Addigy supports silent, automated deployment of CrowdStrike Falcon to managed Mac devices using Smart Software. This guide covers obtaining the installer, configuring the installation script, and setting up the required Device Settings (MDM Profiles) for a fully automated deployment.
Prerequisites
Before you begin, make sure you have the following:
- A macOS PKG installer for CrowdStrike Falcon (obtained from CrowdStrike)
- Your organization's CrowdStrike license key
- Familiarity with Smart Software — see Creating Smart Software if you haven't set one up before
How to Deploy CrowdStrike Falcon
CrowdStrike Falcon is deployed using a Smart Software item with the PKG installer from CrowdStrike and a custom installation script.
- In Addigy, navigate to Catalog > Software and create a new Smart Software item.
- Upload the CrowdStrike Falcon `.pkg` file as the Installation File.
- In the Installation Command field, enter the following script, replacing `INSERT LICENSE HERE` with your organization's CrowdStrike license key, `Falcon (1.0)` with the name of your Smart Software item, and `FalconSensorMacOS.pkg` with the name of your pkg Installation File:
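```bash
falcon="INSERT LICENSE HERE"
falconpath="/Applications/Falcon.app/Contents/Resources/falconctl"
# Install the sensor package uploaded to the Smart Software item
/usr/sbin/installer -pkg "/Library/Addigy/ansible/packages/Falcon (1.0)/FalconSensorMacOS.pkg" -target /
# Apply the license key to the installed sensor
sudo "$falconpath" license "$falcon"
```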
Note: The third line of the script (the `/usr/sbin/installer` command) can be auto-generated by clicking the Add Install Command button next to your uploaded PKG file. The remaining lines should stay as written above.
How to Add the Required Device Settings (MDM Profiles)
CrowdStrike Falcon requires four Device Settings for full, automated functionality. Create each profile in Catalog > Device Settings before deploying the Smart Software item.
Important: Device Settings must be installed on a device before the Smart Software item runs. When added to a policy, this happens automatically based on default Installation Priority. If installing on an individual device via GoLive, deploy the Device Settings first.
1. System Extensions Profile
This profile allows CrowdStrike's system extensions to load without prompting the user. For instructions on creating this profile type, see Allow System Extensions with Addigy MDM.
Configure the profile to whitelist CrowdStrike by Team ID:
- Enable Allowed Team Identifiers: Enabled
- Team ID: `X9E956P446`
Note: Whitelisting by Team ID allows all current and future CrowdStrike system extensions to load automatically, without needing to update the profile when new extensions are introduced.
2. PPPC Profile (Full Disk Access)
This profile grants CrowdStrike Falcon access to protected and system admin files. For instructions on creating a PPPC profile, see How to Create a PPPC Payload for Full Disk Access.
Add the following two entries, enabling Access to All Protected Files and System Administration Files:
| Bundle ID | Code Requirement |
|---|---|
| `com.crowdstrike.falcon.Agent` | `identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446` |
| `com.crowdstrike.falcon.App` | `identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446` |
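
The following is an added example, not Addigy's or CrowdStrike's code: it audits an unsigned, exported `.mobileconfig` to confirm that both Full Disk Access grants exist only for the two bundle IDs above and that every code requirement pins the identifier and the Team ID. It assumes Apple's PPPC payload key names (`Services`, `SystemPolicyAllFiles`, `SystemPolicySysAdminFiles`); the function names and the sample profile are constructed for illustration.

```python
import plistlib

TEAM_ID = "X9E956P446"  # CrowdStrike Team ID given in this guide
EXPECTED_IDS = {"com.crowdstrike.falcon.Agent", "com.crowdstrike.falcon.App"}
# Assumed mapping: Apple's payload keys for the two grants named above
SERVICES = ("SystemPolicyAllFiles", "SystemPolicySysAdminFiles")
PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"

def audit_pppc(profile_bytes):
    """Return a list of findings; an empty list means the profile matches the guide."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PPPC_TYPE]
    if not payloads:
        return ["no PPPC payload found"]
    findings = []
    for service in SERVICES:
        seen = set()
        for payload in payloads:
            for entry in payload.get("Services", {}).get(service, []):
                ident = entry.get("Identifier", "")
                req = entry.get("CodeRequirement", "")
                seen.add(ident)
                if ident not in EXPECTED_IDS:
                    findings.append(f"{service}: unexpected identifier {ident!r}")
                if f'identifier "{ident}"' not in req:
                    findings.append(f"{service}: {ident} requirement does not pin the identifier")
                if f"certificate leaf[subject.OU] = {TEAM_ID}" not in req:
                    findings.append(f"{service}: {ident} requirement does not pin Team ID")
        for missing in sorted(EXPECTED_IDS - seen):
            findings.append(f"{service}: missing entry for {missing}")
    return findings

def sample_profile(team_id=TEAM_ID):
    """Build a constructed sample profile (not a real Addigy export)."""
    def entry(bundle_id):
        return {"Identifier": bundle_id, "IdentifierType": "bundleID", "Allowed": True,
                "CodeRequirement": f'identifier "{bundle_id}" and anchor apple generic and '
                    'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
                    'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
                    f'certificate leaf[subject.OU] = {team_id}'}
    entries = [entry(b) for b in sorted(EXPECTED_IDS)]
    payload = {"PayloadType": PPPC_TYPE, "Services": {s: list(entries) for s in SERVICES}}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

if __name__ == "__main__":
    print(audit_pppc(sample_profile()) or "profile matches the guide")
```

A profile that has been signed is CMS-wrapped and must be unwrapped before `plistlib` can parse it.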
3. Web Content Filter Profile
This profile enables CrowdStrike's network filtering extension. Navigate to Catalog > Device Settings, create a new Web Content Filter profile, and configure it with the following settings:
- Filter Type: Plug-In
- User Defined Name: `Crowdstrike`
- Plugin Bundle ID: `com.crowdstrike.falcon.App`
- Organization: `Crowdstrike Inc.`
- Filter Socket Traffic: Enabled
- Bundle Identifier: `com.crowdstrike.falcon.Agent`
- Designated Requirement: `identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446`
- Filter Grade: Inspector
Note: Network connectivity may be briefly interrupted when a Web Content Filter profile is deployed to a device.
4. Service Management Profile (macOS Ventura)
This profile prevents users from disabling the CrowdStrike Falcon UserAgent via System Settings on macOS Ventura (13.x). Per CrowdStrike's documentation, this profile is currently intended for macOS Ventura only — behavior on later macOS versions may vary.
Navigate to Catalog > Device Settings, create a new Service Management profile, and configure it as follows:
- Rule Type: Label
- Rule Value: `com.crowdstrike.falcon.UserAgent`
- Team Identifier: `X9E956P446`
- Enter the values above and click Add Rule.
- Add a Payload Name (e.g., `Crowdstrike Service Management`) and click Create Profile.
Frequently Asked Questions
Where do I get the CrowdStrike PKG installer and license key?
Both are provided directly by CrowdStrike. Contact your CrowdStrike account representative or download the installer from your CrowdStrike console.
What's the correct order of operations when deploying to individual devices?
When using GoLive to deploy to a single device, install all Device Settings first, then run the Smart Software item. In a policy, this ordering is handled automatically based on default Installation Priority.
Why whitelist CrowdStrike by Team ID instead of individual Bundle IDs?
Whitelisting by Team ID covers all extensions signed by CrowdStrike under that team certificate. This means the profile remains valid even as CrowdStrike updates or adds new extensions, without requiring profile updates on your end.