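#!/usr/bin/env bash
#
# Interactive macOS bootstrap for the Falcon sensor:
#   1. writes a configuration profile and opens it in the Profiles pane,
#   2. waits for the user to confirm the profile was installed,
#   3. fetches the customer ID (cid) and install token from the bootstrap API,
#   4. downloads and installs the sensor package, licenses it and loads it.
#
# Needs curl, jq and sudo rights. Written to run under the bash 3.2 that ships
# with macOS (no bash 4+ features).
set -euo pipefail

# NOTE(review): "_TOKEN_" looks like a placeholder that is substituted before
# the script is handed out — confirm. Once a real value is embedded, the script
# itself is a credential and has to be stored and distributed as one.
TOKEN="_TOKEN_"
API_URL="https://api.foo/sensor/bootstrap"

# Runs the whole bootstrap in order; any failing step aborts the run.
function main() {
  local profilePath sensorData cid installToken

  requireTool curl
  requireTool jq

  echo "Installing profile..."
  profilePath=$(getProfile)
  openInstallProfile "${profilePath}"
  waitForInstall
  # Closing the preferences window is cosmetic, so a failure here must not
  # stop the sensor installation.
  quitSystemPrefs || echo "could not quit System Preferences, continuing" >&2
  rm -f -- "${profilePath}"

  echo "Retrieving sensor boostrap..."
  sensorData=$(getSensorBootstrapInfo)

  echo "Installing sensor..."
  # Split explicitly into two fields instead of relying on unquoted expansion.
  read -r cid installToken <<<"${sensorData}"
  installSensor "${cid}" "${installToken}"

  echo "Loading sensor..."
  loadSensor
}

# Exits with an error when the command named by $1 is not on PATH.
function requireTool() {
  if ! command -v "$1" >/dev/null 2>&1; then
    echo "$1 not found in PATH, exiting" >&2
    exit 1
  fi
}

# Calls the bootstrap API with the auth header; all arguments go to curl.
#   -q      must stay first so curl ignores any ~/.curlrc
#   --fail  makes an HTTP error a non-zero exit instead of saving the error body
#   -H @-   reads the header from stdin so the token never shows up in the
#           process list
function apiRequest() {
  curl -q --fail -H @- "$@" <<<"x-auth-token: ${TOKEN}"
}

# Loads the installed sensor through falconctl.
function loadSensor() {
  sudo /Applications/Falcon.app/Contents/Resources/falconctl load
}

# Downloads the sensor package, installs it and applies the licence data.
# Arguments: $1 - customer ID (cid), $2 - provisioning/install token
# Exits 1 on missing arguments, failed download, failed signature check or a
# missing falconctl after installation.
function installSensor() {
  local cid="${1:-}"
  local token="${2:-}"
  local sensorPath

  if [ -z "$cid" ] || [ -z "$token" ]; then
    echo "cid/token not detected, exiting"
    exit 1
  fi

  sensorPath=$(mktemp)

  # -o writes to the given path. The original -O takes no argument, so the
  # temp path was parsed as a second URL and the package never landed in it.
  if ! apiRequest -o "${sensorPath}" "${API_URL}/installer"; then
    rm -f -- "${sensorPath}"
    echo "sensor installer download failed, exiting" >&2
    exit 1
  fi

  # The package is installed as root, so refuse anything that does not carry
  # a signature pkgutil accepts.
  # NOTE(review): the profile written by getProfile pins the sensor to team
  # identifier X9E956P446; consider also requiring that identifier in the
  # pkgutil output — confirm the installer certificate carries it.
  if ! pkgutil --check-signature "${sensorPath}" >/dev/null; then
    rm -f -- "${sensorPath}"
    echo "sensor installer signature check failed, exiting" >&2
    exit 1
  fi

  if ! sudo installer -verboseR -pkg "${sensorPath}" -target /; then
    rm -f -- "${sensorPath}"
    echo "sensor installation failed, exiting" >&2
    exit 1
  fi
  # Remove the package before the falconctl check so no exit path leaves it
  # behind.
  rm -f -- "${sensorPath}"

  if [ ! -f /Applications/Falcon.app/Contents/Resources/falconctl ]; then
    echo "falconctl not detected, exiting"
    exit 1
  fi

  sudo /Applications/Falcon.app/Contents/Resources/falconctl provisioning-token "${token}"
  sudo /Applications/Falcon.app/Contents/Resources/falconctl license "${cid}"
}

# Fetches the bootstrap record and prints "<cid> <install_token>" on stdout.
# Returns non-zero when the request fails or either field is missing.
function getSensorBootstrapInfo() {
  local jsonResponse cid installToken

  # Explicit returns: bash clears errexit inside command substitutions.
  jsonResponse=$(apiRequest "${API_URL}/data") || return 1

  # -r prints the raw string; without it jq keeps the JSON double quotes and
  # they end up inside the values passed to falconctl.
  # -e turns a null/absent field into a non-zero exit.
  cid=$(jq -er .cid <<<"${jsonResponse}") || return 1
  installToken=$(jq -er .install_token <<<"${jsonResponse}") || return 1

  echo "${cid}" "${installToken}"
}

# Opens the Profiles preference pane together with the profile file.
# Arguments: $1 - path to the .mobileconfig file
function openInstallProfile() {
  local profileFile="$1"
  open /System/Library/PreferencePanes/Profiles.prefPane "${profileFile}"
}

# Blocks until the user confirms the profile installation in a dialog.
function waitForInstall() {
  osascript -e 'display dialog "Did you install the profile in System Preferences>Profiles?\nIf so, we can start installing the sensor for you." buttons {"Yes"}'
}

# Asks System Preferences to quit.
function quitSystemPrefs() {
  osascript -e 'tell application "System Preferences"
  Quit
end tell'
}

# Writes the sensor's configuration profile to a temporary .mobileconfig file
# and prints its path on stdout.
#
# What the profile grants, per its payload types: a web content filter run by
# com.crowdstrike.falcon.Agent, a system-extension allow-list and kernel
# extension approval for team identifier X9E956P446, and a TCC
# SystemPolicyAllFiles entry for com.crowdstrike.falcon.Agent and
# com.crowdstrike.falcon.App. It is the most privileged artefact this script
# produces, so review any change to it line by line.
function getProfile() {
  local tmpFile

  tmpFile=$(mktemp) || return 1
  # The .mobileconfig suffix is added after creation.
  mv "${tmpFile}" "${tmpFile}.mobileconfig" || return 1
  tmpFile="${tmpFile}.mobileconfig"

  # NOTE(review): the property-list XML markup of this payload (plist/dict/
  # array/key/string tags and the boolean values) is missing from this copy of
  # the script; only the keys and string values survive and are kept verbatim
  # below. Restore the markup from the original profile before use — the lint
  # check after the heredoc rejects the payload until that is done.
  cat <<'EOF' > "${tmpFile}"
PayloadUUID 863BE372-D1FA-4082-85B2-3B8FE63797C5
PayloadIdentifier 863BE372-D1FA-4082-85B2-3B8FE63797C5
PayloadType Configuration
PayloadOrganization IRON Security
PayloadDisplayName IRON Sensor Permissions
PayloadDescription Kernel Extensions, System Extensions, and Privacy Preferences for the IRON sensor.
PayloadVersion 1
PayloadEnabled
PayloadRemovalDisallowed
PayloadScope System
PayloadContent
FilterBrowsers
FilterDataProviderBundleIdentifier com.crowdstrike.falcon.Agent
FilterDataProviderDesignatedRequirement identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"
FilterPacketProviderBundleIdentifier com.crowdstrike.falcon.Agent
FilterPacketProviderDesignatedRequirement identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"
FilterGrade inspector
FilterPackets
FilterSockets
FilterType Plugin
Organization CrowdStrike Inc.
PayloadDisplayName Web Content Filter
PayloadIdentifier 2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8
PayloadType com.apple.webcontent-filter
PayloadUUID 2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8
PayloadVersion 1
PluginBundleID com.crowdstrike.falcon.App
UserDefinedName Falcon
PayloadUUID 20258B06-5866-4424-8893-A3AF1AFAAEDC
PayloadIdentifier 20258B06-5866-4424-8893-A3AF1AFAAEDC
PayloadType com.apple.system-extension-policy
PayloadOrganization CrowdStrike Inc.
PayloadDisplayName System Extensions
PayloadDescription Configures System Extensions Policy settings
AllowUserOverrides
AllowedSystemExtensions
X9E956P446
com.crowdstrike.falcon.Agent
AllowedSystemExtensionTypes
X9E956P446
EndpointSecurityExtension
NetworkExtension
PayloadUUID E45B5986-74A6-4B6A-A4CA-E179516A7F52
PayloadIdentifier E45B5986-74A6-4B6A-A4CA-E179516A7F52
PayloadType com.apple.system-extensions.admin
PayloadOrganization CrowdStrike Inc.
PayloadDisplayName App System Extension Control
PayloadDescription Controls the system extension loading/unloading
AllowedTeamIdentifiers
X9E956P446
PayloadUUID 5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE
PayloadIdentifier 5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE
PayloadType com.apple.syspolicy.kernel-extension-policy
PayloadOrganization CrowdStrike Inc.
PayloadDisplayName Kernel Extensions
PayloadDescription Configures Kernel Extension Policy settings
AllowedTeamIdentifiers
X9E956P446
PayloadUUID 9A10BE5D-5E46-4C22-89C9-20597A04B616
PayloadIdentifier 9A10BE5D-5E46-4C22-89C9-20597A04B616
PayloadType com.apple.TCC.configuration-profile-policy
PayloadOrganization CrowdStrike Inc.
PayloadDisplayName Privacy Preferences
PayloadDescription Configures Privacy Preferences Policy Control settings
Services
SystemPolicyAllFiles
Allowed
CodeRequirement identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
Comment
Identifier com.crowdstrike.falcon.Agent
IdentifierType bundleID
StaticCode
Allowed
CodeRequirement identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
Comment
Identifier com.crowdstrike.falcon.App
IdentifierType bundleID
StaticCode
EOF

  # Fail here, with a clear message, rather than handing the Profiles pane a
  # file it cannot parse. Diagnostics go to stderr because stdout carries the
  # path back to the caller.
  if ! plutil -lint "${tmpFile}" >/dev/null 2>&1; then
    echo "generated profile is not a valid property list, exiting" >&2
    rm -f -- "${tmpFile}"
    return 1
  fi

  echo "${tmpFile}"
}

main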