Skip to main content
CrowdStrikebeginner

Install CrowdStrike on Mac: Falcon Sensor Deployment Guide for macOS

Install CrowdStrike Falcon sensor on macOS with step-by-step instructions. Includes sensor download, System Extension approval, Full Disk Access setup, and troubleshooting for Mac deployment.

5 min readUpdated January 2026

The CrowdStrike Falcon Sensor provides advanced endpoint protection for macOS, detecting and preventing threats in real time. Installing the Falcon Sensor on macOS ensures continuous security and visibility over your Apple devices.This guide provides step-by-step instructions for installing the Falcon Sensor on macOS 10.15 (Catalina) and later, including macOS Ventura and Sonoma.

Requirements

  • Administrator privileges on the macOS device.
  • CrowdStrike Falcon Sensor download link and Customer ID (CID) from the CrowdStrike Falcon Console.
  • Internet connection for cloud-based security updates.
  • System Integrity Protection (SIP) enabled (required for newer macOS versions).

CrowdStrike Falcon Command Builder

Generate CrowdStrike Falcon sensor commands for Windows, macOS, and Linux: install with CID and provisioning tokens, uninstall with a maintenance token, verify the sensor is running, configure proxies, and set grouping tags.

Open the full CrowdStrike Falcon Command Builder
Loading interactive tool...

Want us to handle this for you?

Get expert help →

Step 2: Install the Falcon Sensor on macOS

Method 1: Install via GUI (Graphical User Interface)

  1. Locate the downloaded file (FalconSensorMacOS.pkg).
  2. Double-click the file to launch the installer.
  3. Follow the on-screen prompts and enter your admin credentials when required.
  4. When prompted, enter your CrowdStrike Customer ID (CID).
  5. Click Install and wait for the installation to complete.

Method 2: Install via Terminal (Command Line)

For silent installations, use the Terminal:

  1. Open Terminal (Press Command + Space, type Terminal, and hit Enter).

  2. Navigate to the directory where the Falcon Sensor installer is downloaded:

    cd ~/Downloads

  3. Run the installation command (replace YOUR-CUSTOMER-ID with your actual CID):

    sudo installer -pkg FalconSensorMacOS.pkg -target /

  4. Register the Falcon Sensor with your CID:

    sudo /Applications/Falcon.app/Contents/Resources/falconctl license YOUR-CUSTOMER-ID

  5. Verify the installation:

    sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

If installed correctly, you should see Sensor operational: true in the output.

Step 3: Approve System Extensions (Required for macOS 10.15 and Later)

Since macOS Catalina (10.15), Apple requires user approval for third-party system extensions.1. Open System Settings (System Preferences on older macOS). 2. Go to Privacy & Security. 3. Look for a message stating that “CrowdStrike, Inc.” software was blocked. 4. Click Allow and enter your Mac administrator password if prompted. 5. Restart the Mac if required.📌 Note: This step must be performed manually by the user or pre-approved via MDM (Mobile Device Management) for enterprise deployments.

Step 4: Approve Full Disk Access (Required for Falcon to Function Fully)

For Falcon to scan files effectively, Full Disk Access must be granted:1. Open System Settings > Privacy & Security. 2. Scroll down and select Full Disk Access. 3. Click the + icon and add the following Falcon processes: 4. /Applications/Falcon.app/Contents/Resources/falconctl 5. /Applications/Falcon.app/Contents/Resources/falcond 6. Restart the system or run the following command in Terminal:bashCopyEditsudo killall falcond

Step 5: Verify the Falcon Sensor is Running

After installation, confirm that the sensor is active and communicating with CrowdStrike Falcon Console.

Check Sensor Status Using Terminal

Run the following command:

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
You should see output confirming that the **sensor is running and operational**.

Check in the Falcon Console

  1. Log into the CrowdStrike Falcon Console (https://falcon.crowdstrike.com).
  2. Navigate to Hosts > Host Management.
  3. Search for the Mac device by hostname or IP address.
  4. If the sensor is successfully installed and reporting, it will appear as Connected.📌 Note: It may take a few minutes for the device to appear in the console.

Troubleshooting Installation Issues

1. Sensor Does Not Appear in Falcon Console

  • Restart the Mac and wait 5-10 minutes for the sensor to connect.
  • Verify that the Falcon service is running:bashCopyEditsudo /Applications/Falcon.app/Contents/Resources/falconctl stats
  • Ensure that the Mac has an active internet connection.

