Context
Deploying and EDR, or other security agents, is a very common usecase of Mobile Device Management solutions. This allows you to make sure that your security solutions are present on your entire fleet and properly securing your devices.
Steps
While the specifics will vary, the steps are always the same:
- Upload the software package & configure the deployment
- Create a policy & trigger the installation
- [Mac only, Optional] Add a Configuration Profile
Example with SentinelOne
Step 1: Uploading & configuring
- In Fleet, navigate to “Software” and click on the “Add Software” button
- [Recommended] Check the “self-service” box if you want users to be able to install this software from their menu bar icon on their device
- Click on “Advanced options”
- In “Install script”, you can enter the following scripts:These scripts are provided as-is with no guarantee that they will work.
Mac
#!/bin/sh dir_path=$(dirname "$INSTALLER_PATH") echo "your_token_here" > "$dir_path/com.sentinelone.registration-token" installer -pkg "$INSTALLER_PATH" -target /Applications
Linux
#!/bin/sh dir_path=$(dirname "$INSTALLER_PATH") echo "your_token_here" > "$dir_path/com.sentinelone.registration-token" dnf install --assumeyes "$INSTALLER_PATH"
Windows
Under construction
Step 2: Policy & auto-install
- In FleetDM, navigate to Policies
- Select “All teams” and switch to “No team”
- Create a policy (N.B. You will have to create one policy per OS you want to deploy on)For policies, you can target a number of things: whether the app is present on the device, whether it is running, etc. Refer to the OSQuery documentation for more details & configuration. The examples below are built on “software presence”.
Mac
SELECT 1 FROM apps WHERE bundle_identifier = 'com.sentinelone.sentineld';
Linux
SELECT 1 FROM rpm_packages WHERE name = 'sentinel-agent';
Windows
SELECT 1 FROM programs WHERE name LIKE '%SentinelOne%';
For other tools, replace the bundle identifier or the program name with the appropriate value.
- Save the policy. Examples below:
- Title: “[<OS Type>] SentinelOne is present”
- Description: “The laptop is correctly protected by the SentinelAgent security software, making it less vulnerable to malware, unauthorized access, and data breaches.”
- Resolve (this appears to employees in case of policy failure): “Nothing to do on your end 👌”
- Select the relevant OS in the picker
- Go back to the “No team” policy list and click on “Manage automation > Install software”
- Check the policy you just created and set it to install the software you uploaded earlier
Step 3: [Mac only] Add a Configuration Profile
Security softwares such as SentinelOne typically require additional permissions from the user to work correctly. You can streamline deployment by uploading a Configuration Profile to FleetDM to grant these permissions without user intervention.
For documentation on how to create the Configuration Profiles, please refer to the vendor documentation.
Below, you will find an example of a Configuration Profile for SentinelOne.