How to Install the Falcon Agent – Mac

Introduction

This article walks through installation of the Falcon Sensor on a Mac.

Video

Read Video Transcript

Prerequisites

Installing the CrowdStrike Falcon Sensor requires elevated privileges. To see supported versions of MacOS see the CrowdStrike FAQs

Browser Dependencies

CrowdStrike currently supports the Google Chrome browser for use with the Falcon UI. We support the current release of Chrome as well as the prior two major versions. Other browsers may work, but we do not support other browsers at this time.

Installing the Falcon Sensor for Mac

  1. Download the sensor installer from Hosts > Sensor Downloads. Use the Chrome browser.
    • CrowdStrike currently supports the Google Chrome browser for use with the Falcon UI. We support the current release of Chrome as well as the prior two major versions. Other browsers may work, but we do not support other browsers at this time
  2. Copy your Customer ID Checksum (CID) from Hosts > Sensor Downloads.
    • CID Location in Host App
  3. Run the sensor installer on your device in one of these ways:
    • Double-click the .pkg file.
    • Run this command at a terminal, replacing <installer .pkg> with the path and file name of your installer package.sudo installer -verboseR -package <installer .pkg> -target /
  4. When prompted, enter administrative credentials for the installer.
    • Note: macOS 10.13 High Sierra: When you install the Falcon sensor, follow the OS prompts to approve installation of a kernel extension. This authorization is not required when installing via a desktop management tool, such as JAMF.
  5. Run falconctl, installed with the Falcon sensor, to provide your customer ID checksum (CID).
    • This command is slightly different if you’re installing with password protection (see documentation).
    • In this example, replace 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX with your CID.

    sudo /Library/CS/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX

  6. Approve the Kernel Extension (detailed instructions in product guide): 
    • Beginning with macOS 10.13
    • MDM Sensor Installation with KEXT Approval
    • Manual KEXT Approval. Also use these steps if your MDM (Mobile Device Management) doesn’t support kext whitelisting or you use DevOps/scripts to deploy the product
  7. Grant Full Disk Access (detailed instructions in product guide) – Beginning with macOS Catalina, Apple requires full disk access to be granted to CrowdStrike Falcon in order to work properly. This is a Catalina requirement by Apple for files and folders containing personal data. This requirement is applicable to all 3rd-party software which need to access files across all users of the machine (e.g. backup software).

After installation, the sensor runs silently. To confirm that the sensor is running, run this command at a terminal:

sysctl cs

The output shows a list of details about the sensor, including its agent ID (AID), version, customer ID, and more.

More resources

CrowdStrike Falcon Free Trial
 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial