Deploy SentinelOne on macOS devices using Hexnode UEM

What is SentinelOne?

SentinelOne is a cloud-based autonomous cybersecurity and endpoint security solution that provides top-notch anti-virus protection for Windows and Mac devices. It uses AI-powered prevention, detection, response and threat hunting across endpoints, containers and IoT devices.

Hexnode UEM allows you to remotely install and deploy the SentinelOne agent app to provide anti-virus protection to your macOS devices. The following sections give a detailed explanation of how to deploy SentinelOne to your macOS devices using Hexnode UEM.

License token script

The deployment of the SentinelOne agent requires the execution of a script to license the software. Hence, you need to execute the following script using Execute Custom Script or Live Terminal:

Create the SentinelOne DMG file

Using the Disk Utility application, create a DMG file for deploying the PKG file and the license token as a single package. Follow the steps below to create the DMG file:

1. Copy the SentinelOne PKG file and the license token into a single folder.
2. Open the Disk Utility app and click on File > New Image > Image from Folder.
3. Choose the folder that contains the PKG file and the licensing token script.
4. Give an appropriate name for the app and click on Save.

Add the SentinelOne DMG file to the app inventory

To add the SentinelOne DMG file to the app inventory, follow the steps given below:

1. Login to the Hexnode UEM console.
2. Navigate to the Apps tab and click on +Add Apps > Enterprise App.
3. Select macOS, enter the required app details and upload the DMG file.
4. Click on Add.

The SentinelOne DMG file has now been added to the app repository.

Configure the SentinelOne policy

Deploying SentinelOne Agent to your macOS devices requires you to configure Privacy Preferences, System Extensions, Notification Settings and 3rd party plugin content filtering. Kernel Extensions must be configured only if your Mac runs macOS 10.14 and below. The following sections give you a detailed explanation of how to configure the required settings.

Add the SentinelOne DMG file as a mandatory app

1. Login to the Hexnode UEM console.
2. Navigate to Policies > New Policy > New Blank Policy.
3. Select macOS > App Management > Required Apps.
4. Click on +Add > Add App. Next, search and select the SentinelOne DMG file and click on Done.
5. Once the app is added, click Configure next to the app under the Scripts column to add pre-install script, post-install script or audit script to customize app deployment based on the requirements.

Allow Full Disk Access using Privacy Preferences

You can either use the same policy or configure a new policy to allow full disk access for the required components of SentinelOne.

1. Under the macOS tab, navigate to Security > Privacy Preferences.
2. Click on +Add new preference.
3. Click on the dropdown beside All Files and select Allow.
4. Select Specify Bundle IDs/Path.

Full Disk Access needs to be given for the following components of SentinelOne:

Configure System Extensions (For Macs running macOS 10.15 and above)

To configure a System Extensions policy,

1. Navigate to macOS > Configurations > System Extensions.
2. Click Configure.
3. Enable User Override.
4. Enter the Team ID “4AYE5J54KN” and click on Add.

Configure Kernel Extensions (For Macs running macOS 10.14 and below)

You can use policies to configure Kernel Extensions from the Hexnode console.

1. Navigate to macOS > Configurations > Kernel Extensions.
2. Click Configure.
3. Enable User Override.
4. Enter the Team ID “4AYE5J54KN” and click on Add.

Deploy Custom Configuration

1. Under the macOS tab, navigate to Configurations > Deploy Custom Configuration.
2. Click Configure.
3. Click on Choose File and upload the mobileconfig file. You can either use the configuration profile displayed below or create your own custom configuration profile.
Custom Configuration profile for SentinelOne deployment

