This article is based on SentinelOne community documentation last updated on Jan 16 2025.
β
Installing the macOS Agent
Make sure you have all the requirements before you start the installation.
To install the macOS Agent
Get the Site Token.
Install the Agent using the command line or the Installation Wizard.
Authorize Full Disk Access and Network Extension (this must be done locally or via MDM/RMM.
π‘Note
β
Due to Apple's macOS system changes:
On Sonoma, Device Control for Bluetooth devices is supported from Agent version 23.3+.
On Ventura, Device Control Bluetooth Low Energy (BLE) rules are not supported.
Get the Site Token
Get the Site token that registers the Agent with a Site. This can be found in Security Controls > Endpoint Security > SentinelOne > Managed > Deploy > View Site Token.
Installing the Agent
To install the Agent on one macOS endpoint with Command Line:
Download the latest macOS installer package.
Security Controls > Endpoint Security > SentinelOne > Managed > Deploy
Best Practice: Download the file to the local endpoint.
Save the Site Token in a plain text file in a folder named /tmp with the Installer package. Name the Token file:
com.sentinelone.registration-token
. Change the ownership of the file to root withsudo chown root
.Run the installer:
$ sudo /usr/sbin/installer -pkg Download path/tmp/SentinelXXXX.pkg -target /
Example:
$ sudo /usr/sbin/installer -pkg Desktop/tmp/SentinelXXXX.pkg -target /
Complete the installation.
If the SentinelOne icon shows "Needs user attention" or the message "Authorize SentinelOne components in System Preferences". Authorize Full Disk Access and Network Extension permissions for the SentinelOne Agent in the System Preferences.
To install the Agent on one macOS endpoint with Installation Wizard:
Download the latest macOS installer package.
Security Controls > Endpoint Security > SentinelOne > Managed > Deploy
Best Practice: Download the file to the local endpoint.
Give the Token string to the user (for example, send a message or email with the Token string).
Run the installation package and enter the Token string when prompted in the installation wizard.
Complete the installation.
If the SentinelOne icon shows "Needs user attention" or the message "Authorize SentinelOne components in System Preferences". Authorize Full Disk Access and Network Extension permissions for the SentinelOne Agent in the System Preferences.
Authorizing Full Disk Access
The macOS makes sure that applications are installed in a secure way. It limits installation only to applications that are approved by Apple and the user. This change does not let applications access specified paths (such as Documents, Downloads, and Desktop) without user consent.
If the SentinelOne icon shows "Needs user attention" or these messages "Authorize Full-Disk-Access to SentinelOne in System Preferences", "Authorize SentinelOne components in System Preferences". Approve Full Disk Access for SentinelOne Apps in the System Settings.
Important: This is done only once on an endpoint. If already done on the endpoint, do not repeat it when the Agent is updated. If you do not complete this prerequisite step, the macOS Agent will not have full visibility to all files from all users.
Authorize Full Disk Access to these processes:
sentineld
sentineld_helper
sentineld_shell
To Authorize Full Disk Access with MDM:
To grant full disk access in Jamf, see Installing and Upgrading macOS Agents with Jamf.
π‘Note: In some cases, if the Agent does not appear after authorizing Full Disk Access, enable Allow Notifications for SentinelOne in the System Settings.
To Authorize Full Disk Access on a local computer:
On the local computer, open System Settings.
Click Privacy & Security, and select the Full Disk Access tab.
Click the + button.
Press and hold Command+Shift+G at the same time to open the Go to the folder menu.
Enter the path:
/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/
Double click your destination folder..
Select the SentinelOne applications, and click Open:
sentineld.app
sentineld_helper.app
sentineld_shell.app
Optional: Drag and drop the SentinelOne applications to the Full Disk Access list.
Open a Finder window.
Navigate to
/Library/Sentinel
.Right-click the sentinel-agent.bundle file, and click Show Package Contents.
Navigate to the
/Contents/MacOS/
folder.Select the required SentinelOne applications, and drag the applications to the Full Disk Access list.
Close System Settings.
Authorizing the Network Extension
If the SentinelOne icon shows "Needs user attention" or these messages "Authorize SentinelOne Network Extension in System Preferences", "Authorize SentinelOne components in System Preferences" you must approve the network extension for SentinelOne in System Settings.
Do this only one time on every macOS endpoint. If you already approved it, there is no need to repeat it when the SentinelOne App is updated. If you do not complete this prerequisite step, your mac will not be fully protected.
If you use Mobile Device Management (MDM) solution to manage your Endpoints, see:
Installing and Upgrading macOS Kextless Agents with Jamf
Installing and Upgrading macOS Kextless Agents with MDM tools
To approve the network extension for macOS Sequoia 15:
Open System Settings > General > Login Items & Extensions.
Scroll down to Network Extensions and click the info button to the right.
Enable SentinelOne Extensions.
If a prompt appears asking to allow SentinelOne Extensions to filter network content. Click Allow.
To approve the network extension:
If you see the System Extension Blocked message, click Open System Settings.
Note: If you click OK, the window closes. To approve the SentinelOne Network Extension later, open System Settings > Privacy & Security > Security.
At System software from application "SentinelOne Extensions" was blocked from loading, click Allow.
In the window that opens, click Allow.
Upgrading macOS Agents with a Local Upgrade
To upgrade macOS Agents locally:
Download the new macOS Agent version PKG.
Open the Terminal application.
Run:
sudo sentinelctl upgrade-pkg PKG_pathname
π‘ Note: Upgrading the macOS Agent does not work with double-clicking the installer PKG.
Troubleshooting
If you experience an issue with the installation or upgrade procedure of the Agent, please share the logs with SentinelOne support.
If there is an installed Agent on the endpoint, share the Agent log.
See Fetching Agent and Endpoint Logs.
If there is no Agent installed on the endpoint, share, the
install.log
.To Collect install.log:
Open Terminal.
Enter:
cp /var/log/install.log ~/Desktop
If you try to upgrade the macOS Agent by double-clicking, the installer PKG will fail, and an error message will appear in the Agent logs: An unexpected error occurred while moving files to the final destination.