The Ultimate SentinelOne Deployment Guide for Kandji

Working in IT and Security is ever-evolving. You are always being introduced to new problems, daunting projects, and emerging threats. Fortunately, at times you come across a way to simplify your life.

In my previous SentinelOne posts (Here and Here), I walked you through how to use Kandji to deploy SentinelOne and a few profiles. It was an easy enough process but after a recent chat with a fellow IT Guru (thanks Campbell) I was able to make the process a little easier to manage and maintain.

So, are you ready to make SentinelOne deployments and upkeep fade into the background in your already busy life? Me too, let’s jump in!

What changed?

The major changes to the process are as follows:

Removed the pre and post install scripts.
Changed Install process from Zip File to Package Installer.
Moved the SentinelOne Site/Group Token into a custom profile.

Step 1: Creating and Uploading the Configuration Profiles

Before installing SentinelOne, you need to deploy six essential configuration profiles to each Mac device:

S1 - Service Management
S1 - Full Disk Access
S1 - Network Filtering
S1 - Network Monitoring
S1 - Notifications
S1 - Token

These profiles grant SentinelOne the permissions it needs to monitor and protect your devices effectively. Skipping this step will most likely lead to issues down the road. For instance, if you don’t have the Network Filtering and Monitoring profiles installed prior to installing the SentinelOne PKG, you’ll most likely run into connectivity issues on the device and/or annoying pop-ups.

Below are the XML contents for each profile. Each one can be found on GitHub where all you’ll need to do is download them and make a minor change for the Token profile prior to uplodading into Kandji. If you prefer the manual path, just copy and paste these into a text document, save them as a .mobileconfig and upload them.

1. S1 - Service Management.mobileconfig

Grab on GitHub

This profile manages components that run at startup, ensuring SentinelOne’s services are not removed.

1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3
<plist version="1.0">
4
<dict>
5
  <key>PayloadContent</key>
6
  <array>
7
    <dict>
8
      <key>PayloadIdentifier</key>
9
      <string>com.apple.servicemanagement.E01FDD5D-6953-4F89-AE9C-98EC6AF31483</string>
10
      <key>PayloadType</key>
11
      <string>com.apple.servicemanagement</string>
12
      <key>PayloadUUID</key>
13
      <string>E01FDD5D-6953-4F89-AE9C-98EC6AF31483</string>
14
      <key>Rules</key>
15
      <array>
16
        <dict>
17
          <key>Comment</key>
18
          <string>Prevent removal of SentinelOne Launch Agents and Launch Daemons</string>
19
          <key>RuleType</key>
20
          <string>LabelPrefix</string>
21
          <key>RuleValue</key>
22
          <string>com.sentinelone.</string>
23
        </dict>
24
        <dict>
25
          <key>Comment</key>
26
          <string>Prevent removal of SentinelOne Launch Agents and Launch Daemons</string>
27
          <key>RuleType</key>
28
          <string>BundleIdentifierPrefix</string>
29
          <key>RuleValue</key>
30
          <string>com.sentinelone.</string>
31
        </dict>
32
      </array>
33
    </dict>
34
  </array>
35
  <key>PayloadDescription</key>
36
  <string>Manage components that run at start up</string>
37
  <key>PayloadDisplayName</key>
38
  <string>S1 - Service Management</string>
39
  <key>PayloadIdentifier</key>
40
  <string>com.kandji.profile.custom.171d06c6-d781-4756-9371-fbd5f91b23e5</string>
41
  <key>PayloadOrganization</key>
42
  <string>Sentinel Labs, Inc.</string>
43
  <key>PayloadRemovalDisallowed</key>
44
  <true/>
45
  <key>PayloadScope</key>
46
  <string>System</string>
47
  <key>PayloadType</key>
48
  <string>Configuration</string>
49
  <key>PayloadUUID</key>
50
  <string>998ba1a8-d0f9-5b57-bb75-967dc12f9799</string>
51
  <key>PayloadVersion</key>
52
  <integer>1</integer>
53
</dict>
54
</plist>

2. S1 - Full Disk Access.mobileconfig

Grab on GitHub

This profile grants SentinelOne full disk access.

