I put the kernel extension in a configuration profile and deployed that first then deployed the software.
Thanks! I think that is going to work!
@jmonty I don't know why I didn't think of that.
Hey @edullum
We've got a Configuration Profile to distribute the SentinelOne pkg on Enrollment, and soon after we are running a script to activate.
Also, inside the Configuration Profile, scroll down to Approved Kernel Extensions and add as follows:

It takes 2-3 minutes to activate but it works. A user doesn't have to click to approve Kernel Extension inside Security & Privacy.
Hope this helps.
@rafalkukla Thank you. That's essentially what I did for our environment!
Morning @edullum ,
What script are you running to activate endpoints?
For some reason, after endpoint installation, some devices won't activate using the script, with the following error message:
Running script Activate SentinelOne...
Script exit code: 1
Script result: sudo: sentinelctl: command not found
Error running script: return code was 1.
But if you sudo jamf policy on the computer itself, there is no problem at all. - Script result: Agent secret injected with success.
Again, this is happening only on a small number of devices, most of them will install and activate without any issues.
Any help is much appreciated.

@rafalkukla We don't send a script to activate the agent. We deploy a policy to install the SentinalOne.pkg from our Distribution Share Point. I obtained the pkg from the S1 portal under Settings>Updates>OS X. We then see the client pop up in the S1 portal under Network>Default group. We then move the machine to the correct static group depending on what school the machine belongs to. I've seen the S1 agent fail to install a bunch of times. The log file says that it could not mount the Distribution Share Point....I hate that..it happens a lot and it happens randomly. Like 1 out of 5 computer enrollments.
I created a Smart Computer Group with criteria to put computers that don't have the S1 agent installed. When those computers get online the policy to install the S1 agent to better manage it.
Attached is a screenshot of what our S1 configuration profile looks like.
Hi @edullum
I think we might be using different SentinelOne platforms. My platform is the MSP model, so I have to assign a site ID to each endpoint; otherwise it doesn't show up in the dashboard and the SentinelOne icon on the Mac has an X.
Does this model have an equal setting in JAMF v9.101 or above? Or is this exclusive to JAMF Pro v10 and above?
Hey @rlaskowski
For devices with latest macOS High Sierra, if Jamf v9.x has Approved Kernel Extensions option in Configuration profiles (I can't remember if it has) you should be able to distribute SentinelOne silently. Otherwise, the end user would have to manually allow extension block.
Distributing and installing should work with v9.x
Hope this helps!
@rafalkukla Were you able to get the sentinelctl token command to work? Having the same issue.
Hey @callumgroth
Yes, I found a workaround and it works well. I thought the activation script was the easiest option, but in the end I had to create a new pkg and include the license/site ID as a file in the same folder with the agent.
Ah interesting! I ended up working out that when jamf runs the script as root it just didn't know what sentinelctl was, calling it explicitly from /usr/local/bin/sentinelctl works.
@callumgroth Thanks. I was having some issues getting that script pointing to the token to work within my setup package. Added /usr/local/bin/sentinelctl and that solved my issue.
Could someone post the installation script for this product? Thanks.
I have just created a package containing the SentinelOne pkg and the file containing the activation tokeny thing (the file has to be called com.sentinelone.registration-token), which installs to /var/tmp.
I install this package via a policy and then in the same policy run /usr/sbin/installer -pkg /var/tmp/Sentinel*.pkg -target /
In advance I had a configuration profile applying the kernel extension that @edullum posted above.
awginger - it looks like this method worked for us
SentinelOne does not appear as an installed application. How can I create a smart computer group to tell me if SentinelOne is installed? It does run in memory as SentinalAgent, but there is no option to check for a running process.

Like this...
@mmcginnis I am currently using an extension attribute as it tells me the version too, then the smart group uses the 'not installed' value.
#!/bin/bash
# Check to see if the SentinelOne agent is installed.
# If the agent is installed, report the agent
# version.
if [ -f "/usr/local/bin/sentinelctl" ] ; then
    RESULT=$( /usr/local/bin/sentinelctl version | awk '{print $2 $3}' )
else
    RESULT="not installed"
fi
echo "<result>$RESULT</result>"
Anyone having issues with SentinelOne on 10.15 Catalina? Just upgraded a device and now it is telling me 'Kext not loaded' even though my configuration profile to apply the kernel extension has been applied to the device. Could it be to do with moving to System Extensions over Kernel Extensions?
@awginger I get the same results when I upgrade a machine to Catalina. I'm hoping SentinelOne releases a new client soon that uses the System Extension (I'm guessing this is the issue).
In the meantime, my policy to deploy SentinelOne has recently "broke". For the life of me I can't figure out what is causing the issue. It was working fine until a couple weeks ago. Installing the client manually works just fine but the policy fails every time with a "An error occurred while running scripts from the package "SentinelAgent_macos_v3_4_2728.pkg" error in the logs. I'm beating my head against a brick wall trying to figure out what would have changed in the last couple weeks to cause this (we're on Cloud and we did get upgraded to 10.15.1 recently).
Anyone else having issues with your policy installing SentinelOne?
@Neil_Kitt Was talking with SentinelOne on this one going back and forth. They found out that the new agent breaks when being installed via command line when there are spaces in the file path. When you cache the package in the 'Waiting Room' folder is where the command line install breaks. They said that a fix will be out soon. This would explain why installing the client manually works fine and through Jamf policy it breaks. Hope this helps.
Thanks!
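As an added example (not code posted by anyone in this thread, and not SentinelOne's or Jamf's own): a pre-flight for the staged install described above. It refuses to call installer unless exactly one Sentinel*.pkg and a non-empty com.sentinelone.registration-token sit together in a staging directory whose path contains no spaces, and it checks for the agent binary by absolute path afterwards. The function name, the return codes and the use of Jamf script parameters $4 and $5 are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the thread. Names and return codes are illustrative.

TOKEN_NAME="com.sentinelone.registration-token"   # file name given in the thread

# Print the single staged Sentinel*.pkg found in directory $1.
# Returns 1 = no package, 2 = several packages, 3 = space in path, 4 = no token.
find_staged_pkg() {
    dir=$1
    case "$dir" in
        *" "*) echo "staging path contains a space: $dir" >&2; return 3 ;;
    esac
    set -- "$dir"/Sentinel*.pkg            # expand the glob into $1..$n
    if [ ! -e "$1" ]; then
        echo "no Sentinel*.pkg in $dir" >&2; return 1
    fi
    if [ "$#" -gt 1 ]; then
        echo "more than one Sentinel*.pkg in $dir (stale copy?)" >&2; return 2
    fi
    case "$1" in
        *" "*) echo "package name contains a space: $1" >&2; return 3 ;;
    esac
    if [ ! -s "$dir/$TOKEN_NAME" ]; then
        echo "missing or empty $dir/$TOKEN_NAME" >&2; return 4
    fi
    printf '%s\n' "$1"
}

# Jamf passes user-defined script parameters starting at $4.
# Assumption: $4 = "install" enables the install step, $5 = staging directory.
if [ "${4:-}" = "install" ]; then
    pkg=$(find_staged_pkg "${5:-/var/tmp}") || exit 1
    /usr/sbin/installer -pkg "$pkg" -target / || exit 1
    # Absolute path on purpose: root's PATH under a Jamf policy may not
    # include /usr/local/bin, which is the "command not found" case above.
    if [ ! -x /usr/local/bin/sentinelctl ]; then
        echo "sentinelctl not present after install" >&2
        exit 1
    fi
fi
```

Run without parameters the script only defines the function, so the checks can be exercised against a scratch directory before the policy is scoped to real machines.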
We no longer use SentinelOne. We used to run the install and then inject the site ID after via a script. Worked well. Also, didn't need to build a new agent pkg upon new releases.