Deploy SentinelOne with Primo & Fleet

Learn how to deploy SentinelOne effectively using Primo & Fleet, including essential steps for software upload, policy creation, and configuration, along with important scripts and warnings regarding their use.


Context

Deploying an EDR, or other security agents, is a very common use case for Mobile Device Management solutions. It lets you make sure that your security tooling is present on your entire fleet and is properly protecting your devices.

Steps

While the specifics will vary, the steps are always the same:

  1. Upload the software package & configure the deployment
  2. Create a policy & trigger the installation
  3. [Mac only, Optional] Add a Configuration Profile

Example with SentinelOne

Step 1: Uploading & configuring

  1. In Fleet, navigate to “Software” and click on the “Add Software” button
  2. [Recommended] Check the “self-service” box if you want users to be able to install this software from their menu bar icon on their device
  3. [Recommended] Choose to install the application automatically. If you don’t select this, you will have to write a policy with an app automation to deploy the application on targeted devices. The following policy queries check whether the agent is already installed on each platform:
    Mac
    SELECT 1 FROM apps WHERE bundle_identifier = 'com.sentinelone.pkg.sentinel-agent';
    Linux (deb package)
    SELECT 1 FROM deb_packages WHERE name LIKE 'sentinelagent';
    Windows
    SELECT 1 FROM programs WHERE identifying_number = '{EA080DF7-C45B-4BAF-AAD7-16FB66D11F92}';
  4. Click on “Advanced options”
  5. In “Install script”, you can enter the following scripts:
    ⚠️
    These scripts are provided as-is with no guarantee that they will work.
    Mac
    #!/bin/sh
    # Fleet sets $INSTALLER_PATH to the downloaded .pkg; the SentinelOne installer
    # reads the site token from a registration-token file in the same directory
    dir_path=$(dirname "$INSTALLER_PATH")
    echo "your_token_here" > "$dir_path/com.sentinelone.registration-token"
    installer -pkg "$INSTALLER_PATH" -target /Applications
    Linux
    #!/bin/sh
    # Install the local .deb (pulling in dependencies), then register the agent with the site token
    apt-get install --assume-yes -f "$INSTALLER_PATH"
    /opt/sentinelone/bin/sentinelctl management token set your_token_here
    Windows
    $logFile = "${env:TEMP}/fleet-install-software.log"

    try {
      # Run the MSI installer elevated and wait for it; the site token is passed
      # as an MSI property and verbose installer output is written to $logFile
      $installProcess = Start-Process msiexec.exe `
        -ArgumentList "SITE_TOKEN=your_token_here /q /lv ${logFile} /i `"${env:INSTALLER_PATH}`"" `
        -PassThru -Verb RunAs -Wait
      # Echo the tail of the installer log so it appears in Fleet's script output
      Get-Content $logFile -Tail 500
      Exit $installProcess.ExitCode
    } catch {
      Write-Host "Error: $_"
      Exit 1
    }
  6. In “Uninstall script”, you can enter the following scripts:
    ⚠️
    These scripts are provided as-is with no guarantee that they will work.
    Windows
    $product_code = "{EA080DF7-C45B-4BAF-AAD7-16FB66D11F92}"

    # Fleet uninstalls the app using the product code extracted on upload
    msiexec /quiet /x $product_code
    Exit $LASTEXITCODE
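The macOS install script above writes the site token in clear text into a world-readable file next to the installer and leaves it there. The script below is an added example, not code from Primo, Fleet or SentinelOne: it keeps the same installer invocation but reads the token from an environment variable, creates the registration-token file owner-readable only, and removes it once the installer has exited. It assumes Fleet exports $INSTALLER_PATH and that the token is supplied in a hypothetical $S1_SITE_TOKEN variable.

```shell
#!/bin/sh
# Added example (not from the original page, Fleet or SentinelOne): a hardened
# variant of the macOS install script. Assumptions: Fleet exports $INSTALLER_PATH
# (the downloaded .pkg) and the site token is supplied in $S1_SITE_TOKEN
# (hypothetical variable name, e.g. populated from a secret store).
set -u

# Write the token next to the installer, where the SentinelOne pkg expects the
# com.sentinelone.registration-token file. Prints the file path on success.
write_registration_token() {
    installer_path=$1
    token=$2
    [ -n "$installer_path" ] || { echo "error: empty installer path" >&2; return 1; }
    [ -n "$token" ] || { echo "error: empty site token" >&2; return 1; }
    dir_path=$(dirname "$installer_path")
    token_file="$dir_path/com.sentinelone.registration-token"
    # The subshell scopes umask 077 to this one write: mode 600 from the first byte,
    # so the token is never readable by other local users.
    ( umask 077 && printf '%s\n' "$token" > "$token_file" ) || return 1
    printf '%s\n' "$token_file"
}

# Delete the token file; rm -f keeps this safe even if it was never written.
cleanup_token() {
    rm -f -- "$1"
}

# Run the installer with the token staged, always clean up afterwards, and
# return the installer's own exit code so Fleet records a failed install.
install_agent() {
    installer_path=$1
    token_file=$(write_registration_token "$installer_path" "${S1_SITE_TOKEN:-}") || return 1
    installer -pkg "$installer_path" -target /Applications
    rc=$?
    cleanup_token "$token_file"
    return "$rc"
}

# Only run the install when invoked by Fleet (INSTALLER_PATH set); otherwise the
# script just defines the functions, so it can be sourced for testing.
if [ -n "${INSTALLER_PATH:-}" ]; then
    install_agent "$INSTALLER_PATH"
fi
```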

Step 3: [Mac only] Add a Configuration Profile

Security software such as SentinelOne typically requires additional permissions from the user to work correctly. You can streamline deployment by uploading a Configuration Profile to Fleet that grants these permissions without user intervention.

For documentation on how to create the Configuration Profiles, please refer to the vendor documentation.

Below, you will find an example of a Configuration Profile for SentinelOne.

⚠️
This Configuration Profile is provided as-is, as of November 2024, with no guarantee that it will work. Up-to-date instructions from SentinelOne are available for customers here: https://euce1-110-nfr.sentinelone.net/docs/en/installing-and-upgrading-macos-agents-with-mdm-tools.html

SentinelOne_Permissions.mobileconfig (8.2 kB): https://drive.google.com/open?id=189Z3U2OD8FT2QBFw0qkkvv876600cURo&usp=drive_fs
