04-25-2022 03:55 AM - edited 04-25-2022 06:17 AM
Here are two install scripts to install the SentinelOne Agent with a token on Mac and Linux. Run once a day or so. If installed, it will exit the installer. The Mac version can also be used as a PostInstall script in an empty .pkg if you want to utilize Software Management instead.
We use Dropbox to store downloads, but if you do, remember to change the download link to ?dl=1 instead of ?dl=0.
Mac Script:
#!/bin/bash
sentinelToken="YOUR SENTINELONE TOKEN GOES HERE"
downloadLink="YOUR DOWNLOAD LINK GOES HERE"
pkgName="NAME OF YOUR INSTALLER PKG.pkg"
# You can put the installer on Dropbox or wherever you prefer.
if [ -d /Applications/SentinelOne/ ];
then
    echo "Already Installed"
    exit 0
else
    # Download agent (variables are quoted so names containing spaces work)
    curl -L -o "/tmp/$pkgName" "$downloadLink"
    # Set token
    echo "$sentinelToken" > /tmp/com.sentinelone.registration-token
    # Install agent
    /usr/sbin/installer -pkg "/tmp/$pkgName" -target /
fi
Linux:
#!/bin/bash
sentinelToken="YOUR SENTINELONE TOKEN GOES HERE"
downloadLink="YOUR DOWNLOAD LINK GOES HERE"
pkgName="NAME OF YOUR INSTALLER PKG.deb"
# You can put the installer on Dropbox or wherever you prefer.
if [ -d "/opt/sentinelone/" ];
then
    echo "Already Installed"
    exit 0
else
    cd /tmp
    # Download agent (variables are quoted so names containing spaces work)
    curl -L -o "$pkgName" "$downloadLink"
    # Install agent
    chmod +x "$pkgName"
    dpkg -i "$pkgName"
    # Set token
    /opt/sentinelone/bin/sentinelctl management token set "$sentinelToken"
    # Start agent
    /opt/sentinelone/bin/sentinelctl control start
fi
04-25-2022 09:09 AM - edited 04-26-2022 04:19 AM
Btw you also need a custom PPPC profile for Macs.
Here is the XML for Agent version 21.7 and Later
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Privacy Preferences Policy Control</string>
<key>PayloadIdentifier</key>
<string>236FFBB3-159D-4A5F-B146-AAA7BBA11FF0</string>
<key>PayloadOrganization</key>
<string>Your Company</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>236FFBB3-159D-4A5F-B146-AAA7BBA11FF0</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<integer>1</integer>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
<key>Identifier</key>
<string>com.sentinelone.sentineld</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
<dict>
<key>Allowed</key>
<integer>1</integer>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
<key>Identifier</key>
<string>com.sentinelone.sentineld-helper</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
<dict>
<key>Allowed</key>
<integer>1</integer>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
<key>Identifier</key>
<string>com.sentinelone.sentineld-shell</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>Provides access to all disk to Sentinel One processes</string>
<key>PayloadDisplayName</key>
<string>SentinelOne - Privacy Control</string>
<key>PayloadIdentifier</key>
<string>0F7D9FAD-1257-402C-A942-354723513881</string>
<key>PayloadOrganization</key>
<string>Sentinel Labs, Inc.</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5961E10D-A589-4A7E-9790-8F1C55511014</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
06-30-2022 05:02 PM
Can you share instructions on how to use it from JumpCloud?
07-06-2022 02:06 PM
Yes this would be very helpful if possible.
07-09-2022 11:20 AM
09-01-2022 12:40 AM
Hello.
Can you please share how to use this with NinjaOne?
Also, how would one script to allow extensions (security and privacy)?
Thank you!
09-01-2022 09:21 AM
Hi @akamoneybags !
You need to use the MDM Policies to allow System Extensions and grant them Privacy Preferences Policy Control settings. Fortunately, we have policies for both now!
Check out the Create a Mac Application Privacy Preferences Policy article in our knowledge base for more on how to do that, or the Create a Mac System Extension Policy article.
11-11-2022 09:50 AM
What if you already have a customer configuration profile, will creating one for sentinelone stop the other from working?
11-11-2022 03:13 PM
When you say "customer configuration profile" what do you mean?
11-15-2022 04:49 PM
What I mean is a custom MDM configuration profile. I have one that I created to push out to MACs already, is it ok to apply two custom config profiles?
11-15-2022 06:21 PM
Not a great idea to supply two profiles for the same tool.
06-21-2022 11:28 AM
Works perfect, thanks @Fulgubbe !
08-10-2022 08:37 AM
Is there something for Macs? The above solutions do not work with Macs.
08-10-2022 08:41 AM
@Franco It works perfectly for me. Can you elaborate on what's not working?
08-10-2022 09:14 AM
The first script does nothing; it does not download or install it.
It gives no error and no successful message; it just has a window with its command.
Yes, the user is admin, and yes, I spoke to support.
The best I could do was create my own custom script.
There are 2 caveats with my script: 1, I need the user's password, which makes it unscalable, and 2, it will not give it full disk access.
Also, I cannot seem to find very much on how to do this with Windows.
We have about 20% Windows.
My expectations are that I use a command or policy or both and it works on Mac and PC. I understand it has to be one for each, but I should be able to run it 1000 times without any user interference or needing anything from them.
08-10-2022 09:38 AM
You need to apply the XML policy to your Mac hosts as Tom explains. Then the scripts have three variables at the top that need to be modified. Then run it as root from a command. You don't need to enter any passwords to set full disk access.
It works similarly for Linux, without the need for the XML policy. I don't have Windows hosts, so you will have to investigate using a PowerShell script for that.
08-10-2022 09:41 AM
I did and it's not working.
08-10-2022 09:47 AM
As @jeff-codecov mentioned, you need two things to deliver Sentinel One to Macs successfully:
If you supply your own installer, its package name, and licensing info in the command, that command is idempotent (meaning, its results are always the same, no matter the installed state of S1) and can be run as a repeating command.
08-10-2022 09:49 AM - edited 08-10-2022 09:49 AM
I do not know what to tell you, but yes to all; nothing, it does not work.
08-10-2022 09:55 AM
Sometimes it's helpful to share what you're inputting into the variables in the first three lines of the supplied command. You can sanitize the values by changing the domain to example.com or changing the last digits of the key to XXXXX.
For the Macs that you're installing this on, are you seeing the necessary Full Disk Access profile in the System Preferences > Profiles preference pane?
08-10-2022 10:02 AM - edited 08-10-2022 10:04 AM
I cannot do that, for security reasons. Why don't you tell me what goes there?
sentinelToken="YOUR SENTINELONE TOKEN GOES HERE"
downloadLink="YOUR DOWNLOAD LINK GOES HERE"
pkgName="NAME OF YOUR INSTALLER PKG.deb"
I can say:
sentinel token is the sentinel token
download link is our server where the SentinelOne file is to download
pkg name is the name of the SentinelOne pkg
08-10-2022 10:10 AM
sentinelToken should be self-explanatory. It's the token to assign a new install to your device.
downloadLink is a publicly-accessible URL that contains your Sentinel One installer. A sample would be https://www.example.com/mypackages/installers/sentinelone/sentinelone.deb or https://www.example.com/mypackages/installers/sentinelone/sentinelone.pkg
pkgName would be sentinelone.deb or sentinelone.pkg
08-10-2022 10:12 AM - edited 08-10-2022 10:12 AM
Ok let me try that
08-10-2022 10:18 AM
Nope did not work
08-10-2022 10:19 AM
Can you share the command results, at least?
08-10-2022 10:23 AM
same as above nothing
08-10-2022 11:02 AM - edited 08-10-2022 11:03 AM
Are you stumped? I still need a solution.
08-10-2022 11:07 AM
I've added some output to the script that should be captured by our Commands tools in the Admin Portal. Try including the right items in the variables and then running this command. You should be able to paste the output from the Admin Portal as a response?
#!/bin/bash
sentinelToken="YOUR SENTINELONE TOKEN GOES HERE"
downloadLink="YOUR DOWNLOAD LINK GOES HERE"
pkgName="NAME OF YOUR INSTALLER PKG.deb"
# You can put the installer on Dropbox or wherever you prefer.
echo "Beginning Loop to Check for S1 and Install if not present"
if [ -d "/opt/sentinelone/" ];
then
    echo "Already Installed"
    exit 0
else
    cd /tmp
    # Download agent (variables are quoted so names containing spaces work)
    curl -L -o "$pkgName" "$downloadLink"
    echo "Installer Downloaded"
    # Install agent
    chmod +x "$pkgName"
    echo "Changing Permissions on Downloaded Package"
    dpkg -i "$pkgName"
    echo "Installed Package"
    # Set token
    echo "Setting Sentinel One Token"
    /opt/sentinelone/bin/sentinelctl management token set "$sentinelToken"
    echo "Token Set"
    # Start agent
    echo "Starting Sentinel One Process"
    /opt/sentinelone/bin/sentinelctl control start
fi
echo "Loop Complete"
08-10-2022 11:10 AM
That does not work, period. OK, I need a working solution.
I'm assuming it's not for JumpCloud to have an unsolved issue, and this is unsolved.
08-10-2022 11:18 AM
Hi Franco, admin here. The team is doing what they can to help you, but without more information from you, they can only help so much. If you refuse to answer some of the questions, exactly how are they to help you further? We need you to work with us here.
And people are doing this outside of their normal duties, as volunteers (this isn't their actual day job), so I'm asking you to be kind in your responses to the people who are just trying to help you. Even though you're frustrated, they aren't the ones causing the problems you're having at the moment.
08-10-2022 11:23 AM - edited 08-10-2022 11:27 AM
I gave them an answer. I told them everything I can; I cannot give them security info.
You have to look at my end: if I ask you to give me your information, you will not, right?
Anything even close to the real information may cause a security issue.
I gave him everything else.
08-10-2022 11:21 AM
Totally hear that you need a working solution, but it's hard for me to understand where you're getting stuck right now. Our Command results will include everything fed back out to standard out, which will include the echo lines I added to the Command. If nothing's running, there's a bigger problem here. 😞
08-10-2022 11:25 AM
I told you it does not work. I entered that script and put in the token / pub server and file. Yes, I included the XML as a policy, and when I run that command the result is just a window; it does not say successful, it does not say fail, it just has the script in the above window with nothing under it.
When I look at the test computer, it never installed the package.
08-10-2022 11:37 AM
I managed to get an error. I deleted the bash and policy, and when I recreate the policy I get:
Unable to save Policy!
failed to insert policy into policy database (org= xxxxxx): failed to prepare policy: prepare failed: profile was not in plist format
08-10-2022 11:46 AM - edited 08-10-2022 11:48 AM
I started over and deleted both command and policy. Recreated both, and this time it does say successful, but it did not install SentinelOne on my test client.
08-10-2022 11:52 AM - edited 08-10-2022 12:00 PM
Found this when I scrolled down; sorry I did not include it above:
zsh:31: no such file or directory: /opt/sentinelone/bin/sentinelctl
Update: also saw this error:
command not found: dpkg
08-10-2022 11:58 AM
Can you include the whole command output?
08-10-2022 12:07 PM
Sorry, not sure what you are asking.
I cannot give you the entire window, but it goes past downloading, then states
command not found: dpkg. and twice zsh:31: no such file or directory: /opt/sentinelone/bin/sentinelctl
and that's where it ends.
08-10-2022 12:20 PM
Is it possible in this one you're trying to run the Linux script which uses deb and dpkg to install the app on macOS?
08-10-2022 12:39 PM - edited 08-10-2022 12:43 PM
I deleted it and ensured I copied the Mac script, and now I get an error and the following:
#!/bin/bash sentinelToken=“token number” open downloadLink="https://servername.com” pkgName="Sentinel-Release-22-2-3-6268_macos.pkg" #You can put the installer on dropbox or where you prefer. if [ -d /Applications/SentinelOne/ ]; then echo "Already Installed" exit 0 else #Download Agent curl -L -o /tmp/$pkgName $downloadLink #Set Token echo $sentinelToken > /tmp/com.sentinelone.registration-token #Install Agent /usr/sbin/installer -pkg /tmp/$pkgName -target / fi
FYI, it does not exist on that Mac.
Forgot to include these errors:
curl: (23) Failure writing output to destination
zsh:19: permission denied: /tmp/com.sentinelone.registration-token
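An added example, not the original poster's script and not vendor code: a hardened variant of the Mac install flow from the first post that checks the OS and root up front (the two conditions raised in the replies), pins the downloaded installer by SHA-256 and signer before running it as root, and writes the token file root-only. The URL, hash and `--install` switch are placeholders or assumptions; the Team ID is the `subject.OU` value from the PPPC profile in this thread and is assumed to also sign the installer package.

```shell
#!/bin/bash
# Added example (hypothetical names); placeholder values must be replaced.
DOWNLOAD_URL="https://www.example.com/sentinelone.pkg"   # placeholder
EXPECTED_SHA256="REPLACE_WITH_SHA256_OF_YOUR_PKG"        # placeholder
EXPECTED_TEAM_ID="4AYE5J54KN"   # subject.OU from the PPPC profile in this thread
SENTINEL_TOKEN="YOUR SENTINELONE TOKEN GOES HERE"        # placeholder
TOKEN_FILE="/tmp/com.sentinelone.registration-token"     # path used by the first post

# Print the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only if the file exists and its digest equals the pinned value.
verify_sha256() { [ -f "$1" ] && [ "$(sha256_of "$1")" = "$2" ]; }

install_agent() {
  # Fail loudly instead of silently: wrong OS (the dpkg-on-macOS case) or not root.
  [ "$(uname -s)" = "Darwin" ] || { echo "Not macOS; use the Linux script" >&2; return 1; }
  [ "$(id -u)" -eq 0 ] || { echo "Must run as root" >&2; return 1; }
  if [ -d /Applications/SentinelOne/ ]; then echo "Already Installed"; return 0; fi
  umask 077                                   # new files are readable by root only
  workdir=$(mktemp -d) || return 1            # unpredictable, root-only directory
  pkg="$workdir/agent.pkg"
  # --fail turns HTTP errors into a non-zero exit; only HTTPS is allowed, also on redirects.
  curl --fail --silent --show-error --location --proto '=https' --proto-redir '=https' \
       -o "$pkg" "$DOWNLOAD_URL" || { echo "Download failed" >&2; return 1; }
  verify_sha256 "$pkg" "$EXPECTED_SHA256" || { echo "Hash mismatch" >&2; return 1; }
  pkgutil --check-signature "$pkg" | grep -q "($EXPECTED_TEAM_ID)" \
    || { echo "Unexpected or missing package signature" >&2; return 1; }
  # Drop any pre-existing file or symlink, then create the token file without clobbering.
  rm -f "$TOKEN_FILE"
  ( set -C; printf '%s\n' "$SENTINEL_TOKEN" > "$TOKEN_FILE" ) || return 1
  /usr/sbin/installer -pkg "$pkg" -target /
  rc=$?
  rm -rf "$workdir"
  return "$rc"
}

# Only install when asked, so the functions can be sourced and checked on their own.
if [ "${1:-}" = "--install" ]; then install_agent; fi
```

Every failure path prints a message to standard error, so a command runner that captures output shows which step stopped the install.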