
How to deploy CrowdStrike Falcon to your Macs using Hexnode UEM?

What is CrowdStrike Falcon?

CrowdStrike Falcon is a cloud-based endpoint security system that provides an industry-leading anti-virus solution for your macOS and Windows devices. Falcon is powered by the latest technologies in AI and ML to ensure that security breaches and malware are neutralized before they cause significant damage to your devices.

The capabilities of the CrowdStrike Falcon platform are:

  • Industry-leading next-generation anti-virus (NGAV) solution
  • Endpoint detection and response (EDR) system
  • Cyber threat intelligence
  • Managed threat hunting
  • Security hygiene

Once the Falcon sensor gets installed on your device, you can monitor all your devices from the Falcon console.

Steps to deploy the CrowdStrike Falcon sensor

Upload the Falcon sensor PKG file to Hexnode’s app inventory

The Falcon sensor PKG file can be downloaded from the CrowdStrike console under Host setup and management > Sensor downloads. Follow the steps below to upload the PKG file to Hexnode’s app inventory:

  1. Navigate to the Apps tab, click on the +Add Apps dropdown, and select Enterprise App.
  2. Select macOS, enter the application’s required details, and upload the PKG file.
  3. Click on Add.

Create a policy to deploy CrowdStrike Falcon sensor along with the required configurations

You need to configure System Extensions, Kernel Extensions and PPPC settings for the CrowdStrike Falcon sensor to operate flawlessly on your devices. Kernel Extensions must be configured only if your Mac runs on macOS 10.14 and below. Follow the steps given below to create a policy with all the required configurations to deploy the CrowdStrike Falcon sensor:

  1. Navigate to Policies > New Policy > macOS.
  2. To deploy the CrowdStrike Falcon sensor,
    1. Select Mandatory Apps from the left menu and click on Configure.
    2. Click on +Add > Add App and select the CrowdStrike sensor PKG file.
    3. Click on Done.
    4. Once the app is added, click Configure next to the app under the Scripts column to add a pre-install script, post-install script, or audit script to customize app deployment based on your requirements.
  3. To configure System Extensions,
    1. Select System Extensions from the left menu and click on Configure.
    2. Under Team Identifier, enter X9E956P446 as the Team ID and click on Add.
  4. To configure Kernel Extensions,
    1. Select Kernel Extensions from the left menu and click on Configure.
    2. Under Team Identifier, enter X9E956P446 as the Team ID and click on Add.
  5. To configure PPPC,
    1. Select Privacy Preferences from the left menu and click on Configure.
    2. Select +Add new preferences.
    3. Set the All Files option to Allow.
    4. Click on Specify Bundle IDs/Path.
  6. Full Disk Access needs to be given for the following components:

    Sl No 1
      Identifier Type: Bundle ID
      Identifier: com.crowdstrike.falcon.Agent
      Code Requirement: identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446

    Sl No 2
      Identifier Type: Bundle ID
      Identifier: com.crowdstrike.falcon.App
      Code Requirement: identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
  7. To configure third-party Plugin web content filter and Notification Settings, select Deploy Custom Configuration and upload your configuration profile. Here’s a sample configuration profile:
  8. To associate the policy with your devices, navigate to Policy Targets, select all your required devices, and click on Save.
Disclaimer:

The sample configuration profile given above is subject to OS or application updates. It is recommended to verify the configuration profile on the targeted OS versions using third-party profile editors before deploying it in bulk.

What happens once the policy is associated?

After associating the policy with the device, the following processes are initiated, depending on the configurations specified in the policy.

  1. The CrowdStrike sensor PKG gets installed on the device, consisting of two apps: the CrowdStrike agent app and the CrowdStrike sensor app.
  2. The system extensions and kernel extensions configurations allocate the necessary permissions to the applications accordingly.
  3. The CrowdStrike agent and CrowdStrike sensor apps are granted Full Disk Access. The apps may or may not appear in the list under Privacy & Security > Full Disk Access with the toggle button on/off on the device end. Rest assured that the permissions have been successfully granted to them.
  4. Third-party Plugin web content filtering and Notification Settings are configured.
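Because the Full Disk Access toggle may not be visible on the device, it helps to verify the deployment another way. The following is an added example, not Hexnode's or CrowdStrike's own code: a POSIX sh script that can be run from Live Terminal (or adapted for the audit-script slot) to confirm that Falcon.app carries exactly the designated requirement listed in the Full Disk Access table above and that the com.crowdstrike.falcon.Agent system extension reports as activated, by parsing `codesign -dr -` and `systemextensionsctl list` output. The install path /Applications/Falcon.app is an assumption, and the embedded sample command outputs are constructed so the helpers can be exercised off a Mac.

```shell
#!/bin/sh
# Constructed audit helpers (not Hexnode's or CrowdStrike's code).
# Expected values are taken from the Full Disk Access table above.
EXPECTED_TEAM_ID='X9E956P446'
EXPECTED_APP_REQ='identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446'
FALCON_APP='/Applications/Falcon.app'   # assumed install path of the Falcon app bundle

# $1 = text output of `codesign -dr - <bundle>`, $2 = expected requirement.
# codesign prints the designated requirement on a line starting "designated => ".
# An exact match confirms the bundle is the CrowdStrike-signed build the PPPC
# grant is bound to, not merely something that reuses the same bundle ID.
designated_requirement_matches() {
    actual=$(printf '%s\n' "$1" | sed -n 's/^designated => //p')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# $1 = text output of `systemextensionsctl list`, $2 = team ID, $3 = bundle ID.
# A loaded extension's row ends with "[activated enabled]".
sysext_active() {
    printf '%s\n' "$1" | grep -F "$2" | grep -F "$3" | grep -Fq '[activated enabled]'
}

# Live audit: returns 0 only when the app is present, correctly signed, and
# its Agent system extension is running.
audit_live() {
    [ -d "$FALCON_APP" ] || { echo "FAIL: $FALCON_APP not found"; return 1; }
    designated_requirement_matches "$(codesign -dr - "$FALCON_APP" 2>/dev/null)" "$EXPECTED_APP_REQ" \
        || { echo "FAIL: Falcon.app signature differs from the expected requirement"; return 1; }
    sysext_active "$(systemextensionsctl list 2>/dev/null)" "$EXPECTED_TEAM_ID" 'com.crowdstrike.falcon.Agent' \
        || { echo "FAIL: com.crowdstrike.falcon.Agent extension is not active"; return 1; }
    echo "PASS: Falcon sensor deployed and running"
}

# Constructed sample outputs (shape of real codesign / systemextensionsctl output).
SAMPLE_CODESIGN='designated => identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446'
SAMPLE_SYSEXT='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled  active  teamID  bundleID (version)  name  [state]
*  *  X9E956P446  com.crowdstrike.falcon.Agent (0.0/0)  Agent  [activated enabled]'

audit_sample() {
    designated_requirement_matches "$SAMPLE_CODESIGN" "$EXPECTED_APP_REQ" \
        && sysext_active "$SAMPLE_SYSEXT" "$EXPECTED_TEAM_ID" 'com.crowdstrike.falcon.Agent'
}

case "${1:-}" in live) audit_live ;; *) audit_sample && echo "sample checks pass" ;; esac
```

Run it with the argument `live` on a managed Mac to check the real installation; with no argument it only exercises the helpers against the constructed samples.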

License the Product using Custom Scripting

Execute the following script to license your CrowdStrike Falcon agent using Custom Scripts or Live Terminal:

Uninstalling the Falcon Sensor

If maintenance protection is disabled, run the following script using Custom Scripts or Live Terminal:

Follow the below steps when the maintenance protection is enabled:

  1. In the CrowdStrike cloud console, find the endpoint on the Host Management screen and click on it to access further details about the host.
  2. Click the Reveal maintenance token button.
  3. Write a reason for using the token and click the Reveal Token button. Note the maintenance token.
  4. Start the Live Terminal from the device management tab and run the following script:
  5. Enter the maintenance token when prompted.

CrowdStrike Falcon will be uninstalled.
