Deploying SentinelOne for Mac via Kandji

We all know that the internet is a wonderful place and for the most part, there is a guide for everything. BUT, sometimes we’ll find ourselves in a unique position with no clear direction or outdated material and honestly, it can be very frustrating. I found myself in this exact position when my org decided to adopt SentinelOne as our EDR solution and I was tasked with deploying it to all of our Macs. After some trial and error, I developed a method that streamlines the process. Hopefully this guide makes your admin life a bit easier.

Prerequisites

Before we dive in, make sure you have the following:

• SentinelOne Site Token: This can be found in your SentinelOne dashboard under the Sentinel tab, then Site Info.

• Five Required Profiles: These need to be added to each device before installing SentinelOne. We’ll cover how to verify their installation using an audit script. To make sure you have this done properly, jump over to my Profiles Guide first before continuing here!

Overview

We’ll be using Kandji’s Custom App Library item to deploy SentinelOne. The process involves:

1. Creating your scripts: An audit script, a pre-install script (optional), and a post-install script.

2. Setting up the Custom App in Kandji: Configuring the installation details and uploading your packaged files.

3. Ensuring profiles are installed: Verifying that the necessary profiles are in place before deployment.

Step 1: Create the Audit Script

The audit script checks if the required profiles are installed on the device. If they aren’t, the script exits, preventing the installation from proceeding. This ensures that SentinelOne doesn’t get installed without the necessary profiles, which could cause issues like loss of internet connectivity.

Here’s the audit script:

1
#!/bin/bash
2

3
# Array of required profiles
4
REQUIRED_PROFILES=(
5
    "S1 - Full Disk Access"
6
    "S1 - Network Filtering"
7
    "S1 - Network Monitoring"
8
    "S1 - Notifications"
9
    "S1 - Service Management"
10
)
11

12
# Function to check if a profile is installed
13
check_profile_installed() {
14
    local profile_name=$1
15
    profiles_list=$(profiles -C -v | awk -F: '/attribute: name/{print $NF}')
16

17
    if echo "$profiles_list" | grep -F -q "$profile_name"; then
18
        return 0
19
    else
20
        return 1
21
    fi
22
}
23

24
# Check each required profile
25
for profile in "${REQUIRED_PROFILES[@]}"; do
26
    if ! check_profile_installed "$profile"; then
27
        echo "Error: $profile is not installed."
28
        exit 0
29
    fi
30
done
31

32
echo "All required profiles are installed. Proceeding to check for SentinelOne..."
33

34
# Check if SentinelOne is installed
35
if [ -d "/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app" ]; then
36
    echo "SentinelOne is installed."
37
    exit 0
38
else
39
    echo "SentinelOne is not installed. Starting install process."
40
    exit 1
41
fi

What This Script Does:

• Checks for the presence of the five required profiles.
• If any profiles are missing, it exits without proceeding.
• If all profiles are present, it checks if SentinelOne is already installed.
  • If installed, it exits.
  • If not installed, it exits with a status that triggers the installation.

Step 2: Create the Pre-Install Script

The pre-install script can contain an optional portion to uninstall any existing EDR or antivirus software before installing SentinelOne. In my case, I used it to remove Avast Business Antivirus and prepare the installation directory. If you don’t need to remove any other AV, just remove everything prior to # Create the director…

Example pre-install script:

1
#!/bin/bash
2

3
# Function to uninstall a program
4
uninstall_program() {
5
    local program_name=$1
6
    local uninstall_script=$2
7

8
    if [ -f "$uninstall_script" ]; then
9
        echo "$program_name found. Attempting to uninstall..."
10

11
        if "$uninstall_script"; then
12
            echo "$program_name uninstalled successfully."
13
        else
14
            echo "Error: Failed to uninstall $program_name."
15
            exit 1
16
        fi
17
    else
18
        echo "$program_name not found. Skipping uninstallation."
19
    fi
20
}
21

22
# Uninstall Avast Business Agent
23
uninstall_program "Avast Business Agent" "/Applications/AvastBusinessAgent.app/Contents/Backend/hub/uninstall.sh"
24

25
# Uninstall Avast Antivirus
26
uninstall_program "Avast Antivirus" "/Applications/Avast.app/Contents/Backend/hub/uninstall.sh"
27

28
# Create the directory /tmp/sentinel_install/
29
echo "Creating directory /tmp/sentinel_install/..."
30
if mkdir -p /tmp/sentinel_install/; then
31
    echo "Directory /tmp/sentinel_install/ created successfully."
32
else
33
    echo "Error: Failed to create directory /tmp/sentinel_install/."
34
    exit 1
35
fi
36

37
echo "Script completed successfully."

