Home Tips & Tricks Deploying SentinelOne using VMware Workspace ONE UEM for MacOS

Deploying SentinelOne using VMware Workspace ONE UEM for MacOS

by Lakindu Jayasena
159 views 12 min read
SentinelOne Deployment using Workspace ONE UEM

Workspace ONE UEM is a sophisticated all-in-one solution that manages and centrally controls the elements of an organization’s IT workloads like compliance management, applications deployments, OS patch management, endpoint security, and various other automation tasks on end-user devices. In modern IT organizations, this UEM (Unified Endpoint Management) solution help us to reduce costs, increase productivity, and deliver a great employee experience with this UEM tool.

In this article, I’m going to show you how easily deploy SentinelOne Endpoint Security Platform for MacOS devices using this VMware Workspace ONE UEM.

Brief About SentinelOne

Comprehensive and feature-rich enterprise security platform that provides threat detection, hunting, and AI-assisted prevention features to protect IT operations and end-user devices.


macOS Prerequisites for Deploying SentinelOne

Prior to deploying the SentinelOne agent for macOS, you must configure a few prerequisites for macOS. These prerequisites ensure that the SentinelOne agent has appropriate access permissions granted prior to installation. Therefore required to add a new profile to deploy the SentinelOne permissions.

From the WorkspaceOne UEM console, navigate to Devices > Profiles & Resources > Profiles. Then Click the Add and add a new Profile. Select “Apple macOS” from the Add Profile window.

WorkspaceONE Add Profile

Select Device Profile.

Select Context Window

Configure the General Profile Settings

WorkspaceONE Profile General Settings

Configure Privacy Preferences Payload

Find and select the Privacy Preferences from the left side pane and click Configure to configure it by adding the following applications.

Add Privacy Preferences Payload

This payload grants the macOS SentinelOne agent full disk access. Therefore to operate at full functionality on an endpoint, the following apps must have full disk access on the endpoint.

Fill out the hilited details based on the following app details.

Fill out App Details for Privacy Preferences

Scroll down a little bit and select Allow for the “System Policy All Files“.

Allow System Policy All Files

Likewise, repeat the same process for the below apps to configure and grant full disk access.

com.sentinelone.sentineld

  • Identifier: com.sentinelone.sentineld
  • Identifier Type: Bundle ID
  • Code Requirements:
 anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN") 

com.sentinelone.sentineld-helper

  • Identifier: com.sentinelone.sentineld-helper
  • Identifier Type: Bundle ID
  • Code Requirements:
 anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN") 

com.sentinelone.sentineld-shell / com.sentinelone.sentinel-shell

  • Identifier: com.sentinelone.sentineld-shell
  • Identifier Type: Bundle ID
  • Code Requirements:
 anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] or certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "4AYE5J54KN") 
  • Identifier: com.sentinelone.sentinel-shell
  • Identifier Type: Bundle ID
  • Code Requirements:
 anchor apple generic and identifier "com.sentinelone.sentinel-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN") 

Review the Privacy Preferences

Ensure that all three Privacy Preferences have been added as shown below screenshot.

Review the Privacy Preferences Payload

Configure Content Filter Payload

The SentinelOne Agent Network Extension is used for Deep Visibility IP networks events, and Firewall Control. Grant access to this policy for Firewall Control and Deep Visibility network events features:

  • Filter Type: Plugin
  • Plugin bundle identifier: com.sentinelone.extensions-wrapper
  • Filter data provider bundle identifier: com.sentinelone.network-monitoring
  • Filter sockets: true
  • Filter data provider designated requirement:
 anchor apple generic and identifier "com.sentinelone.network-monitoring" and (certificate leaf[field.1.2.840.113635.100.6.1.9] or certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "4AYE5J54KN") 

In the same profile, select the “Content Filter” from the left side and configure the settings as below.

Configure Content Filter
Configure Content Filter

Once you configure all the above payloads you are ready to Publish the Profile Click Save and Publish to proceed.

Deploying SentinelOne Agent as a Managed Application

Once you are ready with the above prerequisites, now it is time to deploy the SentinelOne Agent using WorkspaceOne UEM as a managed application.

Gather Metadata on SentinelOne Installer

First, we need to gather some metadata about the installer file which we are going to deploy. For that, you need to download and install the Workspace ONE Admin Assistant for macOS to generate metadata on the installer.

Open the Workspace ONE Admin Assistant app, and drag and drop your SentinelOne Agent installation file.

Workspace ONE Admin Assistant

Once the parsing is done, you can reveal it in the Finder.

Parsing Installer using Workspace ONE Admin Assistant

As you can see the metadata file with file extension .plist. That file contains details allowing Workspace ONE to determine if the managed application is installed and if the installed application is the correct version.

Additionally if required, you can open that file in any text editor and do some additional modifications to the metadata (PLIST) file before deployment. 

Reveal Parsing Output

Create and Configure Application Deployment on UEM Console

In the Workspace ONE UEM admin console, navigate to Resources > Apps > Native > Add Application File.

Create and Application on Workspace ONE UEM

In the Add Application window, upload the SentinelOne agent installer file and click Continue.

Upload Installer to Workspace ONE UEM

Next, upload the .plist file which we generated by the Workspace ONE Admin Assistant tool, and click Continue.

Upload Metadata of Installer to Workspace ONE UEM

Now you can see Application Details and if required you can modify it accordingly.

Modify Installer Details

Add icon for Application.

Add Installer Icon

Add Pre-Install and Post-Install Scripts.

Pre-Install Script

The purpose of this script is to give the SentinelOne registration token during the installation process. The name of the file should be the same as “com.sentinelone.registration-token” and required to place with the installation file. Also, make sure to replace the <SentinelOneSiteTokenHere> with the token provided by SentinelOne.

 #!/bin/bash echo "<SentinelOneSiteTokenHere>" > /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Cache/com.sentinelone.registration-token 

Post-Install Script

This script will remove the SentinelOne Registration token once the installation is done.

 #!/bin/bash rm -rf /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Cache/com.sentinelone.registration-token 
Configure Installation Scripts

Note: If required, you can add the uninstallation script at the bottom of the same screen. In this case, I’m only focusing installation part only.

In the Deployment tab, you can set if you have any Blocking Applications and Restart Actions.

Configure Deployment Options

Once you are done with the above settings, you can click save and publish and it will prompt you to configure distribution.

  • Assignment Groups – An assignment group you want to deploy this app.
  • App Delivery Method – Here you can select automatically deploy or make it available in the app catalog.
Create a Distribution

Once you save the distribution creation, you will see as below.

List all Assignments

Review the assignment Preview and click Publish.

Review Assignments

Confirming SentinelOne Agent Installation

You use the Workspace ONE UEM Admin Console to confirm that the sensor was installed as a managed application on assigned devices.

Confirming SentinelOne Agent Installation from Workspace ONE UEM Apps

Confirm Agent Installed as a Managed Application.

Confirming SentinelOne Agent Installation as managed app on the device.

Troubleshooting Logs

Open a Terminal from the endpoint device and enter the following command to check the application deployment logs.

 tail -n 20 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log 

Conclusion

This article provided steps on how to easily deployment of SentinelOne Endpoint Security Platform for MacOS devices as a managed application with Workspace ONE UEM.

Procedures included:

  • Configuring prerequisites
  • Deploying the SentinelOne Agent on macOS using Workspace ONE UEM
  • Validating the installation

Related Articles

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.