CrowdStrike (CS): Installing the Falcon Sensor
Description
You must be logged into your CrowdStrike (Falcon) Management portal at the following URL to view CrowdStrike linked articles.
--Installing-the-Falcon-Sensor-kA1VN0000000FGs0AM-0EMVN00000Ensfa.gif)
Do NOT install devices/agents to a Parent CID.
- You will need to uninstall them and reinstall them to the correct desired Child CID (Client).
Table of Contents
Windows:
Installing in a Virtual Environment:
If you are going to be installing in a virtual environment please review steps and recommendations at the following link.
Confirm you are installing on a supported OS:
Downloading the Installer:
- Make sure you are viewing the Child CID where you will want the device/agent to register to.
- DO NOT install devices/agents to a Parent CID.
- Download the install file:
- Copy your CCID with checksum from the right hand side of the screen where you download the installer from.
- Save this in a text file or somewhere you can find it when needed.
- This will be unique per Child CID.
Manual Install:
If you have a small number of installs to do, manual installation might be your best option.
- Make sure the agent/sensor installer is available to the desired device.
- Double-click the installer to begin.
- Accept the license agreement and enter your customer ID checksum (CCID with checksum).
- Ignore the field for Installation Token, leave this blank.
- If you OS prompts you to allow the installation, click Yes.
- Allow the installer to complete.
Scripted and Silent Install:
- Make sure the agent/sensor installer is available to the desired device.
- Run or configure your deployment tool to use the following command to initiate a silent install via Command Prompt running as Administrator.
- Replace the <installer_filename> with the path and name of the install file you donloaded.
- Replace the <CCID> with the CCID with checksum for the desired Child CID.
<path to installer_filename> /install /quiet /norestart CID=<CCID with checksum>- For example:
C:\Temp\FalconSensor_Windows.exe /install /quiet /norestart CID=1111C11111C11111CC1111CC1C11CC1C1C-11
Verifying Sensor/Agent Installation:
- You can confirm a sensor/agent installation by review your hosts in your CrowdStrike (Falcon) management console.
- Make sure you are viewing only a specific Child CID if desired.
- Host management | Host setup and management | Falcon
- To validate that the Falcon sensor/agent for Windows is running on a host, run this command at a command prompt:
sc.exe query csagent- The following output should appear if the sensor is running:
SERVICE_NAME: csagent
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
MacOS:
Confirm you are installing on a supported OS:
Downloading the Installer:
- Make sure you are viewing the Child CID where you will want the device/agent to register to.
- DO NOT install devices/agents to a Parent CID.
- Download the install file:
- Copy your CCID with checksum from the right hand side of the screen where you download the installer from.
- Save this in a text file or somewhere you can find it when needed.
- This will be unique per Child CID.
Installing:
- Apple requires system extensions to be approved before they can be loaded.The Falcon sensor for Mac requires these additional authorizations on each host:
- Full Disk Access (FDA) to Falcon
--Installing-the-Falcon-Sensor-kA1VN0000000FGs0AM-0EMVN00000EnsfO.gif)
Important: If Full Disk Access is not enabled, the sensor enters reduced functionality mode (RFM). See Reduced functionality mode: Mac hosts.
- Falcon system extension
- Falcon non-removable system extension (macOS Sequoia 15 and later)
- Falcon network filter extension
- Full Disk Access (FDA) to Falcon
CrowdStrike recommends using an MDM and syncing profiles to the needed MacOS devices that will allow all needed permissions.
- CrowdStrike has some MDM profiles available that can be used:
- Important: There are different profiles for different versions of macOS. Ensure your MDM solution is configured to apply the correct profile to each host.
- CrowdStrike Customer Center article for Sonoma and earlier
- CrowdStrike Customer Center article for Sequoia and later
- You can also create your own MDM profile if desired:
Recommended installation method:
Alternative installation method:
Verifying Sensor/Agent Installation:
- You can confirm a sensor/agent installation by review your hosts in your CrowdStrike (Falcon) management console.
- Make sure you are viewing only a specific Child CID if desired.
- Host management | Host setup and management | Falcon
- To validate that the Falcon sensor for Mac is running on a host, run this command at a terminal:
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats- If the sensor is running, the output shows a list of details about the sensor, including its agent ID (AID), version, and Customer ID.
Linux:
Confirm you are installing on a supported OS and Kernel:
Downloading the Installer:
- Make sure you are viewing the Child CID where you will want the device/agent to register to.
- DO NOT install devices/agents to a Parent CID.
- Download the install file for the needed OS Version:
- Copy your CCID with checksum from the right hand side of the screen where you download the installer from.
- Save this in a text file or somewhere you can find it when needed.
- This will be unique per Child CID.
Installing:
Related Articles
not finding your answers?