Deploying CrowdStrike as a Custom App

How to deploy CrowdStrike's Falcon agent to your macOS devices as a Custom App.

 

Download Custom Profile

For the easiest deployment, we've created a downloadable configuration profile that approves CrowdStrike for all of its Kernel Extension, System Extension, PPPC, and web filtering needs. This profile is backwards compatible with the Falcon agent that leverages the Kernel Extension, as well as the latest Falcon agent that leverages a System Extension.


Download the custom profile here.
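
Before uploading a downloaded profile, you can confirm that it carries the four payload types described above and see which developer team IDs its extension payloads approve. The Python check below is an added example, not part of the original article or any vendor tooling; the team ID and bundle ID in the sample are constructed placeholders, and the signed-profile fallback assumes the XML plist sits contiguously inside the CMS envelope.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Apple payload types for the four approvals the profile is described as granting.
REQUIRED = {
    "com.apple.syspolicy.kernel-extension-policy": "Kernel Extension",
    "com.apple.system-extension-policy": "System Extension",
    "com.apple.TCC.configuration-profile-policy": "PPPC",
    "com.apple.webcontent-filter": "Web content filter",
}

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig. A signed profile wraps the XML plist in a CMS
    envelope, so fall back to slicing the plist out (signature NOT verified)."""
    try:
        return plistlib.loads(raw)
    except (ValueError, ExpatError):
        start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
        if start < 0 or end < start:
            raise ValueError("no XML plist found in profile")
        return plistlib.loads(raw[start:end + len(b"</plist>")])

def payloads(raw: bytes) -> list:
    return [p for p in load_profile(raw).get("PayloadContent", []) if isinstance(p, dict)]

def missing_approvals(raw: bytes) -> list:
    """Names of the expected approvals that the profile does not carry."""
    present = {p.get("PayloadType") for p in payloads(raw)}
    return [name for ptype, name in REQUIRED.items() if ptype not in present]

def approved_team_ids(raw: bytes) -> list:
    """Team IDs the extension payloads trust; compare with the vendor's documented ID."""
    ids = set()
    for p in payloads(raw):
        ids.update(p.get("AllowedTeamIdentifiers", []))
        for key in ("AllowedSystemExtensions", "AllowedKernelExtensions"):
            ids.update(p.get(key, {}).keys())
    return sorted(ids)

# Constructed sample (placeholder IDs): a profile lacking the web content filter payload.
SAMPLE = plistlib.dumps({"PayloadContent": [
    {"PayloadType": "com.apple.syspolicy.kernel-extension-policy",
     "AllowedTeamIdentifiers": ["TEAMID0001"]},
    {"PayloadType": "com.apple.system-extension-policy",
     "AllowedSystemExtensions": {"TEAMID0001": ["com.example.agent"]}},
    {"PayloadType": "com.apple.TCC.configuration-profile-policy"},
]})
if __name__ == "__main__":
    print(missing_approvals(SAMPLE), approved_team_ids(SAMPLE))
```

To check a real file, pass its bytes to the same functions, for example `missing_approvals(open("Crowdstrike.mobileconfig", "rb").read())`.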

Add a Custom Profile:

  1. Click Library in the left-hand navigation bar.
  2. Click Add New in the upper right-hand corner.
  3. Click Custom Profile from the Add New window.

Configure the Custom Profile:

  1. Upload the Crowdstrike.mobileconfig file you downloaded previously.
  2. Set the Device Families to Mac.
  3. Assign your Custom Profile to a test Blueprint.
  4. Save your Custom Profile.

    Add a Custom App:

    1. Click Library on the left-hand navigation bar.
    2. Click Add New in the upper right-hand corner.
    3. Click Custom App from the Add New window.

    Configure the Custom App:

    1. Give your Custom App a Name.
    2. Assign your Custom App to a test Blueprint.
    3. Select Audit and Enforce as the execution frequency.
    4. Paste the Audit Script from below (no modifications needed).
    5. Upload the FalconSensor package.
    6. Paste the Post-Install Script from below.*
    7. Click Save.

    *Replace "Put Your CID Here" with your CrowdStrike CustomerID, keeping it inside the quotes. If you use an install token, place it inside the installToken quotes; otherwise leave it blank.

    Audit Script:

    #!/bin/zsh

    # An "unknown oid" error from sysctl means the CrowdStrike KEXT is not loaded
    csStat=$(sysctl cs 2>&1)
    # PID(s) of the Falcon System Extension agent; empty if it is not running
    csSeStat=$(pgrep com.crowdstrike.falcon.Agent)

    if [ "${csStat}" = "sysctl: unknown oid 'cs'" ]; then
        echo "Crowdstrike KEXT is not running... checking for newer process"

        if [ "${csSeStat}" != "" ]; then
            echo "Crowdstrike System Extension is running... no action needed"
            exit 0
        else
            # A non-zero exit fails the audit, which triggers the reinstall
            echo "Crowdstrike is not running...forcing reinstall..."
            exit 1
        fi
    else
        echo "Crowdstrike KEXT is running... no action needed"
        exit 0
    fi

    Post-Install Script:

    #!/bin/sh
    # This script licenses the CrowdStrike Falcon agent

    # Put your CustomerID here. Example: customerIDChecksum="A43190DDA81403RANd-91"
    customerIDChecksum="Put Your CID Here"

    # Put your install token here if applicable, otherwise leave blank. Example: installToken="A313G7326"
    installToken=""

    # License the CrowdStrike agent; the install token is passed only when one is set
    /Applications/Falcon.app/Contents/Resources/falconctl license "${customerIDChecksum}" ${installToken:+"${installToken}"} 2>&1

    exit 0