1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3
<plist version="1.0">
4
<dict>
5
  <key>PayloadContent</key>
6
  <array>
7
    <dict>
8
      <key>PayloadDescription</key>
9
      <string></string>
10
      <key>PayloadDisplayName</key>
11
      <string>Privacy Preferences Policy Control</string>
12
      <key>PayloadIdentifier</key>
13
      <string>236FFBB3-159D-4A5F-B146-AAA7BBA11FF0</string>
14
      <key>PayloadOrganization</key>
15
      <string>Your Company</string>
16
      <key>PayloadType</key>
17
      <string>com.apple.TCC.configuration-profile-policy</string>
18
      <key>PayloadUUID</key>
19
      <string>236FFBB3-159D-4A5F-B146-AAA7BBA11FF0</string>
20
      <key>PayloadVersion</key>
21
      <integer>1</integer>
22
      <key>Services</key>
23
      <dict>
24
        <key>SystemPolicyAllFiles</key>
25
        <array>
26
          <dict>
27
            <key>Allowed</key>
28
            <integer>1</integer>
29
            <key>CodeRequirement</key>
30
            <string>anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
31
            <key>Identifier</key>
32
            <string>com.sentinelone.sentineld</string>
33
            <key>IdentifierType</key>
34
            <string>bundleID</string>
35
            <key>StaticCode</key>
36
            <integer>0</integer>
37
          </dict>
38
          <dict>
39
            <key>Allowed</key>
40
            <integer>1</integer>
41
            <key>CodeRequirement</key>
42
            <string>anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
43
            <key>Identifier</key>
44
            <string>com.sentinelone.sentineld-helper</string>
45
            <key>IdentifierType</key>
46
            <string>bundleID</string>
47
            <key>StaticCode</key>
48
            <integer>0</integer>
49
          </dict>
50
          <dict>
51
            <key>Allowed</key>
52
            <integer>1</integer>
53
            <key>CodeRequirement</key>
54
            <string>anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
55
            <key>Identifier</key>
56
            <string>com.sentinelone.sentineld-shell</string>
57
            <key>IdentifierType</key>
58
            <string>bundleID</string>
59
            <key>StaticCode</key>
60
            <integer>0</integer>
61
          </dict>
62
        </array>
63
      </dict>
64
    </dict>
65
  </array>
66
  <key>PayloadDescription</key>
67
  <string>Provides access to all disk to Sentinel One processes</string>
68
  <key>PayloadDisplayName</key>
69
  <string>S1 - Full Disk Access</string>
70
  <key>PayloadIdentifier</key>
71
  <string>com.kandji.profile.custom.c8e2c703-2228-4b77-a251-b488b4e36104</string>
72
  <key>PayloadOrganization</key>
73
  <string>Sentinel Labs, Inc.</string>
74
  <key>PayloadRemovalDisallowed</key>
75
  <true/>
76
  <key>PayloadScope</key>
77
  <string>System</string>
78
  <key>PayloadType</key>
79
  <string>Configuration</string>
80
  <key>PayloadUUID</key>
81
  <string>d7da0976-c4e7-5a82-8c3e-c3853cb51a85</string>
82
  <key>PayloadVersion</key>
83
  <integer>1</integer>
84
</dict>
85
</plist>

3. S1 - Network Filtering.mobileconfig

Grab on GitHub

This profile authorizes automatic validation of SentinelOne network filtering.

1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3
<plist version="1.0">
4
<dict>
5
  <key>PayloadContent</key>
6
  <array>
7
    <dict>
8
      <key>FilterDataProviderBundleIdentifier</key>
9
      <string>com.sentinelone.network-monitoring</string>
10
      <key>FilterDataProviderDesignatedRequirement</key>
11
      <string>identifier "com.sentinelone.network-monitoring" and anchor apple generic and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
12
      <key>FilterGrade</key>
13
      <string>firewall</string>
14
      <key>FilterPackets</key>
15
      <false/>
16
      <key>FilterSockets</key>
17
      <true/>
18
      <key>FilterType</key>
19
      <string>Plugin</string>
20
      <key>PayloadDisplayName</key>
21
      <string>Web Content Filter Payload</string>
22
      <key>PayloadIdentifier</key>
23
      <string>14DDD990-E2D8-4DD1-8CC6-72FEFB5F252B</string>
24
      <key>PayloadOrganization</key>
25
      <string>JAMF Software</string>
26
      <key>PayloadType</key>
27
      <string>com.apple.webcontent-filter</string>
28
      <key>PayloadUUID</key>
29
      <string>14DDD990-E2D8-4DD1-8CC6-72FEFB5F252B</string>
30
      <key>PayloadVersion</key>
31
      <integer>1</integer>
32
      <key>PluginBundleID</key>
33
      <string>com.sentinelone.extensions-wrapper</string>
34
      <key>UserDefinedName</key>
35
      <string>SentinelOne Extensions</string>
36
    </dict>
37
  </array>
38
  <key>PayloadDescription</key>
39
  <string>Authorizes SentinelOne Network Filter automatic validation.</string>
40
  <key>PayloadDisplayName</key>
41
  <string>S1 - Network Filtering</string>
42
  <key>PayloadIdentifier</key>
43
  <string>com.kandji.profile.custom.b2733b15-44c2-41e0-a958-08dc2086b1d4</string>
44
  <key>PayloadOrganization</key>
45
  <string>Sentinel Labs, Inc.</string>
46
  <key>PayloadRemovalDisallowed</key>
47
  <true/>
48
  <key>PayloadScope</key>
49
  <string>System</string>
50
  <key>PayloadType</key>
51
  <string>Configuration</string>
52
  <key>PayloadUUID</key>
53
  <string>c44d89ec-1790-5c05-a407-590166aeeb68</string>
54
  <key>PayloadVersion</key>
55
  <integer>1</integer>
56
</dict>
57
</plist>

