This article provides basic information about installing the CrowdStrike Falcon sensor using Jamf Pro.
Jamf Pro 10.9 and later
macOS High Sierra (10.13.x) or above
Required Jamf Pro Elements
The profiles below can be combined, but best practice calls for using one profile per application per payload.
- Privacy Preferences Policy Control payload
  - Grants full disk access to /Library/CS/falcond
- Approved Kernel Extensions payload
  - Team ID X9E956P446 approved
The following two scripts are needed to build your CrowdStrike Falcon Sensor install policy.
JAMF Host: Uninstall Script
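```sh
#!/bin/sh
## Uninstall any remnants to clear way for the new package
if [ -d /Library/CS ]; then
    ## Older sensors ship a standalone uninstall script; prefer it when present
    if [ -f /Library/CS/uninstall.sh ]; then
        echo "Running legacy uninstall"
        /Library/CS/uninstall.sh
        exit $?
    fi
    echo "Running uninstall"
    /Library/CS/falconctl uninstall
    ## Pass the uninstaller's exit status back to Jamf
    exit $?
fi
```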
JAMF Host: Register
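```sh
#!/bin/sh
## $4 = CID with Checksum
n=0
until [ "$n" -ge 5 ]
do
    echo "Register attempt number: $n"
    ## $4 = CID with Checksum
    /Library/CS/falconctl --verbose license "$4" && break  # must end with '&& break' for success
    n=$((n + 1))   # POSIX arithmetic; $[...] is a deprecated bash-only form
    sleep 15
done
## Report failure to Jamf if all five attempts failed
if [ "$n" -ge 5 ]; then
    echo "Registration failed after $n attempts" >&2
    exit 1
fi
```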
Create a policy in JAMF that does four things:
- Uninstalls any existing sensor
- Installs the FalconHost.pkg file
- Runs a script to register the host with your CID
- Updates the JAMF inventory
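Pre-flight checks that can run at the top of the Register script, so a mistyped CID parameter or a tampered falconctl binary fails the policy before anything runs as root. This is an added example, not CrowdStrike's or Jamf's code; the function names are hypothetical, and the CID format (32 hex characters, a hyphen, a 2-character hex checksum) is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Register script (not vendor code).
# Assumption: a CID with checksum is 32 hex characters, a hyphen, then a
# 2-character hex checksum.

FALCONCTL="/Library/CS/falconctl"   # path used by the scripts on this page

# Return 0 if $1 looks like a CID with checksum, 1 otherwise.
valid_cid() {
    case "$1" in
        # Reject anything outside hex digits and '-', including spaces and
        # newlines pasted into the Jamf parameter field.
        ''|*[!0-9A-Fa-f-]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eqx '[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}'
}

# Return 0 if $1 is a regular executable file that group/other cannot write.
# The policy runs it as root, so a binary others can modify is a risk.
safe_binary() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    perms=$(ls -ldL "$1" | cut -c1-10)   # e.g. -rwxr-xr-x
    case "$perms" in
        ?????w????|????????w?) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# $1 = CID with checksum, $2 = falconctl path (defaults to $FALCONCTL).
preflight() {
    ctl=${2:-$FALCONCTL}
    rc=0
    valid_cid "$1" || { echo "CID parameter is empty or malformed" >&2; rc=1; }
    safe_binary "$ctl" || { echo "$ctl is missing, not executable, or writable by group/other" >&2; rc=1; }
    return $rc
}

# Jamf passes the first custom script parameter as $4.
if [ $# -ge 4 ]; then
    preflight "$4" || exit 1
fi
```

A non-zero exit marks the policy run as failed in the Jamf log, with the reason on stderr.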
Additional Mac and JAMF resources:
Support Document – https://supportportal.crowdstrike.com/s/article/Mac-Sensor-Deployment-with-Jamf