Jamf Nation Community

Thanks! I think that is going to work!

@jmonty I don't know why I didn't think of that.

Hey @edullum

We've got Configuration Profile to distribute SentinelOne pkg on Enrollment, and soon after we are running a script to activate.

Also, Inside Configuration Profile, scroll down to Approved Kernel Extensions And add as follow :

It takes 2-3 minutes to activate but it works. A user doesn't have to click to approve Kernel Extension inside Security & Privacy.

Hope this helps.

@rafalkukla Thank you. That's essentially what I did for our environment!

Great!

Morning @edullum ,
What script are you running to activate endpoints?

For some reason, after endpoint installation, some devices won't activate using script with the following error message:

Running script Activate SentinelOne...
Script exit code: 1
Script result: sudo: sentinelctl: command not found
Error running script: return code was 1.

But if you sudo jamf policy on the computer itself, there is no problem at all. - Script result: Agent secret injected with success.

Again, this is happening only on a small number of devices, most of them will install and activate without any issues.

Any help is much appreciated.

@rafalkukla We don't send a script to activate the agent. We deploy a policy to install the SentinalOne.pkg from our Distribution Share Point. I obtained the pkg from the S1 portal under Settings>Updates>OS X. We then see the client pop up in the S1 portal under Network>Default group. We then move the machine to the correct static group depending on what school the machine belongs to. I've seen the S1 agent fail to install a bunch of times. The log file says that it could not mount the Distribution Share Point....I hate that..it happens a lot and it happens randomly. Like 1 out of 5 computer enrollments.

I created a Smart Computer Group with criteria to put computers that don't have the S1 agent installed. When those computers get online the policy to install the S1 agent to better manage it.

Attached is a screenshot of what our S1 configuration profile looks like.

Hi @edullum I think we might be using different SentinelOne platforms. My platform is MSP model, so I have to assign site ID to each endpoint otherwise it's not showing up in the dashboard and SentinelOne icon on Mac has X.

Does this model have an equal setting in JAMF v9.101 or above? Or is this exclusive to JAMF Pro v10 and above?

Hey @rlaskowski

For devices with latest macOS High Sierra, if Jamf v9.x has Approved Kernel Extensions option in Configuration profiles (I can't remember if it has) you should be able to distribute SentinelOne silently. Otherwise, the end user would have to manually allow extension block.

Distributing and installing should work with v9.x

Hope this helps!

@rafalkukla Were you able to get the sentinelctl token command to work? Having the same issue.

Hey @callumgroth Yes I found a workaround and works well. I thought the activation script was the easiest option, but at the end I had to create a new pkg and include license/site ID as a file in the same folder with the agent.

Ah interesting! I ended up working out that when jamf runs the script as root it just didn't know what sentinelctl was, calling it explicitly from /usr/local/bin/sentinelctl works.

@callumgroth . thanks. I was having some issues getting that script pointing to the token to work within my setup package. added /usr/local/bin/sentinelctl and that solved my issue.

Could someone post the installation script for this product? Thanks.

I have just created a package contain the SentinelOne pkg and the file containing the activation tokeny thing (files has to be called com.sentinelone.registration-token) which install to /var/tmp.

I install this package policy a policy and then in the same policy run usr/sbin/installer -pkg /var.tmp/Sentinel*.pkg -target /

In advance I had a configuration profile applying the kernel extension that @edullum posted above.

awginger - it looks like this method worked for us

SentinelOne does not appear as an installed application. How can I create a smart computer group to tell me if SentinelOne is installed? It does run in memory as SentinalAgent, but there is no option to check for a running process.

Like this...

@mmcginnis I am currently using an extension attribute as it tells me the version too, then the smart group uses the 'not installed' value.

#!/bin/bash

# Check to see if the SentinelOne agent is installed.
# If the agent is installed, report the agent
# version.

if [ -f "/usr/local/bin/sentinelctl" ] ; then 
    RESULT=$( /usr/local/bin/sentinelctl version | awk '{print $2 $3}' )
else
    RESULT="not installed"
fi

echo "<result>$RESULT</result>"

Anyone having issues with SentinelOne on 10.15 Catalina? Just upgraded a device and now it is telling me 'Kext not loaded' even though my configuration profile to apply the kernel extension has been applied to the device. Could it be to do with moving to System Extensions over Kernel Extensions?

@awginger I get the same results when I upgrade a machine to Catalina. I'm hoping SentinelOne releases a new client soon that uses the System Extension (I'm guessing this is the issue).

In the mean time, my policy to deploy SentinelOne has recently "broke". For the life of me I can't figure out what is causing the issue. It was working fine until a couple weeks ago. Installing the client manually works just fine but the policy fails every time with a "An error occurred while running scripts from the package "SentinelAgent_macos_v3_4_2728.pkg" error in the logs. I'm beating my head against a brick wall trying to figure out what would have changed in the last couple weeks to cause this (we're on Cloud and we did get upgraded to 10.15.1 recently).

Anyone else having issues with your policy installing SentinelOne?

@Neil_Kitt Was talking with SentinelOne on this one going back and forth. They found out that the new agent breaks when being installed via command line when there are spaces in the file path. When you cache the package in the 'Waiting Room' folder is where the command line install breaks. They said that a fix will be out soon. This would explain why installing the client manually works fine and through Jamf policy it breaks. Hope this helps.

Thanks!

We no longer use SentinelOne. We used to run the install and then inject the site ID after via a script. Worked well. Also, didn't need to build a new agent pkg upon new releases.

@ESensenbrenner Will there be a new version of the client?

@ESensenbrenner I am experiencing the same thing. I can't get S1 version 3.0.4.2657 to install with a policy via Jamf cloud (10.15.1), but I have no problems installing it locally on the mac. There is first a Configuration Profile on the mac to approve the kernel extension. Then, I have a policy set to install the package via our network File Share Distribution Point (no spaces in file path). Package name also has no spaces. After the package is installed I run an Execute Command to set the registration token. However, I get an error message that the package failed to install and to contact the manufacturer, but only on some Macs not all. I've even downloaded a fresh pkg of the S1 agent and it's a no go.

So we are now using version 3.2.1.2800 which seems to be running fine on Catalina and I am still using the same command line as I was above.
I am interested in seeing the script you mentioned @rpayne to inject the site ID post install, please.
Next problem is that I am trying to update existing versions of the client to the latest we have (3.2.1.2800). Currently using the same install method but getting "The upgrade failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)"

@edullum Have you tried my method? Package with the installer and token to somewhere like /var/tmp and then a command to run the installer? It automatically reads the registration token then as it is in the same folder as the installer.

@awginger I tried your method locally on a Mac running Catalina and it worked flawlessly. Now I'm going to put it into place with Jamf Pro and let you you what happens.

I give up. I keep getting this error message when I try to install the package via Jamf Remote or via custom policy trigger. I even gave the package 777 rights: installer: The upgrade failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)

Are you installing it on a device that already has SentinelOne?

@awginger Yes. But I've been able to upgrade an agent before that was already installed on a Mac.

@edullum Can you not pass the management of upgrades/updates to the SentinelOne console?

@awginger I can on some of the agents. There is an agent version of S1 that has a bug, where the S1 admin console cannot see the Mac. So the Macs that are on the buggy agent is a whole other process to get them updated.

Just seen this on one of customer's estate - They are using a simple one liner...

sudo sentinelctl upgrade-pkg /<file_location>/<package_name>.pkg

@awginger can you please share the script to install the SentinelOne.

@Santosh I'm not using a script, just the method I mentioned in the post above (here)