Installing the CrowdStrike Falcon Sensor for macOS

NOTE: This software is NOT intended for use on computers that are NOT owned by Duke University or Duke Health. Please do NOT install this software on personally-owned devices. Installing this software on a personally-owned device will place the device under Duke policies and under Duke control.

Install the CrowdStrike Falcon Sensor for macOS by following these steps.

  1. Download the latest Falcon Sensor installer from Duke Software Licensing or Duke OIT SSI OneGet (accessible only from Duke network).

  2. Retrieve the proper CrowdStrike "Customer ID with Checksum" (or "CCID") string from the link below:

  3. Run the installer, entering administrative credentials when prompted.

  4. When prompted for a “Customer ID with checksum”, enter the string retrieved above. An optional “Installation token” is not required. Select Continue.

  5. If prompted to manually approve the CrowdStrike Network Filter, select “Setup”, then select “Allow” when prompted by macOS. Select Continue.

  6. If prompted to manually approve the CrowdStrike System Extension, select “Setup”, then select “Open System Settings” when prompted by macOS. Then select “Allow” and provide administrative credentials where it says that System software from application “Falcon” was blocked from loading. Back in the CrowdStrike installer, select Continue.

  7. If prompted to grant Full Disk Access to the CrowdStrike Falcon Sensor, select “System Settings” then enable the slider for “Falcon Sensor” under Full Disk Access. Wait for the installer to recognize that this access has been granted. If it does not recognize this in a short time, you may close the dialog. Otherwise, select Continue.

  8. Select Close on the installer dialog.

After installation, the sensor runs silently with no visible user interface.

Verifying sensor installation

Via App:

To confirm that the CrowdStrike Falcon Sensor is operational, go to Applications and open the Falcon app. A CrowdStrike Falcon Sensor Setup dialog should display the current state of the sensor regarding its registration, operation, and connection. Select Finish to close this dialog.

Via Terminal:

To validate that the Falcon sensor for macOS is running on a host via Terminal, run this command:

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats agent_info

Output similar to the following should display if the sensor is properly configured and running:

=== agent_info ===

version: 7.00.0000.0
agentID: 12345678-90AB-CDEF-1234-567890ABCDEF
customerID: ABCDEF12-3456-7890-ABCD-EF1234567890
Sensor operational: true

If you do not see output similar to this, please see Troubleshooting the CrowdStrike Falcon Sensor for macOS.

(Note: The "customerID" value should match the Customer ID retrieved during installation.)
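
The Terminal check above, scripted as an added example (not part of the original article or CrowdStrike's tooling): it parses the agent_info output, confirms "Sensor operational: true", and compares customerID to the CCID used at install. It assumes a CCID is the 32-hex-digit customer ID followed by a checksum suffix; the function names and return codes are illustrative.

```shell
#!/bin/sh
# Added example, not Duke's or CrowdStrike's code.
FALCONCTL=/Applications/Falcon.app/Contents/Resources/falconctl

# Uppercase, drop hyphens, keep the first 32 characters.
# Assumption: a CCID is the 32-hex-digit customer ID plus a trailing checksum.
normalize_cid() {
    printf '%s' "$1" | tr -d '-' | tr '[:lower:]' '[:upper:]' | cut -c1-32
}

# field NAME: print the value of the first "NAME: value" line on stdin.
field() {
    awk -F': *' -v k="$1" '{ sub(/^[ \t]+/, "") } $1 == k { print $2; exit }'
}

# check_agent_info CCID: reads agent_info text on stdin.
# Returns 0 = healthy, 1 = not operational, 2 = wrong customer ID, 3 = no data.
check_agent_info() {
    info=$(cat)
    operational=$(printf '%s\n' "$info" | field "Sensor operational")
    reported=$(printf '%s\n' "$info" | field "customerID")
    if [ -z "$operational" ] && [ -z "$reported" ]; then
        echo "no agent_info fields found" >&2; return 3
    fi
    if [ "$operational" != "true" ]; then
        echo "sensor not operational" >&2; return 1
    fi
    if [ "$(normalize_cid "$reported")" != "$(normalize_cid "$1")" ]; then
        echo "customerID does not match the CCID used at install" >&2; return 2
    fi
    echo "sensor operational, customerID matches"
}

# Constructed sample: the placeholder output shown in this article.
sample_output() {
    cat <<'EOF'
=== agent_info ===

version: 7.00.0000.0
agentID: 12345678-90AB-CDEF-1234-567890ABCDEF
customerID: ABCDEF12-3456-7890-ABCD-EF1234567890
Sensor operational: true
EOF
}

# With a CCID argument, check the live sensor; otherwise do nothing.
if [ "$#" -eq 1 ]; then
    sudo "$FALCONCTL" stats agent_info | check_agent_info "$1"
fi
```

The distinct return codes let a management or inventory script tell a stopped sensor apart from one registered under the wrong customer ID.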

Advanced Installation Options

Tamper Protection and Uninstalling the Falcon Sensor

Duke's CrowdStrike Falcon Sensor for macOS policies have Tamper Protection enabled by default. With Tamper Protection enabled, the CrowdStrike Falcon Sensor for macOS cannot be uninstalled or manually updated without providing a computer-specific "maintenance token". If you need a maintenance token to uninstall an operating sensor or to attempt upgrading a non-functional sensor, please contact your Security office for assistance.

Once you've received a maintenance token, enter the following command in Terminal:

sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token

and provide the maintenance token when prompted.

If the CrowdStrike Falcon Sensor is not functioning properly and the above command does not work, see "Uninstalling a non-functional CrowdStrike Falcon Sensor" (NetID Required) for additional uninstallation options.

Configuring a proxy

The Falcon sensor for macOS uses the proxies configured under Network in System Preferences. Computers on the Duke University network without traditional access to the Internet can use proxy-sec.oit.duke.edu:3128, which only allows proxy connections to Duo and CrowdStrike servers.

Need assistance?

If you have questions or issues that Troubleshooting the CrowdStrike Falcon Sensor for macOS doesn't address, please submit a ServiceNow case to "Device Engineering - OIT" or send an email to oitderequest@duke.edu.

Article number: KB0035358

Valid to: January 17, 2025