4. S1 - Network Monitoring.mobileconfig

Grab on GitHub

This profile enables automatic loading of SentinelOne’s system extension for network monitoring.

NOTE: It is possible to replace this profile within Kandji by using a System Extension versus a custom profile.

1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3
<plist version="1.0">
4
<dict>
5
  <key>PayloadContent</key>
6
  <array>
7
    <dict>
8
      <key>AllowUserOverrides</key>
9
      <true/>
10
      <key>AllowedSystemExtensions</key>
11
      <dict>
12
        <key>4AYE5J54KN</key>
13
        <array>
14
          <string>com.sentinelone.network-monitoring</string>
15
        </array>
16
      </dict>
17
      <key>PayloadDescription</key>
18
      <string></string>
19
      <key>PayloadDisplayName</key>
20
      <string>System Extensions</string>
21
      <key>PayloadIdentifier</key>
22
      <string>1BDD5153-6C81-4E0F-B409-1C321FF5E251</string>
23
      <key>PayloadOrganization</key>
24
      <string>Gete.Net Consulting</string>
25
      <key>PayloadType</key>
26
      <string>com.apple.system-extension-policy</string>
27
      <key>PayloadUUID</key>
28
      <string>1BDD5153-6C81-4E0F-B409-1C321FF5E251</string>
29
      <key>PayloadVersion</key>
30
      <integer>1</integer>
31
    </dict>
32
  </array>
33
  <key>PayloadDescription</key>
34
  <string>Enables automatic loading of SentinelOne System Extension.</string>
35
  <key>PayloadDisplayName</key>
36
  <string>S1 - Network Monitoring</string>
37
  <key>PayloadIdentifier</key>
38
  <string>com.kandji.profile.custom.91444b37-8d15-46e9-a689-a52d526671c9</string>
39
  <key>PayloadOrganization</key>
40
  <string>Sentinel Labs, Inc.</string>
41
  <key>PayloadRemovalDisallowed</key>
42
  <true/>
43
  <key>PayloadScope</key>
44
  <string>System</string>
45
  <key>PayloadType</key>
46
  <string>Configuration</string>
47
  <key>PayloadUUID</key>
48
  <string>e392826e-b758-5e39-959a-ed4f813ab1d9</string>
49
  <key>PayloadVersion</key>
50
  <integer>1</integer>
51
</dict>
52
</plist>

5. S1 - Notifications.mobileconfig

Grab on GitHub

Lastly, this profile forces acceptance of all notifications from the SentinelOne agent.

