Deploying SentinelOne using VMware Workspace ONE UEM for MacOS

Workspace ONE UEM is a sophisticated all-in-one solution that manages and centrally controls the elements of an organization’s IT workloads like compliance management, applications deployments, OS patch management, endpoint security, and various other automation tasks on end-user devices. In modern IT organizations, this UEM (Unified Endpoint Management) solution help us to reduce costs, increase productivity, and deliver a great employee experience with this UEM tool.

In this article, I’m going to show you how easily deploy SentinelOne Endpoint Security Platform for MacOS devices using this VMware Workspace ONE UEM.

Brief About SentinelOne

Comprehensive and feature-rich enterprise security platform that provides threat detection, hunting, and AI-assisted prevention features to protect IT operations and end-user devices.

macOS Prerequisites for Deploying SentinelOne

Prior to deploying the SentinelOne agent for macOS, you must configure a few prerequisites for macOS. These prerequisites ensure that the SentinelOne agent has appropriate access permissions granted prior to installation. Therefore required to add a new profile to deploy the SentinelOne permissions.

From the WorkspaceOne UEM console, navigate to Devices > Profiles & Resources > Profiles. Then Click Add and add a new Profile. Select “Apple macOS” from the Add Profile window.

Select Device Profile.

Configure the General Profile Settings

Configure Privacy Preferences Payload

Find and select the Privacy Preferences from the left side pane and click Configure to configure it by adding the following applications.

This payload grants the macOS SentinelOne agent full disk access. Therefore to operate at full functionality on an endpoint, the following apps must have full disk access on the endpoint.

Fill out the hilited details based on the following app details.

Scroll down a little bit and select Allow for the “System Policy All Files“.

Likewise, repeat the same process for the below apps to configure and grant full disk access.

com.sentinelone.sentineld

• Identifier: com.sentinelone.sentineld
• Identifier Type: Bundle ID
• Code Requirements:

anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")

com.sentinelone.sentineld-helper

• Identifier: com.sentinelone.sentineld-helper
• Identifier Type: Bundle ID
• Code Requirements:

anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")

com.sentinelone.sentineld-shell / com.sentinelone.sentinel-shell

anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] or certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "4AYE5J54KN")

anchor apple generic and identifier "com.sentinelone.sentinel-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")

Review the Privacy Preferences

Ensure that all three Privacy Preferences have been added as shown below screenshot.

Configure Content Filter Payload

The SentinelOne Agent Network Extension is used for Deep Visibility of IP network events and Firewall Control. Grant access to this policy for Firewall Control and Deep Visibility network events features:

• Filter Type: Plugin
• Plugin bundle identifier: com.sentinelone.extensions-wrapper
• Filter data provider bundle identifier: com.sentinelone.network-monitoring
• Filter sockets: true
• Filter data provider designated requirement:

anchor apple generic and identifier "com.sentinelone.network-monitoring" and (certificate leaf[field.1.2.840.113635.100.6.1.9] or certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "4AYE5J54KN")

In the same profile, select the “Content Filter” from the left side and configure the settings as below.

Once you configure all the above payloads you are ready to Publish the Profile Click Save and Publish to proceed.

Deploying SentinelOne Agent as a Managed Application

Once you are ready with the above prerequisites, now it is time to deploy the SentinelOne Agent using WorkspaceOne UEM as a managed application.

Gather Metadata on SentinelOne Installer

First, we need to gather some metadata about the installer file which we are going to deploy. For that, you need to download and install the Workspace ONE Admin Assistant for macOS to generate metadata on the installer.

Open the Workspace ONE Admin Assistant app, and drag and drop your SentinelOne Agent installation file.

Once the parsing is done, you can reveal it in the Finder.

As you can see the metadata file with file extension .plist. That file contains details allowing Workspace ONE to determine if the managed application is installed and if the installed application is the correct version.

Additionally if required, you can open that file in any text editor and do some additional modifications to the metadata (PLIST) file before deployment. 

Create and Configure Application Deployment on UEM Console

In the Workspace ONE UEM admin console, navigate to Resources > Apps > Native > Add Application File.

In the Add Application window, upload the SentinelOne agent installer file and click Continue.

Next, upload the .plist file which we generated by the Workspace ONE Admin Assistant tool, and click Continue.

Now you can see Application Details and if required you can modify it accordingly.

Add an icon for the Application.

Add Pre-Install and Post-Install Scripts.

Pre-Install Script

The purpose of this script is to give the SentinelOne registration token during the installation process. The name of the file should be the same as “com.sentinelone.registration-token” and required to place with the installation file. Also, make sure to replace the <SentinelOneSiteTokenHere> with the token provided by SentinelOne.

#!/bin/bash
echo "<SentinelOneSiteTokenHere>" > /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Cache/com.sentinelone.registration-token

Post-Install Script

This script will remove the SentinelOne Registration token once the installation is done.

#!/bin/bash
rm -rf /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Cache/com.sentinelone.registration-token

Note: If required, you can add the uninstallation script at the bottom of the same screen. In this case, I’m only focusing installation part only.

In the Deployment tab, you can set if you have any Blocking Applications and Restart Actions.

Once you are done with the above settings, you can click save and publish and it will prompt you to configure distribution.

• Assignment Groups – An assignment group you want to deploy this app.
• App Delivery Method – Here you can select automatically deploy or make it available in the app catalog.

Once you save the distribution creation, you will see as below.

Review the assignment Preview and click Publish.

Confirming SentinelOne Agent Installation

You use the Workspace ONE UEM Admin Console to confirm that the sensor was installed as a managed application on assigned devices.

Confirm Agent is Installed as a Managed Application.

Troubleshooting Logs

Open a Terminal from the endpoint device and enter the following command to check the application deployment logs.

tail -n 20 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log

Conclusion

This article provided steps on how to easily deploy of SentinelOne Endpoint Security Platform for MacOS devices as a managed application with Workspace ONE UEM.

Procedures included:

• Configuring prerequisites
• Deploying the SentinelOne Agent on macOS using Workspace ONE UEM
• Validating the installation