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>NotificationSettings</key> <array> <dict> <key>BundleIdentifier</key> <string>com.sentinelone.SentinelAgent</string> <key>CriticalAlertEnabled</key> <true/> </dict> </array> <key>PayloadDescription</key> <string>Configures notifications settings for apps</string> <key>PayloadDisplayName</key> <string>Notifications</string> <key>PayloadIdentifier</key> <string>com.apple.notificationsettings.26E82306-CDA4-4AF0-9714-0B8363D2A26F</string> <key>PayloadType</key> <string>com.apple.notificationsettings</string> <key>PayloadUUID</key> <string>26E82306-CDA4-4AF0-9714-0B8363D2A26F</string> <key>PayloadVersion</key> <integer>1</integer> </dict> <dict> <key>PayloadDescription</key> <string>Configures Conference Room Display mode</string> <key>PayloadDisplayName</key> <string>Conference Room Display</string> <key>PayloadIdentifier</key> <string>com.apple.conferenceroomdisplay.B64EF9CA-0B32-43F9-82D7-5ABB51D1422B</string> <key>PayloadType</key> <string>com.apple.conferenceroomdisplay</string> <key>PayloadUUID</key> <string>B64EF9CA-0B32-43F9-82D7-5ABB51D1422B</string> <key>PayloadVersion</key> <integer>1</integer> </dict> <dict> <key>FilterBrowsers</key> <false/> <key>FilterSockets</key> <true/> <key>FilterType</key> <string>Plugin</string> <key>Organization</key> <string>Hexnode Inc</string> <key>PayloadDescription</key> <string>Configures content filtering settings</string> <key>PayloadDisplayName</key> <string>SentinelOne</string> <key>PayloadIdentifier</key> <string>com.apple.webcontent-filter.B456B4A3-5794-4C8E-99FA-9148C6458AEE</string> <key>PayloadType</key> <string>com.apple.webcontent-filter</string> <key>PayloadUUID</key> <string>B456B4A3-5794-4C8E-99FA-9148C6458AEE</string> <key>PayloadVersion</key> <integer>1</integer> <key>PluginBundleID</key> <string>com.sentinelone.extensions-wrapper</string> <key>UserDefinedName</key> <string>SentinelOne</string> </dict> </array> <key>PayloadDisplayName</key> <string>SentinelOne Config</string> <key>PayloadIdentifier</key> <string>com.hexnode.sentinelone</string> <key>PayloadOrganization</key> <string>Hexnode</string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>9B3EA38F-D1C7-4045-A745-AE3AA25ACCEE</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>NotificationSettings</key> <array> <dict> <key>BundleIdentifier</key> <string>com.sentinelone.SentinelAgent</string> <key>CriticalAlertEnabled</key> <true/> </dict> </array> <key>PayloadDescription</key> <string>Configures notifications settings for apps</string> <key>PayloadDisplayName</key> <string>Notifications</string> <key>PayloadIdentifier</key> <string>com.apple.notificationsettings.26E82306-CDA4-4AF0-9714-0B8363D2A26F</string> <key>PayloadType</key> <string>com.apple.notificationsettings</string> <key>PayloadUUID</key> <string>26E82306-CDA4-4AF0-9714-0B8363D2A26F</string> <key>PayloadVersion</key> <integer>1</integer> </dict> <dict> <key>PayloadDescription</key> <string>Configures Conference Room Display mode</string> <key>PayloadDisplayName</key> <string>Conference Room Display</string> <key>PayloadIdentifier</key> <string>com.apple.conferenceroomdisplay.B64EF9CA-0B32-43F9-82D7-5ABB51D1422B</string> <key>PayloadType</key> <string>com.apple.conferenceroomdisplay</string> <key>PayloadUUID</key> <string>B64EF9CA-0B32-43F9-82D7-5ABB51D1422B</string> <key>PayloadVersion</key> <integer>1</integer> </dict> <dict> <key>FilterBrowsers</key> <false/> <key>FilterSockets</key> <true/> <key>FilterType</key> <string>Plugin</string> <key>Organization</key> <string>Hexnode Inc</string> <key>PayloadDescription</key> <string>Configures content filtering settings</string> <key>PayloadDisplayName</key> <string>SentinelOne</string> <key>PayloadIdentifier</key> <string>com.apple.webcontent-filter.B456B4A3-5794-4C8E-99FA-9148C6458AEE</string> <key>PayloadType</key> <string>com.apple.webcontent-filter</string> <key>PayloadUUID</key> <string>B456B4A3-5794-4C8E-99FA-9148C6458AEE</string> <key>PayloadVersion</key> <integer>1</integer> <key>PluginBundleID</key> <string>com.sentinelone.extensions-wrapper</string> <key>UserDefinedName</key> <string>SentinelOne</string> </dict> </array> <key>PayloadDisplayName</key> <string>SentinelOne Config</string> <key>PayloadIdentifier</key> <string>com.hexnode.sentinelone</string> <key>PayloadOrganization</key> <string>Hexnode</string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>9B3EA38F-D1C7-4045-A745-AE3AA25ACCEE</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>

4. Click on OK.

Associate target device

1. Navigate to Policy Targets and select the Devices, Device Groups, Users, User Groups, or Domains you would like to associate the policy with.
2. Click on Save.

What happens at the device end?

The SentinelOne agent will get successfully installed on your endpoints and you will be able to manage and protect them using Hexnode UEM's endpoint security console.