Installing and Upgrading S1 macOS Agents with MDM tools
SentinelOne officially tests the installation and management of the macOS Agent with Jamf and Workspace ONE only. Some links to other resources:
If you use a different Mobile Device Management (MDM) solution, make sure that the MDM solution supports these features:
Deployment of macOS .pkg.
Deployment of macOS system configuration profiles.
Deployment of admin-configured tool/script.
Important
macOS Ventura and later require a new profile - Service Management. This profile will prevent users from disabling the SentinelOne daemons.
From Agent version 22.2 the Network Extension is loaded by default in environments where SentinelOne Firewall is enabled. From Agent version 23.2.2 the Network Extension is loaded by default in all environments, regardless of the SentinelOne Firewall settings. If the Network Extension and Content Filter are not pre-authorized before upgrading to this Agent version, a notification will instruct users to authorize them. To prevent user-facing notifications, pre-authorize the Network Extension and Content Filter:
Create and deploy the Network Monitoring Extension Profile to pre-authorize the installation of the Network Extension.
Create and deploy a Network Filter Validation Profile.
Changes in macOS Sequoia 15
In macOS Sequoia 15, Apple introduced a new interface that allows users to view and manage all installed System Extensions, including Network Extensions, and provides additional controls over these features.
To view and manage Network Extensions in Sequoia, go to System Settings > General > Login Items & Extensions > Network Extensions and enable access via the system dialog that appears.
Important
As an administrator, you may wish to prevent users from disabling extensions through System Settings. macOS Sequoia 15 supports a new NonRemovableFromUISystemExtensions option for the com.apple.system-extension-policy payload to provide this control. By specifying the SentinelOne Network Monitoring extension within the payload, users can view its details but cannot modify its state.
As neither macOS Ventura 13 nor macOS 14 Sonoma recognizes the NonRemovableFromUISystemExtensions option, administrators should create a separate profile, specific to macOS Sequoia 15 and later, to manage the NonRemovableFromUISystemExtensions option. This way, users who upgrade to macOS Sequoia 15 will automatically get the new profile and the restriction will be properly enforced. You can find a sample profile for macOS Sequoia 15 with the NonRemovableFromUISystemExtensions option in the Attachments of this guide.
macOS Sequoia 15 also introduced a new NonRemovableSystemExtensions option, which prevents explicitly named extensions in the payload from being removed (while allowing all other extensions to be removed).
Important
NonRemovableSystemExtensions works opposite to the existing RemovableSystemExtensions option. A valid configuration profile can use NonRemovableSystemExtensions or RemovableSystemExtensions, but not both.
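A check for the two rules above, written as an added example for this guide (it is not SentinelOne's or Apple's code): it parses a mobileconfig with the standard library, flags a com.apple.system-extension-policy payload that uses RemovableSystemExtensions and NonRemovableSystemExtensions together, and confirms that a Sequoia profile lists the SentinelOne extension under NonRemovableFromUISystemExtensions. The sample profile is constructed inline with placeholder identifiers, and NonRemovableFromUISystemExtensions is assumed to use the same team-ID to bundle-ID dictionary layout as RemovableSystemExtensions does in this guide.

```python
import plistlib

SYSEXT_POLICY = "com.apple.system-extension-policy"
S1_TEAM_ID = "4AYE5J54KN"
S1_NETWORK_EXTENSION = "com.sentinelone.network-monitoring"


def sysext_policy_findings(mobileconfig_bytes, sequoia_profile=True):
    """Return findings for every system-extension-policy payload in a profile.

    An empty list means the profile follows the rules described above; when
    sequoia_profile is True the payload is also expected to lock the
    SentinelOne network extension against removal from System Settings.
    """
    profile = plistlib.loads(mobileconfig_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != SYSEXT_POLICY:
            continue
        # A payload may carry RemovableSystemExtensions or
        # NonRemovableSystemExtensions, never both.
        if "RemovableSystemExtensions" in payload and "NonRemovableSystemExtensions" in payload:
            findings.append("RemovableSystemExtensions and NonRemovableSystemExtensions used together")
        # Pre-authorization: the extension is allowed by name or via its team ID.
        by_name = payload.get("AllowedSystemExtensions", {}).get(S1_TEAM_ID, [])
        by_team = S1_TEAM_ID in payload.get("AllowedTeamIdentifiers", [])
        if S1_NETWORK_EXTENSION not in by_name and not by_team:
            findings.append(f"{S1_NETWORK_EXTENSION} is not pre-authorized")
        # Sequoia-only key; assumed to mirror the team-ID -> bundle-ID layout of
        # RemovableSystemExtensions shown in this guide.
        ui_locked = payload.get("NonRemovableFromUISystemExtensions", {})
        if sequoia_profile and S1_NETWORK_EXTENSION not in ui_locked.get(S1_TEAM_ID, []):
            findings.append(f"{S1_NETWORK_EXTENSION} can still be disabled from System Settings")
    return findings


def sample_profile(**payload_keys):
    """Constructed one-payload mobileconfig (not a SentinelOne file) so the
    checks run offline on realistic plist bytes; extra keys override defaults."""
    payload = {
        "PayloadType": SYSEXT_POLICY,
        "PayloadIdentifier": "example.sysext.policy",  # placeholder identifiers
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadVersion": 1,
        "AllowUserOverrides": False,
        "AllowedTeamIdentifiers": [S1_TEAM_ID],
    }
    payload.update(payload_keys)
    return plistlib.dumps({"PayloadContent": [payload], "PayloadType": "Configuration",
                           "PayloadVersion": 1})


if __name__ == "__main__":
    lock = {S1_TEAM_ID: [S1_NETWORK_EXTENSION]}
    print(sysext_policy_findings(sample_profile(NonRemovableFromUISystemExtensions=lock)))
    print(sysext_policy_findings(sample_profile(RemovableSystemExtensions=lock,
                                                NonRemovableSystemExtensions=lock)))
```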
Requirements and Documentation
Before you install or upgrade the Agent, see the System Requirements for supported macOS versions and other prerequisites.
Full Disk Access Policy
Grant Full Disk Access to these SentinelOne components:
com.sentinelone.sentineld
Identifier: com.sentinelone.sentineld
Identifier Type: Bundle ID
Code Requirements:
anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
com.sentinelone.sentineld-helper
Identifier: com.sentinelone.sentineld-helper
Identifier Type: Bundle ID
Code Requirements:
anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
For Agents 21.5 and lower, grant Full Disk Access to com.sentinelone.sentinel-shell.
Identifier: com.sentinelone.sentinel-shell
Identifier Type: Bundle ID
Code Requirements:
anchor apple generic and identifier "com.sentinelone.sentinel-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
For Agents 21.7 and later, grant Full Disk Access to com.sentinelone.sentineld-shell.
Identifier: com.sentinelone.sentineld-shell
Identifier Type: Bundle ID
Code Requirements:
anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] or certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "4AYE5J54KN")
Privacy Control Configuration Profile
Use the Privacy Control Configuration profile to grant the Full Disk Access permissions.
The instructions here show the steps in Jamf. Use a similar procedure in other MDM tools.
To Upload a New Configuration Profile:
Copy the following text into a text editor and replace Your Company with your company's name, then save it as a mobileconfig file:
Note: SentinelOne - TCC - Bluetooth.mobileconfig includes the BluetoothAlways payload, which is only supported on macOS 14 and later.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Privacy Preferences Policy Control</string>
<key>PayloadIdentifier</key>
<string>236FFBB3-159D-4A5F-B146-AAA7BBA11FF0</string>
<key>PayloadOrganization</key>
<string>Your Company</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>236FFBB3-159D-4A5F-B146-AAA7BBA11FF0</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<integer>1</integer>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
<key>Identifier</key>
<string>com.sentinelone.sentineld</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
<dict>
<key>Allowed</key>
<integer>1</integer>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
<key>Identifier</key>
<string>com.sentinelone.sentineld-helper</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
<dict>
<key>Allowed</key>
<integer>1</integer>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.sentinelone.sentineld-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
<key>Identifier</key>
<string>com.sentinelone.sentineld-shell</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
</array>
<key>BluetoothAlways</key>
<array>
<dict>
<key>Allowed</key>
<integer>1</integer>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.sentinelone.sentinel-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
<key>Identifier</key>
<string>com.sentinelone.sentinel-helper</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>Provides access to all disk to Sentinel One processes</string>
<key>PayloadDisplayName</key>
<string>SentinelOne - Privacy Control</string>
<key>PayloadIdentifier</key>
<string>0F7D9FAD-1257-402C-A942-354723513881</string>
<key>PayloadOrganization</key>
<string>Sentinel Labs, Inc.</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5961E10D-A589-4A7E-9790-8F1C55511014</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Click Computers > Configuration Profiles.
Click Upload.
Select the mobileconfig file you created and click Upload.
Click Scope.
Select Targets and set the devices to receive the configuration profile.
Click Save.
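Before scoping the Privacy Control profile, it is worth verifying that every Full Disk Access grant is pinned to the SentinelOne team ID rather than to the bundle identifier alone. The following check is an added example for this guide (not SentinelOne's code): it reads a mobileconfig with the standard library, confirms that the three components listed under Full Disk Access Policy each have a SystemPolicyAllFiles grant, and that each grant's CodeRequirement names that identifier and contains the subject.OU team pin from this guide. The sample profile is constructed inline with placeholder identifiers.

```python
import plistlib
import re

TCC_POLICY = "com.apple.TCC.configuration-profile-policy"
S1_TEAM_ID = "4AYE5J54KN"
# Components that need Full Disk Access per the requirements above
# (sentineld-shell applies to Agents 21.7 and later).
REQUIRED_FDA = {
    "com.sentinelone.sentineld",
    "com.sentinelone.sentineld-helper",
    "com.sentinelone.sentineld-shell",
}
# Designated-requirement template used throughout this guide.
REQUIREMENT = ('anchor apple generic and identifier "{ident}" and '
               '(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
               'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
               'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
               'certificate leaf[subject.OU] = "{team}")')


def fda_findings(mobileconfig_bytes):
    """Return findings for the SystemPolicyAllFiles grants in a TCC profile.

    Empty list: every required component is granted, and each grant's
    CodeRequirement names that component and pins the SentinelOne team ID,
    so an unrelated binary reusing the bundle ID cannot inherit the grant.
    """
    profile = plistlib.loads(mobileconfig_bytes)
    findings, granted = [], set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_POLICY:
            continue
        for entry in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
            ident, req = entry.get("Identifier", "?"), entry.get("CodeRequirement", "")
            if entry.get("Allowed") != 1 or entry.get("IdentifierType") != "bundleID":
                findings.append(f"{ident}: grant is not Allowed=1 with IdentifierType=bundleID")
                continue
            if f'identifier "{ident}"' not in req:
                findings.append(f"{ident}: CodeRequirement does not name this identifier")
            if not re.search(rf'subject\.OU\]\s*=\s*"{S1_TEAM_ID}"', req):
                findings.append(f"{ident}: CodeRequirement is not pinned to team {S1_TEAM_ID}")
            granted.add(ident)
    findings.extend(f"{m}: no Full Disk Access grant" for m in sorted(REQUIRED_FDA - granted))
    return findings


def sample_tcc_profile(grants):
    """Constructed mobileconfig bytes (not a SentinelOne file); grants is a
    list of (bundle_id, team_id) pairs placed under SystemPolicyAllFiles."""
    entries = [{"Allowed": 1, "Identifier": i, "IdentifierType": "bundleID",
                "StaticCode": 0, "CodeRequirement": REQUIREMENT.format(ident=i, team=t)}
               for i, t in grants]
    payload = {"PayloadType": TCC_POLICY, "PayloadVersion": 1,  # placeholder identifiers
               "PayloadIdentifier": "example.tcc", "PayloadUUID": "00000000-0000-4000-8000-000000000002",
               "Services": {"SystemPolicyAllFiles": entries}}
    return plistlib.dumps({"PayloadContent": [payload], "PayloadType": "Configuration",
                           "PayloadVersion": 1})
```

A grant whose requirement carries another team's subject.OU, or a missing sentineld-shell entry, each produce one finding; a profile matching the three entries above produces none.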
Network Monitoring Extension Policy
The SentinelOne Agent Network Extension is used for Deep Visibility™ IP networks events, Firewall Control, and Network Quarantine capabilities.
Grant access to this policy for Firewall Control and Network Quarantine capabilities and for Deep Visibility™ network event features:
Display Name: SentinelOne Network Monitoring Extension
System Extension Types: Allowed System Extensions
Team Identifier: 4AYE5J54KN
Allowed System Extensions: com.sentinelone.network-monitoring
Creating a Network Monitoring Extension Profile
Use the Network Monitoring Extension profile to pre-authorize the installation of the Network Extension.
The instructions here show the steps in Jamf. Use a similar procedure in other MDM tools.
To Upload a New Configuration Profile:
Download the Network Monitoring Extension mobileconfig file.
Click Computers > Configuration Profiles.
Click Upload.
Click Choose File.
Select the Network Monitoring Extension mobileconfig file you downloaded, and click Upload.
Alternatively, copy this text, save it as a mobileconfig file, then upload it:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>4AYE5J54KN</key>
<array>
<string>com.sentinelone.network-monitoring</string>
</array>
</dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>System Extensions</string>
<key>PayloadIdentifier</key>
<string>1BDD5153-6C81-4E0F-B409-1C321FF5E251</string>
<key>PayloadOrganization</key>
<string>Gete.Net Consulting</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadUUID</key>
<string>1BDD5153-6C81-4E0F-B409-1C321FF5E251</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Enables automatic loading of SentinelOne System Extension.</string>
<key>PayloadDisplayName</key>
<string>SentinelOne - Network Monitoring Extension</string>
<key>PayloadIdentifier</key>
<string>C957C35F-004C-4CF4-B075-9CAE5739081B</string>
<key>PayloadOrganization</key>
<string>Sentinel Labs, Inc.</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>67BEF468-52BF-4DC9-96E2-2CCF1FEA127E</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Optional: Create a Removable System Extension to pre-authorize the removal of the Network Monitoring Extension when the Agent is uninstalled.
Note
Supported on macOS Monterey and later.
By default, if you use the Removable System Extension mobileconfig file, end users cannot approve unspecified system extensions. End users may experience unwanted behavior if they cannot approve unspecified system extensions.
To let end users approve unspecified system extensions, click Edit and enable Allow users to approve system extensions after you upload the mobileconfig file.
To create a Removable System Extension, download the Removable System Extension mobileconfig file and redo steps 2 through 5 to upload it.
Alternatively, copy this text, save it as a mobileconfig file, then upload it:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>B8F1F9C1-AE66-4939-BEFD-8BB6F597E279</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Sentinel Labs, Inc.</string>
<key>PayloadIdentifier</key>
<string>B8F1F9C1-AE66-4939-BEFD-8BB6F597E279</string>
<key>PayloadDisplayName</key>
<string>SentinelOne Removable System Extension</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>2B453873-A72A-4389-908A-9BF11B98790F</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadOrganization</key>
<string>Sentinel Labs, Inc.</string>
<key>PayloadIdentifier</key>
<string>2B453873-A72A-4389-908A-9BF11B98790F</string>
<key>PayloadDisplayName</key>
<string>System Extensions</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>AllowUserOverrides</key>
<false/>
<key>AllowedTeamIdentifiers</key>
<array>
<string>4AYE5J54KN</string>
</array>
<key>RemovableSystemExtensions</key>
<dict>
<key>4AYE5J54KN</key>
<array>
<string>com.sentinelone.network-monitoring</string>
</array>
</dict>
</dict>
</array>
</dict>
</plist>
Click Scope.
Select Targets and set the devices to receive the configuration profile.
Click Save.
Network Filter Validation Policy
Use the Network Filter Validation policy to pre-authorize the usage of the SentinelOne Network Filter by the Network Monitoring Extension.
Grant access to this policy for Firewall Control and Deep Visibility™ network events features:
Filter Type: Plugin
Plugin bundle identifier: com.sentinelone.extensions-wrapper
Filter data provider bundle identifier: com.sentinelone.network-monitoring
Filter data provider designated requirement:
anchor apple generic and identifier "com.sentinelone.network-monitoring" and (certificate leaf[field.1.2.840.113635.100.6.1.9] or certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "4AYE5J54KN")
Filter sockets: true
Creating a Network Filter Validation Profile
Use the Network Filter Validation profile to pre-authorize the usage of the SentinelOne Network Filter by the Network Monitoring Extension.
The instructions here show the steps in Jamf. Use a similar procedure in other MDM tools.
To Upload a New Configuration Profile:
Click Computers > Configuration Profiles.
Click Upload.
Click Choose File.
Select the Network Filter Validation mobileconfig file you downloaded, and click Upload.
Alternatively, copy this text, save it as a mobileconfig file, and upload it:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.sentinelone.network-monitoring</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.sentinelone.network-monitoring" and anchor apple generic and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadDisplayName</key>
<string>Web Content Filter Payload</string>
<key>PayloadIdentifier</key>
<string>14DDD990-E2D8-4DD1-8CC6-72FEFB5F252B</string>
<key>PayloadOrganization</key>
<string>JAMF Software</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadUUID</key>
<string>14DDD990-E2D8-4DD1-8CC6-72FEFB5F252B</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PluginBundleID</key>
<string>com.sentinelone.extensions-wrapper</string>
<key>UserDefinedName</key>
<string>SentinelOne Extensions</string>
</dict>
</array>
<key>PayloadDescription</key>
<string>Authorizes SentinelOne Network Filter automatic validation.</string>
<key>PayloadDisplayName</key>
<string>SentinelOne - Network Filter Validation</string>
<key>PayloadIdentifier</key>
<string>7889BE15-9387-4CDD-B2D7-D57B65EDA1E5</string>
<key>PayloadOrganization</key>
<string>Sentinel Labs, Inc.</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2C480E0F-AA21-420F-8BC8-0E1AC975BC51</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Click Scope.
Select Targets and set the devices to receive the configuration profile.
Click Save.
Notification Settings
Use these parameters to configure the Notification settings and to allow the Agent to show system native notifications:
Payload Type: com.apple.notificationsettings
Bundle Identifier: com.sentinelone.SentinelAgent