
How to Install the Falcon Agent – Mac

Introduction

This article walks through installation of the Falcon Sensor on a Mac.

Prerequisites

Installing the CrowdStrike Falcon® Sensor requires elevated privileges. For supported versions of macOS, see the CrowdStrike FAQs.

Falcon customers should refer to the install guide available in the document section of the console.

Browser Dependencies

CrowdStrike currently supports the Google Chrome browser for use with the Falcon UI. We support the current release of Chrome as well as the prior two major versions. Other browsers may work, but we do not support other browsers at this time.

Installing the Falcon Sensor for Mac

  1. Download the sensor installer from Hosts > Sensor Downloads. Use the Chrome browser.

  2. Copy your Customer ID Checksum (CID) from Hosts > Sensor Downloads.
  3. Run the sensor installer on your device in one of these ways:
    1. Double-click the .pkg file.
    2. Run this command at a terminal, replacing <installer_filename> with the path and file name of your installer package.

sudo installer -verboseR -package <installer_filename> -target /

Change in System Preferences

  1. When prompted, enter administrative credentials for the installer.
    1. For macOS Mojave 10.14 through macOS Catalina 10.15, after entering the credential for installation, you’re asked to approve the kernel extension on each host. The Apple message on the host identifies the CrowdStrike kernel extension as a blocked system extension signed by CrowdStrike Inc.
    2. In the message, click Open Security Preferences. If the message no longer appears on the host, click the Apple icon and open System Preferences, then click Security & Privacy. 
    3. On the General tab, click Allow to allow the CrowdStrike kernel extension.
      1. Note: This approval prompt is only present in the Security & Privacy preferences pane for 30 minutes after the alert. Until the user approves the kernel extension, future load attempts will cause the approval prompt to reappear but will not trigger another user alert. If you don’t see this approval option, restart the machine to get the approval prompt again.
      2. Kernel extension approval is required only once. If the Falcon sensor is subsequently reinstalled or updated, you will not see another approval prompt.
  2. Run falconctl, installed with the Falcon sensor, to provide your customer ID checksum (CID).
    1. This command is slightly different if you’re installing with password protection (see documentation).
    2. In this example, replace 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX with your CID.

    sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX

  3. For macOS Big Sur 11.0 and later, after providing your CID with the license command, you will be asked to approve the system extension on each host:

    1. In the message, when asked to filter network content, click Allow.

    2. When the System Extension Blocked message appears, click Open Security Preferences.

    3. On the General tab, click Allow to allow the Falcon system extension. You may need to click the lock icon to enable you to make security changes. If you do not approve the Falcon system extension when prompted on the host, run the falconctl load command to load Falcon again and show the prompts on the host for approval:

      sudo /Applications/Falcon.app/Contents/Resources/falconctl load

  4. Grant Full Disk Access (detailed instructions in product guide) – Beginning with macOS Catalina, Apple requires full disk access to be granted to CrowdStrike Falcon® in order for it to work properly. This is a Catalina requirement by Apple for files and folders containing personal data. This requirement applies to all third-party software that needs to access files across all users of the machine (e.g. backup software).
    1. Click the Apple icon and open System Preferences, then click Security & Privacy.

    2. On the Privacy tab, if privacy settings are locked, click the lock icon and specify the password.

    3. In the left pane, select Full Disk Access.

    4. For macOS Big Sur 11.0 and later, in the right pane, select the Agent check box.

    5. For all macOS versions, in the right pane, click the plus icon.
    6. In Finder, find Falcon in the list of applications (no “Agent” is required).

    7. Click Open and then click Quit Now.

    8. Click the lock icon to re-lock privacy settings.

After installation, the sensor runs silently. To confirm that the sensor is running, run this command at a terminal:

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

The output shows a list of details about the sensor, including its agent ID (AID), version, customer ID, and more.
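
The terminal steps above, combined into one script with two pre-install checks. This is an added example, not CrowdStrike's own code. Assumptions: the function names are hypothetical, the CID shape is inferred from the placeholder on this page, and the installer package is assumed to be signed under the same "CrowdStrike Inc." name the page gives for the kernel extension.

```shell
#!/bin/sh
# Added example: scripted form of the terminal steps on this page.
# Assumptions (not from the page): function names, the CID shape check
# (inferred from the page's placeholder) and the package-signer check.

FALCONCTL=/Applications/Falcon.app/Contents/Resources/falconctl
EXPECTED_SIGNER="CrowdStrike Inc."   # signer name quoted on this page

# CID shape as in the page's placeholder: 32 alphanumerics, '-', 2 more.
valid_cid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9A-Za-z]{32}-[0-9A-Za-z]{2}$'
}

# Reads `pkgutil --check-signature` output on stdin; succeeds only if a
# certificate line names the expected signer.
signer_ok() {
  grep -Fq "Developer ID Installer: $EXPECTED_SIGNER"
}

install_falcon() {
  pkg=$1
  cid=$2
  [ -f "$pkg" ] || { echo "installer not found: $pkg" >&2; return 1; }
  valid_cid "$cid" || { echo "CID does not match expected shape" >&2; return 1; }
  # Refuse to install a package whose signature does not name the vendor.
  pkgutil --check-signature "$pkg" | signer_ok \
    || { echo "package not signed by $EXPECTED_SIGNER" >&2; return 1; }
  sudo installer -verboseR -package "$pkg" -target / || return 1
  sudo "$FALCONCTL" license "$cid" || return 1
  # Extension approval and Full Disk Access are still granted by hand, as
  # described above; stats output is left for the operator to read.
  sudo "$FALCONCTL" stats
}

# Run only when called as: script <installer.pkg> <CID>
if [ "$#" -eq 2 ]; then install_falcon "$1" "$2"; fi
```
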