2. “System Extension Blocked” Message Appears

  • Go to System Settings > Privacy & Security and Allow the CrowdStrike extension.

3. Full Disk Access Not Approved

  • Check Privacy & Security > Full Disk Access and make sure Falcon processes are listed.

4. Installation Fails Due to SIP (System Integrity Protection) Issues

  • Ensure SIP is enabled by running:bashCopyEditcsrutil status
  • If disabled, enable it using macOS Recovery Mode.
Free Download

The CrowdStrike Falcon Admin Cheat Sheet

Quick-reference commands, pre-built exclusion templates for SQL Server, SCCM, Exchange, and Domain Controllers, plus sensor health check scripts.

CrowdStrike Falcon Cheat SheetCommands, exclusion templates, and health scripts

No spam. Unsubscribe anytime.

Best Practices

  • Use MDM for Large Deployments – Pre-approve system extensions and disk access via Jamf, Intune, or Workspace ONE.
  • Monitor New Installs – Regularly check the Falcon Console to verify new installations.
  • Keep Sensors Updated – Ensure that Mac sensors are up-to-date to stay protected from new threats.

Frequently Asked Questions

Find answers to common questions

To ensure CrowdStrike Falcon Sensor installation complies with macOS security requirements, verify compatibility with macOS 10.15 (Catalina) or later. Enable System Integrity Protection (SIP) by checking its status with csrutil status in Terminal; if disabled, enable it via macOS Recovery Mode (restart and hold Command + R). After installation, grant Full Disk Access to Falcon processes by navigating to System Settings > Privacy & Security > Full Disk Access and adding the necessary executables if not listed. In enterprise settings, utilize Mobile Device Management (MDM) solutions like Jamf or Intune to pre-approve system extensions and streamline deployments. Regularly monitor the CrowdStrike Falcon Console to confirm installation status and compliance.

If the Falcon Sensor installation fails due to System Integrity Protection (SIP) issues on macOS, first check SIP status by running csrutil status in Terminal. If SIP is disabled, enable it by restarting your Mac in Recovery Mode (hold Command + R), opening Terminal from the Utilities menu, and executing csrutil enable. Restart your Mac normally and attempt the installation again, ensuring you follow the correct procedures and have administrative privileges. If the installation still fails, check for conflicts with other security applications. Review system logs using the Console app for error messages during installation. For ongoing issues, contact CrowdStrike support with the log details for further assistance.

If your Mac does not appear in the CrowdStrike Falcon Console after installing the Falcon Sensor, first verify the installation by running sudo /Applications/Falcon.app/Contents/Resources/falconctl stats in Terminal. Look for 'Sensor operational: true'. If it’s not operational, the installation may have failed.

Next, ensure your Mac has a stable internet connection, as the sensor needs it to communicate with the CrowdStrike cloud. If connected, restart your Mac, as it may take time for the sensor to establish a connection after installation.

If the issue persists, check firewall settings and ensure that necessary ports (e.g., 443 for HTTPS) are open. If your device still doesn't appear in the console, contact CrowdStrike support for further assistance.

Need help shipping something?

Productized MVP development for founders. 9 SaaS apps shipped — yours could be next, in 6 weeks.

Learn About Secure MVPExplore Custom Software Development

Related Articles

CrowdStrike Falcon RBAC Guide: User Roles, Permissions & Least Privilege Access

Complete guide to CrowdStrike Falcon RBAC and user permissions. Configure least privilege access, create SOC analyst roles, manage admin permissions, and troubleshoot access issues.

Read More →

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Configure CrowdStrike exclusions for Exchange Server. Protect database files, logs, and processes to ensure mail flow.

Read More →

Deploy CrowdStrike Falcon via GPO | Active Directory Guide

Step-by-step guide to deploy CrowdStrike Falcon sensors using Group Policy. Silent installation, startup scripts, troubleshooting tips for AD environments.

Read More →

Related Tools

Free tools to help you implement what you learned

EDR Needs Assessment

Evaluate your endpoint detection and response requirements

Try it free →

MITRE ATT&CK Explorer

Map threats to the MITRE ATT&CK framework

Try it free →

Incident Response Playbook

Generate customized IR playbooks for your organization

Try it free →
Back to CrowdStrike