
How-to Guide: Manually Installing the CrowdStrike Falcon Sensor on a Mac

    


Installing the CrowdStrike Falcon Sensor has sometimes been a challenge on Macs, especially without a mobile device management (MDM) solution, and recent releases from Apple have only amplified that.

Users have been required to approve kernel extensions (kexts) within the Security & Privacy window for each app that uses them since macOS 10.14 (Mojave). However, with macOS 11 (Big Sur), Apple has made their position regarding kexts even more clear by forcing users to agree to “Reduced Security” mode from the boot menu before they even get those approval requests.

Furthermore, starting in late 2020, Apple has begun shipping computers that use their own proprietary chip – the Apple Silicon or M1 – rather than Intel processors. Many applications specifically built for Intel-based Macs require a “translator” to work on M1 Macs. This translator is called Rosetta and is free to download, install, and use, but it can feel like another speed bump for end users (or admins) who are trying to deploy applications across a varied landscape of user devices.

What do these new releases mean for institutions that rely on CrowdStrike for their security? The good news is that it is still possible to manually install the CrowdStrike Falcon Sensor on a Mac running Big Sur and using the M1 chip; it just takes a couple of extra steps. See below for the full installation guide.

For more information about kernel extensions in macOS, check out this guide from Apple; and for more information about Rosetta, check out this article.

Enable Kernel Extensions

  1. Shut down the computer.
  2. Once it is off, hold down the power button until you see the following screen:

  3. Click Options.
  4. Click Utilities > Startup Security Utility.

  5. Click Security Policy.

  6. On the following screen:
    1. Select Reduced Security.
    2. Check Allow user management of kernel extensions from identified developers.
    3. Click OK.

  7. Restart the computer and boot up normally.

Install Rosetta 2

  1. Launch Terminal.
  2. Run the following command: /usr/sbin/softwareupdate --install-rosetta --agree-to-license

Install CrowdStrike Falcon Sensor

  1. Download the sensor installer.
  2. Run the sensor installer on your device using one of these two methods:
    1. Double-click the .pkg file or
    2. Run this command at a terminal, replacing <installer_filename> with the path and file name of your installer package: sudo installer -verboseR -package <installer_filename> -target /
  3. When prompted, enter administrative credentials for the installer.
  4. Click Allow when Falcon asks to monitor network activity:

  5. Click Open Security Preferences when “CrowdStrike Inc.” tries to load a new system extension:

  6. In the Security & Privacy window…
    1. Click on the General tab.
    2. Click the padlock icon and enter administrative credentials to unlock.
    3. Click Allow next to the notification about “CrowdStrike Inc.”

  7. Still within the Security & Privacy window…
    1. Click on the Privacy tab.
    2. In the left pane, select Full Disk Access.
    3. In the right pane, scroll through the list and check both Agent and Falcon.
    4. Click the + button.

  8. Still in the Security & Privacy window…
    1. Click the padlock icon again to lock it.


Confirm the CrowdStrike Falcon Sensor Installed Successfully

  1. Launch Terminal.
  2. Run the following command: sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

The output should show details about the sensor, including its agent ID (AID), version, customer ID, etc.
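
The Terminal steps from the sections above, combined into one script as an added example (not code from this guide's author or from CrowdStrike). It installs Rosetta only when needed and checks the installer's signature with pkgutil before running it. The function names are hypothetical, and it assumes the package signer carries the same "CrowdStrike Inc." name shown in the approval prompt.

```bash
#!/bin/bash
# Added example: the guide's Terminal steps plus a signature check on the installer.
# Assumption: the package signer carries the "CrowdStrike Inc." name from the approval prompt.
FALCONCTL=/Applications/Falcon.app/Contents/Resources/falconctl

# True when the Rosetta step applies: Apple Silicon and x86_64 code cannot run yet.
# $1 = output of `uname -m`, $2 = "yes" if x86_64 binaries already run.
needs_rosetta() {
  [ "$1" = "arm64" ] && [ "$2" != "yes" ]
}

# Reads `pkgutil --check-signature` output on stdin. True only when the status line
# reports an Apple-issued developer certificate and the signer is CrowdStrike Inc.
# A name match is the minimum; also pin the Team ID in parentheses if you know it.
signed_by_crowdstrike() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q 'Status: signed by a developer certificate issued by Apple' &&
    printf '%s\n' "$out" | grep -q 'Developer ID Installer: CrowdStrike Inc\. ('
}

# $1 = path to the sensor installer .pkg
install_falcon() {
  pkg=$1
  rosetta=no
  # Running any x86_64 binary succeeds only if Rosetta is present (or on Intel).
  arch -x86_64 /usr/bin/true 2>/dev/null && rosetta=yes
  if needs_rosetta "$(uname -m)" "$rosetta"; then
    /usr/sbin/softwareupdate --install-rosetta --agree-to-license || return 1
  fi
  # Refuse to hand an unverified package to `sudo installer`.
  if ! pkgutil --check-signature "$pkg" | signed_by_crowdstrike; then
    echo "refusing to install: $pkg is not signed by CrowdStrike Inc." >&2
    return 1
  fi
  sudo installer -verboseR -package "$pkg" -target / || return 1
  # The Security & Privacy approvals are still clicked by hand; then confirm the sensor.
  sudo "$FALCONCTL" stats
}

# Run only on macOS and only when a package path is given.
if [ "$(uname -s)" = "Darwin" ] && [ -n "${1:-}" ]; then
  install_falcon "$1"
fi
```

Run it with the installer path as the only argument; if falconctl stats fails right after the install, finish the Security & Privacy approvals and run that command again.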

FAQs

What is CrowdStrike Falcon Sensor?
The CrowdStrike Falcon Sensor is a lightweight security agent designed to protect your devices from cyber threats. It uses advanced AI and machine learning to detect and prevent malware, ransomware, and other cyberattacks in real time. It’s commonly used by businesses to secure their endpoints, including laptops, desktops, and servers.
How to disable CrowdStrike Falcon Sensor?
Disabling the CrowdStrike Falcon Sensor is not recommended as it leaves your device vulnerable to threats. However, if necessary, it can be temporarily disabled by an administrator through the CrowdStrike Falcon console. Always consult your IT team or managed service provider before making any changes.
What does CrowdStrike do?
CrowdStrike is a leading cybersecurity company that provides endpoint protection, threat intelligence, and incident response services. Its Falcon platform uses cloud-based technology to detect, prevent, and respond to cyber threats across your network.
Does CrowdStrike Falcon Sensor update itself?
Yes, the CrowdStrike Falcon Sensor is designed to update itself automatically. It regularly receives updates from the CrowdStrike cloud to ensure it has the latest threat intelligence and security features, keeping your devices protected without manual intervention.
How to uninstall CrowdStrike Falcon Sensor without a token?
Uninstalling the CrowdStrike Falcon Sensor typically requires an uninstall token for security reasons. If you don’t have a token, contact your IT administrator or CrowdStrike support for assistance. Attempting to uninstall it without proper authorization may violate your organization’s security policies.
Does my computer use CrowdStrike Falcon Sensor?
If your organization uses CrowdStrike for cybersecurity, your computer likely has the Falcon Sensor installed. You can check by looking for the CrowdStrike Falcon agent in your system’s installed programs or task manager. For confirmation, contact your IT department or managed service provider.
