THIS IS A WORK IN PROGRESS DOCUMENT, ALL INFORMATION CONTAINED & THE LAYOUT IS SUBJECT TO CHANGE!
This article documents the rollout of the CrowdStrike agent across Windows, Linux, and macOS. Unless stated otherwise, all deployment steps apply regardless of the CrowdStrike package: Package 1 (MDR), Package 2 (XDR), or Package 3 (EDR). For ease of management, it is suggested that only one method of tagging be used.
Installation steps assume you have administrative credentials (domain or local).
<installer_filename> /install /quiet /norestart CID=<CCID>
An Example: WindowsSensor.MaverickGyr.exe /install /norestart CID=2XXX9BF3XXXXX900XXXE8FXXXXXX67FA-E3
You will need to build a Mobile Device Management (MDM) sync profile using the following information. If you encounter any issues, reach out to CrowdStrike support for assistance.
When creating your own profile, you must specify MDM properties to approve the required macOS system extension and to approve Full Disk Access. Unless otherwise stated, all payloads apply to all macOS versions.
Payload: SystemExtensions
Property | Value |
AllowedSystemExtensions | Dict: {Key: X9E956P446, Value: com.crowdstrike.falcon.Agent} |
AllowUserOverrides | true |
Caution: If any SystemExtensions payload has a value of false for an AllowUserOverrides property, manual end-user approval of non-specified system extensions will not be permitted.
Payload: com.apple.servicemanagement
Property | Value |
Rules | Array [ {RuleType: BundleIdentifier, RuleValue: com.crowdstrike.falcon.UserAgent}, {RuleType: TeamIdentifier, RuleValue: X9E956P446} ] |
Payload: WebContentFilter
Property | Value |
FilterDataProviderBundleIdentifier | com.crowdstrike.falcon.Agent |
FilterDataProviderDesignatedRequirement | identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446" |
FilterGrade | inspector |
FilterPackets | false |
FilterSockets | true |
FilterType | Plugin |
Organization | CrowdStrike Inc. |
PluginBundleID | com.crowdstrike.falcon.App |
Approving Full Disk Access using MDM
To approve Full Disk Access, use the Privacy Preferences Policy Control payload with a SystemPolicyAllFiles (developer.apple article) property and specify this information in XML format:
<dict>
  <key>SystemPolicyAllFiles</key>
  <array>
    <dict>
      <key>Allowed</key>
      <true/>
      <key>CodeRequirement</key>
      <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
      <key>Comment</key>
      <string></string>
      <key>Identifier</key>
      <string>com.crowdstrike.falcon.Agent</string>
      <key>IdentifierType</key>
      <string>bundleID</string>
      <key>StaticCode</key>
      <false/>
    </dict>
    <dict>
      <key>Allowed</key>
      <true/>
      <key>CodeRequirement</key>
      <string>identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
      <key>Comment</key>
      <string></string>
      <key>Identifier</key>
      <string>com.crowdstrike.falcon.App</string>
      <key>IdentifierType</key>
      <string>bundleID</string>
      <key>StaticCode</key>
      <false/>
    </dict>
  </array>
</dict>
Debian, Ubuntu
sudo dpkg -i <installer_filename>
RHEL, CentOS, AlmaLinux, etc.
sudo yum install <installer_filename>
sudo /opt/CrowdStrike/falconctl -s --cid=<CCID>
Hosts with SysVinit
service falcon-sensor start
Hosts with Systemd
systemctl start falcon-sensor
Verify that the sensor process is running:
ps -e | grep falcon-sensor
[root@localhost ~]# ps -e | grep falcon-sensor
905 ? 00:00:02 falcon-sensor
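The Linux steps above (package install, setting the CID with falconctl, starting the service under SysVinit or systemd, and checking with ps) as one script. This is an added example, not CrowdStrike's tooling and not part of the original article; the script name, the DRY_RUN variable, the function names and the `-y` on yum (added so an unattended run does not stop at a prompt) are my own choices. The CID check only enforces the shape seen in the article's example (32 hex characters, a dash, 2 hex characters); the article's example itself is masked with X's and will not pass it, a real CID will.

```shell
#!/bin/sh
# Added example (not from the original article): wraps the Linux install steps
# into one script.  Usage:
#   sudo ./deploy_falcon_linux.sh <installer_filename> <CCID>
# Set DRY_RUN=1 to print the commands instead of executing them.

# Print a command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'DRY RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Shape check only (assumed from the article's example): 32 hex characters,
# a dash, then a 2-character hex checksum.  It does not verify the checksum.
validate_cid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$'
}

# Choose the package command from the installer's extension.
pkg_install_cmd() {
    case "$1" in
        *.deb) printf 'dpkg -i %s\n' "$1" ;;
        *.rpm) printf 'yum install -y %s\n' "$1" ;;   # -y added for unattended runs
        *)     return 1 ;;
    esac
}

# systemd mounts /run/systemd/system; anything else is treated as SysVinit.
detect_init() {
    if [ -d /run/systemd/system ]; then echo systemd; else echo sysvinit; fi
}

# Service start command for the given (or detected) init system.
service_start_cmd() {
    init="${1:-$(detect_init)}"
    case "$init" in
        systemd) printf 'systemctl start falcon-sensor\n' ;;
        *)       printf 'service falcon-sensor start\n' ;;
    esac
}

# The [f] trick stops grep from matching its own command line.
sensor_running() {
    ps -e | grep -q '[f]alcon-sensor'
}

deploy_linux_sensor() {
    installer="$1"
    cid="$2"
    validate_cid "$cid" || { echo "CID must look like <32 hex>-<2 hex>" >&2; return 1; }
    install=$(pkg_install_cmd "$installer") || { echo "unsupported installer: $installer" >&2; return 1; }
    run $install                                  # word-split on purpose: "dpkg -i file"
    run /opt/CrowdStrike/falconctl -s --cid="$cid"
    run $(service_start_cmd)
    [ "${DRY_RUN:-0}" = "1" ] && return 0
    sleep 2
    if sensor_running; then
        echo "falcon-sensor is running"
    else
        echo "falcon-sensor did not start" >&2
        return 1
    fi
}

# Only deploy when invoked with both arguments.
if [ "$#" -eq 2 ]; then
    deploy_linux_sensor "$1" "$2"
fi
```

Run it with `DRY_RUN=1` first to see the exact commands it would execute on the host; the final ps check is skipped in that mode.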
Tags added during the agent deployment are called SensorGroupingTags. These tags are considered the “stickier” method of tagging agents, as the only way to alter the tag after it is applied is to edit the registry or use CSSensorSettings.exe.
Run the following command, or configure your deployment tool to run it, replacing <installer_filename> with the name of the downloaded installer and <CCID> with the Customer ID Checksum.
<installer_filename> /install /quiet /norestart CID=<CCID> GROUPING_TAGS="TAGNAME"
An Example: WindowsSensor.MaverickGyr.exe /install /norestart CID=2XXX9BF3XXXXX900XXXE8FXXXXXX67FA-E3 GROUPING_TAGS="MiSecure"
Mac SensorGroupingTags cannot be added during agent deployment because of how macOS installs applications. However, you can add SensorGroupingTags to Macs manually as follows. NOTE: multiple tags can be added at once; separate tags with commas. The combined length of all tags for a host, including the comma separators, cannot exceed 256 characters.
Run the following command from a terminal:
sudo /Applications/Falcon.app/Contents/Resources/falconctl grouping-tags set "TagName 1,TagName 2"
Tag changes take effect at the next sensor restart (a device restart also restarts the sensor). To restart the sensor without rebooting, run the following commands from a terminal:
sudo /Applications/Falcon.app/Contents/Resources/falconctl unload
sudo /Applications/Falcon.app/Contents/Resources/falconctl load
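The manual Mac tagging steps above as one script that checks the tag list against the 256-character limit (including commas) before applying it, then unloads and loads the sensor so the change takes effect. This is an added example, not CrowdStrike's tooling and not part of the original article; the script name, the DRY_RUN variable and the function names are my own. It assumes ASCII tag names, since the length is counted in bytes.

```shell
#!/bin/sh
# Added example (not from the original article): validates and applies Mac
# SensorGroupingTags, then reloads the sensor.  Usage:
#   sudo ./set_mac_grouping_tags.sh "TagName 1,TagName 2"
# Set DRY_RUN=1 to print the commands instead of executing them.

FALCONCTL=/Applications/Falcon.app/Contents/Resources/falconctl
MAX_TAG_LEN=256   # combined length of all tags, commas included

# Print a command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'DRY RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Returns 0 when the list is usable: non-empty, no empty entries (leading,
# trailing or doubled commas) and within the 256-character limit.
# Length is measured in bytes; the example assumes ASCII tag names.
validate_grouping_tags() {
    tags="$1"
    [ -n "$tags" ] || { echo "no tags given" >&2; return 1; }
    len=$(printf '%s' "$tags" | wc -c | tr -d ' ')   # tr strips macOS wc padding
    if [ "$len" -gt "$MAX_TAG_LEN" ]; then
        echo "tag list is $len characters; limit is $MAX_TAG_LEN including commas" >&2
        return 1
    fi
    case "$tags" in
        ,*|*,|*,,*) echo "empty tag entry in list" >&2; return 1 ;;
    esac
    return 0
}

# Number of tags in the list: commas plus one.
tag_count() {
    commas=$(printf '%s' "$1" | tr -cd ',' | wc -c | tr -d ' ')
    echo $((commas + 1))
}

set_grouping_tags() {
    validate_grouping_tags "$1" || return 1
    run "$FALCONCTL" grouping-tags set "$1"
    # Tags apply at the next sensor start, so restart the sensor now.
    run "$FALCONCTL" unload
    run "$FALCONCTL" load
}

# Only apply tags when invoked with a tag list.
if [ "$#" -eq 1 ]; then
    set_grouping_tags "$1"
fi
```

Because the unload/load pair briefly stops the sensor, run this during a maintenance window or on one host first rather than across a fleet at once.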
Tags added after agent deployment are called FalconGroupingTags. These tags are not as “sticky” as SensorGroupingTags, but they are easier to change should a device be tagged incorrectly.