
CrowdStrike Falcon Protection (macOS)

Description

Need to deploy CrowdStrike Falcon antivirus to your macOS fleet? FileWave has you covered.

CrowdStrike's flagship product is called Falcon, which is a cloud-native platform that combines next-generation antivirus, endpoint detection and response (EDR), threat intelligence, and proactive threat hunting. Falcon aims to provide real-time visibility into endpoint activity, rapid threat detection, and automated response to security incidents.

Ingredients

  • FileWave Admin Central
  • CrowdStrike Falcon Profiles
    • One for macOS Sonoma and earlier
    • One for macOS Sequoia and later
  • CrowdStrike PKG installer
  • CrowdStrike License code

Directions

Deploying the CrowdStrike Falcon to your devices

CrowdStrike deployment on macOS requires three Filesets: two TCC profiles and the PKG installer. The required TCC profiles depend on the macOS version in your environment. Screenshot examples are included in this article as a reference if you choose to create the profiles manually.

The PKG installer should also include two scripts that apply your CrowdStrike Falcon license and verify that the appropriate TCC profile is installed before the CrowdStrike application is deployed.

Download the TCC profile

Note: Please log in to your CrowdStrike portal and download the latest TCC profiles. The screenshots below are provided for reference if you choose to create the TCC profiles manually.

Falcon Configuration Profile for Sonoma and earlier:

Sonoma and earlier TCC Profile

Security & Privacy Payload:

 

  • Bundle ID:
    • com.crowdstrike.falcon.Agent
    • com.crowdstrike.falcon.App
  • Code requirement:
    • identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
  • Access to service:
    • Full Disk Access
  • Agent configuration
  • App configuration

System Extension Policy Payload:

 

  • Check box 'Can approve additional system extensions'
  • Allowed Team Identifiers:
    • X9E956P446
  • Allowed System Extensions
    • com.crowdstrike.falcon.Agent
  • Allowed System Extension Types:
    • Network
    • Endpoint security

Web Content Filter Payload:

 

  • Name: Falcon
  • Identifier: com.crowdstrike.falcon.App
  • Filter Network Traffic
  • Socket Filter Bundle Identifier:
    • com.crowdstrike.falcon.Agent
  • Socket Filter Designated Requirement:

    • identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"
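
If you build the Sonoma-and-earlier profile by hand, the exported .mobileconfig can be checked against the settings listed above before it is assigned. The following is an added example, not FileWave's or CrowdStrike's code: the function names and the sample profile are constructed for illustration, the sample code requirement is abbreviated, and the dictionary keys are Apple's documented payload keys for the three payload types.

```python
import plistlib

TEAM_ID = "X9E956P446"                   # team identifier listed on this page
AGENT = "com.crowdstrike.falcon.Agent"   # bundle ID listed on this page

def audit_profile(raw: bytes) -> list:
    """Return findings for a .mobileconfig; an empty list means every check passed."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    by_type = {p.get("PayloadType"): p for p in payloads}
    findings = []
    # Full Disk Access must go to the Agent and be pinned to the vendor team ID.
    tcc = by_type.get("com.apple.TCC.configuration-profile-policy", {})
    fda = tcc.get("Services", {}).get("SystemPolicyAllFiles", [])
    agent = next((e for e in fda if e.get("Identifier") == AGENT), None)
    # The page shows the OU value both quoted and unquoted, so compare without quotes.
    req = (agent or {}).get("CodeRequirement", "").replace('"', "")
    if agent is None:
        findings.append("TCC: no Full Disk Access entry for the Agent")
    elif f"leaf[subject.OU] = {TEAM_ID}" not in req:
        findings.append("TCC: code requirement not pinned to team ID")
    # System extension policy: team, extension, and both extension types.
    ext = by_type.get("com.apple.system-extension-policy", {})
    if TEAM_ID not in ext.get("AllowedTeamIdentifiers", []):
        findings.append("SysExt: team ID not allowed")
    if AGENT not in ext.get("AllowedSystemExtensions", {}).get(TEAM_ID, []):
        findings.append("SysExt: Agent extension not allowed")
    types = set(ext.get("AllowedSystemExtensionTypes", {}).get(TEAM_ID, []))
    if not {"NetworkExtension", "EndpointSecurityExtension"} <= types:
        findings.append("SysExt: Network/Endpoint security types missing")
    # Web content filter: the socket filter provider must be the Agent.
    wcf = by_type.get("com.apple.webcontent-filter", {})
    if not wcf.get("FilterSockets") or wcf.get("FilterDataProviderBundleIdentifier") != AGENT:
        findings.append("Filter: socket filter is not the Agent")
    return findings

def sample_profile(code_req: str) -> bytes:
    """Constructed sample profile for the demo (not a vendor-supplied file)."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.TCC.configuration-profile-policy", "Services": {
            "SystemPolicyAllFiles": [{"Identifier": AGENT, "IdentifierType": "bundleID",
                                      "CodeRequirement": code_req, "Allowed": True}]}},
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedTeamIdentifiers": [TEAM_ID], "AllowedSystemExtensions": {TEAM_ID: [AGENT]},
         "AllowedSystemExtensionTypes": {TEAM_ID: ["NetworkExtension", "EndpointSecurityExtension"]}},
        {"PayloadType": "com.apple.webcontent-filter", "FilterType": "Plugin",
         "PluginBundleID": "com.crowdstrike.falcon.App", "FilterSockets": True,
         "FilterDataProviderBundleIdentifier": AGENT}]})

# Abbreviated, constructed requirement; the full strings are listed on this page.
PINNED = f'identifier "{AGENT}" and anchor apple generic and certificate leaf[subject.OU] = {TEAM_ID}'
if __name__ == "__main__":
    print(audit_profile(sample_profile(PINNED)), audit_profile(sample_profile(f'identifier "{AGENT}"')))
```

A requirement that names only the bundle identifier is reported because it would grant Full Disk Access to any binary claiming that identifier, regardless of who signed it. The text comparison is a sanity check on the profile contents, not a substitute for evaluating the requirement against the installed application.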

Falcon Configuration Profile for Sequoia and later:

Sequoia and later TCC Profile

System Extension Policy Payload:

 

  • Team Identifiers:
    • X9E956P446
  • Non Removable From UI System Extensions:
    • com.crowdstrike.falcon.Agent

Download the PKG installer

The PKG installer fileset includes three components. The template below can be used to upload your specific version of the CrowdStrike PKG installer. Ensure the installation folder and PKG file name are labeled correctly to support a successful deployment.

Note: Please log in to your CrowdStrike portal and download the latest PKG installer to ensure a successful import and deployment. The PKG installer must be used along with the two required scripts: the Requirement script and the Activation script.

The PKG installer included with this Fileset is version 7.29.20103.0 (updated 9/11/25) of CrowdStrike for macOS Big Sur and beyond (This version will not install on macOS Catalina).

Note: We will attempt to keep this Fileset updated with recent versions of the installer. If it is out-of-date, you can download the newest version and replace it in Fileset Contents of the included Fileset, and send a note to kb@filewave.com.

PKG - FalconSensorMacOS.MaverickGyr.fileset.zip


CrowdStrike License

Customizing the Fileset with your CrowdStrike license is required. The Fileset has a License.sh script to edit and enter in your license code.

Editing the License.sh script

  1. Highlight your CrowdStrike PKG installer Fileset 
  2. Select Scripts to open the Script window.
  3. Highlight License.sh
  4. Click Edit

Entering in your license code

  1. Highlight the ####### string and enter in your CrowdStrike License code
  2. Click OK to save
  3. Click OK to save again to save your license code for the CrowdStrike Fileset


License code script
#!/bin/zsh

# Replace the ########## placeholder below with your CrowdStrike license code.
echo "License is being set"
/Applications/Falcon.app/Contents/Resources/falconctl license ##########
echo "License is set"

exit 0

 

Check for Falcon Profiles

The payload identifiers are preconfigured in the provided template fileset. The steps below explain how to add your own Payload Bundle Identifier if needed.

Note: The Requirement script verifies that the CrowdStrike Falcon TCC profiles are installed successfully before the CrowdStrike installer runs. The script checks for both profiles and confirms they are installed before proceeding with the CrowdStrike deployment.

Editing the CheckForFalconProfile.sh

 

  1. Highlight your CrowdStrike PKG installer Fileset
  2. Select Scripts to open the Scripts window
  3. Highlight the CheckForFalconProfile.sh script
  4. Click Edit

Entering in your Payload Profile Identifiers

 

  1. Highlight the string after profile_id="#####"
  2. Replace the ###### with your TCC profile Identifier.
  3. If not sure, open your Intel or Apple Silicon Profile and copy the Identifier.
  4. Click OK to save
  5. Click OK to save again to save your changes to the CrowdStrike Fileset



Check for Falcon profile script
#!/bin/zsh

# Payload identifiers of the two Falcon TCC profiles; replace with your own if needed.
profile_id="9BCE1C20-633D-405D-84D8-6F6C2D3AE66C"
profile_id2="C1A6E28A-21EF-49C6-B85F-84E845731E22"

# Print the last field of any line in the installed-profile list that matches the identifier.
found_profile=$(profiles list all | awk -v search="$profile_id" '$0 ~ search {print $NF}')
found_profile2=$(profiles list all | awk -v search="$profile_id2" '$0 ~ search {print $NF}')

# Count how many of the two profiles are missing.
i=0
if [ -z "$found_profile" ]
then
        echo "Did not find $profile_id"
        i=$((i+1))
fi

if [ -z "$found_profile2" ]
then
        echo "Did not find $profile_id2"
        i=$((i+1))
fi

# The requirement fails only when neither profile is installed.
if [ "$i" -eq 2 ]
then
        echo "Both Profiles are missing"
        exit 1
fi
echo "Found installed profile: $profile_id or $profile_id2"
exit 0

 



Creating a Fileset Group

Keeping your filesets organized is a recommended best practice, especially when managing multiple software deployments. You may create a new Fileset Group (for example, CrowdStrike Falcon (macOS 2023)) and move all related filesets into that group. This allows you to associate the Fileset Group with your devices instead of assigning individual filesets separately.

Once all the filesets and profiles have been created, you can assign the CrowdStrike Falcon (macOS 2023) Fileset Group to a few test devices. This helps verify and confirm that the software installs correctly and that the configured license code is applied successfully.

FileWave Custom Fields to validate installation

Monitoring the CrowdStrike Falcon Sensor through FileWave custom fields helps ensure endpoint protection remains active and compliant. By validating that the Falcon service is running and reporting the installed sensor version, administrators can quickly detect inactive or outdated agents that may leave devices exposed.