How to use Uninstall Protection for the Falcon Agent

CrowdStrike Tech Center

Introduction

Crowdstrike offers an easy to use Uninstall Protection process for the Falcon Agent. Uninstall Protection can be controlled by policy, making it easier to lock down sensitive devices. Once enabled in the policy, helpdesk teams can provide one-time device-specific maintenance tokens as needed. Uninstall Protection also adds a layer of protection that prevents unauthorized users from removing the sensor.

Maintenance Manager Role

The “Maintenance Manager” role is available which grants permission to access the maintenance tokens. This role must be enabled against the Falcon user’s account in order to obtain maintenance tokens or manage policy related to Uninstall Protection.

Uninstall Protection Policy

Within the Falcon Update Policy, Sensor Uninstall Protection is configurable (Configuration > Sensor Update Policies > [Policy] > Sensor Protection). With this policy applied to our devices, an uninstall will now require a token to complete.

Falcon Uninstall Workflow with Protection Enabled

To simplify the management of protected Falcon Agent installations, maintenance tokens can be accessed from the Hosts app. Navigate to Host App > Host Management, then select the host of interest and click “Reveal maintenance token” and you are presented with the one-time maintenance token, which can be given to the end-user/technician updating or uninstalling the Falcon Agent.

Even if the device is offline, the token will allow the uninstall/update to proceed.

 

When Uninstall Protection is enabled and an uninstall is initiated, users are presented with the setup dialog and are required to input the token obtained from the Falcon UI.

Windows

Open add/remove programs and select the Falcon Agent, and click uninstall:

Mac OS

# Uninstall Falcon Agent
sudo /Library/CS/falconctl uninstall --maintenance-token
INPUT_YOUR_TOKEN

Further Reading on Uninstall Steps

For a full listing of commands and scenarios, see the Deployment guide for Windows and Mac OS.
https://falcon.crowdstrike.com/support/documentation/23/falcon-sensor-for-windows-deployment-guide
https://falcon.crowdstrike.com/support/documentation/22/falcon-sensor-for-mac-deployment-guide
If you are interested in enabling uninstall protection but also require manual updates of the Falcon Agent, please see: our article on How to configure Manual Updates.

API

Through use of the Falcon API’s, the Uninstall Protection workflow can be integrated into any existing processes to make things easier. For example, Maintenance tokens can be accessed programmatically over the Falcon API in conjunction with your internal ticketing system. Additionally the Sensor Update Policies can be modified over the Falcon API in the event that you already integrate with the Sensor Update Policy modifications.

Conclusion

Uninstall protection prevents unauthorized users from uninstalling the Falcon Agent, but also streamlines the workflow for helpdesk teams to uninstall the Falcon Agent in the case of necessary maintenance.

CrowdStrike Falcon Free Trial
 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial