Installing the Falcon sensor for Mac requires administrator privileges, also known as elevated privileges.
The Falcon sensor for Mac is currently supported on these macOS versions:
| macOS Version | Minimum Sensor Version | Falcon End-of-Support Date |
|---|---|---|
| macOS Sequoia 15 | All supported sensor versions Intel CPUs and Apple silicon native support included |
December 31, 2027 |
| macOS Sonoma 14 | All supported sensor versions Intel CPUs and Apple silicon native support included |
December 31, 2026 |
| macOS Ventura 13 | All supported sensor versions Intel CPUs and Apple silicon native support included |
December 31, 2025 |
Note: Falcon does not support hosts running in containers, such as Docker.
Apple requires system extensions to be approved before they can be loaded. The Falcon sensor for Mac requires these additional authorizations on each host:
- Full Disk Access (FDA) to Falcon
| Important | If Full Disk Access is not enabled, the sensor enters reduced functionality mode (RFM). See Reduced functionality mode: Mac hosts. |
|---|
- Falcon system extension
- Falcon non-removable system extension (macOS Sequoia 15 and later)
- Falcon network filter extension
If you use profiles provided by CrowdStrike, these authorizations are already configured for you. Apple doesn't allow profiles to be deployed outside of an MDM solution. We strongly recommend you use an MDM solution to distribute the profile to your endpoints prior to the deployment process. These authorizations are only required once. Subsequent upgrades using the built-in upgrade functionality of the sensor will not require additional confirmation approvals on the host.
The profile provided by CrowdStrike for Sonoma and earlier OS versions worked as per our expections. However, the one for Sequoia did not work correctly. We have fixed that for you!!! You can refer the above-attached profiles only to meet your requirements.
There are different methods to successfully install the sensor:
- Recommended installation method: Use an MDM solution to distribute the profile we provide to your endpoints prior to the deployment process. This streamlines the deployment and avoids manual authorization steps on hosts.
- Alternate installation methods:
- Use the standalone installer which streamlines your authorization and post-verification steps.
| Note | If you don’t use an MDM to distribute the profile we provide, multiple authentication confirmations from the OS occur on the host and must manually be approved. |
|---|
- Use an MDM to deploy the correct profile to the hosts. This step can be performed any time prior to sensor deployment. You can utilize the profiles mentioned above.
- Use the Google Chrome browser to download the sensor installer
- Copy your customer ID checksum (CCID) from Host setup and management > Deploy > Sensor downloads.
- Run the sensor installer on your device using one of these two methods:
- Double-click the .pkg file.
- Run this command at a terminal, replacing <installer_filename> with the path and file name of your installer package:
sudo installer -verboseR -package <installer_filename> -target /
- When prompted, enter administrative credentials for the installer.
- Run falconctl, installed with the Falcon sensor, to provide your customer ID checksum (CCID). This command is slightly different if you're installing with installation tokens. In this example, replace 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX with your CID.
sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX\You can automate the complete execution by using any MDM application to install the agent. For our scenario, we would be utilizing Intune.
You can follow the traditional methods to create a task in Intune. 2 Tasks can be craeted where one would be created for pushing the profiles on the workstation and the other task would be used to perform installation of CS Falcon using the above provided commandline.