How to deploy CrowdStrike Falcon Sensor to macOS using Hexnode?Solved

Hi @remi,
Thank you for reaching out to us. Deploying the CrowdStrike Falcon Sensor on macOS requires specific configuration steps to ensure it runs flawlessly, specifically regarding system permissions. Here is the step-by-step guide:

Step 1: Upload the Falcon sensor PKG file to Hexnode’s App Inventory

1. Download the Falcon sensor PKG file from your CrowdStrike console (Host setup and management > Sensor downloads).
2. In your Hexnode UEM portal, navigate to the Apps tab.
3. Click on the +Add Apps dropdown and select Enterprise App.
4. Select macOS, enter the application’s required details, and upload the PKG file.
5. Click Add.

Step 2: Create a Policy to Deploy and Configure CrowdStrike

You need to configure System Extensions, Kernel Extensions (if running macOS 10.14 or below), and PPPC settings.

1. Navigate to Policies > New Policy > Create a fully custom policy > macOS.
2. Add the App: Go to Required Apps, click Configure, then +Add > Add App and select your CrowdStrike PKG file. (You can add pre-install script, post-install script or audit script scripts here if needed).
3. Configure System Extensions: Select System Extensions from the left menu and click Configure. Under Team Identifier, enter X9E956P446 as the Team ID and click Add.
4. Configure Kernel Extensions (Older Macs only): Select Kernel Extensions and click Configure. Enter X9E956P446 as the Team ID and click Add.
5. Configure PPPC (Full Disk Access): Select Privacy Preferences and click Configure. Click +Add new preferences.
   1. Set the All Files option to Allow.
   2. Click on Specify Bundle IDs/Path.
   3. Add the following two components for Full Disk Access:

   Sl No	Identifier Type	Identifier	Code Requirement
   1.	Bundle ID	com.crowdstrike.falcon.Agent	identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
   2.	Bundle ID	com.crowdstrike.falcon.App	identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446

Step 3: Deploy Custom Configurations (Web Filtering & Notifications)

You will need to use the Deploy Custom Configuration policy payload to push an XML configuration profile for Notification Settings and the third-party Plugin web content filter.

For macOS Sequoia 15.0.1 and later, you must also deploy a custom configuration profile to prevent users from manually removing the system extension via System Settings.

You will find the exact sample configuration profiles for both of these requirements in our documentation here: How to deploy CrowdStrike Falcon Sensor to your Mac devices using Hexnode UEM.

Step 4: Associate the Policy

Once all configurations are added, navigate to Policy Targets, select your required macOS devices, and click Save.

What happens next?

• The PKG installs the Agent and Sensor apps.
• The system/kernel extensions allocate necessary permissions.
• Full Disk Access is granted (Note: they might not visually appear in the device’s System Settings under Privacy & Security, but the permissions are granted).

Step 5: License the Product

Finally, execute the following script to license your CrowdStrike Falcon agent using Hexnode’s Execute Custom Scripts action or Live Terminal:

If you have any other questions, let me know.

Regards,
Eden Pierce
Hexnode