This article is specifically about deploying SentinelOne via Smart Software. If your account includes the SentinelOne integration (part of the Security Suite), SentinelOne will be deployed automatically. Read more about the SentinelOne integration.
Requirements
- SentinelOne Agent .pkg file
- Registration Token
Device Settings required for Automated Deployment
SentinelOne requires the following Device Settings for a silent installation: PPPC (for Full Disk Access), Network Monitoring Extension (System Extensions), Network Filter Validation (Web Content Filter), Notifications, and Service Management.
These can be configured manually or uploaded and deployed as Custom Profiles using the .mobileconfig files provided at the end of this article. Note that a Custom Profile for Notifications is not provided - this must be configured manually.
Note: Device Settings must be installed prior to the Smart Software item for permissions to be properly set. This will occur automatically when the items are added to a policy (due to their default Installation Priority). Ensure Device Settings are deployed first when installing on individual devices via GoLive.
PPPC for Full Disk Access
For more information about creating a PPPC Payload, refer to: Creating a PPPC Payload for Full Disk Access (FDA)
Select Access to All Protected and System Administration Files and enter the following information:
| Identifier | Identifier Type | Code Requirement |
|---|---|---|
| com.sentinelone.sentineld | Bundle ID | anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN") |
| com.sentinelone.sentineld-helper | Bundle ID | anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN") |
| com.sentinelone.sentineld-shell | Bundle ID | anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN") |
Network Monitoring Extension (System Extensions)
For more information about creating a System Extensions payload, refer to: Allow System Extensions with Addigy MDM
| Key | Value |
|---|---|
| Allow User Overrides | True |
| Allowed System Extensions | Team ID: 4AYE5J54KN, Bundle ID: com.sentinelone.network-monitoring |
Network Filter Validation (Web Content Filter)
| Key | Value |
|---|---|
| Filter Type | Plug-In |
| User Defined Name | SentinelOne Extensions |
| Plugin Bundle ID | com.sentinelone.extensions-wrapper |
| Filter Socket Traffic | Bundle Identifier: com.sentinelone.network-monitoring; Designated Requirement: identifier "com.sentinelone.network-monitoring" and anchor apple generic and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN") |
| Filter Network Packets | False |
| Filter Grade | Firewall |
Notifications
- Select 'Add a Bundle ID'
- Enter Bundle ID: com.sentinelOne.SentinelAgent
- Select 'Add'
- Select 'Settings' and configure the following:
| Include | Settings |
|---|---|
| Enable Notifications | True |
| Show in Lock Screen | True |
| Show in Notification Center | True |
| Allow Sounds | True |
| Allow Badging | True |
| Critical Alerts | True |
| Alert Style When Unlocked | Banner |
Service Management
Note: For macOS Ventura 13.0+ only.
| Rule Type | Rule Value | Team Identifier | Comment |
|---|---|---|---|
| LabelPrefix | com.sentinelone. | 4AYE5J54KN | Prevent removal of SentinelOne Launch Agents and Launch Daemons |
| BundleIdentifierPrefix | com.sentinelone. | 4AYE5J54KN | Prevent removal of SentinelOne Launch Agents and Launch Daemons |
Creating the Smart Software item for SentinelOne
Note: The instructions below are for a single license of SentinelOne. MSPs that need to deploy SentinelOne to multiple tenants with different registration tokens should consider the Variables feature to streamline the process.
- Create a new Smart Software item via Catalog > Smart Software > New. Give it a name and a version number.
- Within the Smart Software creation window, click Select File(s), then upload and select your SentinelOne pkg installer.
- Paste the command below into the Installation Command section. Then, replace TOKEN_HERE with your SentinelOne registration token.
  echo "TOKEN_HERE" > "com.sentinelone.registration-token"
  The above command creates the token file that SentinelOne's installer (pkg) requires to be present in the same directory during installation. This token file is what licenses the app.
- Next, click the 'Add' button next to the Filename (under 'Install Command') to automatically generate the installation command for the pkg file.
Your complete Installation Command should look like the following:
- Add a Condition for Install to your Smart Software item. Select the condition "If file does not exist" and enter the path to SentinelOne:
  /Applications/SentinelOne/SentinelOne Extensions.app
Finally, save your new Smart Software item and assign it to your desired policies for deployment (don't forget to ensure Device Settings have been assigned to the same policies as well)!
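A more defensive variant of the install steps above, as an added example (not the command Addigy generates): it restricts the token file to its owner, refuses a pkg whose installer certificate is not issued to the Team ID pinned in the Device Settings (4AYE5J54KN), applies the same "file does not exist" condition, and removes the token afterwards. The function names and the `--install` argument are illustrative, and the pkg path is supplied by the caller.

```shell
#!/bin/bash
# Added example, not Addigy's generated command. Function names are illustrative.
TEAM_ID="4AYE5J54KN"                              # Team ID from the profile tables
TOKEN_FILE="com.sentinelone.registration-token"   # file name from the article
APP_PATH="/Applications/SentinelOne/SentinelOne Extensions.app"

# Write the token next to the pkg, readable by its owner only.
write_token() {   # $1 = directory, $2 = token
    ( umask 077 && printf '%s\n' "$2" > "$1/$TOKEN_FILE" )
}

# Read `pkgutil --check-signature` output on stdin. Succeed only if the chain
# is trusted by Apple and the installer certificate carries TEAM_ID.
signed_by_team() {
    local out
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'Status: signed by a developer certificate issued by Apple' &&
    printf '%s\n' "$out" | grep -Eq "Developer ID Installer: .*\($TEAM_ID\)[[:space:]]*$"
}

# Same test as the "If file does not exist" install condition.
needs_install() { [ ! -e "${1:-$APP_PATH}" ]; }

install_sentinelone() {   # $1 = path to the pkg, $2 = registration token
    local dir rc
    needs_install || { echo "SentinelOne already present, skipping"; return 0; }
    pkgutil --check-signature "$1" | signed_by_team ||
        { echo "refusing $1: not signed by team $TEAM_ID" >&2; return 1; }
    dir=$(dirname "$1")
    write_token "$dir" "$2" || return 1
    ( cd "$dir" && /usr/sbin/installer -pkg "$(basename "$1")" -target / )
    rc=$?
    # Assumption: the token is only needed during installation, as stated above.
    rm -f "$dir/$TOKEN_FILE"
    return "$rc"
}

# Run as root: script.sh --install /path/to/agent.pkg "TOKEN_HERE"
if [ "${1:-}" = "--install" ]; then install_sentinelone "$2" "$3"; fi
```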