How to configure Manual Updates
Preface
Organizations have different policies regarding endpoint software updates. Falcon Agent updates are configurable via the Sensor Update Policies. Within the update policies, you can specify whether the Agent should be updated automatically (most common), updated to a specific version, or have updates disabled altogether in favor of software deployment tools.
For more information related to applying and understanding Sensor Update Policies see: https://www.crowdstrike.com/blog/tech-center/update-falcon-sensor/
Configuring Manual Updates
For customers opting to use software deployment tools for updating the sensor, policy options are available to disable cloud updates. From within the Sensor Update Policy, set the version dropdown to “Sensor version updates off”. With this set, no updates will be pushed to endpoints with the given policy applied.
Manual Updates with Uninstall Protection
Uninstall Protection acts as a safeguard to protect the Falcon Agent install. To perform manual updates with Uninstall Protection, the policy must be configured appropriately. The appropriate Sensor Update Policy enables the use of a single, policy-derived maintenance token for the group of endpoints being updated. This policy-derived maintenance token is used to maintain integrity and allow the update to proceed.
Note: Without the properly configured manual update policy, each device will require a one-time, device-specific token to perform the update.
To create a proper manual update policy, navigate to the Sensor Update Policy, set the version to “Sensor version updates off”, and then enable the option for “Bulk maintenance mode”.
When performing bulk updates of the Falcon Agent, click the “REVEAL TOKEN” button to obtain the maintenance token. This token can then be used by your software deployment tools which update the Falcon Agent.
Example Installation Commands
Below are some example install commands that can be used in combination with your software deployment tools. For a full listing of commands and scenarios, see the Deployment guides for Windows and Mac OS. These guides also cover Virtual Desktop Infrastructure (VDI) considerations in greater detail.
https://falcon.crowdstrike.com/support/documentation/23/falcon-sensor-for-windows-deployment-guide
https://falcon.crowdstrike.com/support/documentation/22/falcon-sensor-for-mac-deployment-guide
Windows
    # Update the Falcon Agent
    WindowsSensor.exe /install /quiet /norestart CID=YOUR_CID MAINTENANCE_TOKEN=YOUR_REVEALED_TOKEN

    # Verify Installation Status
    sc query csagent

    # Uninstall the Falcon Agent
    CsUninstallTool.exe /quiet MAINTENANCE_TOKEN=YOUR_REVEALED_TOKEN
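One way a deployment tool could wrap the Windows update command above, added here as an example (it is not CrowdStrike's code): it takes the CID and maintenance token from the environment instead of a script file, runs the installer, and confirms that csagent is running afterwards. The environment variable names FALCON_CID and FALCON_MAINT_TOKEN, the installer path, and the treatment of any non-zero exit code as a failure are assumptions.

```powershell
# Added example: Windows update step for a software deployment tool.
# Assumed names: FALCON_CID and FALCON_MAINT_TOKEN are environment variables
# set by the deployment tool from its secret store for this run only.
param([string]$Installer = '.\WindowsSensor.exe')
$ErrorActionPreference = 'Stop'

function Get-CsAgentState {
    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    # Assumes English sc.exe output, e.g. "STATE : 4  RUNNING".
    $out = & sc.exe query csagent | Out-String
    if ($out -match 'STATE\s*:\s*\d+\s+(\w+)') { return $Matches[1] }
    return 'NOT_FOUND'
}

$cid   = $env:FALCON_CID
$token = $env:FALCON_MAINT_TOKEN
if ([string]::IsNullOrWhiteSpace($cid) -or [string]::IsNullOrWhiteSpace($token)) {
    throw 'CID or maintenance token was not supplied by the deployment tool.'
}

Write-Output "csagent state before update: $(Get-CsAgentState)"

# Same arguments as the command above; the token is never written to the output.
$installArgs = @('/install', '/quiet', '/norestart', "CID=$cid", "MAINTENANCE_TOKEN=$token")
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru

# Drop the token from this process once the installer has returned.
Remove-Item Env:FALCON_MAINT_TOKEN -ErrorAction SilentlyContinue
$token = $null
$installArgs = $null

if ($proc.ExitCode -ne 0) {
    # Assumption: any non-zero exit code is treated as a failure to investigate.
    throw "WindowsSensor.exe exited with code $($proc.ExitCode)"
}

$state = Get-CsAgentState
if ($state -ne 'RUNNING') { throw "csagent is $state after the update" }
Write-Output 'Falcon Agent updated; csagent is RUNNING.'
```

Windows process-creation auditing that records command lines will capture the MAINTENANCE_TOKEN argument, so restrict access to those logs accordingly.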
Mac OS
    # Update the Falcon Agent
    sudo installer -pkg FalconSensorMacOS.pkg -target / --maintenance-token YOUR_REVEALED_TOKEN

    # Apply Customer ID
    sudo /Library/CS/falconctl license YOUR_CID

    # Verify Installation Status
    sysctl cs

    # Uninstall the Falcon Agent
    ### falcon_uninstall.py
    #!/usr/bin/env python
    from __future__ import print_function
    token = "YOUR_TOKEN"
    # Print the token repeatedly so falconctl can read it from stdin;
    # the loop ends when falconctl closes the pipe (IOError).
    try:
        while True:
            print(token)
    except IOError:
        pass

    ./falcon_uninstall.py | sudo /Library/CS/falconctl uninstall --maintenance-token
    ./falcon_maintenance_token.py | sudo /Library/CS/falconctl unload --maintenance-token
    sudo installer -verboseR -package <installer .pkg> -target /
Conclusion
If you’re a customer or potential customer whose internal process dictates that manual updates are required, you should now have a clearer understanding of CrowdStrike’s manual updates configuration.