Installation on Apple macOS

There are three methods for installing the falcon sensor on your macOS system:

  1. Interactively installing the package
  2. Installing the package file via terminal
  3. Deploying the sensor via your MDM system

Note: If you already use an MDM to manage your macOS devices, the MDM method is strongly preferred, since it reduces the risk that a user declines the sensor installation, which would prevent the sensor from working.

You can also check out this video walkthrough from CrowdStrike.

All three installation methods will result in the following being created:

  • /Applications/Falcon.app: the location of the falcon sensor installation.
  • /Library/Application Support/CrowdStrike/Falcon: the location of the falcon sensor data files.
  • com.crowdstrike.falcon.Agent: the Endpoint Security Framework System Extension that gets registered (you can confirm this with systemextensionsctl list).

1. Interactively installing the sensor package

  1. Retrieve your sensor installation file from IRON.

  2. Locate the file falcon-sensor.pkg on your device and double-click it.

  3. Click through the installation wizard. When asked to fill in the CID, enter the IRON CID you received.

 

2. Installing the package file via terminal

  1. Retrieve your sensor installation file from IRON.

  2. Run the following command in terminal, replacing path/to/falcon-sensor.pkg with the actual path of your falcon-sensor.pkg file:

% sudo installer -pkg path/to/falcon-sensor.pkg -target /

  3. During the installation you will be asked to provide your account password so the installer can elevate to administrator.

  4. Approve the System Extension so the sensor can start doing its job:

    A message box will tell you that a program tried to load new system extensions signed by “Crowdstrike.Inc”.

    When this system extension blocked message appears, click Open security preferences.

    If it does not appear, open your System Preferences, pick Security & Privacy and then open the General tab.

    At the bottom there will be a button to approve the sensor System Extension. Click it.

    Note: the notification disappears if you don’t interact with it in the next 30 minutes. Restart your device to get the approval message again.

  5. Allow the sensor to capture network traffic by pressing Allow in the Network Filter approval message.

  6. Grant the sensor Full Disk Access in the Security & Privacy window by going to the Privacy tab and clicking Full Disk Access.

    In the right pane click the plus item, navigate to /Applications and select Falcon.app. Now click Open.

    Click Quit now if this is required.

  7. The sensor should now be running. You still need to link your sensor to your account using your CID:

% sudo /Applications/Falcon.app/Contents/Resources/falconctl license YOUR-CID

  8. Verify that your sensor installed correctly and is communicating with our cloud:

% sudo /Applications/Falcon.app/Contents/Resources/falconctl stats | grep 'Cloud Info' -C3 | tail -n+4

It should mention State: connected.
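The checks above can be combined into one post-install health check. This is an added example, not code from this page or from CrowdStrike. It assumes that systemextensionsctl list ends each row with a bracketed state such as [activated enabled], and that falconctl stats prints State: within three lines of Cloud Info, as the command above implies. The function names ext_status, cloud_state and check_sensor are hypothetical.

```shell
#!/bin/sh
# Added example: post-install health check for the Falcon sensor on macOS.
EXT_ID="com.crowdstrike.falcon.Agent"
FALCONCTL="/Applications/Falcon.app/Contents/Resources/falconctl"

# Classify the extension from `systemextensionsctl list` output on stdin.
# Assumed row format: "... <bundleID> (<version>) <name> [<state>]".
ext_status() {
    row=$(grep -F "$EXT_ID" | head -n 1) || true
    case "$row" in
        "")                       echo missing ;;
        *"[activated enabled]"*)  echo approved ;;
        *"waiting for user"*)     echo pending-approval ;;
        *)                        echo other ;;
    esac
}

# Print the State value found within three lines after "Cloud Info"
# in `falconctl stats` output on stdin (same window as the grep/tail above).
cloud_state() {
    awk '/Cloud Info/ { left = 3; next }
         (left-- > 0) && /^[ \t]*State:/ { sub(/^[ \t]*State:[ \t]*/, ""); print; exit }'
}

# Check the installed artifacts, the extension approval and the cloud link.
check_sensor() {
    rc=0
    [ -d /Applications/Falcon.app ] || { echo "FAIL: Falcon.app missing"; rc=1; }
    [ -d "/Library/Application Support/CrowdStrike/Falcon" ] ||
        { echo "FAIL: sensor data directory missing"; rc=1; }
    st=$(systemextensionsctl list 2>/dev/null | ext_status)
    [ "$st" = approved ] || { echo "FAIL: system extension is $st"; rc=1; }
    cs=$("$FALCONCTL" stats 2>/dev/null | cloud_state)
    [ "$cs" = connected ] || { echo "FAIL: cloud state is '${cs:-unknown}'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: sensor installed, approved and connected"
    return "$rc"
}

# Live check runs only on macOS; falconctl needs root, as in the commands above.
if [ "$(uname -s)" = Darwin ]; then check_sensor; fi
```

Run it as root, for example as a follow-up script after the package install. A pending-approval result means the user has not yet approved the System Extension, so the sensor is installed but not working.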

 

3. Deploying the sensor via your MDM system

  1. Ensure the falcon macOS profile is installed to your endpoints so the necessary permissions are automatically granted to the sensor.

    We typically recommend doing this at least a few days prior to the sensor deployment.

  2. Provide the falcon-sensor.pkg file to your MDM system for installation and deploy it to your endpoints.

    You will also need to run /Applications/Falcon.app/Contents/Resources/falconctl license YOUR-CID as root on your endpoints.