
Deploying SentinelOne using VMware Workspace ONE UEM for MacOS

by Lakindu Jayasena
SentinelOne Deployment using Workspace ONE UEM

Workspace ONE UEM is a sophisticated all-in-one solution that manages and centrally controls the elements of an organization’s IT workload, such as compliance management, application deployment, OS patch management, endpoint security, and various other automation tasks on end-user devices. In modern IT organizations, this UEM (Unified Endpoint Management) solution helps reduce costs, increase productivity, and deliver a better employee experience.

In this article, I’m going to show you how to easily deploy the SentinelOne Endpoint Security Platform to macOS devices using VMware Workspace ONE UEM.

Brief About SentinelOne

SentinelOne is a comprehensive and feature-rich enterprise security platform that provides threat detection, threat hunting, and AI-assisted prevention features to protect IT operations and end-user devices.

Prerequisites for Deploying SentinelOne for MacOS

Get the Site or Group Token

During Agent installation, you must add Agents to a Site with the Site Token or to a Group with a Group Token. Therefore, first log in to the SentinelOne console and find the token.

At the top left of the Console, select your site. Then, from the left side menu, select “Sentinels” and then Site Info. Copy the site token from the Site Token section and note it down.

Get the SentinelOne Site Token

Similarly, if you need the Group token, select the required group from the left side and then click the Group Info section.

Creating a Configuration Profile

Before installing the SentinelOne agent on macOS, it’s essential to set up specific prerequisites to ensure the agent is granted the access permissions it needs. This entails creating a new profile that deploys the necessary permissions for SentinelOne before installation.

From the Workspace ONE UEM console, navigate to Resources > Profiles & Baselines > Profiles. Then click Add to add a new profile.

Workspace One UEM Add Profile

Select “Apple macOS” from the Add Profile window and then select “Device Profile”.

WorkspaceONE Add Profile

Provide a name for the profile, such as “SentinelOne Settings”. You have the flexibility to choose any name you prefer.

Configure Privacy Preferences Payload

Find and select the Privacy Preferences payload and click ADD to configure it. Then add the following three apps with the settings listed below.

com.sentinelone.sentineld

  • Identifier: com.sentinelone.sentineld
  • Identifier Type: Bundle ID
  • Code Requirement:
anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
  • System Policy All Files: Allow
SentinelOne Privacy Preferences Payload for WorkspaceONE UEM

Similarly, configure the other two applications within the Privacy Preferences Payload section of the same profile.

com.sentinelone.sentineld-helper

  • Identifier: com.sentinelone.sentineld-helper
  • Identifier Type: Bundle ID
  • Code Requirement:
anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
  • System Policy All Files: Allow

com.sentinelone.sentineld-shell

  • Identifier: com.sentinelone.sentineld-shell
  • Identifier Type: Bundle ID
  • Code Requirement:
anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] or certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "4AYE5J54KN")
  • System Policy All Files: Allow

Configure Content Filter Payload

The SentinelOne Agent Network Extension provides Deep Visibility into IP network events and Firewall Control. Grant it access through the Content Filter payload so that both the Firewall Control and Deep Visibility network event features work:

In the same profile, select the “Content Filter” and configure the settings as below.

  • Filter Type: Select Plugin
  • Filter Name: SentinelOne Agent Network Extension
  • Identifier: com.sentinelone.extensions-wrapper
  • Select: Filter WebKit Traffic and Filter Socket Traffic
  • Key: com.sentinelone.network-monitoring
  • Value:
anchor apple generic and identifier "com.sentinelone.network-monitoring" and (certificate leaf[field.1.2.840.113635.100.6.1.9] or certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "4AYE5J54KN")
  • Filter Network Packets: Turn Off
SentinelOne Content Filter Payload for WorkspaceONE UEM

Configure System Extensions Payload

In the same profile, select “System Extensions” and configure the settings as below.

  • Team Identifier: 4AYE5J54KN
  • Bundle Identifier: com.sentinelone.network-monitoring
SentinelOne System Extensions Payload for WorkspaceONE UEM

Once you have configured all the above payloads, you are ready to publish the profile. Select the required smart group and click Save and Publish to proceed.

Deploying SentinelOne Agent as a Managed Application

With the above prerequisites in place, it is time to deploy the SentinelOne Agent as a managed application using Workspace ONE UEM.

Gather Metadata on SentinelOne Installer

First, we need to gather some metadata about the installer file we are going to deploy. For that, download and install the Workspace ONE Admin Assistant for macOS, which generates the metadata for the installer.

Open the Workspace ONE Admin Assistant app, and drag and drop your SentinelOne Agent installation file.

Workspace ONE Admin Assistant

Once parsing is done, you can reveal the output in Finder.

Parsing Installer using Workspace ONE Admin Assistant

You will see a metadata file with the .plist extension. That file contains the details Workspace ONE uses to determine whether the managed application is installed and whether the installed application is the correct version.

If required, you can open that file in any text editor and make additional modifications to the metadata (PLIST) file before deployment.

Reveal Parsing Output

Create and Configure Application Deployment on UEM Console

In the Workspace ONE UEM admin console, navigate to Resources > Apps > Native > Add Application File.

Create an Application on Workspace ONE UEM

In the Add Application window, upload the SentinelOne agent installer file and click Continue.

Upload Installer to Workspace ONE UEM

Next, upload the .plist file generated with the Workspace ONE Admin Assistant tool, and click Continue.

Upload Metadata of Installer to Workspace ONE UEM

The Application Details are now shown; modify them if required.

Modify Installer Details

Add an icon for the Application.

Add Installer Icon

Add Pre-Install and Post-Install Scripts.

Pre-Install Script

This script provides the SentinelOne registration token during the installation phase. It writes the token to a file named “com.sentinelone.registration-token” in the same cache directory where the installer is staged, so the installer can pick it up. Be sure to replace “<SentinelOneSiteTokenHere>” with the token you recorded in the first step.

#!/bin/bash
# Write the site/group token next to the staged installer so the SentinelOne installer registers the agent.
echo "<SentinelOneSiteTokenHere>" > /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Cache/com.sentinelone.registration-token

Post-Install Script

This script removes the SentinelOne registration token once the installation is done, so the secret does not remain on disk.

#!/bin/bash
# Remove the registration token file now that the installer has consumed it.
rm -f /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Cache/com.sentinelone.registration-token
Configure Installation Scripts

Note: If required, you can add an uninstallation script at the bottom of the same screen. In this case, I’m focusing on the installation part only.
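The site token is a secret, and between the pre-install and post-install steps it sits on disk. As an added example (not from the original article), the two scripts below are hardened variants: the token file is created owner-only readable, the placeholder is checked so an unreplaced token is not shipped, and the cleanup verifies the file is really gone. The functions take an optional cache directory so they can be exercised outside the real AirWatch path.

```bash
#!/bin/bash
# Added example: hardened pre-install / post-install helpers for the SentinelOne
# registration token. Defaults to the AirWatch/Munki cache path from the article.
S1_CACHE_DIR="${S1_CACHE_DIR:-/Library/Application Support/AirWatch/Data/Munki/Managed Installs/Cache}"
S1_TOKEN_FILE="com.sentinelone.registration-token"

# Pre-install: write the site/group token with owner-only permissions so the
# secret is not world-readable while it waits for the installer to consume it.
# Usage: write_registration_token "<token>" ["<cache dir>"]
write_registration_token() {
    local token="$1"
    local dir="${2:-$S1_CACHE_DIR}"
    local path="$dir/$S1_TOKEN_FILE"
    if [ -z "$token" ] || [ "$token" = "<SentinelOneSiteTokenHere>" ]; then
        echo "registration token placeholder was not replaced" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    # Create (or truncate) the file under umask 077 so it is mode 600 before any
    # data is written; chmod covers the case where the file already existed.
    ( umask 077 && : > "$path" ) || return 1
    chmod 600 "$path" || return 1
    printf '%s\n' "$token" > "$path" || return 1
    return 0
}

# Post-install: delete the token and confirm it is gone; a leftover file would
# leave the site token readable on disk after the installer has run.
# Usage: remove_registration_token ["<cache dir>"]
remove_registration_token() {
    local dir="${1:-$S1_CACHE_DIR}"
    local path="$dir/$S1_TOKEN_FILE"
    rm -f "$path"
    if [ -e "$path" ]; then
        echo "failed to remove $path" >&2
        return 1
    fi
    return 0
}

# Print the permission bits of the token file (e.g. "600"); BSD stat on macOS
# and GNU stat on Linux use different flags, so pick by platform.
token_file_mode() {
    local path="${1:-$S1_CACHE_DIR}/$S1_TOKEN_FILE"
    if [ "$(uname)" = "Darwin" ]; then
        stat -f '%Lp' "$path"
    else
        stat -c '%a' "$path"
    fi
}
```

In Workspace ONE the pre-install script would call write_registration_token with the real token and the post-install script would call remove_registration_token, both with the default cache directory.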

In the Deployment tab, you can configure Blocking Applications and Restart Actions if needed.

Configure Deployment Options

Once you are done with the above settings, click Save and Publish; you will then be prompted to configure distribution.

  • Assignment Groups – the assignment group(s) to which you want to deploy this app.
  • App Delivery Method – choose whether to deploy the app automatically or make it available in the app catalog.
Create a Distribution

Once you save the distribution, the assignment list is shown as below.

List all Assignments

Review the assignment Preview and click Publish.

Review Assignments

Confirming SentinelOne Agent Installation

You can use the Workspace ONE UEM Admin Console to confirm that the agent was installed as a managed application on the assigned devices.

Confirming SentinelOne Agent Installation from Workspace ONE UEM Apps

Confirm Agent is Installed as a Managed Application.

Confirming SentinelOne Agent Installation as managed app on the device.

Troubleshooting Logs

Open Terminal on the endpoint device and run the following command to follow the application deployment log.

tail -n 20 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log

Conclusion

This article provided the steps for easily deploying the SentinelOne Endpoint Security Platform to macOS devices as a managed application with Workspace ONE UEM.

Procedures included:

  • Configuring prerequisites
  • Deploying the SentinelOne Agent on macOS using Workspace ONE UEM
  • Validating the installation


4 comments

jason lee December 2, 2022 - 5:26 AM

I tried to deploy to the latest sentinelone 22.3.x version that can support macOS 13.0 ventura through workspace one, but it failed.
Is there a case of distributing sentinel to ventura’s OS device through workspaceone?

Lakindu Jayasena December 4, 2022 - 11:04 AM

Did you get an error when deploying it (in the error log file ManagedSoftwareUpdate.log)?

jason lee January 5, 2023 - 1:52 AM

Even if S1 deploys to the Ventura version, the deployment fails on the macOS device. Are there any cases like this?

Gary February 21, 2023 - 4:54 PM

An issue I ran into doing this deployment is that AirWatch, more specifically Munki, will incorrectly parse hyphens in the package name and plist (data in the plist also). So rename the package, the plist, and the associated names of these items in the plist itself.
