CrowdStrike Falcon is a cloud-native endpoint protection platform developed by CrowdStrike, a leading cybersecurity company. CrowdStrike Falcon requires a paid subscription from CrowdStrike to enable the use of the software packages.
To install CrowdStrike, there are three required steps for the macOS package and two required step for the Windows package:
macOS
Installer profiles: You can download the CrowdStrike-provided MDM profile for macOS at the support page.
After the profile is downloaded, you can deploy the profile using Swif's custom policy function at Policy Management. Here is a sample CrowdStrike MDM profile for the M1 Macbook for your reference: Falcon Profile - no Kext.mobileconfig. For custom profiles, copy everything inside of the array tag you see right after the <key>PayloadContent</key> part of the file you download.
Then add the custom profile to your device group to automate the deployment.
Install the app: You can choose to deploy the package to any device group to automate the deployment in 2 ways:
Download the pkg on the CrowdStrike download page and upload it to your team's software page on Swif.
Or you can use our prebuilt CrowdStrike Falcon package on the Software page and Click "Add" to add to your team software.
Run a scheduled command
falconctlto configure the Falcon license. Running as a Command until then is fine for the first-time rollout to devices, but if you add a new device to a device group with all of this configured, there's no guarantee when the command will run, and may run before the software is installed, you could create a scheduled cron job Command to run every day or something to just check if the command is successful, and if not, re-execute the command too.Run a schedule command. To make the command work on all devices, you can make the scheduled command "Run as Swif admin" (Step 2). Swif admin password is available via Device Details > Account tab > Swif admin > Change password > Click to View.
Then Run the command as sudo:
Note, first apply the license command with your CID, then run the load command, and then run the stats command to confirm the connection is working.echo "password here" | sudo -S /Applications/Falcon.app/Contents/Resources/falconctl license XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-YY
echo "password here" | sudo -S /Applications/Falcon.app/Contents/Resources/falconctl load
echo "password here" | sudo -S /Applications/Falcon.app/Contents/Resources/falconctl statsThen add the command to your device group to automate the deployment.
After the command is executed, you can use this command to verify on a device to see if it has been configured successfully.
echo "password here" | sudo -S /Applications/Falcon.app/Contents/Resources/falconctl stats
=== CloudInfo === Cloud Info Host: ts01-gyr-maverick.cloudsink.net Port: 443 State: connected ...
For #3, you can now (Jun 2024) use pre-install and post-install scripts on a macOS custom package to run such scripts.
Windows
Install the app: You can choose to deploy the package to devices in 2 ways:
Download the pkg on the CrowdStrike download page and upload it to your team's software page on Swif.
Or you can use our prebuilt CrowdStrike Falcon package on the Software page and Click "Add" to add to your team software.
For the Windows package, you can configure installer arguments like below to configure your package.
Name: "CrowdStrike Windows Sensor" (So the package name will match the application name)
Installer Arguments: /install /quiet /norestart CID="AB....-DC" (Enter each argument separately like the attached screenshot). To obtain your Falcon CID, you can follow this article.
Uninstall the app: There is a way to do a silent uninstall by using their CSUninstallTool. The uninstaller should look like this:
βCsUninstallTool.exe MAINTENANCE_TOKEN=<your token> /quiet
You can also manually uninstall CrowdStrike. When you uninstall Falcon from devices or groups on Swif, Windows uninstaller for Falcon will require you to manually enter a maintenance token on the devices that are uninstalling Falcon.
