Munki scripts for CrowdStrike Falcon

Munki is designed to ensure that a specific or newer version of an application is installed on a macOS computer, a job it excels at.

CrowdStrike Falcon does a good job of upgrading, and downgrading, itself. This includes letting admins change the desired installed sensor version across the fleet from the CrowdStrike console, after which each sensor moves itself to that version.

So how does a MacAdmin use Munki to deploy Falcon without disrupting the ability to change the installed version across the fleet on the fly?

Read on for details on how we handle it.

Munki has several ways to decide whether an item needs to be installed. For apps the most common is an installs array, which compares the version of the bundle on disk with the version recorded in the pkginfo.

When you need a little more control or flexibility, an installcheck_script is a great choice: Munki runs the script and installs the item only when the script exits 0; any other exit code means "nothing to do". This is the method we use for Falcon.

Falcon Installer

Instead of using Munki's built-in version comparison, we use a script that simply confirms Falcon is installed, reports the installed version and moves on. If Falcon is missing, the installer package runs.

#!/bin/bash
falconctl="/Applications/Falcon.app/Contents/Resources/falconctl"
# Make sure Falcon is installed
if [ -x "${falconctl}" ]; then
	falcon_version=$(/usr/libexec/PlistBuddy -c "Print CFBundleShortVersionString" "/Applications/Falcon.app/Contents/Info.plist")
	echo "Falcon is ${falcon_version}"
	# Exit 1 to skip installation
	exit 1
else
	# Exit 0 to install CrowdStrike Falcon
	exit 0
fi

This script is the installcheck_script in the pkginfo for the Falcon installer package. With it, Munki makes sure Falcon is installed (for example during new device setup) but otherwise ignores the installed version, leaving version control to the CrowdStrike console.

Remediation NoPkg

With the script above Munki will make sure Falcon is installed, but it won’t do anything to make sure Falcon is actually running. For that we use a Munki NoPkg and a pair of scripts.

The first is the installcheck_script. It confirms that Falcon is installed but not loaded, then checks that the Mac is MDM enrolled and that the needed configuration profiles are installed, since without those the sensor cannot be loaded.

#!/bin/bash

# Make sure Falcon is installed
falconctl="/Applications/Falcon.app/Contents/Resources/falconctl"
if [ ! -x "${falconctl}" ]; then
	# Exit 1 to skip the postinstall_script: the remaining checks need falconctl.
	# The installcheck_script for the Falcon installer will remedy this condition.
	echo "CrowdStrike Falcon is not installed."
	exit 1
fi

# Check the status of Falcon
if "${falconctl}" stats --silent; then
	# If 'stats' exits 0 then Falcon is loaded, so exit 1 to skip the postinstall_script
	echo "Falcon sensor is loaded."
	exit 1
else
	# If 'stats' exits with an error then Falcon is not loaded
	echo "Falcon remediation is needed."
fi

# Check for MDM enrollment and configuration profiles
if /usr/bin/profiles status -type enrollment | /usr/bin/grep -q "MDM enrollment: Yes"; then
	profileList=$(/usr/bin/profiles list)
	if echo "${profileList}" | /usr/bin/grep -q "com.example.profile.SystemExtension.CrowdStrike" && \
	   echo "${profileList}" | /usr/bin/grep -q "com.example.profile.WebContentFilter.CrowdStrike" && \
	   echo "${profileList}" | /usr/bin/grep -q "com.example.profile.Privacy.AllFiles"; then
		echo "MDM enrollment and configuration profiles confirmed"
		# If all configuration is present then exit 0 to trigger the postinstall_script
		exit 0
	fi
fi

# If MDM enrollment or configuration is missing we cannot load Falcon, so exit 1 to skip the postinstall_script
echo "MDM enrollment and/or configuration profiles are not installed"
exit 1

The second is the postinstall_script. It runs only when the first script exits 0, and attempts to load Falcon.

#!/bin/bash

falconctl="/Applications/Falcon.app/Contents/Resources/falconctl"

if "${falconctl}" load -v; then
	echo "Successfully loaded the CrowdStrike Falcon background service."
	exit 0
else
	echo "Failed to load the CrowdStrike Falcon background service."
	exit 1
fi

The full NoPkg is available on my GitHub at this link: https://github.com/kevinmcox/Munki-NoPkgs/blob/main/CrowdStrikeFalconRemediation.pkginfo

This NoPkg is an update_for our main CrowdStrike installer item, so Munki only evaluates it on Macs where that item is already installed.
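To show how the pieces fit together, here is an added example of a complete NoPkg pkginfo that wraps the two scripts above. It is not the pkginfo linked above or CrowdStrike's code; the item name CrowdStrikeFalconRemediation, the update_for target CrowdStrikeFalcon, the production catalog and the version string are assumptions, and the Falcon installer's own pkginfo uses the same installcheck_script key with the first script on this page. Because the scripts live inside XML strings, every "&&" must be written as "&amp;&amp;" (makepkginfo does this escaping for you when you pass --installcheck_script and --postinstall_script).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<!-- Item name, update_for target, catalog and version are assumed for this example -->
	<key>name</key>
	<string>CrowdStrikeFalconRemediation</string>
	<key>display_name</key>
	<string>CrowdStrike Falcon Remediation</string>
	<key>version</key>
	<string>1.0</string>
	<!-- nopkg: Munki runs the scripts and installs nothing itself -->
	<key>installer_type</key>
	<string>nopkg</string>
	<key>catalogs</key>
	<array>
		<string>production</string>
	</array>
	<!-- Only evaluated on Macs where the Falcon installer item is installed -->
	<key>update_for</key>
	<array>
		<string>CrowdStrikeFalcon</string>
	</array>
	<key>unattended_install</key>
	<true/>
	<!-- Exit 0 here triggers postinstall_script; any other exit code skips it -->
	<key>installcheck_script</key>
	<string>#!/bin/bash

falconctl="/Applications/Falcon.app/Contents/Resources/falconctl"
if [ ! -x "${falconctl}" ]; then
	echo "CrowdStrike Falcon is not installed."
	exit 1
fi

if "${falconctl}" stats --silent; then
	echo "Falcon sensor is loaded."
	exit 1
fi
echo "Falcon remediation is needed."

if /usr/bin/profiles status -type enrollment | /usr/bin/grep -q "MDM enrollment: Yes"; then
	profileList=$(/usr/bin/profiles list)
	if echo "${profileList}" | /usr/bin/grep -q "com.example.profile.SystemExtension.CrowdStrike" &amp;&amp; \
	   echo "${profileList}" | /usr/bin/grep -q "com.example.profile.WebContentFilter.CrowdStrike" &amp;&amp; \
	   echo "${profileList}" | /usr/bin/grep -q "com.example.profile.Privacy.AllFiles"; then
		echo "MDM enrollment and configuration profiles confirmed"
		exit 0
	fi
fi

echo "MDM enrollment and/or configuration profiles are not installed"
exit 1
</string>
	<key>postinstall_script</key>
	<string>#!/bin/bash

falconctl="/Applications/Falcon.app/Contents/Resources/falconctl"
if "${falconctl}" load -v; then
	echo "Successfully loaded the CrowdStrike Falcon background service."
	exit 0
fi
echo "Failed to load the CrowdStrike Falcon background service."
exit 1
</string>
</dict>
</plist>
```

Run plutil -lint on the file before importing it into the repo; a stray unescaped ampersand is the usual reason a hand-edited pkginfo fails to parse.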
