SentinelOne Install on Catalina

ekarazhov
New Contributor III

Here are the steps I took to package it. I put the installer and site token file in var/temp and then dragged the entire folder into Composer. Created a package. Created a policy with that package and the following command to install the package:
usr/sbin/installer -pkg /var/tmp/SentinelAgent_macos_v3_6_1_2964.pkg -target /Applications

Result of command:
installer: Package name is SentinelOne
installer: Installing at base path /
installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “SentinelAgent_macos_v3_6_1_2964.pkg”.)
I am at a loss, I have been playing with this for a whole day now and none of the commands I put work... ;(

1 ACCEPTED SOLUTION

AdamCraig
Contributor III

From the main screen click on Computers>Management Settings(bottom left). Then "Extension Attributes"
Click "New" Give it a name like "SentinelOne Version"
Inventory Display controls which menu on a computer's record it shows up in. I generally change that to "Extension Attributes"
Change Input Type to Script and then paste the script you have above.

When the computers run inventory after this it will collect the version of SentinelOne in addition to the other information that it collects. This does mean it'll take a few days for all your computers to report the information to Jamf
You also can make smart groups based on this information once it is set up.


22 REPLIES

ooshnoo
Valued Contributor

are you upgrading a Mac that already has S1 installed, or installing new?

I found that updating an existing agent fails...just as you're seeing...yet installing new works fine. I ended up having to upgrade all 10.15.3 clients via the S1 admin console.

gforsyth
New Contributor III

Agree, we do all updating through the S1 console and haven’t had issues with that.

John_McCarthy
New Contributor

Hey ekarazhov, I had the same issue and worked with SentinelOne on it. I have the installer cache to the waiting room and run this script in the same policy.

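#!/bin/sh

# Write the site token next to the cached installer, then install from the Waiting Room.
# The paths contain spaces, so they are quoted.
sudo echo "Site Token Goes Here" > "/Library/Application Support/JAMF/Waiting Room/com.sentinelone.registration-token"
sudo /usr/sbin/installer -pkg "/Library/Application Support/JAMF/Waiting Room/SentinelAgent_macos_v3_6_1_2964.pkg" -target /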

AdamCraig
Contributor III

I've screwed around with this for a bit and came up with this that seems to be consistently working.
I pkg up the sentinel one installer so it gets installed into /tmp/sentinelagent_macos_v_########.pkg
then install that, and run this script after.

This will install on computers that don't have sentinel one and upgrade on computers that do. My issue with updating through the console is that there always seem to be a few that i can't get to update. Jamf has been more consistent once I've gotten it to work.

EDIT: for the record this is a mishmash of like 3 different scripts from the macadmin #sentinelone slack channel.

#!/bin/bash

# I package up the S1 installer so that it is installed to /tmp/
# Then I run this script after that pkg has been installed

# Jamf script parameter 4: file name of the SentinelOne installer .pkg
PKG_NAME="$4"

## ex: SentinelAgent_macos_v3_0_4_2657.pkg
## ex: SentinelAgent_macos_v3_2_0_2671.pkg

INSTALL_PKG="/tmp/$PKG_NAME"
S1_BINARY="/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentinelctl"

if [ "$(id -u)" != 0 ]; then
    /bin/echo "Error: You must run this command as root"
    exit 1
fi

if [[ "$PKG_NAME" == "" ]]; then
    /bin/echo "Error: The parameter 'SentinelOne .pkg Name' is blank. Please specify a value."
    exit 1
fi

if [ ! -f "${INSTALL_PKG}" ]; then
    /bin/echo "Error: ${INSTALL_PKG} does not exist, exiting"
    exit 1
fi

cd /tmp/ || exit 1

## If sentinelctl exists, upgrade SentinelOne
if [[ -f "${S1_BINARY}" ]]; then
    echo "sentinel on computer. Upgrading sentinel"
    /usr/local/bin/sentinelctl upgrade-pkg "${INSTALL_PKG}"
else
    # If not, then install SentinelOne
    ## Create registration token
    cat > /tmp/com.sentinelone.registration-token << END
your registration token goes here==
END
    chmod -R 777 "/tmp/com.sentinelone.registration-token"
    /bin/echo "sentinel not on computer, beginning sentinel install"
    /usr/sbin/installer -pkg "${INSTALL_PKG}" -target /

    # Clean up registration token
    sleep 10
    rm /tmp/com.sentinelone.registration-token

fi


# Clean up the installer
rm "${INSTALL_PKG}"

exit 0
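
Both scripts above stage the site token in a file beside the installer, and the second makes that file world-writable (chmod 777) in /tmp, where other local accounts can read or change it until it is removed. The following is an added example, not code from the thread or from SentinelOne: it stages the token with owner-only permissions and removes it even when the install fails. The function names and the optional installer-path argument are hypothetical, and it assumes the installer reads com.sentinelone.registration-token from the directory that holds the .pkg, as the posts describe.

```shell
#!/bin/bash
# Added example (not from the thread). Assumption: the installer reads the
# token file from the same directory as the .pkg, as the posts describe.

TOKEN_FILE="com.sentinelone.registration-token"

# Write the token next to the package with mode 0600; print the file's path.
stage_token() {
    local pkg="$1" token="$2" path
    [ -f "$pkg" ] || { echo "Error: $pkg does not exist" >&2; return 1; }
    [ -n "$token" ] || { echo "Error: empty site token" >&2; return 1; }
    path="$(dirname "$pkg")/$TOKEN_FILE"
    # Subshell so umask and noclobber do not leak into the caller.
    # rm -f removes any stale file or symlink left at the predictable path;
    # set -C (noclobber) then makes the redirect create the file itself and
    # fail if anything has reappeared there in the meantime.
    ( umask 077; set -C; rm -f "$path"; printf '%s\n' "$token" > "$path" ) || {
        echo "Error: could not create $path" >&2
        return 1
    }
    printf '%s\n' "$path"
}

# Install with the token present only for the duration of the installer run.
# $3 (hypothetical) overrides the installer binary, e.g. for a dry run.
install_with_token() {
    local pkg="$1" token="$2" installer="${3:-/usr/sbin/installer}" path rc=0
    path="$(stage_token "$pkg" "$token")" || return 1
    "$installer" -pkg "$pkg" -target / || rc=$?
    rm -f "$path"    # remove the token whether or not the install succeeded
    return "$rc"
}

# Example call from a Jamf policy script (SITE_TOKEN is a placeholder):
# install_with_token "/Library/Application Support/JAMF/Waiting Room/$4" "$SITE_TOKEN"
```
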

ekarazhov
New Contributor III

@ooshnoo I am not upgrading, this would be a new install.
@gforsyth For some reason our S1 admin decided to dump this on me. i'll ask him if he even tried to do that upgrade via console.
@John.McCarthy i'd have to try that method, thank you. @strayer so does this script install if not installed, and upgrade if the version is lower? Do you install the .pkg file along with the site token file?

AdamCraig
Contributor III

@ekarazhov This script creates the site token file. You have to put your token into the script replacing the line your registration token goes here==
but yes, it installs if not installed. Upgrades if a lower version. This lets me use one policy for new computers and for upgrading computers with old versions.

ooshnoo
Valued Contributor

just put the token file in the same folder as the S1 installer package. Wrap it in a DMG using Composer, then install that dmg using a policy and add the installer command under Files and Processes.

ekarazhov
New Contributor III

@strayer Thank you i will try it :)
@ooshnoo I was doing .pkg but i will try making a DMG file instead.
Thank you guys for your suggestions! :)

wILLwILL2
New Contributor II

I had the same issue and @John.McCarthy's suggestion to cache the pkg file and run the script worked for me. On all previous versions I used to package the installer and run the command to apply the site token, but as of SentinelAgent_macos_v3_6_1_2964 it no longer works. Thanks again John

ekarazhov
New Contributor III

@strayer Hi, i was wondering if you can take a look at my set up. I think i followed your instructions properly but when i run policy from the Self Service i get an error. my setup policy is like this.

in the same policy. and my script looks like this.

#! /bin/bash

#I package up the S1 installer and put it install it to /tmp/
#Then i run this script after that pkg has been installed

PKG_NAME="$S1_Install_Updrade v3_6_1_2964"

## ex: SentinelAgent_macos_v3_0_4_2657.pkg
## ex: SentinelAgent_macos_v3_2_0_2671.pkg

INSTALL_PKG="/tmp/$PKG_NAME"
S1_BINARY="/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentinelctl"

if [ `id -u` != 0 ]; then
    /bin/echo "Error: You must run this command as root"
    exit 1
fi

if [[ "$PKG_NAME" == "" ]]; then 
    /bin/echo "Error: The parameter 'SentinelOne .pkg Name' is blank. Please specify a value." 
    exit 1 
fi

if [ ! -f "${INSTALL_PKG}" ]; then
    /bin/echo "Error: ${INSTALL_PKG} does not exist, exiting"
    exit 1
fi

cd /tmp/ || exit 1

## If sentinelctl exists, upgrade SentinelOne
if [[ -f "${S1_BINARY}" ]]; then
    echo "sentinel on computer. Upgrading sentinel"
    /usr/local/bin/sentinelctl upgrade-pkg "${INSTALL_PKG}"
else
    # If not, then install SentinelOne
    ## Create registration token
    cat > /tmp/com.sentinelone.registration-token << END
your registration token goes here==
END
    chmod -R 777 "/tmp/com.sentinelone.registration-token"
    /bin/echo "sentinel not on computer, beginning sentinel install"
    /usr/sbin/installer -pkg "${INSTALL_PKG}" -target /

    # Clean up registration token
    sleep 10
    rm /tmp/com.sentinelone.registration-token

fi


# Clean up the installer
rm "${INSTALL_PKG}"

exit 0

AdamCraig
Contributor III

@ekarazhov To clarify the == after the site token was part of my site token that I didn't delete when I posted the script. So if that's not in your site token then delete that part.
I made the PKG_NAME="$4" so that the variable could be given to it by the Jamf Policy (see attached image)

if you are going to define the PKG_NAME variable in the script then remove the $
Also the PKG_NAME is the name of the actual sentinelone installer not the package that contains the sentinelone installer that you upload to JAMF. So unless you renamed the package it should match what I have as that is the one downloaded from the sentinelone console.
my installer goes into /private/tmp/ (i attached a screen shot of my composer package as well)
Hope that helps.

EDIT: ALSO SUPER IMPORTANT THING! YOU CANNOT HAVE A / IN THE NAME OF A SCRIPT! It looks like your script is named install/upgrade. A script named that will fail 100% regardless of what is in the script. See https://www.jamf.com/jamf-nation/discussions/33905/til-having-a-in-a-script-name-causes-it-not-to-ru...


ekarazhov
New Contributor III

@strayer I'll try it, thank you. silly question. i don't have access to S1 console so i can't really see what version of S1 is on a mac. is there any way i can glean that info directly on a mac itself?

AdamCraig
Contributor III

@ekarazhov Don't know where this one was sourced from. But we have an extension attribute that reports the SentinelOne Version.

#!/bin/bash

# Report the installed SentinelOne agent version, or "not installed"
if [ -f "/usr/local/bin/sentinelctl" ] ; then
    RESULT=$( /usr/local/bin/sentinelctl version | awk '{print $2 $3}' )
else
    RESULT="not installed"
fi

echo "<result>$RESULT</result>"

ekarazhov
New Contributor III

@strayer

#!/bin/bash

# Check to see if the SentinelOne agent is installed.
# If the agent is installed, report the agent
# version.

if [ -f "/usr/local/bin/sentinelctl" ] ; then 
    RESULT=$( /usr/local/bin/sentinelctl version | awk '{print $2 $3}' )
else
    RESULT="not installed"
fi

echo "<result>$RESULT</result>"

Found this code by accident after i read your post, lol
Now i am going to have to figure out what is extension attribute and how to configure it in jamf.. :) if you have any suggestions i am all ears. i am a bit new to jamf, so still learning.

AdamCraig
Contributor III

From the main screen click on Computers>Management Settings(bottom left). Then "Extension Attributes"
Click "New" Give it a name like "SentinelOne Version"
Inventory Display controls which menu on a computer's record it shows up in. I generally change that to "Extension Attributes"
Change Input Type to Script and then paste the script you have above.

When the computers run inventory after this it will collect the version of SentinelOne in addition to the other information that it collects. This does mean it'll take a few days for all your computers to report the information to Jamf
You also can make smart groups based on this information once it is set up.

dugnl
Contributor

Neither the old method of adding the site token in a files/process nor copying the site token into a com file directly into a folder worked for me for sentinelone 4.1.1.3099. Using John.McCarthy's idea did work. Mojave and Catalina. For new installs only. I always uninstall via the Sentinelone console which thankfully I also have access.

tauruskarthick
New Contributor II

@strayer Thanks for the script. It works perfectly well.

But I've another concern to everyone that I would like to install the SentinelOne from share drive or cloud storage.

I assume, pkg location can be changed, but I don't know what will be the script for that. Kindly help on it. Thanks.

tauruskarthick
New Contributor II

@strayer Thanks for the script and it worked well.

However, I've concern that I would like to install the sentinelOne to be installed from cloud storage or shared drive.

Kindly help on the same. Thanks.

AdamCraig
Contributor III

@tauruskarthick I have an updated version of the script on my github
https://github.com/theadamcraig/jamf-scripts/blob/master/sentineone_postinstall.sh

the install directory is in line 33 of the script and you can make it whatever you want. If it's a shared drive the user will have to have it mounted first.
The new version of the script will check both the install directory and the jamf waiting room and use the installer where it finds it.

heavymeta80
New Contributor III

@strayer I'd like to use your updated script to upgrade our old SentinelOne clients but the postinstall script fails with install.log displaying ./postinstall: Error: /tmp// does not exist, exiting
I've checked and my directory containing the installer and reg file are both in /tmp so I'm not sure where the issue is.

AdamCraig
Contributor III

@heavymeta80 That's odd. Curious why there is an extra slash there. Are you providing the .pkg name as variable $4?

I've honestly stopped re-packaging things and putting them in /tmp I just cache the installer so it installs right from the waiting room.


DoctorFunkie
New Contributor

I ran into the same issue. I found in the policy that I had my packages set as install when it needed to be set as "Cache". The script completes the download for me.