How to Install the CrowdStrike Falcon Sensor on macOS

The CrowdStrike Falcon Sensor provides advanced endpoint protection for macOS, detecting and preventing threats in real time. Installing the Falcon Sensor on macOS ensures continuous security and visibility over your Apple devices.

This guide provides step-by-step instructions for installing the Falcon Sensor on macOS 10.15 (Catalina) and later, including macOS Ventura and Sonoma.

Requirements

• Administrator privileges on the macOS device.
• CrowdStrike Falcon Sensor download link and Customer ID (CID) from the CrowdStrike Falcon Console.
• Internet connection for cloud-based security updates.
• System Integrity Protection (SIP) enabled (required for newer macOS versions).

---

Step 1: Download the CrowdStrike Falcon Sensor

1. Log into the CrowdStrike Falcon Console
   • Open a browser and go to https://falcon.crowdstrike.com.
   • Sign in with your admin credentials.
2. Navigate to the Sensor Downloads Page
   • In the left-hand menu, click Host Setup and Management > Sensor Downloads.
3. Download the macOS Sensor
   • Select the macOS version that matches your device’s operating system.
   • Download the .pkg installation file.

📌 Note: The Falcon Sensor requires macOS 10.15 or later. Older versions are not supported.

---

Step 2: Install the Falcon Sensor on macOS

Method 1: Install via GUI (Graphical User Interface)

1. Locate the downloaded file (FalconSensorMacOS.pkg).
2. Double-click the file to launch the installer.
3. Follow the on-screen prompts and enter your admin credentials when required.
4. When prompted, enter your CrowdStrike Customer ID (CID).
5. Click Install and wait for the installation to complete.

---

Method 2: Install via Terminal (Command Line)

For silent installations, use the Terminal:

1. Open Terminal (Press Command + Space, type Terminal, and hit Enter).
2. Navigate to the directory where the Falcon Sensor installer is downloaded:

cd ~/Downloads

3. Run the installation command (replace YOUR-CUSTOMER-ID with your actual CID):

sudo installer -pkg FalconSensorMacOS.pkg -target /

4. Register the Falcon Sensor with your CID

sudo /Applications/Falcon.app/Contents/Resources/falconctl license YOUR-CUSTOMER-ID

5. Verify the installation

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

If installed correctly, you should see Sensor operational: true in the output.

---

Step 3: Approve System Extensions (Required for macOS 10.15 and Later)

Since macOS Catalina (10.15), Apple requires user approval for third-party system extensions.

1. Open System Settings (System Preferences on older macOS).
2. Go to Privacy & Security.
3. Look for a message stating that “CrowdStrike, Inc.” software was blocked.
4. Click Allow and enter your Mac administrator password if prompted.
5. Restart the Mac if required.

📌 Note: This step must be performed manually by the user or pre-approved via MDM (Mobile Device Management) for enterprise deployments.

---

Step 4: Approve Full Disk Access (Required for Falcon to Function Fully)

For Falcon to scan files effectively, Full Disk Access must be granted:

1. Open System Settings > Privacy & Security.
2. Scroll down and select Full Disk Access.
3. Click the + icon and add the following Falcon processes:
   • /Applications/Falcon.app/Contents/Resources/falconctl
   • /Applications/Falcon.app/Contents/Resources/falcond
4. Restart the system or run the following command in Terminal:bashCopyEditsudo killall falcond

---

Step 5: Verify the Falcon Sensor is Running

After installation, confirm that the sensor is active and communicating with CrowdStrike Falcon Console.

Check Sensor Status Using Terminal

Run the following command:

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

You should see output confirming that the sensor is running and operational.

Check in the Falcon Console

1. Log into the CrowdStrike Falcon Console (https://falcon.crowdstrike.com).
2. Navigate to Hosts > Host Management.
3. Search for the Mac device by hostname or IP address.
4. If the sensor is successfully installed and reporting, it will appear as Connected.

📌 Note: It may take a few minutes for the device to appear in the console.

---

Troubleshooting Installation Issues

1. Sensor Does Not Appear in Falcon Console

• Restart the Mac and wait 5-10 minutes for the sensor to connect.
• Verify that the Falcon service is running:bashCopyEditsudo /Applications/Falcon.app/Contents/Resources/falconctl stats
• Ensure that the Mac has an active internet connection.

2. “System Extension Blocked” Message Appears

• Go to System Settings > Privacy & Security and Allow the CrowdStrike extension.

3. Full Disk Access Not Approved

• Check Privacy & Security > Full Disk Access and make sure Falcon processes are listed.

4. Installation Fails Due to SIP (System Integrity Protection) Issues

• Ensure SIP is enabled by running:bashCopyEditcsrutil status
• If disabled, enable it using macOS Recovery Mode.

---

Best Practices

✅ Use MDM for Large Deployments – Pre-approve system extensions and disk access via Jamf, Intune, or Workspace ONE.
✅ Monitor New Installs – Regularly check the Falcon Console to verify new installations.
✅ Keep Sensors Updated – Ensure that Mac sensors are up-to-date to stay protected from new threats.