Troubleshooting the CrowdStrike Falcon Sensor for macOS
NOTE: This software is NOT intended for use on computers that are NOT owned by Duke University or Duke Health. Please do NOT install this software on personally-owned devices. Installing this software on a personally-owned device will place the device under Duke policies and under Duke control.
Full Documentation and Further Assistance
A recent copy of the full CrowdStrike Falcon Sensor for macOS documentation (from which most of this information is taken) can be found at https://duke.box.com/v/CrowdStrikeDocs (Duke NetID required).
If you have questions or issues that this document doesn't address, please submit a ServiceNow case to "Device Engineering - OIT" or send an email to oitderequest@duke.edu.
Troubleshooting Sensor Installation
Installation fails
The actual installation of the CrowdStrike Falcon Sensor for macOS is fairly simple and rarely has issues, with issues generally stemming from the configuration of the software after installation. If you do experience issues during the installation of the software, confirm that CrowdStrike software is not already installed. Duke's CrowdStrike Falcon Sensor for macOS policies have Tamper Protection enabled by default. With Tamper Protection enabled, the CrowdStrike Falcon Sensor for macOS cannot be uninstalled or manually updated without providing a computer-specific "maintenance token". If you need a maintenance token to uninstall an operating sensor or to attempt upgrading a non-functional sensor, please contact your Security Office for assistance.
Verifying that sensor components were installed
To verify the Falcon system extension is enabled and activated by the operating system, run the following command in Terminal:
systemextensionsctl list
Amongst the output, you should see something similar to the following line:
* * X9E956P446 com.crowdstrike.falcon.Agent (6.35/148.01) Agent [activated enabled]
If the system extension is not installed, manually load the sensor again to show the prompts for approval by running the following command:
sudo /Applications/Falcon.app/Contents/Resources/falconctl load
Verifying that the sensor is running
To verify that the Falcon Sensor for macOS is running, run this command in Terminal:
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats agent_info
The output shows a list of details about the sensor, including its agent ID (AID), version, customer ID, and more, similar to the following:
=== agent_info ===
version: 6.35.14801.0
agentID: 96A00E4A-64E5-43B7-95A6-703939F7CB7C
customerID: F858934F-17DC-46B6-A1BF-A69994AF93F8
Sensor operational: true
(Note: The "Sensor operational" value is not present on macOS 10.15.)
Verifying the sensor is connected to the CrowdStrike cloud
- Planisphere: If a device is communicating with the CrowdStrike cloud, Planisphere will collect information about that device on its regular polling of CrowdStrike. You can see the timing of the last and next polling on the Planisphere Data Sources tab. You can see the specific information for your device on the device's Details tab.
- Host:
First, check to see that the computer can reach the CrowdStrike cloud by running the following command in Terminal:
nc -vz ts01-b.cloudsink.net 443
A properly communicating computer should return:
Connection to ts01-b.cloudsink.net port 443 [tcp/https] succeeded!
Any other response indicates that the computer cannot reach the CrowdStrike cloud. This might be due to a network misconfiguration or your computer might require the use of a proxy server. See the full documentation (linked above) for information about proxy configuration.
If the nc command returned the above results, run the following command in Terminal:
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats Communications | head -n 7
(This command is case-sensitive: note the capital "C" in "Communications".)
A properly communicating computer should return:
=== Communications ===
Cloud Info
Host: ts01-b.cloudsink.net
Port: 443
State: connected
A value of 'State: connected' indicates the host is connected to the CrowdStrike cloud. Any other result indicates that the host can't connect to the CrowdStrike cloud. Review the Networking Requirements in the full documentation (linked above) and check your network configuration.
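The three manual checks above (system extension state, sensor running, cloud connection) can be combined into one script. The following is an added example, not code from CrowdStrike or Duke; the script name falcon_check.sh, the function names and the indentation of the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not CrowdStrike or Duke code): checks the three conditions
# this article verifies by hand. Parsers read stdin so they can run offline.
FALCONCTL=/Applications/Falcon.app/Contents/Resources/falconctl

# Succeeds only if the Falcon system extension is "[activated enabled]".
sysext_ok() {
    grep -F 'com.crowdstrike.falcon.Agent' | grep -qF '[activated enabled]'
}

# Prints the value of a "Key: value" line, or "absent" if there is none
# ("Sensor operational" is not reported on macOS 10.15).
field() {
    awk -v key="$1" -F': *' '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print "absent" }'
}

# Constructed sample, based on the expected output shown in this article.
sample_comms() {
    printf '%s\n' '=== Communications ===' 'Cloud Info' \
        '  Host: ts01-b.cloudsink.net' '  Port: 443' '  State: connected'
}

# Live mode, on a Mac with the sensor installed: sh falcon_check.sh --live
if [ "${1:-}" = "--live" ]; then
    rc=0
    systemextensionsctl list | sysext_ok \
        || { echo "FAIL: system extension not activated and enabled"; rc=1; }
    op=$(sudo "$FALCONCTL" stats agent_info | field 'Sensor operational')
    case "$op" in
        true|absent) ;;   # "absent" is expected on macOS 10.15
        *) echo "FAIL: Sensor operational: $op"; rc=1 ;;
    esac
    state=$(sudo "$FALCONCTL" stats Communications | field 'State')
    [ "$state" = "connected" ] || { echo "FAIL: cloud state: $state"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: extension enabled, sensor running, cloud connected"
    exit "$rc"
else
    # Offline demo: parse the sample instead of querying the sensor.
    echo "sample cloud state: $(sample_comms | field 'State')"
fi
```

A non-zero exit status in live mode means at least one check failed; the FAIL line names the section of this article to revisit.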
Article number: KB0035361
Valid to: January 29, 2025