SentinelOne AV Install

edullum
Contributor

Good Morning jamf Nation,

We are rolling out SentinelOne agent to Macs. I have the policy set, but I need some assistance with "pre-approving" the SentinelOne Agent kernel extension. The S1 setup guide gives a parameter to enter in the policy:

Kext Bundle ID: com.sentinelone.sentinel-kext

Developer ID: 4AYE5J54KN

I just don't know where to put the parameter. I tried copying and pasting it into Execute Command under Files and Processes, but that change doesn't 'approve' the agent. Based on the log file, it looks like it's trying to run the parameter, but then fails?

[attached screenshot of the policy log]

Any ideas?


jmonty
New Contributor II

I put the kernel extension in a configuration profile and deployed that first then deployed the software.

edullum
Contributor

Thanks! I think that is going to work!

rpayne
Contributor II

@jmonty I don't know why I didn't think of that.

RafalKukla
New Contributor II

Hey @edullum

We've got a Configuration Profile to distribute the SentinelOne pkg on enrollment, and soon after we run a script to activate.

Also, inside the Configuration Profile, scroll down to Approved Kernel Extensions and add as follows:

[screenshot of the Approved Kernel Extensions settings]

It takes 2-3 minutes to activate but it works. A user doesn't have to click to approve Kernel Extension inside Security & Privacy.

Hope this helps.
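The profile payload the replies above are describing, as an added example (not code from the thread, from SentinelOne or from Jamf): a script that writes a com.apple.syspolicy.kernel-extension-policy profile for the Team ID and kext bundle ID quoted in the original question, then checks that the pair is actually listed. The profile display name, identifiers and output path are assumptions. One caveat a practitioner should keep in mind: macOS only honours this payload when the MDM delivers it, so the same file installed by double-clicking it or with `profiles install` pre-approves nothing.

```shell
#!/bin/sh
# Generate a kernel-extension-policy configuration profile for a vendor kext.
# Added example; not from the thread, SentinelOne or Jamf. Team ID and bundle ID
# are the ones quoted in the original question; names/paths below are assumptions.
set -eu

S1_TEAM_ID="4AYE5J54KN"
S1_KEXT_ID="com.sentinelone.sentinel-kext"

gen_uuid() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen
  elif [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
  else
    echo "00000000-0000-4000-8000-000000000000"   # fixed fallback on hosts without either
  fi
}

# make_kext_profile TEAM_ID BUNDLE_ID OUTFILE
# AllowedKernelExtensions maps Team ID -> list of bundle IDs, so only that kext is
# pre-approved. AllowUserOverrides=true still lets a local admin approve other
# kexts by hand in Security & Privacy; set it to <false/> to forbid that.
make_kext_profile() {
  team_id="$1"; bundle_id="$2"; outfile="$3"
  payload_uuid=$(gen_uuid)
  profile_uuid=$(gen_uuid)
  cat > "$outfile" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.syspolicy.kernel-extension-policy</string>
      <key>PayloadIdentifier</key>
      <string>com.example.kext.${bundle_id}</string>
      <key>PayloadUUID</key>
      <string>${payload_uuid}</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>AllowUserOverrides</key>
      <true/>
      <key>AllowedKernelExtensions</key>
      <dict>
        <key>${team_id}</key>
        <array>
          <string>${bundle_id}</string>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Approved Kernel Extensions: ${bundle_id}</string>
  <key>PayloadIdentifier</key>
  <string>com.example.kext-policy.${bundle_id}</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>${profile_uuid}</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}

# profile_allows OUTFILE TEAM_ID BUNDLE_ID -> 0 if the profile lists that Team ID
# with that bundle ID under it (the bundle string must appear before the dict closes).
profile_allows() {
  awk -v t="<key>$2</key>" -v b="<string>$3</string>" '
    index($0, t) { in_team = 1; next }
    in_team && index($0, "</dict>") { in_team = 0 }
    in_team && index($0, b) { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

main() {
  out="$1"
  make_kext_profile "$S1_TEAM_ID" "$S1_KEXT_ID" "$out"
  profile_allows "$out" "$S1_TEAM_ID" "$S1_KEXT_ID" && echo "wrote $out (allows $S1_TEAM_ID / $S1_KEXT_ID)"
}

main "${1:-${TMPDIR:-/tmp}/SentinelOne-kext.mobileconfig}"
```

Upload the resulting .mobileconfig to Jamf Pro as a custom profile (or reproduce the same values in the Approved Kernel Extensions section of the GUI) and scope it so it lands before the policy that installs the agent; on an unenrolled or non-user-approved-MDM Mac the kext will still prompt.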

edullum
Contributor

@rafalkukla Thank you. That's essentially what I did for our environment!

RafalKukla
New Contributor II

Great!

RafalKukla
New Contributor II

Morning @edullum ,
What script are you running to activate endpoints?

For some reason, after endpoint installation, some devices won't activate using the script, with the following error message:

Running script Activate SentinelOne...
Script exit code: 1
Script result: sudo: sentinelctl: command not found
Error running script: return code was 1.

But if you sudo jamf policy on the computer itself, there is no problem at all. - Script result: Agent secret injected with success.

Again, this is happening only on a small number of devices, most of them will install and activate without any issues.

Any help is much appreciated.

edullum
Contributor

[screenshot of the SentinelOne configuration profile]
@rafalkukla We don't send a script to activate the agent. We deploy a policy to install the SentinelOne.pkg from our Distribution Share Point. I obtained the pkg from the S1 portal under Settings>Updates>OS X. We then see the client pop up in the S1 portal under Network>Default group. We then move the machine to the correct static group depending on what school the machine belongs to. I've seen the S1 agent fail to install a bunch of times. The log file says that it could not mount the Distribution Share Point. I hate that; it happens a lot and it happens randomly, like 1 out of 5 computer enrollments.

I created a Smart Computer Group with criteria to put in computers that don't have the S1 agent installed. When those computers come online, the policy installs the S1 agent, which makes it easier to manage.

Attached is a screenshot of what our S1 configuration profile looks like.

RafalKukla
New Contributor II

Hi @edullum I think we might be using different SentinelOne platforms. My platform is the MSP model, so I have to assign a site ID to each endpoint, otherwise it's not showing up in the dashboard and the SentinelOne icon on the Mac shows an X.

rlaskowski
New Contributor

Does this model have an equal setting in JAMF v9.101 or above? Or is this exclusive to JAMF Pro v10 and above?

RafalKukla
New Contributor II

Hey @rlaskowski

For devices with the latest macOS High Sierra, if Jamf v9.x has the Approved Kernel Extensions option in Configuration Profiles (I can't remember if it has) you should be able to distribute SentinelOne silently. Otherwise, the end user would have to manually allow the blocked extension.

Distributing and installing should work with v9.x

Hope this helps!

callumgroth
New Contributor II

@rafalkukla Were you able to get the sentinelctl token command to work? Having the same issue.

RafalKukla
New Contributor II

Hey @callumgroth Yes, I found a workaround and it works well. I thought the activation script was the easiest option, but in the end I had to create a new pkg and include the license/site ID as a file in the same folder as the agent.

callumgroth
New Contributor II

Ah interesting! I ended up working out that when jamf runs the script as root it just didn't know what sentinelctl was, calling it explicitly from /usr/local/bin/sentinelctl works.

dugnl
Contributor

@callumgroth Thanks. I was having some issues getting that script pointing to the token to work within my setup package. Adding /usr/local/bin/sentinelctl solved my issue.

MarcosMunoz
New Contributor III

Could someone post the installation script for this product? Thanks.

awginger
Contributor

I have just created a package containing the SentinelOne pkg and the file containing the activation token thing (the file has to be called com.sentinelone.registration-token), which installs to /var/tmp.

I install this package with a policy and then, in the same policy, run /usr/sbin/installer -pkg /var/tmp/Sentinel*.pkg -target /

In advance I had a configuration profile applying the kernel extension that @edullum posted above.
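A Jamf policy script that puts the method above (token file beside the .pkg, then /usr/sbin/installer) together with the full-path point made earlier in the thread (root's PATH under Jamf does not include /usr/local/bin, so sentinelctl must be called as /usr/local/bin/sentinelctl). This is an added example, not the thread's code or anything from SentinelOne or Jamf. Assumptions: the policy first caches the agent .pkg in Jamf's Waiting Room and then runs this script with the registration token as parameter $4 and the cached package file name as $5; the token file name com.sentinelone.registration-token is the one reported in the thread; the `sentinelctl` token subcommand is deliberately not used because the thread does not give its syntax. The package is copied out of the Waiting Room into a path without spaces before installing, which sidesteps the spaces-in-path installer failure described further down the thread, and the token file is written 0600 and deleted once the installer has run so the site token does not sit on disk.

```shell
#!/bin/sh
# Jamf policy script: stage the SentinelOne pkg plus registration-token file in a
# space-free directory, run the installer, then report the agent version by full path.
# Added example; not from the thread, SentinelOne or Jamf. Parameter layout ($4 token,
# $5 pkg name), staging dir and Waiting Room path are assumptions.
set -eu

TOKEN_FILE_NAME="com.sentinelone.registration-token"
S1CTL="/usr/local/bin/sentinelctl"        # full path: root's PATH under Jamf lacks /usr/local/bin
WAITING_ROOM="/Library/Application Support/JAMF/Waiting Room"   # where Jamf caches packages (has spaces)
STAGE_DIR="/var/tmp/s1stage"              # no spaces in this path

# stage_installer SRC_PKG STAGE_DIR TOKEN -> prints the staged pkg path
# Refuses a staging path with spaces, copies the pkg there and writes the token
# beside it with 0600 permissions (root-only while it waits for the installer).
stage_installer() {
  src_pkg="$1"; stage_dir="$2"; token="$3"
  case "$stage_dir" in
    *" "*) echo "stage dir must not contain spaces: $stage_dir" >&2; return 1 ;;
  esac
  [ -f "$src_pkg" ] || { echo "pkg not found: $src_pkg" >&2; return 1; }
  mkdir -p "$stage_dir"
  chmod 700 "$stage_dir"
  cp "$src_pkg" "$stage_dir/"
  ( umask 077; printf '%s' "$token" > "$stage_dir/$TOKEN_FILE_NAME" )
  echo "$stage_dir/$(basename "$src_pkg")"
}

# install_staged PKG_PATH -> runs the macOS installer, always removes the token file
install_staged() {
  pkg="$1"; dir=$(dirname "$pkg"); rc=0
  /usr/sbin/installer -pkg "$pkg" -target / || rc=$?
  rm -f "$dir/$TOKEN_FILE_NAME"           # do not leave the site token behind
  return $rc
}

# agent_version -> version string from sentinelctl, or "not installed"
# Uses the same field split as the extension attribute posted later in the thread.
agent_version() {
  if [ -x "$S1CTL" ]; then
    "$S1CTL" version | awk '{print $2 $3}'
  else
    echo "not installed"
  fi
}

main() {
  token="$4"; pkg_name="$5"
  [ -n "$token" ] && [ -n "$pkg_name" ] || { echo "usage: $0 mount computer user TOKEN PKG_NAME" >&2; return 2; }
  staged=$(stage_installer "$WAITING_ROOM/$pkg_name" "$STAGE_DIR" "$token")
  install_staged "$staged"
  echo "SentinelOne agent: $(agent_version)"
}

# Jamf passes mount point, computer name and user as $1-$3; only run with the full set.
if [ "$#" -ge 5 ]; then
  main "$@"
fi
```

Cache the package with one policy (or in the same policy before the script runs), and keep the kext configuration profile scoped ahead of both; if the Mac already has an agent, the installer may refuse the upgrade, which is a separate problem that the thread discusses later.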

peterj
New Contributor II

awginger - it looks like this method worked for us

mmcginnis
New Contributor

SentinelOne does not appear as an installed application. How can I create a smart computer group to tell me if SentinelOne is installed? It does run in memory as SentinelAgent, but there is no option to check for a running process.

Neil_Kitt
New Contributor III

[screenshot of the smart group criteria]
Like this...

awginger
Contributor

@mmcginnis I am currently using an extension attribute as it tells me the version too, then the smart group uses the 'not installed' value.

#!/bin/bash

# Check to see if the SentinelOne agent is installed.
# If the agent is installed, report the agent
# version.

if [ -f "/usr/local/bin/sentinelctl" ] ; then 
    RESULT=$( /usr/local/bin/sentinelctl version | awk '{print $2 $3}' )
else
    RESULT="not installed"
fi

echo "<result>$RESULT</result>"

awginger
Contributor

Anyone having issues with SentinelOne on 10.15 Catalina? Just upgraded a device and now it is telling me 'Kext not loaded' even though my configuration profile to apply the kernel extension has been applied to the device. Could it be to do with moving to System Extensions over Kernel Extensions?
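A triage extension attribute that separates the cases the "Kext not loaded" question above runs together: agent not installed, kext never approved by MDM, and kext approved but not loaded. This is an added example, not the thread's EA or anything from SentinelOne or Jamf. It assumes the Team ID and bundle ID from the original question; that `kextstat` prints the bundle ID in its sixth column (true through Catalina; Big Sur and later prefer `kmutil showloaded`); and that MDM-approved kexts are recorded in the kext_policy_mdm table of /var/db/SystemPolicyConfiguration/KextPolicy, which is readable only as root (Jamf runs EAs as root, so that is fine in practice). The parsing functions take the command output as text so they can be exercised offline.

```shell
#!/bin/sh
# Triage EA: "not installed" / "kext not approved by MDM" / "kext approved but not loaded" / "ok".
# Added example; not from the thread, SentinelOne or Jamf. Column and table assumptions are in the lead-in.
set -eu

S1_TEAM_ID="4AYE5J54KN"
S1_KEXT_ID="com.sentinelone.sentinel-kext"
S1CTL="/usr/local/bin/sentinelctl"
KEXT_POLICY_DB="/var/db/SystemPolicyConfiguration/KextPolicy"

# kext_loaded KEXTSTAT_OUTPUT BUNDLE_ID -> 0 if the bundle is listed as loaded
# kextstat columns: Index Refs Address Size Wired Name (Version) ...; Name is $6.
kext_loaded() {
  printf '%s\n' "$1" | awk -v b="$2" '$6 == b { found = 1 } END { exit found ? 0 : 1 }'
}

# kext_mdm_approved POLICY_ROWS TEAM_ID BUNDLE_ID -> 0 if an allowed row exists
# POLICY_ROWS are "team_id|bundle_id|allowed" lines as sqlite3 prints them.
kext_mdm_approved() {
  printf '%s\n' "$1" | awk -F'|' -v t="$2" -v b="$3" \
    '$1 == t && $2 == b && $3 == 1 { found = 1 } END { exit found ? 0 : 1 }'
}

# s1_state INSTALLED(yes|no) KEXTSTAT_OUTPUT POLICY_ROWS -> one status line
s1_state() {
  installed="$1"; kexts="$2"; rows="$3"
  if [ "$installed" != "yes" ]; then
    echo "not installed"
  elif ! kext_mdm_approved "$rows" "$S1_TEAM_ID" "$S1_KEXT_ID"; then
    echo "installed, kext not approved by MDM (profile missing or not delivered via MDM)"
  elif ! kext_loaded "$kexts" "$S1_KEXT_ID"; then
    echo "installed, kext approved but not loaded (reboot, or agent/OS mismatch)"
  else
    echo "ok"
  fi
}

# collect_live -> gathers the real inputs on a Mac; degrades to "not installed" elsewhere
collect_live() {
  if [ -x "$S1CTL" ]; then installed=yes; else installed=no; fi
  kexts=$(kextstat 2>/dev/null || true)
  rows=""
  if [ -r "$KEXT_POLICY_DB" ]; then   # guard: sqlite3 would otherwise create an empty DB
    rows=$(sqlite3 "$KEXT_POLICY_DB" \
      'SELECT team_id, bundle_id, allowed FROM kext_policy_mdm;' 2>/dev/null || true)
  fi
  s1_state "$installed" "$kexts" "$rows"
}

echo "<result>$(collect_live)</result>"
```

Feed the result into a smart group per state; "kext not approved by MDM" on a Mac that has the profile in its inventory usually means the profile was installed outside MDM or the Mac's enrollment is not user-approved, while "approved but not loaded" after an OS upgrade points at the agent version rather than at Jamf.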

Neil_Kitt
New Contributor III

@awginger I get the same results when I upgrade a machine to Catalina. I'm hoping SentinelOne releases a new client soon that uses the System Extension (I'm guessing this is the issue).

In the meantime, my policy to deploy SentinelOne has recently "broke". For the life of me I can't figure out what is causing the issue. It was working fine until a couple weeks ago. Installing the client manually works just fine but the policy fails every time with an "An error occurred while running scripts from the package "SentinelAgent_macos_v3_4_2728.pkg"" error in the logs. I'm beating my head against a brick wall trying to figure out what would have changed in the last couple weeks to cause this (we're on Cloud and we did get upgraded to 10.15.1 recently).

Anyone else having issues with your policy installing SentinelOne?

ESensenbrenner
New Contributor

@Neil_Kitt Was talking with SentinelOne on this one going back and forth. They found out that the new agent breaks when being installed via command line when there are spaces in the file path. When you cache the package in the 'Waiting Room' folder is where the command line install breaks. They said that a fix will be out soon. This would explain why installing the client manually works fine and through Jamf policy it breaks. Hope this helps.

Thanks!

rpayne
Contributor II

We no longer use SentinelOne. We used to run the install and then inject the site ID after via a script. Worked well. Also, didn't need to build a new agent pkg upon new releases.

ericsliu0
New Contributor

@ESensenbrenner Will there be a new version of the client?

edullum
Contributor

@ESensenbrenner I am experiencing the same thing. I can't get S1 version 3.0.4.2657 to install with a policy via Jamf cloud (10.15.1), but I have no problems installing it locally on the mac. There is first a Configuration Profile on the mac to approve the kernel extension. Then, I have a policy set to install the package via our network File Share Distribution Point (no spaces in file path). Package name also has no spaces. After the package is installed I run an Execute Command to set the registration token. However, I get an error message that the package failed to install and to contact the manufacturer, but only on some Macs not all. I've even downloaded a fresh pkg of the S1 agent and it's a no go.

awginger
Contributor

So we are now using version 3.2.1.2800 which seems to be running fine on Catalina and I am still using the same command line as I was above.
I am interested in seeing the script you mentioned @rpayne to inject the site ID post install, please.
Next problem is that I am trying to update existing versions of the client to the latest we have (3.2.1.2800). Currently using the same install method but getting "The upgrade failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)"

awginger
Contributor

@edullum Have you tried my method? Package with the installer and token to somewhere like /var/tmp and then a command to run the installer? It automatically reads the registration token then as it is in the same folder as the installer.

edullum
Contributor

@awginger I tried your method locally on a Mac running Catalina and it worked flawlessly. Now I'm going to put it into place with Jamf Pro and let you know what happens.

edullum
Contributor

I give up. I keep getting this error message when I try to install the package via Jamf Remote or via custom policy trigger. I even gave the package 777 rights: installer: The upgrade failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)

awginger
Contributor

Are you installing it on a device that already has SentinelOne?

edullum
Contributor

@awginger Yes. But I've been able to upgrade an agent before that was already installed on a Mac.

awginger
Contributor

@edullum Can you not pass the management of upgrades/updates to the SentinelOne console?

edullum
Contributor

@awginger I can on some of the agents. There is an agent version of S1 that has a bug, where the S1 admin console cannot see the Mac. So the Macs that are on the buggy agent are a whole other process to get updated.

awginger
Contributor

Just seen this on one of our customers' estates. They are using a simple one-liner...

sudo sentinelctl upgrade-pkg /<file_location>/<package_name>.pkg

Santosh
New Contributor III

@awginger can you please share the script to install the SentinelOne.

awginger
Contributor

@Santosh I'm not using a script, just the method I mentioned in the post above (here)

AMJAD
New Contributor

Hi Awginger, can you please share the steps to use this method, thanks!