1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3
<plist version="1.0">
4
<dict>
5
  <key>PayloadContent</key>
6
  <array>
7
    <dict>
8
      <key>NotificationSettings</key>
9
      <array>
10
        <dict>
11
          <key>AlertType</key>
12
          <integer>1</integer>
13
          <key>BadgesEnabled</key>
14
          <true/>
15
          <key>BundleIdentifier</key>
16
          <string>com.sentinelone.SentinelAgent</string>
17
          <key>CriticalAlertEnabled</key>
18
          <true/>
19
          <key>GroupingType</key>
20
          <integer>0</integer>
21
          <key>NotificationsEnabled</key>
22
          <true/>
23
          <key>ShowInCarPlay</key>
24
          <false/>
25
          <key>ShowInLockScreen</key>
26
          <true/>
27
          <key>ShowInNotificationCenter</key>
28
          <true/>
29
          <key>SoundsEnabled</key>
30
          <true/>
31
        </dict>
32
      </array>
33
      <key>PayloadDisplayName</key>
34
      <string>Notifications</string>
35
      <key>PayloadIdentifier</key>
36
      <string>com.apple.notificationsettings.406D4B22-BE3A-4361-8C7B-B8ECE25BC8D6</string>
37
      <key>PayloadType</key>
38
      <string>com.apple.notificationsettings</string>
39
      <key>PayloadUUID</key>
40
      <string>2EA2BDB3-83CE-40DB-B3DF-33BD0094F0DF</string>
41
      <key>PayloadVersion</key>
42
      <integer>1</integer>
43
    </dict>
44
  </array>
45
  <key>PayloadDescription</key>
46
  <string>Forces notifications for SentinelOne Agent</string>
47
  <key>PayloadDisplayName</key>
48
  <string>S1 - Notifications</string>
49
  <key>PayloadEnabled</key>
50
  <true/>
51
  <key>PayloadIdentifier</key>
52
  <string>com.kandji.profile.custom.26783496-95e2-48d9-949b-d71a37181592</string>
53
  <key>PayloadOrganization</key>
54
  <string>Sentinel Labs, Inc.</string>
55
  <key>PayloadScope</key>
56
  <string>System</string>
57
  <key>PayloadType</key>
58
  <string>Configuration</string>
59
  <key>PayloadUUID</key>
60
  <string>cbcf5c85-c136-5cbd-b69a-2ce35ffd00d3</string>
61
  <key>PayloadVersion</key>
62
  <integer>1</integer>
63
  <key>TargetDeviceType</key>
64
  <integer>5</integer>
65
</dict>
66
</plist>

6. S1 - Token.mobileconfig

Grab on GitHub

Lastly, this profile forces acceptance of all notifications from the SentinelOne agent.

NOTE: You need to replace the string “SITE OR GROUP TOKEN HERE” in the xml to get this to work properly. You can get your Site or Group Token from the SentinelOne admin console.

Something to be mindful of with this method over the old method: This will make the Site or Group token viewable in plain text if someone were to open the profile in the System Settings app. Some may see this as a security risk. If you do, just refer back to my previous guides to inject the Token using a Pre-Install script that you can delete after the installation is complete. I plan on creating a method to encrypt the profile to prevent this but that is a ways off.

1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3
<plist version="1.0">
4
<dict>
5
        <key>PayloadContent</key>
6
        <array>
7
                <dict>
8
                        <key>PayloadType</key>
9
                        <string>com.sentinelone.registration-token</string>
10
                        <key>PayloadIdentifier</key>
11
                        <string>1908502B-DFFE-43A8-ABEC-E0830251CB67</string>
12
                        <key>PayloadUUID</key>
13
                        <string>1908502B-DFFE-43A8-ABEC-E0830251CBF5</string>
14
                        <key>S1InstallRegistrationToken</key>
15
                        <string>SITE OR GROUP TOKEN HERE</string>
16
                </dict>
17
        </array>
18
        <key>PayloadDescription</key>
19
        <string>SentinelOne agent registration token</string>
20
        <key>PayloadDisplayName</key>
21
        <string>S1 - Token</string>
22
        <key>PayloadIdentifier</key>
23
        <string>CF822211-476A-47D6-BA6F-0A3333804A49</string>
24
        <key>PayloadOrganization</key>
25
        <string>SentinelOne</string>
26
        <key>PayloadRemovalDisallowed</key>
27
        <true/>
28
        <key>PayloadScope</key>
29
        <string>System</string>
30
        <key>PayloadType</key>
31
        <string>Configuration</string>
32
        <key>PayloadUUID</key>
33
        <string>1908502B-DFFE-43A8-ABEC-E0830251CB53</string>
34
        <key>PayloadVersion</key>
35
        <integer>1</integer>
36
</dict>
37
</plist>

Uploading Profiles to Kandji

Here’s how to get these profiles into Kandji:

Upload to Kandji:
- Log in to your Kandji dashboard.
- Navigate to Library > Add New > Configuration Profile.
- Create and Upload each .mobileconfig file separately.
Assign Profiles to Devices:
- Add the profiles to the relevant Blueprints or Assignment Maps.
- Ensure these profiles are deployed before installing SentinelOne.

