Deploying CrowdStrike as a Custom App

Learn how to deploy CrowdStrike's Falcon agent to your macOS devices as a custom app.

 

Download Custom Profile

For the easiest deployment, we've created a downloadable configuration profile that approves CrowdStrike for all of its kernel extension, system extension, PPPC, and web-filtering needs. This profile is backward-compatible with the Falcon agent that leverages the kernel extension, and it also supports the latest Falcon agent that leverages a system extension.

Download the custom profile here.

Add a Custom Profile:

  1. Click Library in the left-hand navigation bar.
  2. Click Add New in the upper right-hand corner.
  3. Click Custom Profile from the Add New window.

Configure the Custom Profile:

  1. Upload the Crowdstrike.mobileconfig file you downloaded previously. 
  2. Set the Device Families to Mac.
  3. Assign your custom profile to a test Blueprint.
  4. Save your custom profile.

Add a Custom App:

  1. Click Library in the left-hand navigation bar.
  2. Click Add New in the upper right-hand corner.
  3. Click Custom App from the Add New window.

Configure the Custom App:

  1. Give your custom app a Name.
  2. Assign your custom app to a test Blueprint.
  3. Select Audit and Enforce as the execution frequency.
  4. Paste the Audit Script from below. (No modifications needed.)
  5. Upload the FalconSensor package.
  6. Paste the Post-Install Script from below.*
  7. Click Save.

*Replace Put Your CID Here with your CrowdStrike CustomerID, keeping it inside the quotes. If you use an InstallToken, place it inside the quotes for installToken; otherwise leave it blank.

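Audit Script:

    #!/bin/zsh
    # Audit: exit 0 if a Falcon sensor is running, exit 1 to force a reinstall.

    # Kernel extension check: the script treats a missing "cs" sysctl node
    # as the KEXT not being loaded.
    csStat=$(sysctl cs 2>&1)
    # System extension check: look for the Falcon agent process.
    csSeStat=$(pgrep com.crowdstrike.falcon.Agent)

    if [ "${csStat}" = "sysctl: unknown oid 'cs'" ]; then
        echo "Crowdstrike KEXT is not running... checking for newer process"

        if [ "${csSeStat}" != "" ]; then
            echo "Crowdstrike System Extension is running... no action needed"
            exit 0
        else
            echo "Crowdstrike is not running...forcing reinstall..."
            exit 1
        fi
    else
        echo "Crowdstrike KEXT is running... no action needed"
        exit 0
    fi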

Post-Install Script:

    #!/bin/sh
    # This script licenses the CrowdStrike Falcon agent.

    # Put your CID here. Example: customerIDChecksum="A43190DDA81403RANd-91"
    customerIDChecksum="Put Your CID Here"

    # Put your install token here if applicable, otherwise leave blank. Example: installToken="A313G7326"
    installToken=""

    # License the CrowdStrike agent. The values are quoted so that stray
    # whitespace cannot split them; the token is passed only when it is set.
    /Applications/Falcon.app/Contents/Resources/falconctl license "${customerIDChecksum}" ${installToken:+"${installToken}"} 2>&1

    # Exits 0 regardless of the falconctl result.
    exit 0
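
The footnote above asks you to hand-edit two values in the Post-Install Script; the following added example (not part of the original article or of CrowdStrike's tooling) shows one way to catch an unreplaced placeholder or a bad paste before `falconctl license` runs. The function names and the `FALCONCTL` override are hypothetical, and the allowed character set is an assumption based on the example values shown in the script.

```sh
#!/bin/sh
# Added example: pre-flight checks for the Post-Install Script values.
# validate_license_inputs, license_falcon and the FALCONCTL override are
# hypothetical names, not part of falconctl or the MDM.

PLACEHOLDER="Put Your CID Here"
FALCONCTL="${FALCONCTL:-/Applications/Falcon.app/Contents/Resources/falconctl}"

# Return 0 if the values look safe to pass on; 1 = empty CID,
# 2 = placeholder left in place, 3 = unexpected characters.
validate_license_inputs() {
    cid=$1
    token=$2
    if [ -z "$cid" ]; then
        echo "CID is empty" >&2
        return 1
    fi
    if [ "$cid" = "$PLACEHOLDER" ]; then
        echo "CID placeholder was not replaced" >&2
        return 2
    fi
    # Assumption: CIDs and install tokens contain only letters, digits and
    # hyphens, as in the example values in the script above. Anything else
    # (spaces, smart quotes, shell metacharacters) is treated as a paste error.
    case "$cid$token" in
        *[!A-Za-z0-9-]*)
            echo "CID or install token contains unexpected characters" >&2
            return 3
            ;;
    esac
    return 0
}

# Validate, then license the sensor. The token is passed only when set,
# so an empty installToken never reaches falconctl as an empty argument.
license_falcon() {
    cid=$1
    token=$2
    validate_license_inputs "$cid" "$token" || return $?
    "$FALCONCTL" license "$cid" ${token:+"$token"}
}

# Usage in the Post-Install Script (replaces the bare falconctl call):
#   license_falcon "$customerIDChecksum" "$installToken" || exit 1
```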