Deploy the Falcon Sensor using a script
Overview
In addition to direct downloads, our platform provides a streamlined way to deploy the sensor across multiple endpoints using your organization’s Remote Monitoring and Management (RMM) or Mobile Device Management (MDM) tools.
This method is designed for IT and security teams that want to automate deployment at scale, ensuring consistent installation and reducing manual effort. Instead of downloading the binary on each device, you can:
- Use a deployment script tailored for RMM/MDM tools.
- Pass an access token at runtime to securely authenticate each installation.
Both the access token and the Falcon cloud region can be found in the Rotate dashboard.
Deploying with Windows
You can pass a Falcon access token when performing a batch install across multiple machines. Every run then reuses the same token instead of calling the token endpoint once per machine.
If you authenticate with an access token, you must also provide FALCON_CLOUD. Treat the token as a secret: a value passed on the command line is visible to anyone who can list processes on the endpoint and may be recorded in the RMM tool’s job history, so prefer the tool’s secure-variable or secret-parameter mechanism where one exists. Access tokens also have a limited lifetime, so a batch that runs longer than the token is valid will fail on the later machines; obtain a fresh token for each batch.
.\falcon_windows_install.ps1 -FalconCloud us-2 -FalconAccessToken <string>
Troubleshooting
To assist in troubleshooting the installation script, add the -Verbose switch to enable detailed logging.
.\falcon_windows_install.ps1 -Verbose -FalconCloud us-2 -FalconAccessToken <string>
Note: This will display additional logs in the console as well as in the log file.
Deploying with Linux
The provided Bash script installs the Falcon Sensor through the Falcon APIs on a Linux endpoint. By default, the script installs the sensor, registers it, and starts the service.
- To perform only the installation, without registration or starting the service, set the FALCON_INSTALL_ONLY environment variable.
- Consult the script’s Environment Variables documentation for more configuration options.
When performing batch installs across multiple machines, specify a Falcon access token to avoid repeatedly calling the token endpoint. You must also provide FALCON_CLOUD.
export FALCON_ACCESS_TOKEN="XXXXXXXX"
export FALCON_CLOUD="us-1"
bash falcon-linux-install.sh
Troubleshooting
For additional visibility during troubleshooting, run the script with bash -x. Note that xtrace prints every command after variable expansion, so the value of FALCON_ACCESS_TOKEN appears in the trace output wherever the script uses it in an API call; do not capture that output to a shared log or paste it into a ticket without redacting the token.
bash -x falcon-linux-install.sh
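The following wrapper is an added example for the batch install and the bash -x troubleshooting step above; it is not part of the Falcon install scripts or of the Rotate documentation. It refuses to start unless FALCON_ACCESS_TOKEN is set and FALCON_CLOUD names a known region, and it runs the installer under bash -x while passing the trace through a filter that replaces the token with [REDACTED] before anything is written to disk. The list of accepted regions (us-1, us-2, eu-1, us-gov-1), the default log file name and the function names are assumptions of the example; check the regions against the script’s Environment Variables documentation.

```shell
#!/bin/sh
# Added example (not part of the Falcon install scripts): pre-flight checks
# and a token-redacting xtrace log for batch runs of falcon-linux-install.sh.

# Accept only the cloud regions this example assumes the script understands.
validate_cloud() {
    case "$1" in
        us-1|us-2|eu-1|us-gov-1) return 0 ;;
        *) return 1 ;;
    esac
}

# Fail early, before any API call, if the two required variables are unusable.
preflight() {
    if [ -z "$FALCON_ACCESS_TOKEN" ]; then
        echo "FALCON_ACCESS_TOKEN is not set" >&2
        return 1
    fi
    if ! validate_cloud "$FALCON_CLOUD"; then
        echo "FALCON_CLOUD must be a known region, got '${FALCON_CLOUD:-<unset>}'" >&2
        return 1
    fi
    return 0
}

# Filter stdin to stdout, replacing every literal occurrence of the exported
# FALCON_ACCESS_TOKEN with [REDACTED]. The token is read inside awk via ENVIRON
# and matched with index(), so characters such as '+', '/' or '.' in a bearer
# token are never interpreted as a regular expression, and the output is built
# piece by piece so the replacement text can never be matched again.
redact_token() {
    awk 'BEGIN { tok = ENVIRON["FALCON_ACCESS_TOKEN"] }
    {
        line = $0; out = ""
        if (tok != "") {
            while ((i = index(line, tok)) > 0) {
                out = out substr(line, 1, i - 1) "[REDACTED]"
                line = substr(line, i + length(tok))
            }
        }
        print out line
    }'
}

# Run the installer under bash -x, sending its stdout and its trace (stderr)
# through redact_token into a log file, and return the installer's own exit
# status rather than the filter's. Arguments: installer path, log path.
run_install_traced() {
    script=${1:-falcon-linux-install.sh}
    log=${2:-falcon-install-trace.log}
    status_file=$(mktemp)
    {
        bash -x "$script" 2>&1 && rc=0 || rc=$?
        echo "$rc" > "$status_file"
    } | redact_token > "$log"
    status=$(cat "$status_file")
    rm -f "$status_file"
    return "$status"
}

# Typical use on a batch host, after exporting the two variables as shown above:
#   preflight && run_install_traced
```

The raw trace never touches the filesystem: only the exit status is written to a temporary file, and the redacted log is the sole record of the run, so it can be attached to a ticket without further cleanup.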
Frequently Asked Questions
Can the sensor run without an internet connection?
No. The sensor must be able to reach the internet to perform checks, receive policy updates, and report results; without a connection it cannot function properly.
How often do tasks run?
The sensor performs checks at regular intervals to keep the system’s security posture current. Depending on configuration settings and requirements, tasks run anywhere from once every few minutes to once per day. Scheduled runs provide prompt detection of issues; tasks can also be triggered manually or by specific events such as a system reboot or a policy update.
What is Endpoint Security?
Endpoint security refers to the protection of individual devices (endpoints) such as computers, laptops, and servers from cybersecurity threats. It involves security measures like antivirus software, firewalls, encryption, and monitoring tools to detect vulnerabilities and prevent attacks. The sensor helps enforce endpoint security by checking for misconfigurations, inactive security software, and other risks that could compromise the system.
Which operating systems are supported?
The Rotate Sensor supports Windows and macOS operating systems.
What’s the difference between Unauthorized, Paused, Deactivated and Uninstalled?
- Unauthorized - The sensor is not logged in with the company’s SSO, so the sensor’s user may not be identifiable. The “Disconnect” button unauthorizes the sensor’s logged-in user.
- Paused - The sensor is temporarily halted but can be easily resumed. This state is often used for maintenance or troubleshooting purposes.
- Deactivated - The sensor is not running and is not collecting data. Use this when a device is no longer relevant but might be again in the future; the sensor remains installed on the user’s device.
- Uninstalled - The sensor is removed from the user’s device. Use this when a device is no longer relevant and never will be. This is irreversible.