How to Deploy CrowdStrike Falcon Using Jamf Pro

Introduction

This article provides basic information about installing the CrowdStrike Falcon sensor using a Jamf Pro server.

Prerequisites

Versions Supported: Jamf Pro 10.6.0 and later
Jamf Nation account
Jamf Pro
One Mac running Sierra or above
Jamf Composer

Procedure

macOS 10.12-10.13.2 / JAMF 9.x

Set a policy in JAMF that does four things:

  1. Uninstalls any existing sensor
  2. Installs the FalconHost.pkg file
  3. Runs a script to register the host with our CID
  4. Updates the JAMF inventory

Scope this policy to include the systems that you plan on deploying to (e.g., test systems).

Policy Creation

Script tab

Falcon Host: Uninstall Script

#!/bin/bash
## Uninstall any remnants to clear way for the new package
sudo /Library/CS/uninstall.sh

Falcon Host: Register Script

#!/bin/bash
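## $4 = CID with checksum (script parameter 4 of the policy)
## Quoted so the value is passed to falconctl as a single argument
sudo /Library/CS/falconctl license "$4"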
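
A stricter form of the register script, added here as an example and not taken from CrowdStrike or Jamf: it checks parameter 4 before handing it to falconctl and fails the policy with a clear message otherwise. The CID shape (32 hex characters, a hyphen, 2 checksum characters), the exit codes and the FALCONCTL override variable are assumptions.

```shell
#!/bin/bash
## Added example, not CrowdStrike's or Jamf's own script.
## Jamf Pro fills $1-$3 itself (mount point, computer name, user name),
## so the CID arrives as $4, as in the register script above.

## Assumption: FALCONCTL is a hypothetical override used for testing.
FALCONCTL="${FALCONCTL:-/Library/CS/falconctl}"

## Assumed CID-with-checksum shape: 32 hex chars, a hyphen, 2 hex chars.
valid_cid() {
    [ "${#1}" -eq 35 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$'
}

register_host() {
    cid="$1"
    if ! valid_cid "$cid"; then
        echo "Parameter 4 is empty or not a CID with checksum; not registering" >&2
        return 64
    fi
    if ! command -v "$FALCONCTL" >/dev/null 2>&1; then
        echo "$FALCONCTL not found; did the FalconHost.pkg install step run?" >&2
        return 69
    fi
    ## Quoted so the value reaches falconctl as exactly one argument.
    "$FALCONCTL" license "$cid"
}

## Run the registration only when a fourth argument was passed.
if [ "$#" -ge 4 ]; then
    register_host "$4"
    exit $?
fi
```

A non-zero exit marks the policy run as failed in the Jamf logs, so a mistyped CID shows up there instead of leaving an unregistered sensor behind.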

JAMF like a Pro

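This approach places the password Python script (Falcon-Protect.py) into /Library/CS/ and then runs the install script (InstallFalconSensor.sh) stored in JAMF Pro. The Python script holds the password in plain text, and the install script deletes it once the password has been set.

Falcon-Protect.py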

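#!/usr/bin/env python
from __future__ import print_function
# Placeholder: replace with the password to set
password = 'MAGICWORDSGOHERE'
try:
    # Keep answering every prompt falconctl reads from the pipe
    while True:
        print(password)
except IOError:
    # falconctl closed the pipe: it has what it needs, so stop quietly
    pass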

InstallFalconSensor.sh:

#!/bin/bash
/Library/CS/falconctl license LICENSEHERE
/Library/CS/Falcon-Protect.py | sudo /Library/CS/falconctl installguard
sudo rm /Library/CS/Falcon-Protect.py

The following extension attribute reports which version of the sensor each machine is running:

#!/bin/bash
#########################################################################################
# A script to collect the version of the CrowdStrike Falcon Sensor currently installed. #
# If CrowdStrike Falcon is not installed "Not Installed" will return back               #
#########################################################################################
RESULT="Not Installed"
if [ -f "/Library/CS/falconctl" ] ; then
    RESULT=$( sysctl cs.version | awk '{print $2}' )
fi
echo "<result>$RESULT</result>"

Uninstall with Password

#!/bin/bash
## "password" in the send line below is a placeholder for the Falcon password
expect -c "
  spawn /Library/CS/falconctl uninstall --password
  expect \"Falcon Password:\"
  send password
  send \r
  expect eof
  "

Additional Mac and JAMF resources:

Support Document – https://supportportal.crowdstrike.com/s/article/Mac-Sensor-Deployment-with-Jamf

More Information about Falcon Sensor for Mac

CrowdStrike Falcon Free Trial