Help

Uninstalling Crowdstrike Falcon Sensor - Help with script

walterchuck
New Contributor

Posted on β€Ž05-14-2020 11:46 AM

Good day!

I need to uninstall Crowdstrike Falcon Sensor from some of our Macs. Crowdstrike's instructions to uninstall via Terminal are as follows:

sudo /Library/CS/falconctl uninstall --maintenance-token

  • Terminal prompts for user password. Password is entered.
  • Terminal then prompts for "Falcon Maintenance Token". Falcon Maintenance Token is entered.
  • Crowdstrike Falcon Sensor is uninstalled.

I'm a script noob and can't seem to Google-fu my way to finding how to:
1. Prefill a separate local admin user & password
2. Add syntax that would allow the script to enter the Falcon Maintenance Token after it's prompted

Is this even possible?

Thanks so much!

5 REPLIES 5

DBrowning
Valued Contributor II

Posted on β€Ž05-15-2020 04:48 AM

If you are running the script via Jamf, sudo is not needed as scripts are run as root. I would also suggest maybe talking with your CS Admin to see if they are willing to disable the InstallGuard on the specific machines you are looking to remove CS from. Then you can have a simple script of the below and be done with it.

/Library/CS/falconctl unisntall
0 Kudos

KurdTech
New Contributor II

Posted on β€Ž09-01-2020 01:25 PM

i have the same issue did you figure out how to run the script? Also, how to run the script for bunch of machines? i am aware each machine have unique token.

0 Kudos

LaMantia
New Contributor III

Posted on β€Ž09-01-2020 01:35 PM

Look at this thread

link

Posted: 7/23/2018 at 6:12 PM CDT by nkalister

0 Kudos

daniel_ross
Contributor III

Posted on β€Ž03-29-2021 05:16 PM

Going to bump this post and see if anyone has figured out how to do this with a maintance token installed or if you get the response from Jamf upon install 

Script result: Error: This machine is already licensed

We see the computer in the Falcon console but Jamf keeps saying the above message. Hoping a quick uninstall might be possible via a script but haven't figured out how to deploy it properly yet.

0 Kudos

ifbell
Contributor

Posted on β€Ž04-15-2021 06:05 AM

What we have found is that you will need to do a manual uninstall with the maintenance token. Once the product is removed then we have Jamf check if CS is missing and re-install it.

I am working on a new script to try to accomplish the whole process from Jamf itself.