CrowdStrikebeginner

Install CrowdStrike on Mac: Falcon Sensor Deployment Guide for macOS

Install CrowdStrike Falcon sensor on macOS with step-by-step instructions. Includes sensor download, System Extension approval, Full Disk Access setup, and troubleshooting for Mac deployment.

5 min readUpdated January 2025

The CrowdStrike Falcon Sensor provides advanced endpoint protection for macOS, detecting and preventing threats in real time. Installing the Falcon Sensor on macOS ensures continuous security and visibility over your Apple devices.

This guide provides step-by-step instructions for installing the Falcon Sensor on macOS 10.15 (Catalina) and later, including macOS Ventura and Sonoma.

Requirements

  • Administrator privileges on the macOS device.
  • CrowdStrike Falcon Sensor download link and Customer ID (CID) from the CrowdStrike Falcon Console.
  • Internet connection for cloud-based security updates.
  • System Integrity Protection (SIP) enabled (required for newer macOS versions).

Step 1: Download the CrowdStrike Falcon Sensor

  1. Open a browser and go to the CrowdStrike console. There are two possibilities (Will depend on your tenant):
  2. Sign in using your admin credentials
  3. Navigate to the Sensor Downloads Page
    • In the left-hand menu, click Host Setup and Management > Sensor Downloads.
  4. Download the macOS Sensor
    • Select the macOS version that matches your device’s operating system.
    • Download the .pkg installation file.

📌 Note: The Falcon Sensor requires macOS 10.15 or later. Older versions are not supported.

Step 2: Install the Falcon Sensor on macOS

Method 1: Install via GUI (Graphical User Interface)

  1. Locate the downloaded file (FalconSensorMacOS.pkg).
  2. Double-click the file to launch the installer.
  3. Follow the on-screen prompts and enter your admin credentials when required.
  4. When prompted, enter your CrowdStrike Customer ID (CID).
  5. Click Install and wait for the installation to complete.

Method 2: Install via Terminal (Command Line)

For silent installations, use the Terminal:

  1. Open Terminal (Press Command + Space, type Terminal, and hit Enter).
  2. Navigate to the directory where the Falcon Sensor installer is downloaded:
cd ~/Downloads
  1. Run the installation command (replace YOUR-CUSTOMER-ID with your actual CID):
sudo installer -pkg FalconSensorMacOS.pkg -target /
  1. Register the Falcon Sensor with your CID
sudo /Applications/Falcon.app/Contents/Resources/falconctl license YOUR-CUSTOMER-ID
  1. Verify the installation
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

If installed correctly, you should see Sensor operational: true in the output.

Step 3: Approve System Extensions (Required for macOS 10.15 and Later)

Since macOS Catalina (10.15), Apple requires user approval for third-party system extensions.

  1. Open System Settings (System Preferences on older macOS).
  2. Go to Privacy & Security.
  3. Look for a message stating that “CrowdStrike, Inc.” software was blocked.
  4. Click Allow and enter your Mac administrator password if prompted.
  5. Restart the Mac if required.

📌 Note: This step must be performed manually by the user or pre-approved via MDM (Mobile Device Management) for enterprise deployments.

Step 4: Approve Full Disk Access (Required for Falcon to Function Fully)

For Falcon to scan files effectively, Full Disk Access must be granted:

  1. Open System Settings > Privacy & Security.
  2. Scroll down and select Full Disk Access.
  3. Click the + icon and add the following Falcon processes:
    • /Applications/Falcon.app/Contents/Resources/falconctl
    • /Applications/Falcon.app/Contents/Resources/falcond
  4. Restart the system or run the following command in Terminal:bashCopyEditsudo killall falcond

Step 5: Verify the Falcon Sensor is Running

After installation, confirm that the sensor is active and communicating with CrowdStrike Falcon Console.

Check Sensor Status Using Terminal

Run the following command:

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

You should see output confirming that the sensor is running and operational.

Check in the Falcon Console

  1. Log into the CrowdStrike Falcon Console (https://falcon.crowdstrike.com).
  2. Navigate to Hosts > Host Management.
  3. Search for the Mac device by hostname or IP address.
  4. If the sensor is successfully installed and reporting, it will appear as Connected.

📌 Note: It may take a few minutes for the device to appear in the console.

Troubleshooting Installation Issues

1. Sensor Does Not Appear in Falcon Console

  • Restart the Mac and wait 5-10 minutes for the sensor to connect.
  • Verify that the Falcon service is running:bashCopyEditsudo /Applications/Falcon.app/Contents/Resources/falconctl stats
  • Ensure that the Mac has an active internet connection.

2. “System Extension Blocked” Message Appears

  • Go to System Settings > Privacy & Security and Allow the CrowdStrike extension.

3. Full Disk Access Not Approved

  • Check Privacy & Security > Full Disk Access and make sure Falcon processes are listed.

4. Installation Fails Due to SIP (System Integrity Protection) Issues

  • Ensure SIP is enabled by running:bashCopyEditcsrutil status
  • If disabled, enable it using macOS Recovery Mode.

Best Practices

Use MDM for Large Deployments – Pre-approve system extensions and disk access via Jamf, Intune, or Workspace ONE.
Monitor New Installs – Regularly check the Falcon Console to verify new installations.
Keep Sensors Updated – Ensure that Mac sensors are up-to-date to stay protected from new threats.

Frequently Asked Questions

Find answers to common questions

To ensure CrowdStrike Falcon Sensor installation complies with macOS security requirements, verify compatibility with macOS 10.15 (Catalina) or later. Enable System Integrity Protection (SIP) by checking its status with csrutil status in Terminal; if disabled, enable it via macOS Recovery Mode (restart and hold Command + R). After installation, grant Full Disk Access to Falcon processes by navigating to System Settings > Privacy & Security > Full Disk Access and adding the necessary executables if not listed. In enterprise settings, utilize Mobile Device Management (MDM) solutions like Jamf or Intune to pre-approve system extensions and streamline deployments. Regularly monitor the CrowdStrike Falcon Console to confirm installation status and compliance.

Need Professional Help?

Our team of experts can help you implement and configure these solutions for your organization.

Contact Our TeamView Our Services

Related Articles

CrowdStrike User Roles: Create Custom Roles & Manage Permissions

Create and manage user roles in CrowdStrike Falcon with custom permissions. Step-by-step guide to configure role-based access control (RBAC), assign permissions, and restrict user access to Falcon console features.

Read More →

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Configure essential CrowdStrike exclusions for Microsoft Exchange Server. Protect database files, transaction logs, and processes to prevent corruption and ensure mail flow.

Read More →

Deploy CrowdStrike Falcon via GPO | Active Directory Guide

Step-by-step guide to deploy CrowdStrike Falcon sensors using Group Policy. Silent installation, startup scripts, troubleshooting tips for AD environments.

Read More →
Back to CrowdStrike