CrowdStrike Falcon Deploy Guide (#31814)

Guide for deploying CS Falcon.

Still needs a few links added, in draft for review

---------

Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Eric <eashaw@sailsjs.com>
Harrison Ravazzolo 2025-08-13 18:01:05 -07:00 committed by GitHub
parent a4a9a3f79a
commit edf75479d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 452 additions and 0 deletions

@ -0,0 +1,137 @@
# Deploy CrowdStrike Falcon with Fleet
This guide will show you how to deploy CrowdStrike Falcon on macOS, Linux and Windows using Fleet. It covers installing the CrowdStrike Falcon application, creating a post-install script for collecting the CrowdStrike Customer ID for activation and deploying required application configurations.
## Upload the CrowdStrike Falcon installer to Fleet
1. In the Falcon console, go to **Host setup and management** > **Sensor Downloads**.
2. Download the installer for the appropriate OS and architecture.
3. In Fleet, go to **Software > Add software > Custom package** to upload the installer.
4. Select **Automatic install** or **Self-service** if these options apply to your environment.
>If needed, use [labels](https://fleetdm.com/guides/managing-labels-in-fleet) to scope installations for different hardware architectures.
## Create a post-install script for collecting the CrowdStrike Customer ID
Your CrowdStrike **Customer ID** can be found on the Sensor download page in the CrowdStrike console.
The **Customer ID** _must be collected_ during the installation to activate the Falcon application. Adding the platfom-specifc scripts below as a post-install action to the uploaded CrowdStrike Falcon custom package settings in Fleet will allow the host on which the application has been installed to collect the **Customer ID** for activation in the CrowdStrike tenant.
>For reference, Crowdstrike Falcon scripts and install documentation can be found at: https://github.com/CrowdStrike/falcon-scripts
## macOS
If your organization is using Fleet GitOps and you want to pass the CrowdStrike site key as a secret, follow this guide: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles.
For admins using the macOS Setup Experience in Fleet, we recommend adding the Falcon application to the list of software being installed during initial provisioning.
### Upload a macOS post-install script to Fleet for collecting the CrowdStrike Customer ID
To use this script, copy your **Customer ID** from the CrowdStrike console, then, paste it into the value for the `CUSTOMER_ID` variable below. Next, copy the modified script to the CrowdStrike Falcon custom package settings as a post-install action in Fleet:
```
#!/bin/bash
CUSTOMER_ID="YOUR-CUSTOMER-ID-HERE"
FALCON_PATH="/Applications/Falcon.app/Contents/Resources/falconctl"
sudo "$FALCON_PATH" license "$CUSTOMER_ID"
# Check status
if [ $? -eq 0 ]; then
echo "Activation completed"
else
echo "Activation failed"
exit 1
fi
```
### Upload macOS configuration files to Fleet
CrowdStrike Falcon requires multiple `.mobileconfig` payloads on macOS.
>These payloads can be combined into a single Configuration Profile, or, delivered in separate Configuration Profiles for modularity and easier reading.
`crowdstrike-service-management.mobileconfig` - Configure CrowdStrike Falcon as a managed login item so its services can't be stopped by end users.
`crowdstrike-notification.mobileconfig` - Suppress notifications to reduce end user notifcation fatigue. (This is a best practice for many fully-managed applications.)
`crowdstrike-system-extension` - Install the CrowdStrike Falcon System Extension to allow all necessary application entitlements and access to the macOS kernel.
`crowdstrike-web-filter.mobileconfig` - Enable web filtering to monitor network traffic at the socket level.
`crowdstrike-full-disk-access.mobileconfig` - Grant full disk access to all CrowdStrike application processes using the CrowdStrike Apple Developer team identifier.
## Linux
### Upload a Linux post-install script to Fleet for collecting the CrowdStrike Customer ID
To use this script, copy your **Customer ID** from the CrowdStrike console, then, paste it into the value for the `FalconCid` variable below. Next, copy the modified script to the CrowdStrike Falcon custom package settings as a post-install action in Fleet:
```
#!/bin/bash
# Set your Customer ID here
FalconCid = "YOUR-CUSTOMER-ID-HERE
echo "Setting CrowdStrike Falcon Customer ID: $FalconCid"
# Set the Customer ID
sudo /opt/CrowdStrike/falconctl -s --cid="$FalconCid"
# Check if the command was successful
if [ $? -eq 0 ]; then
echo "Customer ID set successfully!"
# Verify the setting
echo "Verifying Customer ID..."
sudo /opt/CrowdStrike/falconctl -g --cid
else
echo "Error: Failed to set Customer ID"
exit 1
fi
```
Admins can verify the installation by running the following command which searches for the falcon-sensor binary:
```
sudo ps -e | grep falcon-sensor
```
## Windows
CrowdStrike offers `.exe` and `.msi` Falcon installers for Windows. Using the `.msi` inataller in Fleet is preferred as this installer type performs a silent, fully-automated installation when using the **Automatic install** option.
### Upload a Windows post-install script to Fleet for collecting the CrowdStrike Customer ID
To use this script, copy your **Customer ID** from the CrowdStrike console, then, paste it into the value for the `$FalconCid` variable below. Next, copy the modified script to the CrowdStrike Falcon custom package settings as a post-install action in Fleet:
```
# Set your Customer ID here
$FalconCid = "YOUR-CUSTOMER-ID-HERE"
$logFile = "${env:TEMP}/fleet-install-software.log"
try {
$installProcess = Start-Process msiexec.exe `
-ArgumentList "/quiet /norestart /lv ${logFile} /i `"${env:INSTALLER_PATH}`" CID=${FalconCid}" `
-PassThru -Verb RunAs -Wait
Get-Content $logFile -Tail 500
Exit $installProcess.ExitCode
} catch {
Write-Host "Error: $_"
Exit 1
}
```
There are several other flags that can be added to this script. See: https://github.com/CrowdStrike/falcon-scripts for a list of supported options.
## Conclusion
Fleet offers admins a straight-forward approach to deploying the CrowdStrike Falcon application across your macOS, Linux and Windows hosts. See https://fleetdm.com/guides/deploy-software-packages for more information on installing software packages using Fleet.
<meta name="articleTitle" value="Deploy CrowdStrike with Fleet">
<meta name="authorFullName" value="Harrison Ravazzolo">
<meta name="authorGitHubUsername" value="harrisonravazzolo">
<meta name="category" value="guides">
<meta name="publishedOn" value="2025-08-11">
<meta name="description" value="Deploy CrowdStrike with Fleet">
<meta name="articleImageUrl" value="../website/assets/images/articles/fleet-crowdstrike-cover-800x450@2x.png">
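
Review bot: The Linux post-install script will not run as written: `FalconCid = "YOUR-CUSTOMER-ID-HERE` has spaces around `=`, so bash treats `FalconCid` as a command, and it is missing the closing quote, so the lines that follow are swallowed into an unterminated string. Suggest `FalconCid="YOUR-CUSTOMER-ID-HERE"`. Elsewhere in this file: the Windows script is introduced as a post-install action but itself runs `msiexec.exe` with `/i "${env:INSTALLER_PATH}"` and `CID=${FalconCid}`, which is an install step, so the heading and instructions should say which script slot it belongs in; the macOS section refers to the "site key" where the rest of the guide says Customer ID; `crowdstrike-system-extension` lacks the `.mobileconfig` suffix the other four entries carry; `sudo ps -e | grep falcon-sensor` checks for a running process, not for the binary as the sentence above it says; and "platfom-specifc", "notifcation" and "inataller" are typos.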

@ -0,0 +1,79 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures Privacy Preferences Policy Control settings for CrowdStrike</string>
<key>PayloadDisplayName</key>
<string>Full Disk Access - Crowdstrike</string>
<key>PayloadIdentifier</key>
<string>com.fleet.privacy</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>C7B25543-8A46-4782-B5F1-FABF2CC07934</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.crowdstrike.falcon.App</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>CrowdStrike Falcon Full Disk Access</string>
<key>PayloadDisplayName</key>
<string>CrowdStrike - Privacy Preferences</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.fleet.privacy</string>
<key>PayloadOrganization</key>
<string>Fleet</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>A4A2274E-370D-4641-A248-7A637ADFB169</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
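
Review bot: The inner TCC payload and the top-level profile both use `com.fleet.privacy` as `PayloadIdentifier`, and the name is generic enough to collide with any other privacy profile delivered the same way, since a profile installed with an existing top-level identifier replaces the one already there. Suggest a CrowdStrike-specific top-level identifier, with the payload identifier derived from it by appending a component. Also, the guide describes this profile as granting full disk access to all CrowdStrike application processes, but `SystemPolicyAllFiles` lists only `com.crowdstrike.falcon.Agent` and `com.crowdstrike.falcon.App`; please confirm against CrowdStrike's documentation that no other bundle ID needs an entry. The two empty `Comment` strings can be filled in or dropped.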

@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BundleIdentifier</key>
<string>com.crowdstrike.falcon.UserAgent</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Notifications</string>
<key>PayloadIdentifier</key>
<string>com.fleet.notifications</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>F5E94A3F-6E76-4A28-AF32-068455731244</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>CrowdStrike Falcon Notification settings</string>
<key>PayloadDisplayName</key>
<string>CrowdStrike - Notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.fleet.notifications</string>
<key>PayloadOrganization</key>
<string>Fleet</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>F749D9AF-DE8B-45B0-98F5-CACA98C67FEC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
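
Review bot: The guide describes this profile as suppressing notifications, but the `NotificationSettings` entry for `com.crowdstrike.falcon.UserAgent` sets `NotificationsEnabled` to true, `ShowInNotificationCenter` to true and `AlertType` to 1, which leaves notifications switched on. Either change these values to match the stated intent, or reword the guide entry to say the profile pre-configures Falcon notifications rather than suppresses them.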

@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures Service Management settings for CrowdStrike Falcon</string>
<key>PayloadDisplayName</key>
<string>Service Management</string>
<key>PayloadIdentifier</key>
<string>com.fleet.servicemanagement</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadType</key>
<string>com.apple.servicemanagement</string>
<key>PayloadUUID</key>
<string>B2C3D4E5-F6G7-8901-2345-678901BCDEFG</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Rules</key>
<array>
<dict>
<key>RuleType</key>
<string>BundleIdentifier</string>
<key>RuleValue</key>
<string>com.crowdstrike.falcon.UserAgent</string>
</dict>
<dict>
<key>RuleType</key>
<string>TeamIdentifier</string>
<key>RuleValue</key>
<string>X9E956P446</string>
</dict>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>CrowdStrike Falcon Service Management configuration</string>
<key>PayloadDisplayName</key>
<string>CrowdStrike - Service Management</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.fleet.servicemanagement</string>
<key>PayloadOrganization</key>
<string>Fleet</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5007F4E7-372B-4B90-8E64-BDC59E4C1D93</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
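
Review bot: The inner payload's `PayloadUUID`, `B2C3D4E5-F6G7-8901-2345-678901BCDEFG`, is not a valid UUID: it contains `G`, which is not a hexadecimal digit, and reads like a hand-typed placeholder. Generate a real value (for example with `uuidgen`), as the other profiles in this commit have. A question on the `Rules` array: is the `BundleIdentifier` rule for `com.crowdstrike.falcon.UserAgent` needed alongside the `TeamIdentifier` rule for `X9E956P446`? If both are intentional, a sentence in the guide explaining why would help.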

@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>X9E956P446</key>
<array>
<string>com.crowdstrike.falcon.Agent</string>
</array>
</dict>
<key>NonRemovableFromUISystemExtensions</key>
<dict>
<key>X9E956P446</key>
<array>
<string>com.crowdstrike.falcon.Agent</string>
</array>
</dict>
<key>PayloadDescription</key>
<string>Configures System Extensions Policy settings for CrowdStrike Falcon</string>
<key>PayloadDisplayName</key>
<string>System Extensions - Crowdstrike</string>
<key>PayloadIdentifier</key>
<string>com.fleet.systemextensions</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadUUID</key>
<string>6527669C-0C1F-4B84-998F-33902DBFEB86</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>CrowdStrike Falcon System Extensions configuration</string>
<key>PayloadDisplayName</key>
<string>CrowdStrike - System Extensions</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.fleet.systemextensions</string>
<key>PayloadOrganization</key>
<string>Fleet</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C84A8495-1B68-4C28-B29B-FDF3A40018D4</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
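
Review bot: `AllowUserOverrides` is set to true, which lets users approve system extensions beyond those in `AllowedSystemExtensions`; in a profile whose stated purpose is to allow `com.crowdstrike.falcon.Agent` under team `X9E956P446`, that should be a deliberate choice. Suggest either setting it to false or noting in the guide that it is left on so this profile does not block other vendors' extensions. As in the other profiles, the payload and the top-level profile share one `PayloadIdentifier` (`com.fleet.systemextensions`); deriving the payload identifier from the top-level one would keep them distinct.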

@ -0,0 +1,57 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
<key>FilterGrade</key>
<string>inspector</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>Organization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>Web Content Filter</string>
<key>PayloadIdentifier</key>
<string>com.fleet.webfilter</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadUUID</key>
<string>E63C7607-408B-485F-BF2F-0900AAE6797F</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PluginBundleID</key>
<string>com.crowdstrike.falcon.App</string>
</dict>
</array>
<key>PayloadDescription</key>
<string>CrowdStrike Falcon Web Content Filter configuration</string>
<key>PayloadDisplayName</key>
<string>CrowdStrike - Web Filter</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.fleet.webfilter</string>
<key>PayloadOrganization</key>
<string>Fleet</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>141ECE18-BC29-4A0E-9743-055A4E649512</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
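
Review bot: `FilterDataProviderDesignatedRequirement` is written differently from the `CodeRequirement` strings in the full disk access profile: here the team ID is quoted (`= "X9E956P446"`) and the `/* exists */` comments are absent, while there it is unquoted with the comments present. Pick one form for both files so the requirement for `com.crowdstrike.falcon.Agent` can be compared at a glance. The payload and the top-level profile also share one `PayloadIdentifier` (`com.fleet.webfilter`); deriving the payload identifier from the top-level one would keep them distinct.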

Binary file not shown.
