How to Install SentinelOne with Jamf Now

Updated over 2 weeks ago

Description

Deploying and installing SentinelOne using Jamf Now involves a four-step process:

  1. Build and upload a macOS package containing the registration token plist for app validation.

  2. Upload the SentinelOne installation package provided by SentinelOne.

  3. Create and upload a Privacy Preferences Policy Control (PPPC) custom profile using iMazing to grant the necessary SentinelOne application permissions.

  4. Assign both packages to the necessary Blueprints.


Deploying and Installing SentinelOne

Requirements

  • Jamf Now

  • Apple Developer Account (to sign packages with)

  • SentinelOne package (provided by SentinelOne)

  • SentinelOne registration site token string (provided by SentinelOne)

  • iMazing (to create PPPC custom profiles)

Building and uploading package with registration token plist using Composer

  1. In Composer, start with an empty package. This may require you to use the Convert to Source button on an existing package. If so, delete all existing configurations and scripts from the package once it has been converted to a source.

  2. In Composer, click File > Add Shell Script > postinstall.

  3. Delete the prefilled script and replace it with the following:

    #!/bin/bash

    # Replace the TOKEN_STRING_HERE text below with your SentinelOne Registration Site token string
    token_string="TOKEN_STRING_HERE"

    # Create a plist file with the token string in the appropriate format
    sudo bash -c "cat > /Library/Managed\ Preferences/com.sentinelone.registration-token.plist <<EOF
    <?xml version=\"1.0\" encoding=\"UTF-8\"?>
    <!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
    <plist version=\"1.0\">
    <dict>
    <key>S1InstallRegistrationToken</key>
    <string>$token_string</string>
    </dict>
    </plist>
    EOF"

    # Set the appropriate permissions on the plist file
    sudo chmod 644 /Library/Managed\ Preferences/com.sentinelone.registration-token.plist

  4. Replace the TOKEN_STRING_HERE text with the registration site token string provided by SentinelOne for your account.

  5. Click out of the script window in Composer and choose to save changes via the Save button.

  6. Under Composer > Settings, ensure the Sign with checkbox is enabled with a valid Developer ID Installer Certificate selected.

  7. Click Build as PKG in Composer to build and sign the package. Learn more about building and signing packages here.

  8. Upload the registration token plist package into Jamf Now.
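
A guarded variant of the postinstall logic above, so the package fails visibly when the placeholder from step 4 was never replaced instead of writing an unusable token. This is an added example, not Jamf's or SentinelOne's script; the function names and the `S1_PLIST_DIR` override (used only to try it off-device) are hypothetical.

```shell
#!/bin/bash
# Added example: guard around the registration-token plist (not vendor code).
# Installer postinstall scripts already run as root, so no sudo is used.
PLACEHOLDER="TOKEN_STRING_HERE"
PLIST_NAME="com.sentinelone.registration-token.plist"

# Return 0 only for a token that is set, replaced, and safe to embed in XML.
validate_token() {
    local token="$1"
    [ -n "$token" ] || return 1                  # empty
    [ "$token" != "$PLACEHOLDER" ] || return 1   # step 4 was skipped
    case "$token" in
        *"<"*|*">"*|*"&"*|*" "*) return 1 ;;     # would corrupt the plist
    esac
    return 0
}

# Write the plist atomically; a non-zero return should fail the install.
# S1_PLIST_DIR is a hypothetical override for testing away from a Mac.
write_token_plist() {
    local token="$1" dir="${S1_PLIST_DIR:-/Library/Managed Preferences}" tmp
    validate_token "$token" || { echo "invalid registration token" >&2; return 1; }
    mkdir -p "$dir" || return 1
    tmp="$(mktemp "$dir/.s1token.XXXXXX")" || return 1
    cat > "$tmp" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>S1InstallRegistrationToken</key>
<string>$token</string>
</dict>
</plist>
EOF
    # On macOS, lint the file before it goes live; skipped where plutil is absent.
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$dir/$PLIST_NAME"
}

# In the postinstall script: write_token_plist "$token_string" || exit 1
```

Exiting non-zero from postinstall marks the package install as failed, so a package built with the placeholder still in it is noticed rather than deployed silently.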


Creating and uploading Privacy Preferences Policy Control (PPPC) profiles

Use iMazing to create a SentinelOne PPPC profile that gives all SentinelOne apps access to SystemPolicyAllFiles.

  1. Open iMazing Profile Editor and create a new profile.

  2. Click +Add Configuration Profile for the Privacy Preferences Policy Control.

  3. Under SystemPolicyAllFiles, click the + button to add the following three configurations.

    1. Identifier = com.sentinelone.sentineld-shell
      Identifier Type = Bundle ID
      Code requirement = anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
      Allowed = 1

    2. Identifier = com.sentinelone.sentineld-helper
      Identifier Type = Bundle ID
      Code requirement = anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
      Allowed = 1

    3. Identifier = com.sentinelone.sentineld
      Identifier Type = Bundle ID
      Code requirement = anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
      Allowed = 1

  4. Name the profile under the General tab in iMazing.

  5. Go to File > Save As and save it to your computer.

  6. Upload the profile to all Blueprints where you plan to deploy SentinelOne.
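
A lint for the saved profile that catches the likeliest slip in step 3: pasting one entry's code requirement under a different identifier, which that binary can then never satisfy. This is an added example, not Jamf or SentinelOne tooling; the function names and sample fragment are constructed, and it assumes iMazing saved an unsigned XML profile with one element per line using the PPPC keys Identifier, CodeRequirement and Allowed.

```shell
#!/bin/bash
# Added example: lint a saved PPPC profile before upload (not vendor code).
# Assumes an unsigned XML .mobileconfig with one element per line.
TEAM_OU="4AYE5J54KN"   # subject.OU pinned by the code requirements above
EXPECTED_IDS="com.sentinelone.sentineld-shell com.sentinelone.sentineld-helper com.sentinelone.sentineld"

# Print one line per problem; return 0 only when the profile is clean.
check_pppc_profile() {
    awk -v ou="$TEAM_OU" -v want="$EXPECTED_IDS" '
    function val(s) { gsub(/^[ \t]*<string>|<\/string>[ \t\r]*$/, "", s); gsub(/&quot;/, "\"", s); return s }
    /<key>SystemPolicyAllFiles<\/key>/ { in_svc = 1; next }
    in_svc && /<\/array>/ { in_svc = 0 }
    !in_svc  { next }
    /<dict>/ { id = req = ""; allowed = 0; next }
    /<key>/  { key = $0; gsub(/^[ \t]*<key>|<\/key>.*$/, "", key); next }
    key == "Identifier"      && /<string>/ { id = val($0) }
    key == "CodeRequirement" && /<string>/ { req = val($0) }
    key == "Allowed"         && /<true\/>/ { allowed = 1 }
    /<\/dict>/ {
        seen[id] = 1
        if (!allowed) { print id ": Allowed is not true"; bad++ }
        # A requirement copied from another entry never matches this binary.
        if (!index(req, "identifier \"" id "\"")) { print id ": requirement names another identifier"; bad++ }
        if (!index(req, "leaf[subject.OU] = \"" ou "\"")) { print id ": team OU not pinned"; bad++ }
    }
    END {
        n = split(want, w, " ")
        for (i = 1; i <= n; i++) if (!(w[i] in seen)) { print w[i] ": not granted SystemPolicyAllFiles"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Write a constructed sample profile fragment to $1; $2 is the identifier put
# in the sentineld requirement, so a copy/paste slip can be simulated.
write_sample_profile() {
    local id rid
    {
        echo '<key>SystemPolicyAllFiles</key>'; echo '<array>'
        for id in $EXPECTED_IDS; do
            rid="$id"
            if [ "$id" = "com.sentinelone.sentineld" ]; then rid="$2"; fi
            printf '<dict>\n<key>Allowed</key>\n<true/>\n<key>CodeRequirement</key>\n'
            printf '<string>anchor apple generic and identifier "%s" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "%s")</string>\n' "$rid" "$TEAM_OU"
            printf '<key>Identifier</key>\n<string>%s</string>\n' "$id"
            printf '<key>IdentifierType</key>\n<string>bundleID</string>\n</dict>\n'
        done
        echo '</array>'
    } > "$1"
}
```

Run `check_pppc_profile` against the file saved in step 5; any output names the entry to fix in iMazing before the upload in step 6.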


Uploading and Deploying SentinelOne installer package

  1. Follow the steps on Deploying Mac Packages to upload the package you have from the vendor.

  2. Assign both packages to the necessary Blueprints.

  3. The SentinelOne package installation status can be observed under the Mac Apps tab of each individual Mac in Jamf Now.
