
Hey Y’all!

As an IT administrator, one of the first things you’ll find yourself doing is installing an endpoint security tool, which can be very difficult to automate across hundreds, if not thousands, of devices.

Not with Automox. Automox Worklets give you the power to deploy endpoint security tools to newly added endpoints as well as enforce installation on existing endpoints, so you always know that your endpoints are running the security tools necessary to protect your IT environment.

The below Worklet is designed to deploy CrowdStrike Falcon Sensors to macOS endpoints. The Worklet will copy down the .pkg file to the endpoint and run the install if the Worklet determines that CrowdStrike is not installed.



Some things to remember when using this Worklet to install CrowdStrike Falcon:

  • You need to make sure that the CrowdStrike Falcon application is whitelisted for the devices so the KEXT does not prevent the installation. Otherwise, this Worklet will not install the app.

  • Be sure to check the system and network/firewall requirements for CrowdStrike Falcon to ensure that you are meeting those requirements. You can check this by viewing the Support Docs in the CrowdStrike Falcon dashboard.

  • Be sure to read the comments in the evaluation and remediation code below to ensure you are adding the Customer ID checksum unique to your organization. The Worklet will fail if this is not added.







To create the Automox Worklet:

  • Log in to the Automox console and create a new policy from the System Mgmt page

  • From there select a “Worklet” policy for macOS

  • Name the policy (required)

  • Copy the syntax below to each of the code blocks (evaluation, remediation)




Evaluation:

#!/bin/bash
# evaluate the device to see if the CrowdStrike service is running
# service running: exit with 0
# service not running: exit with 1
sysctl cs
if [[ $? -eq 0 ]]; then
    exit 0
else
    exit 1
fi



Remediation:

#!/bin/bash
# Input your unique CS Customer ID checksum code below. Replace your_customer_id with your install code.
##########################################
customerid=your_customer_id
##########################################

# copy the installer attached to the Worklet to the /tmp directory of the device
scp FalconSensorMacOS.pkg /tmp

# run installation of Falcon Sensor on the device. error logs are output to /tmp/axfalconinstall.log
sudo installer -verboseR -package /tmp/FalconSensorMacOS.pkg -target / 2> /tmp/axfalconinstall.log &
process_id=$!
wait $process_id

# apply the license using the Customer ID checksum set above
sudo /Library/CS/falconctl license "$customerid"

# check to ensure the CS service is running to verify installation was successful
sysctl cs
if [[ $? -eq 0 ]]; then
    exit 0
else
    exit 1
fi





  • Next, load the FalconSensorMacOS.pkg installation file to the Worklet. The Worklet will reference this during the install.

  • Save the Worklet

  • Now you can set the Worklet to run on a schedule, or you can run the policy manually at any point on the endpoints.







You should be all set! When this policy runs it will check to see if a device has CrowdStrike Falcon Sensor installed. If not, it will install it. You can verify this by checking to see if the endpoint shows up in the Falcon dashboard.

If you have any questions feel free to reach out!

Dude,



Thank you for this. I manage all our physical endpoints and I’ll tell you that installing CrowdStrike on Macs (because of the KEXT nonsense) was a PITA…look forward to trying this worklet out.



Switow


@sswitow



You’ll still need to whitelist Crowdstrike’s KEXT through an MDM if you don’t want any user interaction, unfortunately no workarounds for that. Many AV KEXTs are hopefully getting deprecated soon in favor of using Apple’s Endpoint Security framework (in macOS Catalina and higher).


Bummer 😕 Maybe Mac will work on that

That’ll be a change CrowdStrike will have to make, I would reach out to them to see what their timeline is to deprecate their kernel extension.

I was under the impression that CrowdStrike needed kernel permissions to fully function…especially with Mac. Am I misinformed?

Indeed, but Apple has begun the process of deprecating (almost) all kernel extensions in favor of software vendors using their Endpoint Security framework. I imagine CrowdStrike is in process of making that change.

Noticing that this command is not working for Big Sur 11.0.1 systems. I’m trying to figure out a way ahead but Mac is not my strong suit. Anyone have recommendations?



sysctl cs



RUNNING PROCESSES


Falcon sensor for Mac version 6.11 and later uses system extensions. As a result, there’s a change to what processes the sensor uses to run. When running on macOS Big Sur 11.0 and later, the only running process for the sensor is com.crowdstrike.falcon.Agent. This is the system extension.



To find the state of the system extension, run the command systemextensionsctl list



Custom health check scripts or VPN compliance checks may need to be updated using these new processes.



To check for sensor health, run /Applications/Falcon.app/Contents/Resources/falconctl stats


I believe systemextensionsctl list replaced the sysctl command. Something like systemextensionsctl list | grep cs might work here.

Update: to expand on what I wrote earlier. sysctl still exists on macOS Big Sur, but CrowdStrike has moved from a kernel extension to a system extension, so you need to use systemextensionsctl


Heads up for others. Falcon Sensor 6.11 requires some added steps and CrowdStrike has a profile you can download from their support portal and push with your MDM.



https://supportportal.crowdstrike.com/s/article/Tech-Alert-Preparing-for-macOS-Falcon-Sensor-6-11



Within the remediation code replace



sudo /Library/CS/falconctl license $customerid



with



sudo /Applications/Falcon.app/Contents/Resources/falconctl license $customerid

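Pulling together the original evaluation block and the Big Sur replies above, here is an evaluation script that is an added example, not code from the original post, Automox or CrowdStrike: it first looks for the com.crowdstrike.falcon.Agent system extension in the output of systemextensionsctl list (Falcon 6.11 and later) and falls back to the original sysctl cs kernel-extension check for older sensors. The "[activated enabled]" state string is an assumption about systemextensionsctl's output format, and the parsing is kept in its own function so it can be exercised against captured text.

```bash
#!/bin/bash
# Added example, not the original Worklet's code: an evaluation check that
# handles both sensor generations discussed in this thread.
#   Falcon 6.11+ (Big Sur): system extension, listed by `systemextensionsctl list`
#   older sensors:          kernel extension, visible through `sysctl cs`
# Assumption: systemextensionsctl prints a ready extension as "[activated enabled]".

# Bundle id of the Falcon system extension (from the CrowdStrike note quoted above).
FALCON_SYSEXT="com.crowdstrike.falcon.Agent"

# Return 0 when the given `systemextensionsctl list` text shows the Falcon
# extension in the "[activated enabled]" state, 1 otherwise (absent, or
# activated but still waiting for user approval because no MDM profile
# whitelisted it).
falcon_sysext_active() {
    printf '%s\n' "$1" | grep -F "$FALCON_SYSEXT" | grep -q '\[activated enabled\]'
}

# Evaluate a live endpoint: 0 = a sensor is running, 1 = remediation needed.
evaluate_falcon() {
    local listing
    if command -v systemextensionsctl >/dev/null 2>&1; then
        listing="$(systemextensionsctl list 2>/dev/null)"
        if falcon_sysext_active "$listing"; then
            return 0
        fi
    fi
    # Fall back to the kernel-extension check from the original Worklet.
    sysctl cs >/dev/null 2>&1
}

# In the Worklet's evaluation block, make this call the last line so its
# status becomes the script's exit code:
#   evaluate_falcon
```

On an endpoint where the extension shows as activated but not enabled, the Worklet will keep re-running remediation until the MDM profile from the tech alert above has been pushed.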