Troubleshooting the CrowdStrike Falcon Sensor for macOS

NOTE: This software is intended ONLY for computers owned by Duke University or Duke Health. Please do NOT install this software on personally-owned devices. Installing it on a personally-owned device places that device under Duke policies and under Duke control.

Full Documentation and Further Assistance

A recent copy of the full CrowdStrike Falcon Sensor for macOS documentation (from which most of this information is taken) can be found at https://duke.box.com/v/CrowdStrikeDocs (Duke NetID required).

If you have questions or issues that this document doesn't address, please submit a ServiceNow case to "Device Engineering - OIT" or send an email to oitderequest@duke.edu.

Troubleshooting Sensor Installation

Installation fails

The installation of the CrowdStrike Falcon Sensor for macOS is fairly simple and rarely fails; most problems stem from the configuration of the software after installation (see the sections below). If the installer itself does fail, first confirm that a CrowdStrike sensor is not already present on the computer. Duke's CrowdStrike Falcon Sensor for macOS policies have Tamper Protection enabled by default, so an installed sensor cannot be uninstalled or manually updated without a computer-specific "maintenance token". If you need a maintenance token to uninstall an operating sensor, or to attempt an upgrade of a non-functional sensor, please contact your Security Office for assistance.

Verifying that sensor components were installed

To verify the Falcon system extension is enabled and activated by the operating system, run the following command in Terminal:

systemextensionsctl list

Amongst the output, you should see something similar to the following line:

* * X9E956P446 com.crowdstrike.falcon.Agent (6.35/148.01) Agent [activated enabled]

If that line is missing, or shows a state other than [activated enabled] (for example, still waiting for user approval), load the sensor again so that macOS re-displays the approval prompts, by running the following command:

sudo /Applications/Falcon.app/Contents/Resources/falconctl load

Troubleshooting general sensor issues

Verifying that the sensor is running

To verify that the Falcon Sensor for macOS is running, run this command in Terminal:

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats agent_info

The output shows a list of details about the sensor, including its agent ID (AID), version, customer ID, and more, similar to the following:

=== agent_info ===

version: 6.35.14801.0
agentID: 96A00E4A-64E5-43B7-95A6-703939F7CB7C
customerID: F858934F-17DC-46B6-A1BF-A69994AF93F8
Sensor operational: true

(Note: The "Sensor operational" value is not present on macOS 10.15.)

Verifying the sensor is connected to the CrowdStrike cloud

You can verify that the host is connected to the cloud using Planisphere or a command line on the host.
  • Planisphere: If a device is communicating with the CrowdStrike cloud, Planisphere will collect information about that device on its regular polling of CrowdStrike. You can see the timing of the last and next polling on the Planisphere Data Sources tab. You can see the specific information for your device on the device's Details tab.

  • Host:

First, check to see that the computer can reach the CrowdStrike cloud by running the following command in Terminal:

nc -vz ts01-b.cloudsink.net 443

A properly communicating computer should return:

Connection to ts01-b.cloudsink.net port 443 [tcp/https] succeeded!

Any other response (a timeout, "Connection refused", or a hostname that does not resolve) indicates that the computer cannot reach the CrowdStrike cloud. This might be due to a network misconfiguration, or your computer might require the use of a proxy server. See the full documentation (linked above) for information about proxy configuration. Note that a successful nc test only shows that the TCP port is reachable; whether the sensor itself has established its session with the cloud is confirmed by the next check.

If the nc command returned the above results, run the following command in Terminal:

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats Communications | head -n 7
(This command is case-sensitive: note the capital "C" in "Communications".)

A properly communicating computer should return:

=== Communications ===

Cloud Info
    Host: ts01-b.cloudsink.net
    Port: 443
    State: connected

A value of 'State: connected' indicates the host is connected to the CrowdStrike cloud. Any other result indicates that the host can't connect to the CrowdStrike cloud. Review the Networking Requirements in the full documentation (linked above) and check your network configuration.
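The checks in the sections above can be chained into a single health-check script. The following is an added example written for this page; it is not Duke's or CrowdStrike's code. It assumes the falconctl path, the stats field layout and the "[activated enabled]" state string are exactly as shown in the examples above; any other State value is treated as "not connected", and the non-connected sample at the bottom is constructed, since the page shows only the connected case. When the sensor is not installed (for example on another machine) it only exercises its parsers against sample output copied from this page.

```shell
#!/bin/sh
# Added example, not from the Duke KB or CrowdStrike: chains the page's checks
# into one health check and parses the command output shown above.
# Assumed (not confirmed by the page): falconctl path, stats field layout, and
# the exact "[activated enabled]" state string. Run the live check as root:
#   sudo sh falcon-health.sh

FALCONCTL="/Applications/Falcon.app/Contents/Resources/falconctl"
CLOUD_HOST="ts01-b.cloudsink.net"
CLOUD_PORT=443

# --- parsers (each reads command output on stdin) ---------------------------

# Succeeds if `systemextensionsctl list` shows the Falcon Agent extension
# as both activated and enabled.
sysext_ok() {
    grep -E 'com\.crowdstrike\.falcon\.Agent .*\[activated enabled\]' >/dev/null
}

# Prints the value of a "Key: value" line from falconctl stats output.
# $1 is the key, e.g. "agentID", "Sensor operational" or "State".
stat_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Succeeds if agent_info reports "Sensor operational: true". On macOS 10.15
# that field is absent (see the note above); as an assumed fallback, a
# reported agentID is then taken as the best available sign of a live sensor.
agent_ok() {
    info=$(cat)
    op=$(printf '%s\n' "$info" | stat_field "Sensor operational")
    aid=$(printf '%s\n' "$info" | stat_field "agentID")
    case "$op" in
        true) return 0 ;;
        "")   [ -n "$aid" ] ;;
        *)    return 1 ;;
    esac
}

# Prints connected | disconnected | unknown from `falconctl stats Communications`.
comm_state() {
    case "$(stat_field "State")" in
        connected) echo connected ;;
        "")        echo unknown ;;
        *)         echo disconnected ;;
    esac
}

# --- samples copied from the examples on this page (constructed test input) --
SAMPLE_SYSEXT='* * X9E956P446 com.crowdstrike.falcon.Agent (6.35/148.01) Agent [activated enabled]'
SAMPLE_AGENT_INFO='=== agent_info ===

version: 6.35.14801.0
agentID: 96A00E4A-64E5-43B7-95A6-703939F7CB7C
customerID: F858934F-17DC-46B6-A1BF-A69994AF93F8
Sensor operational: true'
SAMPLE_COMM='=== Communications ===

Cloud Info
    Host: ts01-b.cloudsink.net
    Port: 443
    State: connected'
# Constructed failure case: the real non-connected wording is not on the page.
SAMPLE_COMM_DOWN='Cloud Info
    Host: ts01-b.cloudsink.net
    Port: 443
    State: connecting'

# Exercise the parsers against the samples; returns 0 when all pass.
selftest() {
    printf '%s\n' "$SAMPLE_SYSEXT" | sysext_ok || return 1
    printf '%s\n' "$SAMPLE_AGENT_INFO" | agent_ok || return 1
    [ "$(printf '%s\n' "$SAMPLE_COMM" | comm_state)" = connected ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_COMM_DOWN" | comm_state)" = disconnected ] || return 1
    echo "parser self-test passed"
}

# Run the real checks on this host; exit status 0 only if every check passes.
run_live() {
    rc=0
    if systemextensionsctl list | sysext_ok; then
        echo "[ok] Falcon system extension is activated and enabled"
    else
        echo "[!!] system extension missing or unapproved; try: sudo $FALCONCTL load"; rc=1
    fi
    if "$FALCONCTL" stats agent_info | agent_ok; then
        echo "[ok] sensor reports operational"
    else
        echo "[!!] sensor is not operational"; rc=1
    fi
    # TCP reachability only; the State check below confirms the sensor session.
    if nc -z -w 5 "$CLOUD_HOST" "$CLOUD_PORT" >/dev/null 2>&1; then
        echo "[ok] TCP $CLOUD_HOST:$CLOUD_PORT reachable"
    else
        echo "[!!] cannot reach $CLOUD_HOST:$CLOUD_PORT (network or proxy problem)"; rc=1
    fi
    state=$("$FALCONCTL" stats Communications | comm_state)
    if [ "$state" = connected ]; then
        echo "[ok] sensor connected to the CrowdStrike cloud"
    else
        echo "[!!] sensor State is '$state', not connected"; rc=1
    fi
    return $rc
}

if [ -x "$FALCONCTL" ] && command -v systemextensionsctl >/dev/null 2>&1; then
    run_live
else
    selftest
fi
```

On a managed Mac, run it with sudo and act on the first "[!!]" line: an unapproved extension points at the `falconctl load` step above, an unreachable port at the network or proxy configuration, and a non-connected State with the port reachable at the Networking Requirements in the full documentation.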

Article number: KB0035361

Valid to: January 29, 2025