
This article takes you through the steps to deploy the SentinelOne macOS agent to your enrolled Jamf School devices.
Prerequisites:
- Download and install iMazing Profile Editor –> Used to create the profiles that can’t be built in Jamf School.
- Download and install Composer (as a Jamf customer, go to account.jamf.com -> Products -> Add-Ons) –> Used to build the package with a postinstall script that deploys the S1 agent.
- Admin access to the Jamf School console.
- A macOS device running Sequoia 15+ enrolled in Jamf School.
- Admin access to the SentinelOne console.
- Performing the steps below on a Mac is recommended.
Agent deployment preparation.
Because Jamf School is a bit different from Jamf Pro, we need to use the Composer packaging tool to prepare the SentinelOne agent deployment.
Go to the SentinelOne console, then Agent Management, select the latest macOS package and download it. While you are on this page, copy the token of the site where you want your device to be deployed in the SentinelOne console.

Open search and go to the /tmp folder. Paste the SentinelOne agent package there.
Now open a terminal and paste this command line:
sudo echo "your site token" > /tmp/com.sentinelone.registration-token
Then press Enter. This creates the enrollment file for the SentinelOne agent. Use straight quotes around the token; typographic quotes would be written into the file as part of the token. You should then see both the token file and the agent package, as per below.

Now open the Composer 11.12.xx application. Click New in the window, select User Environment, then Dashboard, and click Next.

Rename your source for your records, for example to SentinelOne Jamf School Agent.
Now drag the two files over, as per the screenshot below.

Then go to Scripts, right-click and select the shell postinstall script.

Add this command, as per the screenshot. (Make sure the package name matches the one in this command, or edit the command to match yours.)
sudo /usr/sbin/installer -pkg /tmp/Sentinel-Release-24-4-1-7830_macos_v24_4_1_7830.pkg -target /
You can now build the package and save it for later.
Now go to your Jamf School console, then go to Apps –> Inventory –> + Add App –> Add In House macOS Package.

At this stage you are ready to deploy the package. However, we want to first deploy the profile that grants all the permissions and settings, so that the user does not get any prompt and the installation is silent. We will come back here later, when we are ready to deploy.

Profile configuration and deployment
To build the different permissions we will use iMazing and Jamf School together.
Open iMazing and, in General, give your profile a name. Note that the Identifier and UUID are generated automatically.

Now look for the Restrictions payload. You can use the search bar at the top right for that. Click on the tick to get a blue dot, as per below.

Look for the Notifications payload and configure the notification settings for the SentinelOne agent, as per below. You can change them to your preferences.

Now look for the Privacy Preferences Policy Control payload. Add the lines as per below; the code requirements to enter in the Code Requirement section are listed below in the same order. Make sure you tick 1 for Allowed.

com.sentinelone.sentineld
anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
com.sentinelone.sentineld-helper
anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
com.sentinelone.sentineld-shell
anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] or certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "4AYE5J54KN")
You can now “save as” your file.
Now it’s time to upload the profile to the Jamf School console. Go to Jamf School, then Profiles –> Overview –> Create Profile –> Upload a Custom Profile. Add the profile you just created. Click Next and give it a profile name, S1TCC iMazing for example. No time filter, and then Finished.

We will deploy it a bit later, as we still have some network profiles to configure.
The next 2 remaining profiles can be downloaded from the SentinelOne Community platform as per the link below, or you can create the profile files from the code provided. The file name takes the form filename.mobileconfig
Network Filter Validation Profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>FilterDataProviderBundleIdentifier</key>
            <string>com.sentinelone.network-monitoring</string>
            <key>FilterDataProviderDesignatedRequirement</key>
            <string>identifier "com.sentinelone.network-monitoring" and anchor apple generic and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
            <key>FilterGrade</key>
            <string>firewall</string>
            <key>FilterPackets</key>
            <false/>
            <key>FilterSockets</key>
            <true/>
            <key>FilterType</key>
            <string>Plugin</string>
            <key>PayloadDisplayName</key>
            <string>Web Content Filter Payload</string>
            <key>PayloadIdentifier</key>
            <string>14DDD990-E2D8-4DD1-8CC6-72FEFB5F252B</string>
            <key>PayloadOrganization</key>
            <string>JAMF Software</string>
            <key>PayloadType</key>
            <string>com.apple.webcontent-filter</string>
            <key>PayloadUUID</key>
            <string>14DDD990-E2D8-4DD1-8CC6-72FEFB5F252B</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PluginBundleID</key>
            <string>com.sentinelone.extensions-wrapper</string>
            <key>UserDefinedName</key>
            <string>SentinelOne Extensions</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Authorizes SentinelOne Network Filter automatic validation.</string>
    <key>PayloadDisplayName</key>
    <string>SentinelOne - Network Filter Validation</string>
    <key>PayloadIdentifier</key>
    <string>7889BE15-9387-4CDD-B2D7-D57B65EDA1E5</string>
    <key>PayloadOrganization</key>
    <string>Sentinel Labs, Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>2C480E0F-AA21-420F-8BC8-0E1AC975BC51</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Network Monitoring Extension Profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AllowUserOverrides</key>
            <true/>
            <key>AllowedSystemExtensions</key>
            <dict>
                <key>4AYE5J54KN</key>
                <array>
                    <string>com.sentinelone.network-monitoring</string>
                </array>
            </dict>
            <key>PayloadDescription</key>
            <string></string>
            <key>PayloadDisplayName</key>
            <string>System Extensions</string>
            <key>PayloadIdentifier</key>
            <string>1BDD5153-6C81-4E0F-B409-1C321FF5E251</string>
            <key>PayloadOrganization</key>
            <string>Gete.Net Consulting</string>
            <key>PayloadType</key>
            <string>com.apple.system-extension-policy</string>
            <key>PayloadUUID</key>
            <string>1BDD5153-6C81-4E0F-B409-1C321FF5E251</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Enables automatic loading of SentinelOne System Extension.</string>
    <key>PayloadDisplayName</key>
    <string>SentinelOne - Network Monitoring Extension</string>
    <key>PayloadIdentifier</key>
    <string>C957C35F-004C-4CF4-B075-9CAE5739081B</string>
    <key>PayloadOrganization</key>
    <string>Sentinel Labs, Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>67BEF468-52BF-4DC9-96E2-2CCF1FEA127E</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
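A consistency check for the two profiles above, as an added example that is not part of the original article or of any SentinelOne or Jamf tooling: it parses both .mobileconfig files and confirms that the bundle identifier and team ID in the filter's designated requirement match the AllowedSystemExtensions entry, and that no typographic quotes have crept into the requirement. The function names and the shortened sample requirement are assumptions made for the example.

```python
import plistlib
import re

TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"

def payloads(profile_bytes, payload_type):
    """Return the inner payload dicts of one PayloadType from a .mobileconfig."""
    content = plistlib.loads(profile_bytes).get("PayloadContent", [])
    return [p for p in content if p.get("PayloadType") == payload_type]

def check_profiles(filter_bytes, sysext_bytes):
    """Return a list of problems; an empty list means the two profiles agree."""
    filters = payloads(filter_bytes, "com.apple.webcontent-filter")
    policies = payloads(sysext_bytes, "com.apple.system-extension-policy")
    if not filters or not policies:
        return ["web content filter or system extension payload missing"]
    req = filters[0].get("FilterDataProviderDesignatedRequirement", "")
    bundle = filters[0].get("FilterDataProviderBundleIdentifier", "")
    problems = []
    if any(q in req for q in TYPOGRAPHIC_QUOTES):
        problems.append("designated requirement contains typographic quotes")
    if f'identifier "{bundle}"' not in req:
        problems.append("requirement does not name the filter data provider bundle ID")
    # The team ID is the 10-character value compared against subject.OU.
    team = re.search(r'subject\.OU\]\s*=\s*"([A-Z0-9]{10})"', req)
    if team is None:
        problems.append("no team ID (subject.OU) found in designated requirement")
    else:
        allowed = policies[0].get("AllowedSystemExtensions", {})
        if bundle not in allowed.get(team.group(1), []):
            problems.append(f"{bundle} is not allowed for team {team.group(1)}")
    return problems

def sample(payload):
    """Constructed sample: wrap one inner payload in a minimal profile."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

# Constructed inputs using the page's identifiers; the requirement is shortened.
REQ = ('identifier "com.sentinelone.network-monitoring" and anchor apple generic '
       'and certificate leaf[subject.OU] = "4AYE5J54KN"')
FILTER = {"PayloadType": "com.apple.webcontent-filter",
          "FilterDataProviderBundleIdentifier": "com.sentinelone.network-monitoring",
          "FilterDataProviderDesignatedRequirement": REQ}
SYSEXT = {"PayloadType": "com.apple.system-extension-policy",
          "AllowedSystemExtensions": {"4AYE5J54KN": ["com.sentinelone.network-monitoring"]}}

if __name__ == "__main__":
    print(check_profiles(sample(FILTER), sample(SYSEXT)))
    curly = dict(FILTER, FilterDataProviderDesignatedRequirement=REQ.replace('"', "\u201d"))
    print(check_profiles(sample(curly), sample(SYSEXT)))
```

To check the real files, pass the bytes of each .mobileconfig (read in binary mode) to check_profiles instead of the constructed samples.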
It’s now time to upload both files to Jamf as custom profiles.
For each file, one at a time, go to Profiles –> Create Custom Profile –> Drag your file in and then click Next –> Give it a name –> No time filter and click Finish.

You should now have these 3 profiles, as per below.

Now it’s time to deploy them to your devices. We do this before installing the agent so that the agent deployment is fully silent.
Select the 3 profiles, click Edit Scope, select the group of devices you want to deploy to and then save.

If there is any error, you will be able to troubleshoot it from the Jamf console.
It is now time to deploy the SentinelOne agent to your devices silently. Go to Apps –> Inventory –> Click on the SentinelOne App –> add the scope and change to Automatic Installation.

Your device now has SentinelOne deployed with device control on.
Also, as per the profile, the end user cannot turn off Bluetooth, and permissions are granted automatically.

Credits to Daniel MacLaughlin and his incredible talent for the help on getting this done!

Please share the SentinelOne upgrade guide if possible; currently facing some signature error during the upgrade from version 23 to 24.