X

Our website uses cookies to enhance your browsing experience.

CONTINUE TO SITE >

How to Deploy CrowdStrike Falcon Using Jamf Pro

Introduction

This article provides basic information about the installation of CrowdStrike Falcon sensor using Jamf Pro.

Prerequisites

Jamf Pro 10.9 and later
macOS High Sierra (10.13.x) or above

Required Jamf Pro Elements

Configuration Profiles
The profiles below can be combined, but best practices calls for using one profile per application per payload.

  • Privacy Preferences Policy Control payload 
    • Grants full disk access to /Library/CS/falcond
  • Approved Kernel Extensions payload
    • Team ID X9E956P446 approved

Scripts

The following two scripts are needed to build your CrowdStrike Falcon Sensor install policy.

JAMF Host: Uninstall Script

#!/bin/sh

## Uninstall any remnants to clear way for the new package
if [ -d /Library/CS ]; then
    if [ -f /Library/CS/uninstall.sh ]; then
        echo "Running legacy uninstall"
        /Library/CS/uninstall.sh
        exit $?
    fi
    echo "Running uninstall"
    /Library/CS/falconctl uninstall
    exit $?
fi

JAMF Host: Register

#!/bin/sh
## $4 = CID with Checksum

n=0
until [ $n -ge 5 ]
do
   echo "Register attempt number: $n"

   ## $4 = CID with Checksum
   /Library/CS/falconctl --verbose license $4 && break  # must end with '&& break' for success
  
   n=$[$n+1]
   sleep 15
done

Computer Policy

Create a policy in JAMF that does four things:

  1. Uninstalls any existing sensor
  2. Installs the FalconHost.pkg file
  3. Runs a script to register the host with your CID
  4. Updates the JAMF inventory

 

JAMF Mac Install

 

 

 

 

 

 

JAMF

 

 

 

 

 

 

 

 

 

Additional Mac and JAMF resources:

Support Document – https://supportportal.crowdstrike.com/s/article/Mac-Sensor-Deployment-with-Jamf

More Information about Falcon Sensor for Mac

CrowdStrike Falcon Free Trial
 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial