Skip to main content

Install/Uninstall CrowdStrike Falcon

Updated over 2 weeks ago

CrowdStrike Falcon is a cloud-native endpoint protection platform developed by CrowdStrike, a leading cybersecurity company. CrowdStrike Falcon requires a paid subscription from CrowdStrike to enable the use of the software packages.

To install CrowdStrike, there are three required steps for the macOS package and two required steps for the Windows package:

macOS

1. Installer profiles

You can download the CrowdStrike-provided MDM profile for macOS at the support page.

  1. After the profile is downloaded, you can deploy the profile using Swif's custom policy function at Policy Management. Here is a sample CrowdStrike MDM profile for the M1 MacBook for your reference: Falcon Profile - no Kext.mobileconfig. For custom profiles, copy everything inside the array tag you see right after the <key>PayloadContent</key> part of the file you download.

  2. Then add the custom profile to your device group to automate the deployment.

2. Install the app

You can choose to deploy the package to any device group to automate the deployment in 2 ways:

  1. Download the pkg on the CrowdStrike download page and upload it to your team's software page on Swif.

  2. Or you can use our prebuilt CrowdStrike Falcon package on the Software page and click "Add" to add to your team's software.

3. Configure the Falcon license

Running as a Command until then is fine for the first-time rollout to devices, but if you add a new device to a device group with all of this configured, there's no guarantee when the command will run, and may run before the software is installed, you could create a scheduled cron job Command to run every day or something to just check if the command is successful, and if not, re-execute the command too.

  1. Run a schedule command. To make the command work on all devices, you can make the scheduled command "Run as Swif admin" (Step 2). The Swif admin password is available via Device Details > Account tab > Swif admin > Change password > Click to View.

  2. Then Run the command as sudo:
    Note: first apply the license command with your CID, then run the load command, and then run the stats command to confirm the connection is working.

    echo "password here" | sudo -S /Applications/Falcon.app/Contents/Resources/falconctl license XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-YY
    echo "password here" | sudo -S /Applications/Falcon.app/Contents/Resources/falconctl load
    echo "password here" | sudo -S /Applications/Falcon.app/Contents/Resources/falconctl stats

  3. Then use pre-install and post-install scripts on a macOS custom package to run such scripts.

  4. After the command is executed, you can use this command to verify on a device to see if it has been configured successfully.

    echo "password here" | sudo -S /Applications/Falcon.app/Contents/Resources/falconctl stats

    === CloudInfo === Cloud Info Host: ts01-gyr-maverick.cloudsink.net Port: 443 State: connected ...

Windows

1. Install the app

You can choose to deploy the package to devices in 2 ways:

  1. Download the pkg on the CrowdStrike download page and upload it to your team's software page on Swif.

  2. Or you can use our prebuilt CrowdStrike Falcon package on the Software page and Click "Add" to add to your team software.

  3. For the Windows package, you can configure installer arguments like below to configure your package.

    1. Name: "CrowdStrike Windows Sensor" (So the package name will match the application name)

    2. Installer Arguments: /install /quiet /norestart CID="AB....-DC" (Enter each argument separately like the attached screenshot). To obtain your Falcon CID, you can follow this article.

2. Uninstall the app

There is a way to do a silent uninstall by using their CSUninstallTool. The uninstaller should look like this:
CsUninstallTool.exe MAINTENANCE_TOKEN=<your token> /quiet

You can also manually uninstall CrowdStrike. When you uninstall Falcon from devices or groups on Swif, the Windows uninstaller for Falcon will require you to manually enter a maintenance token on the devices that are uninstalling Falcon.

DEB-Based Linux Devices

This guide explains how to deploy the CrowdStrike Falcon Sensor on DEB-based (x64/amd64) Linux devices using the Swif platform’s custom application feature.

1. Overview

  • Deployment Method: Use Swif’s custom application upload to install the CrowdStrike Falcon Sensor.

  • Why this method? Direct installation via APT package manager may not be reliable or available in all environments. The custom app upload ensures consistent deployment and management.

2. Prepare the Custom Application Package

  1. Download the DEB File:
    Obtain the correct Falcon-sensor DEB package for your device architecture.
    Example download:
    falcon-sensor_7.28.0-18108_amd64.deb

  2. Verify the File Hash:
    SHA256:

    023a9000731420bd489de8f60c7ad0e8a8d10de36ae2394c58e6167cae73901b

3. Configure the Application in Swif

When creating the custom application, use the following configuration fields:

a. Installation Item

DEB: You can download the .deb installer from Crowdstrike

b. Post-Install Script

This script sets the CID key, restarts the service, and validates the installation.

#!/bin/bash

CID_KEY="XXX"

sudo /opt/CrowdStrike/falconctl -s --cid="$CID_KEY"
sudo systemctl restart falcon-sensor

sudo /opt/CrowdStrike/falconctl -g --cid | grep -q "$CID_KEY"
if [ $? -eq 0 ]; then
  exit 0
else
  exit 1
fi

c. Check Script

This script checks if the package is installed and the service is running.

#!/bin/bash

if dpkg -l | grep -qw falcon-sensor && systemctl is-active --quiet falcon-sensor; then
    exit 1
else
    exit 0
fi

Note: Depending on your system’s convention, you may need to swap exit 1 and exit 0 in the check script.

d. Uninstall Script

This script fully removes the sensor and its files.

#!/bin/bash

if dpkg -l | grep -q falcon-sensor; then
    sudo systemctl stop falcon-sensor
    sudo dpkg --purge falcon-sensor
    sudo rm -rf /opt/CrowdStrike
    sudo rm -rf /var/log/falcon-sensor
    sudo rm -f /etc/opt/CrowdStrike/falcon.cfg
    if ! dpkg -l | grep -q falcon-sensor && [ ! -d /opt/CrowdStrike ] && [ ! -d /var/log/falcon-sensor ]; then
        exit 0
    else
        exit 1
    fi
else
    exit 0
fi

4. Assign the Application to Devices

  • In the Swif platform, assign the custom CrowdStrike application to your target DEB-based devices.

  • The system will push the DEB file and execute the scripts as configured.

5. Validation

  • After the assignment, check the device status in Swif to confirm installation.

  • Optionally, verify on the device:

    • Service status:
      sudo systemctl status falcon-sensor

    • Falconctl presence:
      sudo /opt/CrowdStrike/falconctl -h

    • Running process:
      ps ax | grep falcond | grep -v grep

Related Articles
Antivirus (EDR) detection and reporting
Installing Custom Software via Swif
Install/Uninstall SentinelOne Agent (macOS & Windows)
Configuring CrowdStrike Falcon Exclusions for Swif.ai to Prevent False Positives
Installing swif-agent via Linux Repository
Did this answer your question?