In my previous post, I walked you through deploying SentinelOne on Mac devices using Kandji. Now I’ll go through the configuration profiles the devices need so that everything runs smoothly.
Most of these profiles come directly from the SentinelOne (S1) documentation. The one I had the most difficulty finding was the profile that allows all notifications, so that one is a custom profile I created with the iMazing Profile Editor. Let’s jump in!
Why Configuration Profiles Matter
Before installing SentinelOne, you need to deploy five essential configuration profiles to each Mac device:
- S1 - Service Management
- S1 - Full Disk Access
- S1 - Network Filtering
- S1 - Network Monitoring
- S1 - Notifications
These profiles grant SentinelOne the permissions it needs to monitor and protect your devices effectively. Skipping this step will most likely lead to issues down the road. For instance, if the Network Filtering and Network Monitoring profiles are not installed before the SentinelOne PKG, you’ll most likely run into connectivity issues on the device.
Creating the Configuration Profiles
Below are the XML contents for each profile. You’ll need to save each one as a .mobileconfig file and upload it to Kandji. I recommend copying and pasting the contents into the TextEdit app on your Mac.
S1 - Service Management.mobileconfig
This profile manages components that run at startup, ensuring SentinelOne’s launch agents and launch daemons cannot be removed.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
    <key>PayloadDescription</key>
    <string>Manage components that run at start up</string>
    <key>PayloadDisplayName</key>
    <string>S1 - Service Management</string>
    <key>PayloadIdentifier</key>
    <string>2B752EEE-3A7D-4995-94C2-41532A4479E4</string>
    <key>PayloadOrganization</key>
    <string>Sentinel Labs, Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>8F211DB0-7065-4A0D-8738-7277C7CDD384</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.servicemanagement</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.servicemanagement.E01FDD5D-6953-4F89-AE9C-98EC6AF31483</string>
            <key>PayloadUUID</key>
            <string>E01FDD5D-6953-4F89-AE9C-98EC6AF31483</string>
            <key>Rules</key>
            <array>
                <dict>
                    <key>RuleType</key>
                    <string>LabelPrefix</string>
                    <key>RuleValue</key>
                    <string>com.sentinelone.</string>
                    <key>Comment</key>
                    <string>Prevent removal of SentinelOne Launch Agents and Launch Daemons</string>
                </dict>
                <dict>
                    <key>RuleType</key>
                    <string>BundleIdentifierPrefix</string>
                    <key>RuleValue</key>
                    <string>com.sentinelone.</string>
                    <key>Comment</key>
                    <string>Prevent removal of SentinelOne Launch Agents and Launch Daemons</string>
                </dict>
            </array>
        </dict>
    </array>
</dict>
</plist>
S1 - Full Disk Access.mobileconfig
This profile grants Full Disk Access to the SentinelOne daemon, helper and shell processes.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string></string>
            <key>PayloadDisplayName</key>
            <string>Privacy Preferences Policy Control</string>
            <key>PayloadIdentifier</key>
            <string>236FFBB3-159D-4A5F-B146-AAA7BBA11FF0</string>
            <key>PayloadOrganization</key>
            <string>Your Company</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>236FFBB3-159D-4A5F-B146-AAA7BBA11FF0</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>SystemPolicyAllFiles</key>
                <array>
                    <!-- SentinelOne Daemon -->
                    <dict>
                        <key>Allowed</key>
                        <integer>1</integer>
                        <key>CodeRequirement</key>
                        <string>anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] exists or certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
                        <key>Identifier</key>
                        <string>com.sentinelone.sentineld</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>StaticCode</key>
                        <integer>0</integer>
                    </dict>
                    <!-- SentinelOne Helper -->
                    <dict>
                        <key>Allowed</key>
                        <integer>1</integer>
                        <key>CodeRequirement</key>
                        <string>anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] exists or certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
                        <key>Identifier</key>
                        <string>com.sentinelone.sentineld-helper</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>StaticCode</key>
                        <integer>0</integer>
                    </dict>
                    <!-- SentinelOne Shell -->
                    <dict>
                        <key>Allowed</key>
                        <integer>1</integer>
                        <key>CodeRequirement</key>
                        <string>anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] exists or certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
                        <key>Identifier</key>
                        <string>com.sentinelone.sentineld-shell</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>StaticCode</key>
                        <integer>0</integer>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Provides access to all disk to SentinelOne processes</string>
    <key>PayloadDisplayName</key>
    <string>S1 - Full Disk Access</string>
    <key>PayloadIdentifier</key>
    <string>0F7D9FAD-1257-402C-A942-354723513881</string>
    <key>PayloadOrganization</key>
    <string>Sentinel Labs, Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>5961E10D-A589-4A7E-9790-8F1C55511014</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
S1 - Network Filtering.mobileconfig
This profile authorizes SentinelOne’s network content filter (provided by its network-monitoring extension) so that it is validated automatically.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>FilterDataProviderBundleIdentifier</key>
            <string>com.sentinelone.network-monitoring</string>
            <key>FilterDataProviderDesignatedRequirement</key>
            <string>identifier "com.sentinelone.network-monitoring" and anchor apple generic and (certificate leaf[field.1.2.840.113635.100.6.1.9] exists or certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
            <key>FilterGrade</key>
            <string>firewall</string>
            <key>FilterPackets</key>
            <false/>
            <key>FilterSockets</key>
            <true/>
            <key>FilterType</key>
            <string>Plugin</string>
            <key>PayloadDisplayName</key>
            <string>Web Content Filter Payload</string>
            <key>PayloadIdentifier</key>
            <string>14DDD990-E2D8-4DD1-8CC6-72FEFB5F252B</string>
            <key>PayloadOrganization</key>
            <string>Sentinel Labs, Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.webcontent-filter</string>
            <key>PayloadUUID</key>
            <string>14DDD990-E2D8-4DD1-8CC6-72FEFB5F252B</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PluginBundleID</key>
            <string>com.sentinelone.extensions-wrapper</string>
            <key>UserDefinedName</key>
            <string>SentinelOne Extensions</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Authorizes SentinelOne Network Filter automatic validation.</string>
    <key>PayloadDisplayName</key>
    <string>S1 - Network Filtering</string>
    <key>PayloadIdentifier</key>
    <string>7889BE15-9387-4CDD-B2D7-D57B65EDA1E5</string>
    <key>PayloadOrganization</key>
    <string>Sentinel Labs, Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>2C480E0F-AA21-420F-8BC8-0E1AC975BC51</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
S1 - Network Monitoring.mobileconfig
This profile enables automatic loading of SentinelOne’s system extension for network monitoring.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AllowUserOverrides</key>
            <true/>
            <key>AllowedSystemExtensions</key>
            <dict>
                <key>4AYE5J54KN</key>
                <array>
                    <string>com.sentinelone.network-monitoring</string>
                </array>
            </dict>
            <key>PayloadDescription</key>
            <string></string>
            <key>PayloadDisplayName</key>
            <string>System Extensions</string>
            <key>PayloadIdentifier</key>
            <string>1BDD5153-6C81-4E0F-B409-1C321FF5E251</string>
            <key>PayloadOrganization</key>
            <string>Sentinel Labs, Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.system-extension-policy</string>
            <key>PayloadUUID</key>
            <string>1BDD5153-6C81-4E0F-B409-1C321FF5E251</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Enables automatic loading of SentinelOne System Extension.</string>
    <key>PayloadDisplayName</key>
    <string>S1 - Network Monitoring</string>
    <key>PayloadIdentifier</key>
    <string>C957C35F-004C-4CF4-B075-9CAE5739081B</string>
    <key>PayloadOrganization</key>
    <string>Sentinel Labs, Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>67BEF468-52BF-4DC9-96E2-2CCF1FEA127E</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
S1 - Notifications.mobileconfig
Lastly, this profile forces notifications from the SentinelOne agent (com.sentinelone.SentinelAgent) to be enabled, so users cannot silence them.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadDisplayName</key>
    <string>S1 - Notifications</string>
    <key>PayloadDescription</key>
    <string>Forces notifications for SentinelOne Agent</string>
    <key>PayloadIdentifier</key>
    <string>S1-Notification-Profile.AC0826C1-CBE8-4FD1-9FD3-2E8963CEF670</string>
    <key>PayloadOrganization</key>
    <string>Sentinel Labs, Inc.</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>4C1C0E79-8E7F-4443-8245-89C10A615E6D</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>TargetDeviceType</key>
    <integer>5</integer>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDisplayName</key>
            <string>Notifications</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.notificationsettings.406D4B22-BE3A-4361-8C7B-B8ECE25BC8D6</string>
            <key>PayloadType</key>
            <string>com.apple.notificationsettings</string>
            <key>PayloadUUID</key>
            <string>2EA2BDB3-83CE-40DB-B3DF-33BD0094F0DF</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>NotificationSettings</key>
            <array>
                <dict>
                    <key>AlertType</key>
                    <integer>1</integer>
                    <key>BadgesEnabled</key>
                    <true/>
                    <key>BundleIdentifier</key>
                    <string>com.sentinelone.SentinelAgent</string>
                    <key>CriticalAlertEnabled</key>
                    <true/>
                    <key>GroupingType</key>
                    <integer>0</integer>
                    <key>NotificationsEnabled</key>
                    <true/>
                    <key>ShowInCarPlay</key>
                    <false/>
                    <key>ShowInLockScreen</key>
                    <true/>
                    <key>ShowInNotificationCenter</key>
                    <true/>
                    <key>SoundsEnabled</key>
                    <true/>
                </dict>
            </array>
        </dict>
    </array>
</dict>
</plist>
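As an added pre-upload check (not part of the original post, and not SentinelOne's or Kandji's tooling), the Python script below lints each saved .mobileconfig before it goes into Kandji: it rejects files that TextEdit has damaged with smart quotes or rich-text formatting, and confirms that each file is System-scoped and carries the payload type and SentinelOne identifier its name promises. It assumes the PayloadDisplayName values above are kept as-is; the embedded sample profile is a constructed minimal stand-in, not one of the profiles above.

```python
# Pre-upload lint for the five S1 .mobileconfig files. Assumes the files keep
# the PayloadDisplayName values used on this page (added example, not S1 code).
import plistlib

TEAM_ID = "4AYE5J54KN"  # SentinelOne Team ID, as it appears in the profiles
# display name -> (inner payload type, identifier that must appear inside it)
EXPECTED = {
    "S1 - Service Management": ("com.apple.servicemanagement", "com.sentinelone."),
    "S1 - Full Disk Access": ("com.apple.TCC.configuration-profile-policy", TEAM_ID),
    "S1 - Network Filtering": ("com.apple.webcontent-filter", "com.sentinelone.network-monitoring"),
    "S1 - Network Monitoring": ("com.apple.system-extension-policy", TEAM_ID),
    "S1 - Notifications": ("com.apple.notificationsettings", "com.sentinelone.SentinelAgent"),
}
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # what TextEdit substitutes for " and '

def lint_profile(data: bytes) -> list[str]:
    """Return the problems found in one .mobileconfig; an empty list means OK."""
    if any(c in data.decode("utf-8", "replace") for c in SMART_QUOTES):
        return ["contains smart quotes; re-save as plain text with smart quotes off"]
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # rich text, truncated paste, malformed XML
        return [f"not a valid XML plist: {exc}"]
    name = plist.get("PayloadDisplayName")
    if name not in EXPECTED:
        return [f"unexpected PayloadDisplayName {name!r}"]
    problems = []
    if plist.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System (device-level profile)")
    if plist.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    want_type, want_marker = EXPECTED[name]
    payloads = plist.get("PayloadContent", [])
    if not any(p.get("PayloadType") == want_type for p in payloads):
        problems.append(f"missing inner payload of type {want_type}")
    elif want_marker not in str(payloads):  # str() also covers dict keys (team ID)
        problems.append(f"inner payload does not reference {want_marker}")
    return problems

# Constructed minimal sample (not one of the page's profiles) for a self-check.
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>PayloadDisplayName</key><string>S1 - Network Monitoring</string>
<key>PayloadScope</key><string>System</string><key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.system-extension-policy</string>
<key>AllowedSystemExtensions</key><dict><key>4AYE5J54KN</key>
<array><string>com.sentinelone.network-monitoring</string></array></dict>
</dict></array></dict></plist>"""
# The same bytes after TextEdit has turned the declaration's quotes into smart quotes.
SAMPLE_SMART = SAMPLE_OK.replace(b'version="1.0"', "version=\u201c1.0\u201d".encode())
```

Call lint_profile() on the bytes of each saved file; an empty list means the file is safe to upload.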
Uploading Profiles to Kandji
Here’s how to get these profiles into Kandji:
- Create the .mobileconfig files:
  - Copy each XML content into a plain text editor like TextEdit on your Mac.
  - Save the file with the exact name provided, ending with .mobileconfig (e.g., S1 - Service Management.mobileconfig).
- Upload to Kandji:
  - Log in to your Kandji dashboard.
  - Navigate to Library > Add New > Configuration Profile.
  - Upload each .mobileconfig file.
- Assign profiles to devices:
  - Add the profiles to the relevant Blueprints or Assignment Maps.
  - Ensure these profiles are deployed before installing SentinelOne.
Important Notes
- Profiles Must Be Installed First: The audit script from my previous post checks for these profiles. If they’re not installed, the SentinelOne installation won’t proceed.
- Reboot Required: After installing SentinelOne and the profiles, it’s highly recommended that users restart their Macs. If you don’t, you’ll most likely see an error in the S1 dashboard reporting that S1 isn’t fully installed.
- All-In-One Script: There’s a combined script on GitHub from Kandji, but it’s a little outdated and Kandji no longer has it publicly available. I haven’t tested it, but if you’d rather have a single profile handle this, you can give it a try. I personally recommend using the profiles and scripts provided here for the most reliable results.
Wrapping Up
I hope I was able to help you out a little on getting S1 properly deployed for your Mac fleet. As always, if you have suggestions or improvements, feel free to share them. Collaboration is key in our field, and together we can find better ways to manage our Mac environments.
Make sure you Subscribe to my Substack to get the latest updates from me.