Posted on 07-12-2018 08:46 AM
Good Morning jamf Nation,
We are rolling out SentinelOne agent to Macs. I have the policy set, but I need some assistance with "pre-approving" the SentinelOne Agent kernel extension. The S1 setup guide gives a parameter to enter in the policy:
Kext Bundle ID: com.sentinelone.sentinel-kext
Developer ID: 4AYE5J54KN
I just don't know where to put the parameter. I tried copying and pasting it into Execute Command under Files and Processes, but that change doesn't 'approve' the agent. Based on the log file, it looks like it's trying to run the parameter, but then fails?
Any ideas?
Posted on 07-12-2018 09:44 AM
I put the kernel extension in a configuration profile and deployed that first then deployed the software.
Posted on 07-12-2018 10:49 AM
Thanks! I think that is going to work!
Posted on 07-13-2018 07:52 AM
@jmonty I don't know why I didn't think of that.
Posted on 08-09-2018 12:53 PM
Hey @edullum
We've got Configuration Profile to distribute SentinelOne pkg on Enrollment, and soon after we are running a script to activate.
Also, inside the Configuration Profile, scroll down to Approved Kernel Extensions and add as follows:
It takes 2-3 minutes to activate but it works. A user doesn't have to click to approve Kernel Extension inside Security & Privacy.
Hope this helps.
Posted on 08-09-2018 12:54 PM
@rafalkukla Thank you. That's essentially what I did for our environment!
Posted on 08-09-2018 12:56 PM
Great!
Posted on 08-10-2018 01:34 AM
Morning @edullum ,
What script are you running to activate endpoints?
For some reason, after endpoint installation, some devices won't activate using script with the following error message:
Running script Activate SentinelOne...
Script exit code: 1
Script result: sudo: sentinelctl: command not found
Error running script: return code was 1.
But if you sudo jamf policy on the computer itself, there is no problem at all. - Script result: Agent secret injected with success.
Again, this is happening only on a small number of devices, most of them will install and activate without any issues.
Any help is much appreciated.
Posted on 08-10-2018 05:18 AM
@rafalkukla We don't send a script to activate the agent. We deploy a policy to install the SentinalOne.pkg from our Distribution Share Point. I obtained the pkg from the S1 portal under Settings>Updates>OS X. We then see the client pop up in the S1 portal under Network>Default group. We then move the machine to the correct static group depending on what school the machine belongs to. I've seen the S1 agent fail to install a bunch of times. The log file says that it could not mount the Distribution Share Point....I hate that..it happens a lot and it happens randomly. Like 1 out of 5 computer enrollments.
I created a Smart Computer Group with criteria to put computers that don't have the S1 agent installed. When those computers get online the policy to install the S1 agent to better manage it.
Attached is a screenshot of what our S1 configuration profile looks like.
Posted on 08-10-2018 06:00 AM
Hi @edullum I think we might be using different SentinelOne platforms. My platform is MSP model, so I have to assign site ID to each endpoint otherwise it's not showing up in the dashboard and SentinelOne icon on Mac has X.
Posted on 08-21-2018 12:52 PM
Does this model have an equal setting in JAMF v9.101 or above? Or is this exclusive to JAMF Pro v10 and above?
Posted on 08-22-2018 03:22 AM
Hey @rlaskowski
For devices with latest macOS High Sierra, if Jamf v9.x has Approved Kernel Extensions option in Configuration profiles (I can't remember if it has) you should be able to distribute SentinelOne silently. Otherwise, the end user would have to manually allow extension block.
Distributing and installing should work with v9.x
Hope this helps!
Posted on 09-25-2018 04:25 PM
@rafalkukla Were you able to get the sentinelctl token command to work? Having the same issue.
Posted on 09-26-2018 02:17 AM
Hey @callumgroth Yes, I found a workaround and it works well. I thought the activation script was the easiest option, but in the end I had to create a new pkg and include the license/site ID as a file in the same folder with the agent.
Posted on 09-26-2018 12:56 PM
Ah interesting! I ended up working out that when jamf runs the script as root it just didn't know what sentinelctl was, calling it explicitly from /usr/local/bin/sentinelctl works.
Posted on 03-11-2019 02:27 PM
@callumgroth Thanks. I was having some issues getting that script pointing to the token to work within my setup package. Added /usr/local/bin/sentinelctl and that solved my issue.
Posted on 08-07-2019 02:02 PM
Could someone post the installation script for this product? Thanks.
Posted on 09-27-2019 08:23 AM
I have just created a package containing the SentinelOne pkg and the file containing the activation tokeny thing (file has to be called com.sentinelone.registration-token) which installs to /var/tmp.
I install this package via a policy and then in the same policy run /usr/sbin/installer -pkg /var/tmp/Sentinel*.pkg -target /
In advance I had a configuration profile applying the kernel extension that @edullum posted above.
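The staging method from the post above, combined with the absolute-path fix for sentinelctl found earlier in the thread, as an added example that is not code from any poster or from SentinelOne. The function names, the INSTALLER and SENTINELCTL override variables, passing the staging folder as Jamf parameter $4, and deleting the staged token once the installer returns are assumptions.

```shell
#!/bin/bash
# Added example: staged SentinelOne install run from a Jamf policy script.
# Assumptions (not from the thread): function names, the override variables,
# the staging folder arriving as $4, and token cleanup after the install.

TOKEN_NAME="com.sentinelone.registration-token"   # file name given in the thread
INSTALLER="${INSTALLER:-/usr/sbin/installer}"
# Absolute path: Jamf runs scripts as root and /usr/local/bin may not be on PATH.
SENTINELCTL="${SENTINELCTL:-/usr/local/bin/sentinelctl}"

# Print the single Sentinel*.pkg in the folder. Fails on zero or several
# matches, so a stale installer left behind is never picked up by the glob.
find_staged_pkg() {
    set -- "$1"/Sentinel*.pkg
    [ "$#" -eq 1 ] && [ -f "$1" ] || return 1
    printf '%s\n' "$1"
}

# The installer reads the token from its own folder, so require it up front.
token_ready() { [ -s "$1/$TOKEN_NAME" ]; }

install_staged_agent() {
    stage_dir="$1"
    pkg="$(find_staged_pkg "$stage_dir")" || {
        echo "need exactly one Sentinel*.pkg in $stage_dir" >&2; return 2; }
    token_ready "$stage_dir" || { echo "missing or empty $TOKEN_NAME" >&2; return 3; }
    chmod 600 "$stage_dir/$TOKEN_NAME"        # /var/tmp is shared by all local users
    rc=0
    "$INSTALLER" -pkg "$pkg" -target / || rc=$?   # quoted: spaces in the path survive
    rm -f "$stage_dir/$TOKEN_NAME"            # assumed safe once installer has returned
    [ "$rc" -eq 0 ] || return "$rc"
    "$SENTINELCTL" version                    # confirm the agent answers
}

# Jamf passes custom script parameters starting at $4.
if [ -n "${4:-}" ]; then
    install_staged_agent "$4"
fi
```

In a Jamf policy, set parameter 4 of the script to the staging folder (for example /var/tmp) and run it after the package that drops the installer and token there.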
Posted on 10-02-2019 01:51 PM
awginger - it looks like this method worked for us
Posted on 10-03-2019 11:24 AM
SentinelOne does not appear as an installed application. How can I create a smart computer group to tell me if SentinelOne is installed? It does run in memory as SentinalAgent, but there is no option to check for a running process.
Posted on 10-04-2019 11:55 AM
Like this...
Posted on 10-09-2019 05:37 AM
@mmcginnis I am currently using an extension attribute as it tells me the version too, then the smart group uses the 'not installed' value.
#!/bin/bash
# Check to see if the SentinelOne agent is installed.
# If the agent is installed, report the agent
# version.
if [ -f "/usr/local/bin/sentinelctl" ] ; then
    RESULT=$( /usr/local/bin/sentinelctl version | awk '{print $2 $3}' )
else
    RESULT="not installed"
fi
echo "<result>$RESULT</result>"
Posted on 10-09-2019 05:39 AM
Anyone having issues with SentinelOne on 10.15 Catalina? Just upgraded a device and now it is telling me 'Kext not loaded' even though my configuration profile to apply the kernel extension has been applied to the device. Could it be to do with moving to System Extensions over Kernel Extensions?
Posted on 10-09-2019 09:55 AM
@awginger I get the same results when I upgrade a machine to Catalina. I'm hoping SentinelOne releases a new client soon that uses the System Extension (I'm guessing this is the issue).
In the mean time, my policy to deploy SentinelOne has recently "broke". For the life of me I can't figure out what is causing the issue. It was working fine until a couple weeks ago. Installing the client manually works just fine but the policy fails every time with a "An error occurred while running scripts from the package "SentinelAgent_macos_v3_4_2728.pkg" error in the logs. I'm beating my head against a brick wall trying to figure out what would have changed in the last couple weeks to cause this (we're on Cloud and we did get upgraded to 10.15.1 recently).
Anyone else having issues with your policy installing SentinelOne?
Posted on 10-09-2019 01:02 PM
@Neil_Kitt Was talking with SentinelOne on this one going back and forth. They found out that the new agent breaks when being installed via command line when there are spaces in the file path. When you cache the package in the 'Waiting Room' folder is where the command line install breaks. They said that a fix will be out soon. This would explain why installing the client manually works fine and through Jamf policy it breaks. Hope this helps.
Thanks!
Posted on 10-11-2019 07:51 AM
We no longer use SentinelOne. We used to run the install and then inject the site ID after via a script. Worked well. Also, didn't need to build a new agent pkg upon new releases.
Posted on 10-11-2019 12:02 PM
@ESensenbrenner Will there be a new version of the client?
Posted on 10-16-2019 07:15 AM
@ESensenbrenner I am experiencing the same thing. I can't get S1 version 3.0.4.2657 to install with a policy via Jamf cloud (10.15.1), but I have no problems installing it locally on the mac. There is first a Configuration Profile on the mac to approve the kernel extension. Then, I have a policy set to install the package via our network File Share Distribution Point (no spaces in file path). Package name also has no spaces. After the package is installed I run an Execute Command to set the registration token. However, I get an error message that the package failed to install and to contact the manufacturer, but only on some Macs not all. I've even downloaded a fresh pkg of the S1 agent and it's a no go.
Posted on 10-23-2019 04:00 AM
So we are now using version 3.2.1.2800 which seems to be running fine on Catalina and I am still using the same command line as I was above.
I am interested in seeing the script you mentioned @rpayne to inject the site ID post install, please.
Next problem is that I am trying to update existing versions of the client to the latest we have (3.2.1.2800). Currently using the same install method but getting "The upgrade failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)"
Posted on 10-23-2019 04:02 AM
@edullum Have you tried my method? Package with the installer and token to somewhere like /var/tmp and then a command to run the installer? It automatically reads the registration token then as it is in the same folder as the installer.
Posted on 10-23-2019 05:20 AM
@awginger I tried your method locally on a Mac running Catalina and it worked flawlessly. Now I'm going to put it into place with Jamf Pro and let you know what happens.
Posted on 10-23-2019 09:29 AM
I give up. I keep getting this error message when I try to install the package via Jamf Remote or via custom policy trigger. I even gave the package 777 rights: installer: The upgrade failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)
Posted on 10-23-2019 02:28 PM
Are you installing it on a device that already has SentinelOne?
Posted on 10-24-2019 04:45 AM
@awginger Yes. But I've been able to upgrade an agent before that was already installed on a Mac.
Posted on 10-24-2019 09:35 AM
@edullum Can you not pass the management of upgrades/updates to the SentinelOne console?
Posted on 10-24-2019 09:55 AM
@awginger I can on some of the agents. There is an agent version of S1 that has a bug, where the S1 admin console cannot see the Mac. So the Macs that are on the buggy agent is a whole other process to get them updated.
Posted on 10-29-2019 07:01 AM
Just seen this on one of customer's estate - They are using a simple one liner...
sudo sentinelctl upgrade-pkg /<file_location>/<package_name>.pkg
Posted on 11-04-2019 08:39 AM
@awginger can you please share the script to install the SentinelOne.
Posted on 07-15-2022 02:51 PM
Hi Awginger, can you please share the steps to use this method? Thanks!