
Install/Uninstall CrowdStrike Falcon

Updated this week

CrowdStrike Falcon is a cloud-native endpoint protection platform developed by CrowdStrike, a leading cybersecurity company. CrowdStrike Falcon requires a paid subscription from CrowdStrike to enable the use of the software packages.

To install CrowdStrike, there are three required steps for the macOS package and two required steps for the Windows package:


macOS

1. Use the Prebuilt CrowdStrike Falcon package

Use our prebuilt CrowdStrike Falcon package on the Software page and click "Add" to add it to your team's software.

2. Upload the installer

Upload the installer to the template to continue creating the app template. Download the pkg from the CrowdStrike download page and upload it here:

3. Post-install script

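Set your license key in the CID_KEY="XXX" line of the script, replacing XXX with your key.

Here is the post-install script for the macOS custom package. It loads the license key and checks that the sensor is connected.

#!/bin/bash
# Post-install: license the Falcon sensor, load it, and confirm it is connected.

CID_KEY="XXX"   # replace XXX with your license key
FALCONCTL_PATH="/Applications/Falcon.app/Contents/Resources/falconctl"

# Apply the license key and load the sensor
"$FALCONCTL_PATH" license "$CID_KEY"
"$FALCONCTL_PATH" load

# Verify connection
if "$FALCONCTL_PATH" stats | grep -q "State: connected"; then
    exit 0
else
    exit 1
fi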

4. Validation file path

Here is the install check file path used to validate whether CrowdStrike was installed successfully.

5. A custom profile will be automatically created

The app template automatically creates the CrowdStrike-provided MDM profile for macOS, which is the same one you would find on the CrowdStrike support page.


The custom profile is created automatically under Swif's custom policy function in Policy Management.

Here is a sample CrowdStrike MDM profile for the M1 MacBook for your reference: Falcon Profile - no Kext.mobileconfig.

Then add the newly created custom profile to your device group to automate the deployment.


Windows

1. Install the app

You can choose to deploy the package to devices in 2 ways:

  1. Download the pkg on the CrowdStrike download page and upload it to your team's software page on Swif.

  2. Or you can use our prebuilt CrowdStrike Falcon package on the Software page and click "Add" to add it to your team's software.

  3. For the Windows package, you can configure installer arguments like below to configure your package.

    1. Name: "CrowdStrike Windows Sensor" (So the package name will match the application name)

    2. Installer Arguments: /install /quiet /norestart CID="AB....-DC" (Enter each argument separately like the attached screenshot). To obtain your Falcon CID, you can follow this article.

2. Uninstall the app

You can do a silent uninstall with CrowdStrike's CsUninstallTool. The uninstall command should look like this:
CsUninstallTool.exe MAINTENANCE_TOKEN=<your token> /quiet

You can also manually uninstall CrowdStrike. When you uninstall Falcon from devices or groups on Swif, the Windows uninstaller for Falcon will require you to manually enter a maintenance token on the devices that are uninstalling Falcon.


DEB-Based Linux Devices

This guide explains how to deploy the CrowdStrike Falcon Sensor on DEB-based (x64/amd64) Linux devices using the Swif platform’s custom application feature.


1. Overview

  • Deployment Method: Use Swif’s custom application upload to install the CrowdStrike Falcon Sensor.

  • Why this method? Direct installation via APT package manager may not be reliable or available in all environments. The custom app upload ensures consistent deployment and management.


2. Prepare the Custom Application Package

  1. Download the DEB File:
    Obtain the correct falcon-sensor DEB package for your device architecture.
    Example download:
    falcon-sensor_7.28.0-18108_amd64.deb

  2. Verify the File Hash:
    SHA256:

    023a9000731420bd489de8f60c7ad0e8a8d10de36ae2394c58e6167cae73901b
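
One way to run the hash check from step 2 before uploading the file, as an added example that is not part of the original guide or of Swif's or CrowdStrike's tooling. The function name `verify_sha256` and its return codes are assumptions made for this example.

```bash
#!/bin/bash
# Added example: verify a downloaded installer against a published SHA-256
# before uploading it. Function name and return codes are illustrative.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on usage or input errors.
verify_sha256() {
    local file="$1" expected actual
    # Normalise the expected digest to lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Fail closed on a truncated or mistyped digest: exactly 64 hex characters.
    case "$expected" in
        *[!0-9a-f]*|'') echo "expected digest is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest must be 64 hex characters" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2
        return 2
    fi

    # sha256sum on Linux, shasum on macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    elif command -v shasum >/dev/null 2>&1; then
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage with the file name and digest given above:
# verify_sha256 falcon-sensor_7.28.0-18108_amd64.deb \
#   023a9000731420bd489de8f60c7ad0e8a8d10de36ae2394c58e6167cae73901b
```

Upload the file only when the function returns 0; a return of 1 means the download does not match the published digest and should be discarded.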


3. Configure the Application in Swif

When creating the custom application, use the following configuration fields:

a. Installation Item

DEB: You can download the .deb installer from CrowdStrike.

b. Post-Install Script

This script sets the CID key, restarts the service, and validates the installation.

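#!/bin/bash

CID_KEY="XXX"   # replace XXX with your CID

# Set the CID and restart the sensor so it takes effect
sudo /opt/CrowdStrike/falconctl -s --cid="$CID_KEY"
sudo systemctl restart falcon-sensor

# Validate: falconctl may report the CID in lower case and without the
# checksum suffix after the dash, so compare case-insensitively on the
# part before the dash.
if sudo /opt/CrowdStrike/falconctl -g --cid | grep -qiF "${CID_KEY%%-*}"; then
    exit 0
else
    exit 1
fi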

c. Check Script

This script checks if the package is installed and the service is running.

#!/bin/bash

# Exit 1 when the package is installed and the service is active, otherwise exit 0
if dpkg -l | grep -qw falcon-sensor && systemctl is-active --quiet falcon-sensor; then
    exit 1
else
    exit 0
fi

Note: Depending on your system’s convention, you may need to swap exit 1 and exit 0 in the check script.

d. Uninstall Script

This script fully removes the sensor and its files.

#!/bin/bash

if dpkg -l | grep -q falcon-sensor; then
    # Stop the service, purge the package, and remove leftover files
    sudo systemctl stop falcon-sensor
    sudo dpkg --purge falcon-sensor
    sudo rm -rf /opt/CrowdStrike
    sudo rm -rf /var/log/falcon-sensor
    sudo rm -f /etc/opt/CrowdStrike/falcon.cfg
    # Succeed only if the package and its directories are gone
    if ! dpkg -l | grep -q falcon-sensor && [ ! -d /opt/CrowdStrike ] && [ ! -d /var/log/falcon-sensor ]; then
        exit 0
    else
        exit 1
    fi
else
    # Package not installed: nothing to remove
    exit 0
fi


4. Assign the Application to Devices

  • In the Swif platform, assign the custom CrowdStrike application to your target DEB-based devices.

  • The system will push the DEB file and execute the scripts as configured.


5. Validation

  • After the assignment, check the device status in Swif to confirm installation.

  • Optionally, verify on the device:

    • Service status:
      sudo systemctl status falcon-sensor

    • Falconctl presence:
      sudo /opt/CrowdStrike/falconctl -h

    • Running process:
      ps ax | grep falcond | grep -v grep