Important Notes about Profiles

Profiles Must Be Installed First: The audit script below will verify these profiles are properly installed. If they’re not installed, the SentinelOne installation won’t proceed.
All-In-One Profile: There’s a combined profile on GitHub from Kandji, but it’s a little outdated and Kandji no longer has it publicly available. I haven’t tested it personally but I’ve received feedback it has worked for others. If you’d rather have a single profile handle this you can give it a try. I personally recommend using the profiles and scripts provided here for the most reliable results.

Step 2: Adding SentinelOne as a Custom App

We’ll be using Kandji’s Custom App Library item to deploy SentinelOne. The process involves:

Creating your audit script: Ensures that all the profiles are properly installed prior to installing SentinelOne.
Setting up the Custom App in Kandji: Configuring the installation details and uploading your packaged file.
Add Custom app to your Assignment Maps or Blueprints.

1. Audit Script

The audit script checks if the required profiles are installed on the device. If they aren’t, the script exits, preventing the installation from proceeding. This ensures that SentinelOne doesn’t get installed without the necessary profiles, which could cause issues like loss of internet connectivity.

Grab on GitHub

1
#!/bin/bash
2

3
# Array of required profiles
4
REQUIRED_PROFILES=(
5
    "S1 - Full Disk Access"
6
    "S1 - Network Filtering"
7
    "S1 - Network Monitoring"
8
    "S1 - Notifications"
9
    "S1 - Service Management"
10
    "S1 - Token"
11
)
12

13
# Function to check if a profile is installed
14
check_profile_installed() {
15
    local profile_name=$1
16
    profiles_list=$(profiles -C -v | awk -F: '/attribute: name/{print $NF}')
17

18
    if echo "$profiles_list" | grep -F -q "$profile_name"; then
19
        return 0
20
    else
21
        return 1
22
    fi
23
}
24

25
# Check each required profile
26
for profile in "${REQUIRED_PROFILES[@]}"; do
27
    if ! check_profile_installed "$profile"; then
28
        echo "Error: $profile is not installed."
29
        exit 0
30
    fi
31
done
32

33
echo "All required profiles are installed. Proceeding to check for SentinelOne..."
34

35
# Check if SentinelOne is installed
36
if [ -d "/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/SentinelAgent.app" ]; then
37
    echo "SentinelOne is installed."
38
    exit 0
39
else
40
    echo "SentinelOne is not installed. Starting install process."
41
    exit 1
42
fi

What This Script Does:

Checks for the presence of the six required profiles.
If any profiles are missing, it exits without proceeding.
If all profiles are present, it checks if SentinelOne is already installed.
- If installed, it exits.
- If not installed, it triggers the installation.

2. Set Up the Custom App in Kandji

Let’s configure the Custom App in Kandji.

Create a New Library Item:
- Go to your Kandji dashboard and add a new Custom App library item.
- Select Audit and Enforce for the installation method.
Add the Audit Script from Step 1.
Configure Installation Details:
- Deployment Type: Uncheck Self Service to deploy silently.
- Installation Type: Select Installer Package.
- Upload Latest SentinelOne pkg File: You can find the latest package inside the SentinelOne management console. Go to Endpoints > Packages > and grab the latest macOS version.
- Optional: Select Restart after successful install if you’d like to make sure everything is installed properly and reporting back to SentinelOne.

3. Deploying your Custom App

With everything set up:

Test the Deployment: Before rolling it out company-wide, test on a few devices to ensure everything works smoothly. There should be no pop-ups for your end-users.
Assign to your Assignment Maps or Blueprints: Once confirmed, add the Custom App and profiles to your desired Assignment Maps or Blueprints in Kandji.
Final Tip: For Assignment Maps, I personally have most profiles installed in the first action “For All devices on this Blueprint” and then I have anotehr step that installs the Custom App. This gives me the flexibility to deploy a custom app to different departments and put them into Groups within SentinelOne using the Group Token versus Site Token. So my Engineers, who have specific exclusion rules in SentinelOne, have their own Custom App with a custom Profile for the token.

Final Thoughts

I developed this method because there didn’t seem to be a reliable guide that covered all the nuances of deploying SentinelOne with Kandji. By sharing my scripts and process, I hope to save you time and headaches.

Feedback Welcome!

If you have suggestions to improve these scripts or the deployment process, I’d love to hear them. Collaboration makes us all better at what we do.

Happy deploying!

If you found this guide helpful or have questions, don’t hesitate to reach out. Managing a Mac environment can be challenging, but with the right tools and shared knowledge, we can make it a smoother experience for everyone.

Thanks for reading (not) Your IT Guru! Make sure you Subscribe to my Substack to get the latest updates from me.