local admin user & password
2. Add syntax that would allow the script to enter the Falcon Maintenance Token after it's prompted

Is this even possible?

Thanks so much!

Reply
8 REPLIES 8

DBrowning
Valued Contributor II

Posted on ‎05-15-2020 04:48 AM

If you are running the script via Jamf, sudo is not needed as scripts are run as root. I would also suggest maybe talking with your CS Admin to see if they are willing to disable the InstallGuard on the specific machines you are looking to remove CS from. Then you can have a simple script of the below and be done with it.

/Library/CS/falconctl unisntall
0 Kudos
Reply

KurdTech
New Contributor II

Posted on ‎09-01-2020 01:25 PM

i have the same issue did you figure out how to run the script? Also, how to run the script for bunch of machines? i am aware each machine have unique token.

0 Kudos
Reply

LaMantia
New Contributor III

Posted on ‎09-01-2020 01:35 PM

Look at this thread

link

Posted: 7/23/2018 at 6:12 PM CDT by nkalister

0 Kudos
Reply

daniel_ross
Contributor III

Posted on ‎03-29-2021 05:16 PM

Going to bump this post and see if anyone has figured out how to do this with a maintance token installed or if you get the response from Jamf upon install 

Script result: Error: This machine is already licensed

We see the computer in the Falcon console but Jamf keeps saying the above message. Hoping a quick uninstall might be possible via a script but haven't figured out how to deploy it properly yet.

0 Kudos
Reply

ifbell
Contributor

Posted on ‎04-15-2021 06:05 AM

What we have found is that you will need to do a manual uninstall with the maintenance token. Once the product is removed then we have Jamf check if CS is missing and re-install it.

I am working on a new script to try to accomplish the whole process from Jamf itself.

Reply

joethedsa
Contributor II

Posted on ‎01-12-2023 06:30 AM

Anyone make any progress on this?  I have some of the ground work in a script but am trying to leverage the Crowdstrike API to get the maintenance token for uninstall since it is unique to each machine.  I have limited experience with accessing APIs using Curl and how to authenticate when there is a authentication token that is also required.

0 Kudos
Reply

Dorr7
New Contributor

Posted on ‎03-21-2023 08:35 AM

CrowdStrike's KB article suggests using a small Python script to provide the maintenance token to the falconctl CLI command. Unfortunately, Python is not a good option anymore. I am researching to find a solution. If I find one, I will link or repost it here. 

0 Kudos
Reply

rodderzzz
New Contributor
In response to Dorr7

Posted on ‎11-22-2023 01:01 PM

Did you come up with a solution @Dorr7 ?

Why is python not a good option?

0 Kudos
Reply