Worklet - Installing CrowdStrike on MacOS

Hey Y’all!

As an IT administrator one of the first things you’ll find yourself doing is installing an endpoint security tool, which can be very difficult to automate across hundreds, if not thousands of devices.

Not with Automox. Automox Worklets gives you the power to deploy endpoint security tools to newly added endpoints as well as enforce installation on existing endpoint,s so you always know that your endpoints are running the security tools necessary to protect your IT environment.

The below Worklet is designed to deploy CrowdStrike Falcon Sensors to macOS endpoints. The Worklet will copy down the .pkg file to the endpoint and run the install if the Worklet determines if CrowdStrike is not installed.

Some things to remember when using this Worklet to install CrowdStrike Falcon:

  • You need to make sure that the CrowdStrike Falcon application is whitelisted for the devices so the KEXT does not prevent the installation. Otherwise, this Worklet will not install the app.

  • Be sure to check the system and network/firewall requirements for CrowdStrike Falcon to ensure that you are meeting those requirements. You can check this by viewing the Support Docs in the CrowdStrike Falcon dashboard.

  • Be sure to read the comments in the evaluation and remediation code below to ensure you are adding the Customer ID checksum unique to your organization. The Worklet will fail if this is not added.

To create the Automox Worklet:

  • Login into the Automox console and create a new policy from the System Mgmt page
  • From there select a “Worklet” policy for MacOS
  • Name the policy (required)
  • Copy the syntax below to each of the code blocks (evaluation, remediation)

Evaluation:

#!/bin/bash

#evaluate the device to see if the Crowdstrike service is running
#service running exit with a 0
#service not running exit with a 1

sysctl cs
 
if [[ $? -eq 0 ]]; then 
	exit 0
else
	exit 1
fi

Remediation:

#!/bin/bash

#Input your unique CS Customer ID checksum code below.  Replace your_customer_id with your install code.
##########################################
customerid=your_customer_id
##########################################

#copy the files to the /tmp directory of the device
scp FalconSensorMacOS.pkg /tmp

#run installation of Falcon Sensor on the device.  error logs are output to /tmp/axfalconinstall.log
sudo installer -verboseR -package /tmp/FalconSensorMacOS.pkg -target / 2> /tmp/axfalconinstall.log &
	process_id=$!
	
	wait $process_id
    
sudo /Library/CS/falconctl license $customerid 
 
#check to ensure the CS service is running to verify installation was successful
sysctl cs
 
if [[ $? -eq 0 ]]; then 
	exit 0
else
	exit 1
fi
  • Next, Load the FalconSensorMacOS.pkg installation file to the Worklet. The Worklet will reference this during the install.

  • Save The Worklet

  • Now you can set the Worklet to run on a schedule, or you can run the policy manually at any point on the endpoints.

You should be all set! When this policy runs it will check to see if a device has CrowdStrike Falcon Sensor installed. If not, it will install it. You can verify this by checking to see if the endpoint shows up in the Falcon dashboard

If you have any Questions feel free to reach out!

4 Likes