Context
Deploying and EDR, or other security agents, is a very common usecase of Mobile Device Management solutions. This allows you to make sure that your security solutions are present on your entire fleet and properly securing your devices.
Steps
While the specifics will vary, the steps are always the same:
- Upload the software package & configure the deployment
- Create a policy & trigger the installation
- [Mac only, Optional] Add a Configuration Profile
Example with SentinelOne
Step 1: Uploading & configuring
- In Fleet, navigate to “Software” and click on the “Add Software” button
- [Recommended] Check the “self-service” box if you want users to be able to install this software from their menu bar icon on their device
- [Recommended] Choose to install the application automatically. If you don’t select this, you will have to write a policy with an app automation to deploy the application on targeted devices.
Mac
SELECT 1 FROM apps WHERE bundle_identifier = 'com.sentinelone.pkg.sentinel-agent';
Linux (deb package)
SELECT 1 FROM deb_packages WHERE name like "sentinelagent";
Windows
SELECT 1 FROM programs WHERE identifying_number = '{EA080DF7-C45B-4BAF-AAD7-16FB66D11F92}';
- Click on “Advanced options”
- In “Install script”, you can enter the following scripts:These scripts are provided as-is with no guarantee that they will work.
Mac
#!/bin/sh dir_path=$(dirname "$INSTALLER_PATH") echo "your_token_here" > "$dir_path/com.sentinelone.registration-token" installer -pkg "$INSTALLER_PATH" -target /Applications
Linux
#!/bin/sh apt-get install --assume-yes -f "$INSTALLER_PATH" /opt/sentinelone/bin/sentinelctl management token set your_token_here
Windows
$logFile = "${env:TEMP}/fleet-install-software.log" try { $installProcess = Start-Process msiexec.exe ` -ArgumentList "SITE_TOKEN=your_token_here /q /lv ${logFile} /i `"${env:INSTALLER_PATH}`"" ` -PassThru -Verb RunAs -Wait Get-Content $logFile -Tail 500 Exit $installProcess.ExitCode } catch { Write-Host "Error: $_" Exit 1 }
- In “Uninstall script”, you can enter the following scripts:These scripts are provided as-is with no guarantee that they will work.
Windows
$product_code = "{EA080DF7-C45B-4BAF-AAD7-16FB66D11F92}" # Fleet uninstalls app using product code that's extracted on upload msiexec /quiet /x $product_code Exit $LASTEXITCODE
Step 3: [Mac only] Add a Configuration Profile
Security softwares such as SentinelOne typically require additional permissions from the user to work correctly. You can streamline deployment by uploading a Configuration Profile to FleetDM to grant these permissions without user intervention.
For documentation on how to create the Configuration Profiles, please refer to the vendor documentation.
Below, you will find an example of a Configuration Profile for SentinelOne.
https://drive.google.com/open?id=189Z3U2OD8FT2QBFw0qkkvv876600cURo&usp=drive_fs