CrowdStrikebeginner

Install CrowdStrike on Mac: Falcon Sensor Deployment Guide for macOS

Install CrowdStrike Falcon sensor on macOS with step-by-step instructions. Includes sensor download, System Extension approval, Full Disk Access setup, and troubleshooting for Mac deployment.

5 min readUpdated January 2026

Want us to handle this for you?

Get expert help →

The **CrowdStrike Falcon Sensor** provides advanced endpoint protection for macOS, detecting and preventing threats in real time. Installing the Falcon Sensor on macOS ensures continuous security and visibility over your Apple devices.

This guide provides step-by-step instructions for installing the Falcon Sensor on **macOS 10.15 (Catalina) and later**, including **macOS Ventura and Sonoma**.

## Requirements - **Administrator privileges** on the macOS device. - **CrowdStrike Falcon Sensor download link** and **Customer ID (CID)** from the CrowdStrike Falcon Console. - **Internet connection** for cloud-based security updates. - **System Integrity Protection (SIP) enabled** (required for newer macOS versions).

Step 1: Download the CrowdStrike Falcon Sensor

    - **Open a browser and go to the CrowdStrike console. There are two possibilities (Will depend on your tenant): ** - [https://falcon.crowdstrike.com](https://falcon.crowdstrike.com/).
     - [https://falcon.us-2.crowdstrike.com/](https://falcon.us-2.crowdstrike.com/)

    • Sign in using your admin credentials

    • Navigate to the Sensor Downloads Page

    • In the left-hand menu, click Host Setup and Management > Sensor Downloads.

    • Download the macOS Sensor

    • Select the macOS version that matches your device’s operating system.

    • Download the .pkg installation file.

📌 **Note:** The Falcon Sensor requires **macOS 10.15 or later**. Older versions are not supported.

---

Step 2: Install the Falcon Sensor on macOS

Method 1: Install via GUI (Graphical User Interface)

    - **Locate the downloaded file** (FalconSensorMacOS.pkg). - **Double-click the file** to launch the installer. - Follow the **on-screen prompts** and enter your **admin credentials** when required. - When prompted, enter your **CrowdStrike Customer ID (CID)**. - Click **Install** and wait for the installation to complete.
---

Method 2: Install via Terminal (Command Line)

For **silent installations**, use the Terminal:

    - **Open Terminal** (Press **Command + Space**, type Terminal, and hit **Enter**). - **Navigate to the directory** where the Falcon Sensor installer is downloaded:
cd ~/Downloads
    - **Run the installation command** (replace YOUR-CUSTOMER-ID with your actual CID):
sudo installer -pkg FalconSensorMacOS.pkg -target /
    - **Register the Falcon Sensor** with your CID
sudo /Applications/Falcon.app/Contents/Resources/falconctl license YOUR-CUSTOMER-ID
    - **Verify the installation**
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

If installed correctly, you should see **Sensor operational: true** in the output.

---

Step 3: Approve System Extensions (Required for macOS 10.15 and Later)

Since **macOS Catalina (10.15)**, Apple requires **user approval for third-party system extensions**.

    - **Open System Settings (System Preferences on older macOS)**. - Go to **Privacy & Security**. - Look for a message stating that **“CrowdStrike, Inc.” software was blocked**. - Click **Allow** and enter your **Mac administrator password** if prompted. - Restart the Mac if required.

📌 **Note:** This step must be performed manually by the user or pre-approved via **MDM (Mobile Device Management)** for enterprise deployments.

---

Step 4: Approve Full Disk Access (Required for Falcon to Function Fully)

For Falcon to scan files effectively, **Full Disk Access** must be granted:

    - **Open System Settings** > **Privacy & Security**. - Scroll down and select **Full Disk Access**. - Click the **+** icon and add the following Falcon processes:

    • /Applications/Falcon.app/Contents/Resources/falconctl

    • /Applications/Falcon.app/Contents/Resources/falcond

    • Restart the system or run the following command in Terminal:bashCopyEditsudo killall falcond

Step 5: Verify the Falcon Sensor is Running

After installation, confirm that the sensor is active and communicating with **CrowdStrike Falcon Console**.

### Check Sensor Status Using Terminal Run the following command: 
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

You should see output confirming that the **sensor is running and operational**.

### Check in the Falcon Console
    - Log into the **CrowdStrike Falcon Console** ([https://falcon.crowdstrike.com](https://falcon.crowdstrike.com/)). - Navigate to **Hosts** > **Host Management**. - Search for the **Mac device by hostname or IP address**. - If the sensor is successfully installed and reporting, it will appear as **Connected**.

📌 **Note:** It may take **a few minutes** for the device to appear in the console.

---

Troubleshooting Installation Issues

1. Sensor Does Not Appear in Falcon Console

  • Restart the Mac and wait 5-10 minutes for the sensor to connect.
  • Verify that the Falcon service is running:bashCopyEditsudo /Applications/Falcon.app/Contents/Resources/falconctl stats
  • Ensure that the Mac has an active internet connection.

2. “System Extension Blocked” Message Appears

  • Go to System Settings > Privacy & Security and Allow the CrowdStrike extension.

3. Full Disk Access Not Approved

  • Check Privacy & Security > Full Disk Access and make sure Falcon processes are listed.

4. Installation Fails Due to SIP (System Integrity Protection) Issues

  • Ensure SIP is enabled by running:bashCopyEditcsrutil status
  • If disabled, enable it using macOS Recovery Mode.

Best Practices

✅ **Use MDM for Large Deployments** – Pre-approve system extensions and disk access via **Jamf, Intune, or Workspace ONE**.
✅ **Monitor New Installs** – Regularly check the **Falcon Console** to verify new installations.
✅ **Keep Sensors Updated** – Ensure that Mac sensors are **up-to-date** to stay protected from new threats.

Frequently Asked Questions

Find answers to common questions

To ensure CrowdStrike Falcon Sensor installation complies with macOS security requirements, verify compatibility with macOS 10.15 (Catalina) or later. Enable System Integrity Protection (SIP) by checking its status with csrutil status in Terminal; if disabled, enable it via macOS Recovery Mode (restart and hold Command + R). After installation, grant Full Disk Access to Falcon processes by navigating to System Settings > Privacy & Security > Full Disk Access and adding the necessary executables if not listed. In enterprise settings, utilize Mobile Device Management (MDM) solutions like Jamf or Intune to pre-approve system extensions and streamline deployments. Regularly monitor the CrowdStrike Falcon Console to confirm installation status and compliance.

Need Expert CrowdStrike Management?

Our team manages CrowdStrike deployments for businesses like yours. Get 24/7 threat detection and response with expert oversight.

Learn About 24/7 Detection & ResponseExplore Vulnerability Management

Related Articles

CrowdStrike Falcon RBAC Guide: User Roles, Permissions & Least Privilege Access

Complete guide to CrowdStrike Falcon RBAC and user permissions. Configure least privilege access, create SOC analyst roles, manage admin permissions, and troubleshoot access issues.

Read More →

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Configure CrowdStrike exclusions for Exchange Server. Protect database files, logs, and processes to ensure mail flow.

Read More →

Deploy CrowdStrike Falcon via GPO | Active Directory Guide

Step-by-step guide to deploy CrowdStrike Falcon sensors using Group Policy. Silent installation, startup scripts, troubleshooting tips for AD environments.

Read More →
Back to CrowdStrike