Installing the CrowdStrike Falcon Sensor for macOS
NOTE: This software is NOT intended for use on computers that are NOT owned by Duke University or Duke Health. Please do NOT install this software on personally-owned devices. Installing this software on a personally-owned device will place the device under Duke policies and under Duke control.
Install the CrowdStrike Falcon Sensor for macOS by following these steps.
- Download the latest Falcon Sensor installer from Duke Software Licensing or Duke OIT SSI OneGet (accessible only from the Duke network).
- Retrieve the proper CrowdStrike "Customer ID with Checksum" (or "CCID") string from the link below:
- Run the installer, entering administrative credentials when prompted.
- When prompted for a “Customer ID with checksum”, enter the string retrieved above. An optional “Installation token” is not required. Select Continue.
- If prompted to manually approve the CrowdStrike Network Filter, select “Setup”, then select “Allow” when prompted by macOS. Select Continue.
- If prompted to manually approve the CrowdStrike System Extension, select “Setup”, then select “Open System Settings” when prompted by macOS. Then select “Allow” and provide administrative credentials where it says that “System software from application ‘Falcon’ was blocked from loading”. Back in the CrowdStrike installer, select Continue.
- If prompted to grant Full Disk Access to the CrowdStrike Falcon Sensor, select “System Settings” then enable the slider for “Falcon Sensor” under Full Disk Access. Wait for the installer to recognize that this access has been granted. If it does not recognize this in a short time, you may close the dialog. Otherwise, select Continue.
- Select Close on the installer dialog.
After installation, the sensor runs silently with no visible user interface.
Verifying sensor installation
To confirm that the CrowdStrike Falcon Sensor is operational, go to Applications and open the Falcon app. A CrowdStrike Falcon Sensor Setup dialog should display the current state of the sensor regarding its registration, operation, and connection. Select Finish to close this dialog.
To validate that the Falcon sensor for macOS is running on a host via Terminal, run this command:
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats agent_info
Output similar to the following should display if the sensor is properly configured and running:
=== agent_info ===
Sensor operational: true
If you do not see output similar to this, please see Troubleshooting the CrowdStrike Falcon Sensor for macOS.
(Note: The "customerID" value should match the Customer ID retrieved during installation.)
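When the Terminal check above has to be repeated on many Macs, its output can be evaluated by a script instead of by eye. The shell functions below are an added example, not Duke's or CrowdStrike's code; the function names, the "customerID: <value>" line format, and the 32-hex-digit ID layout with a trailing checksum are assumptions.

```shell
#!/bin/sh
# Added example (not Duke's or CrowdStrike's code).
# Usage on a Mac, with the page's command:
#   sudo /Applications/Falcon.app/Contents/Resources/falconctl stats agent_info \
#     | check_agent_info "<CCID used at install>"

# Reduce an ID to 32 uppercase hex digits so it can be compared.
# Assumption: the customer ID is 32 hex digits, possibly dash-separated, and
# the CCID appends a short checksum after the last dash.
normalize_id() {
    printf '%s' "$1" | tr -d -c '0-9A-Fa-f' | tr 'a-f' 'A-F' | cut -c1-32
}

# Reads agent_info output on stdin; $1 is the expected CCID (optional).
# Returns 0 = operational (and customerID matches when a CCID is given),
#         1 = no "Sensor operational: true" line,
#         2 = customerID missing, malformed, or different from the CCID.
check_agent_info() {
    expected="${1:-}"
    info=$(cat)
    if ! printf '%s\n' "$info" |
        grep -Eq '^[[:space:]]*Sensor operational:[[:space:]]*true[[:space:]]*$'; then
        return 1
    fi
    if [ -z "$expected" ]; then
        return 0
    fi
    # Assumption: the value appears on a line of the form "customerID: <value>".
    reported=$(printf '%s\n' "$info" |
        sed -n 's/^[[:space:]]*customerID:[[:space:]]*//p' | head -n 1)
    got=$(normalize_id "$reported")
    want=$(normalize_id "$expected")
    if [ "${#got}" -ne 32 ] || [ "$got" != "$want" ]; then
        return 2
    fi
    return 0
}

# Constructed sample output; the ID is a placeholder, not a real customer ID.
sample_agent_info() {
    cat <<'EOF'
=== agent_info ===
customerID: 00000000-0000-0000-0000-0000000000AB
Sensor operational: true
EOF
}
```

A non-zero return code separates a sensor that is not operational (1) from one registered under a different or missing customer ID (2), so a management script can report the two cases differently.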
Tamper Protection and Uninstalling the Falcon Sensor
Duke's CrowdStrike Falcon Sensor for macOS policies have Tamper Protection enabled by default. With Tamper Protection enabled, the CrowdStrike Falcon Sensor for macOS cannot be uninstalled or manually updated without providing a computer-specific "maintenance token". If you need a maintenance token to uninstall an operating sensor or to attempt upgrading a non-functional sensor, please contact your Security office for assistance.
Once you've received a maintenance token, enter the following command in Terminal:
sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token
and provide the maintenance token when prompted.
If the CrowdStrike Falcon Sensor is not functioning properly and the above command does not work, see "Uninstalling a non-functional CrowdStrike Falcon Sensor" (NetID Required) for additional uninstallation options.
Configuring a proxy
The Falcon sensor for macOS uses the proxies configured under Network in System Preferences. Computers on the Duke University network without traditional access to the Internet can use proxy-sec.oit.duke.edu:3128, which only allows proxy connections to Duo and CrowdStrike servers.
If you have questions or issues that Troubleshooting the CrowdStrike Falcon Sensor for macOS doesn't address, please submit a ServiceNow case to "Device Engineering - OIT" or send an email to email@example.com.
Article number: KB0035358
Valid to: January 17, 2025