Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Crowdstrike Falcon - does it blend?

I noticed Crowdstrike Falcon was added to Third Party Products.

It was added by @pingebrigtsen who works for the company.

Is anyone using it? Asking because there are no discussions about it on this forum. Zero. Nada. Zilch.

Did you replace another solution (McAfee, Symantec, etc.) with it?

What does it do that you like?

What does it not do that you hoped it would?

How is it working out for your environment?

Just curious, not trying to start an anti-malware war. :)

SOLVED Posted: by chuinder

I was asked to deploy it by our InfoSec department last month. Very easy deploy; ended up removing the uninstaller from the folder through a script, since a lot of our users have admin rights. But other than that pretty straightforward. InfoSec seems happy with it. I don't really have any other interaction with it, so I can't tell you anything about that end. I know that there's different ways to use it. We're currently using it in tandem with Sophos. We did have to create a rule for Sophos to not scan the CrowdStrike folder. But other than that they are playing together nicely.

SOLVED Posted: by dpertschi

I'd ditch McAfee in a heartbeat to use it simply because it has a cool icon!

SOLVED Posted: by briangoldstein

We just launched a project to roll it out globally to our Win and Mac machines, replacing McAfee on the Win side. The install is a breeze and I def agree about removing the uninstaller if your users have admin rights. It was very low overhead and none of our POC users had any complaints like they do about McAfee or others.

SOLVED Posted: by northernchap

Can anyone share some info about how they installed this with JAMF please? I'm kind of new to JAMF, haven't done software deployment yet so not entirely sure the best way to go about it - are you running it as a script, or passing arguments to the pkg, or what? Thanks! :)

SOLVED Posted: by Warren

We will soon deploy CrowdStrike to the company owned Macs. I am new to using JAMF and haven't figured out the best way to deploy the agent along with the sudo command to the devices. @chuinder or @briangoldstein can either of you provide assistance in helping deploy. Thanks in advance.

SOLVED Posted: by zachary.fisher

I use CrowdStrike Falcon for a few companies that I support.

To deploy it is quite easy.

1) Create a policy that runs at enrollment or once per computer at check-in that installs the PKG from the CS Portal and afterwards runs this script:

sudo /Library/CS/falconctl license LICENSEIDHERE

That is it. If you want to go a step further you could create an extension attribute that looks for the CS folder or agent. You can then scope your policy to a smart group that only installs it on machines w/o the agent.

SOLVED Posted: by briangoldstein

The latest Falcon Sensor for Mac (6103) finally allows password protection of the uninstall (only the Windows sensor had this previously). CrowdStrike support recommends a python script to pass the password over to the installer without putting it into the command line in clear text. That said, the python script is still storing the password in plain text. Not the best idea, but 'tis all they had to offer for now and better than leaving it unprotected since all of our users are local admins (for now).

My install policy does the following:
Installs Falcon Sensor via the package provided in the Falcon Console
Places the password python script (Falcon-Protect.py) into /Library/CS/
Runs my install script (installFalconSensor.sh) stored in Jamf Pro.

Falcon-Protect.py

#!/usr/bin/env python
# Feeds the uninstall-protection password to "falconctl installguard" on
# stdin, so it never appears on the command line. It keeps printing the
# password until falconctl closes the pipe, which surfaces as an IOError
# (BrokenPipeError) on the next write.
from __future__ import print_function
import sys

password = 'MAGICWORDSGOHERE'  # replace with your uninstall password
try:
    while True:
        print(password)
        sys.stdout.flush()  # deliver each line immediately instead of block-buffering
except IOError:
    # The reader has closed the pipe: nothing more to do.
    pass

installFalconSensor.sh:

#!/bin/bash
# License the sensor, then set the uninstall password by piping it in from the
# helper script so it is not on the falconctl command line.
/Library/CS/falconctl license LICENSEHERE
# Run the helper through the interpreter explicitly so it works even if the
# package did not preserve its executable bit.
/usr/bin/python /Library/CS/Falcon-Protect.py | sudo /Library/CS/falconctl installguard
# Remove the helper so the plain-text password does not remain on disk.
sudo rm /Library/CS/Falcon-Protect.py

I also created the following extension attribute to report what version sensor the machines are running:

#!/bin/bash
########################################################################################
# A script to collect the version of the CrowdStrike Falcon Sensor currently installed. #
# If CrowdStrike Falcon is not installed, "Not Installed" is returned.                  #
########################################################################################
RESULT="Not Installed"

if [ -f "/Library/CS/falconctl" ]; then
    RESULT=$( sysctl cs.version | awk '{print $2}' )
fi

echo "<result>$RESULT</result>"
SOLVED Posted: by jec1

to: Zachary.fisher - Your policy instructions worked great on all systems earlier than 10.13.3. I've not been able to get this policy working on 10.13.3. Any solutions you've come across? I've been searching with no luck.

Thanks - John

SOLVED Posted: by chrijens

@briangoldstein How did you go about copying your Falcon-Protect.py script into /Library/CS/ ?

SOLVED Posted: by briangoldstein

@chrijens sorry for the delay, was traveling when you sent that and the notification got lost. I just tossed the script in a package w/ composer.

SOLVED Posted: by KSchroeder

Could you use script parameters to pass in the password, so it isn't hard-coded within the script? I haven't done much with this functionality, but we're looking at rolling out CS as well and ways to do so intelligently/securely.

SOLVED Posted: by leungn

@KSchroeder You can use an input parameter, but the password prompt is interactive with the binary. So, an 'expect' script can negotiate both the password and password confirmation prompts. Assuming your password was reassigned from $4 to PWD:

PWD="$4"

expect <<- DONE
set timeout -1
spawn /Library/CS/falconctl installguard
expect "Falcon Password:"
send -- "${PWD}\r"
expect "Confirm Falcon Password:"
send -- "${PWD}\r"
expect eof
DONE
SOLVED Posted: by nkalister

one thing to note, if you're setting the password with an expect script as part of a postinstall script in your pkg you should remove the

spawn /Library/CS/falconctl installguard

since the installer invokes it on its own.

SOLVED Posted: by donmontalvo

I never understood why a password would ever make sense in a managed environment.

Troubleshooting would be impacted, so problems will take longer to resolve, sensitive password is now floating around, and potentially SLAs might be missed...etc.

So we have this thing Jamf Pro, which can easily ensure CrowdStrike is both installed and running...so why not use it?

  • Is Crowdstrike installed, if not install it.
  • Is Crowdstrike process running, if not reinstall it.
  • Are any log/defs files being updated, if not reinstall it.

It's a much more manageable/sustainable approach...but yea I can see unmanaged environments using passwords.

#dosCentavos #healthcheckLogic

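One way to turn the installed/running/still-updating health-check logic above into a Jamf Pro extension attribute, as an added example that is not a script from this thread. It assumes the /Library/CS/falconctl path and the cs.comms.cloud_connection_state sysctl key quoted elsewhere in the thread; the daemon process name (FALCON_PROC) and the directory whose files the sensor keeps updating (FALCON_DATA_DIR) are placeholders you must set for your sensor version.

```shell
#!/bin/bash
# Jamf Pro extension attribute: CrowdStrike Falcon health check.
# Reports one of: Not Installed / Installed, Not Running / Running, Stale /
# Healthy (with the raw cloud connection state appended).
FALCON_CTL="${FALCON_CTL:-/Library/CS/falconctl}"
FALCON_PROC="${FALCON_PROC:-falcond}"              # placeholder: your daemon's process name
FALCON_DATA_DIR="${FALCON_DATA_DIR:-/Library/CS}"  # placeholder: dir the sensor writes to
STALE_MINUTES="${STALE_MINUTES:-60}"               # how old the newest file may be

# Succeeds if any regular file under $1 was modified in the last $2 minutes.
recently_updated() {
  [ -d "$1" ] && [ -n "$(find "$1" -type f -mmin "-$2" 2>/dev/null | head -n 1)" ]
}

# Pure decision function, kept separate so the logic can be tested with
# constructed inputs:
#   $1 = "1" if falconctl exists, $2 = "1" if the daemon process is running,
#   $3 = "1" if data files are fresh, $4 = raw cloud_connection_state value.
falcon_state() {
  [ "$1" = "1" ] || { echo "Not Installed"; return; }
  [ "$2" = "1" ] || { echo "Installed, Not Running"; return; }
  [ "$3" = "1" ] || { echo "Running, Stale (no files updated in ${STALE_MINUTES}m)"; return; }
  echo "Healthy (cloud_connection_state=${4:-unknown})"
}

# Gather the live facts from this Mac and print the EA result.
falcon_report() {
  local installed=0 running=0 fresh=0 conn=""
  [ -f "$FALCON_CTL" ] && installed=1
  pgrep -x "$FALCON_PROC" >/dev/null 2>&1 && running=1
  recently_updated "$FALCON_DATA_DIR" "$STALE_MINUTES" && fresh=1
  conn=$(sysctl -n cs.comms.cloud_connection_state 2>/dev/null)
  echo "<result>$(falcon_state "$installed" "$running" "$fresh" "$conn")</result>"
}

falcon_report
```

Scope a remediation policy to a smart group built on this EA (for example, result is not "Healthy") so Jamf Pro reinstalls the sensor where the check fails.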
SOLVED Posted: by nkalister

yeah, I know what you mean @donmontalvo , but you can still do all that even with a password set.

SOLVED Posted: by SergioMonster

What would be the value to check if Crowdstrike has been deployed and currently running?

SOLVED Posted: by donmontalvo

@nkalister do you have a script that works to uninstall a password protected client? If so can you share? :)

SOLVED Posted: by nkalister

@donmontalvo sure, this is working for me:

#!/bin/bash
# Drives the interactive password prompt of the protected uninstaller.
# The \r after the password is the Enter keystroke expect sends to the prompt.
expect -c "
  spawn /Library/CS/falconctl uninstall --password
  expect \"Falcon Password:\"
  send password
  send \r
  expect eof
  "

substitute your client password for password in the codeblock.

Also, my previous post about not needing the

spawn /Library/CS/falconctl installguard

line was incorrect! While using the --password switch as described in the CS documentation appears to password protect the clients (the prompt for a password appeared) it actually still allowed the client to be removed without the password! I've now gone back to running the license command without the --password switch and am using the installguard command instead and it's working as expected.

SOLVED Posted: by donmontalvo

@nkalister thanks! Will test later in the week.

SOLVED Posted: by jriv

Does anyone have a way to monitor if CrowdStrike is running using an EA?

SOLVED Posted: by Tigerhaven

So I have been working with infosec to deploy CrowdStrike again on Macs. We had to remove it because it would cause a kernel panic if you had Box client on your Mac when trying to upgrade to High Sierra. Secondly, we are currently trying to uninstall CS from a Mac and it causes a kernel panic too. Has anyone seen this, or any thoughts on this?

SOLVED Posted: by dennisnardi

We're using CS in our environment and have had no issues at all. It's pretty lightweight because all the analysis happens in the cloud. I've had no kernel panics in general, or upon any OS upgrades. Our InfoSec team seems to love it. The only downside I've encountered is there aren't any local notifications; InfoSec will get notified and then has to handle notifications to techs or users.

I have 3 EA's I use to collect info on it.

Connection state:

#!/bin/sh
# Falcon CrowdStrike Connection State

falconConnState=$( sysctl cs.comms.cloud_connection_state | awk '{print $2}' )
echo "<result>$falconConnState</result>"

Sensor ID:

#!/bin/sh
# Falcon CrowdStrike Sensor ID

falconHostID=$( sysctl cs.sensorid | awk '{print $2}' )
echo "<result>$falconHostID</result>"

Sensor version:

#!/bin/sh
# Falcon CrowdStrike Sensor Version

RESULT="Not Installed"

if [ -f "/Library/CS/falconctl" ]; then
    RESULT=$( sysctl cs.version | awk '{print $2}' )
fi

echo "<result>$RESULT</result>"
SOLVED Posted: by wblack

@nkalister So replace Falcon Password:\ with the password that we set?

SOLVED Posted: by richard.ballesta

@briangoldstein I'm stuck at 'Running script Falcon-protect.py...' it just hangs and doesn't proceed.
