CrowdStrike offers an easy-to-use Uninstall Protection process for the Falcon Agent. Uninstall Protection can be controlled by policy, making it easier to lock down sensitive devices. Once enabled in the policy, helpdesk teams can provide one-time, device-specific maintenance tokens as needed. Uninstall Protection also adds a layer of protection that prevents unauthorized users from removing the sensor.
Maintenance Manager Role
A “Maintenance Manager” role is available that grants permission to access maintenance tokens. This role must be enabled on the Falcon user’s account in order to obtain maintenance tokens or manage policy related to Uninstall Protection.
Uninstall Protection Policy
Within the Falcon Update Policy, Sensor Uninstall Protection is configurable (Configuration > Sensor Update Policies > [Policy] > Sensor Protection). With this policy applied to our devices, an uninstall will now require a token to complete.
Falcon Uninstall Workflow with Protection Enabled
To simplify the management of protected Falcon Agent installations, maintenance tokens can be accessed from the Hosts app. Navigate to Host App > Host Management, select the host of interest and click “Reveal maintenance token”. You are then presented with the one-time maintenance token, which can be given to the end user or technician updating or uninstalling the Falcon Agent.
Even if the device is offline, the token will allow the uninstall/update to proceed.
When Uninstall Protection is enabled and an uninstall is initiated, users are presented with the setup dialog and are required to input the token obtained from the Falcon UI.
Open Add/Remove Programs, select the Falcon Agent, and click Uninstall:
# Uninstall Falcon Agent
sudo /Library/CS/falconctl uninstall --maintenance-token INPUT_YOUR_TOKEN
Further Reading on Uninstall Steps
For a full listing of commands and scenarios, see the Deployment guide for Windows and macOS.
If you are interested in enabling uninstall protection but also require manual updates of the Falcon Agent, please see our article on How to configure Manual Updates.
Through the Falcon APIs, the Uninstall Protection workflow can be integrated into existing processes. For example, maintenance tokens can be accessed programmatically over the Falcon API in conjunction with your internal ticketing system. Additionally, the Sensor Update Policies can be modified over the Falcon API if you already have an integration that modifies Sensor Update Policies.
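As an added illustration of the ticketing integration described above (not CrowdStrike's code), the following Python function releases a maintenance token only for an approved ticket that names a single host, and writes the ticket reference into the API's audit message. The endpoint path, the device_id, audit_message and uninstall_token field names and the US-1 base URL come from the public Falcon API rather than from this page and should be checked against the API documentation for your cloud; the ticket dictionary layout and the bearer argument (an OAuth2 access token obtained beforehand) are assumptions.

```python
import json
import urllib.request

BASE_URL = "https://api.crowdstrike.com"  # assumption: US-1 cloud; other clouds use another host
REVEAL_PATH = "/policy/combined/reveal-uninstall-token/v1"
HEX = set("0123456789abcdef")


def http_post(url, headers, body):
    """Default transport: POST the body and return the decoded JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def reveal_token_for_ticket(ticket, bearer, post=http_post):
    """Return the maintenance token for the host named in an approved ticket.

    `ticket` is a hypothetical dict from the ticketing system with the keys
    id, status, approver and device_id (layout is an assumption).
    """
    if ticket.get("status") != "approved":
        raise PermissionError(f"ticket {ticket.get('id')} is not approved")
    device_id = ticket.get("device_id", "")
    # Assumption: a host's agent ID is 32 lowercase hex characters. Anything
    # else is rejected so a ticket can only ever unlock one specific host.
    if len(device_id) != 32 or not set(device_id) <= HEX:
        raise ValueError("ticket must carry a single 32-hex-character device ID")
    body = json.dumps({
        "device_id": device_id,
        # Ties the token reveal back to the ticket in the Falcon audit trail.
        "audit_message": f"ticket {ticket['id']} approved by {ticket['approver']}",
    }).encode()
    headers = {"Authorization": f"Bearer {bearer}", "Content-Type": "application/json"}
    reply = post(BASE_URL + REVEAL_PATH, headers, body)
    if reply.get("errors"):
        raise RuntimeError(f"Falcon API error: {reply['errors']}")
    return reply["resources"][0]["uninstall_token"]


if __name__ == "__main__":
    # Constructed ticket and constructed API reply, so the demo runs offline.
    demo_ticket = {"id": "HD-1001", "status": "approved", "approver": "j.doe",
                   "device_id": "0123456789abcdef0123456789abcdef"}
    fake = lambda url, headers, body: {"errors": [], "resources": [
        {"device_id": demo_ticket["device_id"], "uninstall_token": "CONSTRUCTED-TOKEN"}]}
    print(reveal_token_for_ticket(demo_ticket, "constructed-bearer", post=fake))
```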
Uninstall protection prevents unauthorized users from uninstalling the Falcon Agent, but also streamlines the workflow for helpdesk teams to uninstall the Falcon Agent in the case of necessary maintenance.