What This Script Does:

• Uninstalls specified programs if they are found.
• Prepares the /tmp/sentinel_install/ directory for the installation files.

Step 3: Create the Post-Install Script

The post-install script handles the actual installation of SentinelOne and cleans up afterwards.

1
#!/bin/bash
2

3
# Define the registration token
4
SITE_TOKEN="YOUR_SITE_TOKEN_HERE"
5

6
# Create the registration token file
7
echo "$SITE_TOKEN" > /tmp/sentinel_install/com.sentinelone.registration-token
8
if [ $? -ne 0 ]; then
9
    echo "Error: Failed to create registration token file."
10
    exit 1
11
fi
12

13
# Install the SentinelOne package
14
/usr/sbin/installer -pkg /tmp/sentinel_install/sentinel-installer.pkg -target /
15
if [ $? -ne 0 ]; then
16
    echo "Error: Failed to install the SentinelOne package."
17
    exit 1
18
fi
19

20
# Remove the temporary installation directory
21
rm -rf /tmp/sentinel_install
22
if [ $? -ne 0 ]; then
23
    echo "Error: Failed to remove temporary installation directory."
24
    exit 1
25
fi
26

27
echo "Script completed successfully."

What This Script Does:

• Inserts your Site Token into the com.sentinelone.registration-token file.
• Runs the SentinelOne installer package.
• Cleans up temporary files to ensure security (since the Site Token is sensitive information).

Note: Replace YOUR_SITE_TOKEN_HERE with your actual Site Token, and ensure the file paths match your zip file’s structure.

Step 4: Prepare the ZIP File

Your ZIP file should contain:

• sentinel-installer.pkg (the SentinelOne installer package you’ve downloaded from the SentinelOne dashboard, renamed to simplify the script).

• An empty text file named com.sentinelone.registration-token (the post-install script will populate this).

Compress these two items together and name it accordingly.

Step 5: Set Up the Custom App in Kandji

Now, let’s configure the Custom App in Kandji.

1. Create a New Library Item:
   • Go to your Kandji dashboard and add a new Custom App library item.
   • Select Audit and Enforce for the installation method.
2. Configure the Audit Script using the Script from Step 1.
3. Configure Installation Details:
   • Deployment Type: Uncheck Self Service to deploy silently.
   • Installation Type: Select ZIP File.
   • Unzip Location: Set to /tmp/sentinel_install/ or your chosen directory. (Remember, if you change the unzip location you need to update your file paths within the script).
   • Pre-Install Script: If you’re uninstalling other software, include the pre-install script from Step 2.
   • Upload ZIP File: Upload the ZIP file you prepared in Step 4.
4. Post-Install Script:
   • Add the Post-Install Script from Step 3.
   • Double-check that the Site Token and file paths are correct.

Step 6: Ensure Profiles Are Installed

Before deploying the app to your devices, make sure the five required profiles are installed. These profiles handle necessary permissions for SentinelOne to function properly.

Required Profiles:

1. S1 - Full Disk Access
2. S1 - Network Filtering
3. S1 - Network Monitoring
4. S1 - Notifications
5. S1 - Service Management

You can create these profiles in Kandji and assign them to your devices. The audit script will verify their presence before allowing the installation to proceed.

Step 7: Deployment

With everything set up:

• Test the Deployment: Before rolling it out company-wide, test on a few devices to ensure everything works smoothly.
• Assign to Blueprints: Once confirmed, add the Custom App and profiles to your desired Blueprints or Assignment Maps in Kandji.

Final Thoughts

I developed this method because I couldn’t find a reliable guide that covered all the nuances of deploying SentinelOne with Kandji. By sharing my scripts and process, I hope to save you time and headaches.

Feedback Welcome!

If you have suggestions to improve these scripts or the deployment process, I’d love to hear them. Collaboration makes us all better at what we do.

Stay Tuned…

I’m working on my next post which will provide you all with the specific Profiles for you to edit and deploy or you can try deploying this one from GitHub but I haven’t used it and not sure if it will properly work. Sentinel-One-Combined-Profile.mobileconfig

If you decide to use the combined profile, make sure you update the audit script to only look for a single Profile versus 5 separate Profiles.

Check out my post about the S1 Profiles here

Happy deploying!

If you found this guide helpful or have questions, don’t hesitate to reach out. Managing a Mac environment can be challenging, but with the right tools and shared knowledge, we can make it a smoother experience for everyone.

Make sure you Subscribe to my Substack to get the latest updates from me.