This article serves as a guide to install SentinelOne via Addigy's Smart Software.
Note: SentinelOne requires a registration token that is unique per organization.
Table of Contents
Creating the Smart Software
- Create a new Smart Software item in the Catalog. Give it a name and version.
-
Paste the below command into the Installation >Installation Command section of the Smart Software creation window. Then, replace "TOKEN_HERE" with the token for the specific client, which is provided by SentinelOne.
echo "TOKEN_HERE" > "com.sentinelone.registration-token"
If you're planning on deploying this software with different licenses depending on the device location, we recommend using variables to streamline this process.
Note: This command will create the token in the Smart Software's specific directory located in /Library/Addigy/ansible/packages/*your smart software name*/
The above command will create a unique token file that SentinelOne's installer (pkg) requires to be present within the same directory during installation. This token file is what is responsible for licensing the app. - Now we just need to upload and select the installer. While in the Smart Software creation window, click Select File(s) and proceed to upload and select your SentinelOne installer.
- Once the pkg has been uploaded, the Add button will appear next to the package name. Click this button to have the installation script automatically added to the Installation Command section of the Smart Software. In the Installation Command, make sure that it is below the token creation command that we configured in step 2.
- Next, create an applicable Condition Script. A good baseline option is the If file does not exists option. If the directory entered does not exist, then the installation instructions will be executed.
Configuring the MDM Profiles
SentinelOne requires the following MDM profiles: PPPC (for Full Disk Access), System Extensions, Web Content Filter, Notifications, and Service Management.
Full Disk Access
To build a PPPC payload for Full Disk Access, see our article about creating a Full Disk Access payload. The table below contains known binaries for SentinelOne:
| Name | Bundle ID | Signature/Code Requirement |
|---|---|---|
| com.sentinelone.sentineld-helper | com.sentinelone.sentineld-helper | anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN") |
| com.sentinelone.sentineld-shell | com.sentinelone.sentineld-shell | anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN") |
| com.sentinelone.sentineld | com.sentinelone.sentineld | anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN") |
| com.sentinelone.sentinel-shell | com.sentinelone.sentinel-shell |
anchor apple generic and identifier "com.sentinelone.sentinel-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN") |
System Extensions
| Key | Value |
|---|---|
| Display Name | SentinelOne Network Monitoring Extension |
| System Extension Types | Allowed System Extensions |
| Team Identifier | 4AYE5J54KN |
| Allowed System Extensions | com.sentinelone.network-monitoring |
Web Content Filter
Note: Filter Socket Traffic must be Enabled to provide the Filter Data Provider Bundle Identifier and Designated Requirement.
| Key | Value |
|---|---|
| Filter Type | Plugin |
| Plugin Bundle Identifier | com.sentinelone.extensions-wrapper |
|
Filter Data Provider Bundle Identifier |
com.sentinelone.network-monitoring |
| Filter Data Provider Designated Requirement | anchor apple generic and identifier "com.sentinelone.network-monitoring" and (certificate leaf[field.1.2.840.113635.100.6.1.9] or certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "4AYE5J54KN") |
| Filter Sockets | true |
Notifications
| Payload Type | Bundle Identifier |
|---|---|
| com.apple.notificationsettings | com.sentinelone.SentinelAgent |
Service Management
| Type | Value | Comment |
|---|---|---|
| LabelPrefix | com.sentinelone. | Prevent removal of SentinelOne Launch Agents and Launch Daemons |
| BundleIdentifierPrefix | com.sentinelone. | Prevent removal of SentinelOne Launch Agents and Launch Daemons |
You should be all set to deploy SentinelOne after creating the Smart Software, MDM Profiles, and adding these items to your policy.