Documentation Index
Fetch the complete documentation index at: https://docs.getprimo.com/llms.txt
Use this file to discover all available pages before exploring further.
CrowdStrike Falcon requires manual setup before deployment. Download the installer packages from the CrowdStrike console, upload them, and configure the install scripts with your
CustomerID.How to deploy
Download the installers and retrieve your CustomerID
- In the CrowdStrike admin console, go to Host setup and management > Deploy > Sensor downloads.
- Download the macOS (
.pkg) and Windows (.exe) installers. - Copy your
CustomerID(CID) — you’ll need it in the next step.
Deploy as Custom Software
For each installer (macOS and Windows):
- Go to MDM > Software > Add app > Custom app.
- Upload the installer file and click Add software.
Add install and uninstall scripts (Windows only)
In the Windows Click Save changes.
.exe package configuration, open Show advanced options and replace the scripts below. No script changes are needed for the macOS package.- Install script
- Uninstall script
Replace
CustomerID with your actual CID:$exeFilePath = "${env:INSTALLER_PATH}"
try {
$processOptions = @{
FilePath = "$exeFilePath"
ArgumentList = "/install /quiet /norestart CID=CustomerID"
PassThru = $true
Wait = $true
}
$process = Start-Process @processOptions
$exitCode = $process.ExitCode
Write-Host "Install exit code: $exitCode"
Exit $exitCode
} catch {
Write-Host "Error: $_"
Exit 1
}
try {
$regPaths = @(
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)
$app = $regPaths |
ForEach-Object { Get-ChildItem $_ -ErrorAction SilentlyContinue } |
Get-ItemProperty |
Where-Object { $_.DisplayName -like "CrowdStrike Windows Sensor*" } |
Select-Object -First 1
if (-not $app) {
Write-Host "CrowdStrike Falcon not found, nothing to uninstall"
Exit 0
}
$processOptions = @{
FilePath = $app.UninstallString
ArgumentList = "/quiet /norestart"
PassThru = $true
Wait = $true
}
$process = Start-Process @processOptions
$exitCode = $process.ExitCode
Write-Host "Uninstall exit code: $exitCode"
Exit $exitCode
} catch {
Write-Host "Error: $_"
Exit 1
}
Create a deployment policy
- macOS
- Windows
- In FleetDM, go to Policies > Add Policy, name it CrowdStrike installed (macOS), and use the query:
SELECT 1 FROM apps WHERE bundle_identifier = 'com.crowdstrike.falcon'; - Go to Manage automations > Software and link the policy to the macOS installer. Fleet will automatically push the installer to any device that fails the policy check.
- In FleetDM, go to Policies > Add Policy, name it CrowdStrike installed (Windows), and use the query:
SELECT 1 FROM programs WHERE name = 'Falcon'; - Go to Manage automations > Software and link the policy to the Windows installer. Fleet will automatically push the installer to any device that fails the policy check.
Upload the system extension profile (macOS only)
Go to MDM > Controls, open your macOS control, and upload the CrowdStrike system extension mobileconfig as a Custom file.
Show CrowdStrike Falcon mobileconfig
Show CrowdStrike Falcon mobileconfig
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures Privacy Preferences Policy Control settings for CrowdStrike</string>
<key>PayloadDisplayName</key>
<string>Full Disk Access - Crowdstrike</string>
<key>PayloadIdentifier</key>
<string>com.fleet.privacy</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>C7B25543-8A46-4782-B5F1-FABF2CC07934</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.crowdstrike.falcon.App</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
</array>
</dict>
</dict>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BundleIdentifier</key>
<string>com.crowdstrike.falcon.UserAgent</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Notifications</string>
<key>PayloadIdentifier</key>
<string>com.fleet.notifications</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>F5E94A3F-6E76-4A28-AF32-068455731244</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>PayloadDescription</key>
<string>Configures Service Management settings for CrowdStrike Falcon</string>
<key>PayloadDisplayName</key>
<string>Service Management</string>
<key>PayloadIdentifier</key>
<string>com.fleet.servicemanagement</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadType</key>
<string>com.apple.servicemanagement</string>
<key>PayloadUUID</key>
<string>B2C3D4E5-F6G7-8901-2345-678901BCDEFG</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Rules</key>
<array>
<dict>
<key>RuleType</key>
<string>BundleIdentifier</string>
<key>RuleValue</key>
<string>com.crowdstrike.falcon.UserAgent</string>
</dict>
<dict>
<key>RuleType</key>
<string>TeamIdentifier</string>
<key>RuleValue</key>
<string>X9E956P446</string>
</dict>
</array>
</dict>
<dict>
<key>AllowedSystemExtensions</key>
<dict>
<key>X9E956P446</key>
<array>
<string>com.crowdstrike.falcon.Agent</string>
</array>
</dict>
<key>NonRemovableFromUISystemExtensions</key>
<dict>
<key>X9E956P446</key>
<array>
<string>com.crowdstrike.falcon.Agent</string>
</array>
</dict>
<key>PayloadDescription</key>
<string>Configures System Extensions Policy settings for CrowdStrike Falcon</string>
<key>PayloadDisplayName</key>
<string>System Extensions - Crowdstrike</string>
<key>PayloadIdentifier</key>
<string>com.fleet.systemextensions</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadUUID</key>
<string>6527669C-0C1F-4B84-998F-33902DBFEB86</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
<key>FilterGrade</key>
<string>inspector</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>Organization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>Web Content Filter</string>
<key>PayloadIdentifier</key>
<string>com.fleet.webfilter</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadUUID</key>
<string>E63C7607-408B-485F-BF2F-0900AAE6797F</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PluginBundleID</key>
<string>com.crowdstrike.falcon.App</string>
<key>UserDefinedName</key>
<string>CrowdStrike</string>
</dict>
</array>
<key>PayloadDescription</key>
<string>CrowdStrike Falcon - Full configuration (Full Disk Access, Notifications, Service Management, System Extensions, Web Filter)</string>
<key>PayloadDisplayName</key>
<string>CrowdStrike Falcon Configuration</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.primo.crowdstrike</string>
<key>PayloadOrganization</key>
<string>Primo</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>D269B6A4-2E8D-4EC1-B818-ADAE81B8CF0B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>