Skip to main content
All CollectionsOnboarding & OffboardingSoftware installation
Install/Uninstall SentinelOne Agent (macOS & Windows)
Install/Uninstall SentinelOne Agent (macOS & Windows)
Updated over 2 weeks ago

This guide walks you through installing and uninstalling SentinelOne on macOS and Windows devices managed by Swif. Follow the steps below to ensure correct installation, notification permissions (macOS), and validation (Windows).


1. macOS Installation

1.1 Create & Deploy a Notification Policy

For macOS, SentinelOne requires notification permission to display system alerts. You can add this as a custom “Notification Policy” profile in Swif by uploading the raw payload below in .mobileconfig or XML format:

<array>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.sentinelone.SentinelAgent</string>
<key>CriticalAlertEnabled</key>
<true/>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
</array>
  1. In Swif > Device Management > Policies, click Create Custom Policy.

  2. Name it (e.g., “SentinelOne Notifications”).

  3. Paste the above XML snippet as the payload content, or upload it as .mobileconfig if you already have it as a file.

  4. Assign this policy to your macOS device group(s) so the policy gets installed on each Mac.

Note: You may also need other macOS configuration profiles for Full Disk Access, Network Filtering, and Service Management (Ventura+). The Notification policy here is specifically for allowing SentinelOne’s alerts.

1.2 Add the SentinelOne PKG to Swif

  1. Obtain the SentinelOne macOS .pkg installer from your SentinelOne console.

  2. In Swif > Applications, Add Application.

  3. Upload the .pkg file. Fill in the details such as name (“SentinelOne for Mac”), version, tags, etc.

  4. Save and assign to the macOS device group(s) so the package deploys automatically.

1.3 (Optional) Set the Site Token via Post-Install Command

Many macOS SentinelOne PKG files let you embed your Site Token. If not, you can provide it post-install with a script:

  1. In the Applications detail (when adding or editing your SentinelOne package in Swif), find the Post-Install Command Script field.

  2. Add this script (substituting your token):

    sudo /usr/local/bin/sentinelctl set registration-token -- "<YOUR_SITE_TOKEN>"
  3. Save your changes. After Swif installs the PKG, it will automatically run this post-install script to register the Mac.


2. Windows Installation

2.1 Prepare or Use a Prebuilt Installer

  1. Download the SentinelOne Windows .msi or .exe from your SentinelOne console.

  2. In Swif > Applications, Add Application and Upload the file.

  3. If you have a Site Token to embed for registration, you can add silent install arguments. For example:

    • For MSI:

      -t <YOUR_SITE_TOKEN> /q /norestart

      or sometimes

      SITE_TOKEN=<YOUR_SITE_TOKEN> /q /norestart
    • For EXE:

      -t <YOUR_SITE_TOKEN> -q

    Different installer versions may vary, so check your SentinelOne documentation.

Note, that different installer versions may vary, so check your SentinelOne documentation.

Important: If you’re running Windows in a VM on Apple Silicon (M1, M2, or M4), make sure to use the ARM64 binary. Using x64.exe on an ARM-based VM can lead to an error such as:

Failed to access Sentinel Agent registry key [Win32 Error: The system cannot find the file specified.] Running Sentinel Installer The uninstallation completed successfully but the new installation failed. Reboot the endpoint and try to install the new Agent again.

Switching to an ARM64-based installer resolves this issue.

2.2 Multiple Installer Arguments (Silent Install)

Swif allows multiple arguments: type each one in the Installer Arguments field and press Enter to add them. For example:

  1. -t

  2. <YOUR_SITE_TOKEN>

  3. -q

When the installation runs, Swif will automatically handle the silent, tokenized setup.

2.3 Adding Windows Validation Rules

After the installation, you can set Validation Rules so Swif confirms that SentinelOne is present. For example, a File Existence rule:

  • Rule Type: File Exists

  • Path: C:\Program Files\SentinelOne\<some_sentinelone_file>.exe

  • (Or) C:\Program Files\SentinelOne\SentinelAgent\SentinelAgent.exe

If the file is found after installation, Swif marks the installation as successful. If it’s not there, Swif flags an error. You can add other rules (like checking a registry key) if needed.


3. Troubleshooting & Logs

If SentinelOne fails to install or register:

  1. Check Swif Install Logs: Swif’s dashboard may display an error under the device’s software installation status.

  2. Check Local Device Logs for deeper insight:

    • Windows:

      C:\ProgramData\gorilla\gorilla.log
    • macOS:

      /Library/Managed Installs/Logs/ManagedSoftwareUpdate.log

    Look for relevant error messages about permission issues, missing tokens, or script failures.


4. Uninstalling SentinelOne

By design, SentinelOne is tamper-resistant. Uninstalling requires either:

  1. Uninstall from SentinelOne Console: Issue an uninstall command from within the SentinelOne portal for that device.

  2. Use the SentinelOne Passphrase/Token:

    • macOS:

      sudo /usr/local/bin/sentinelctl uninstall --passphrase <UNINSTALL_TOKEN>
    • Windows:

      sentinel_cleanup_tool.exe --uninstall --token <UNINSTALL_TOKEN>

Without the correct token or a console-initiated uninstall, you cannot remove SentinelOne. Always retrieve the token from your SentinelOne portal before attempting an uninstall via Swif.


Summary

  1. macOS: Deploy the Notification Policy (and any other required profiles), then install the .pkg via Swif. Use a Post-Install script to set the site token if needed.

  2. Windows: Upload the .msi or .exe, specify silent arguments (token + quiet flags), and optionally configure Validation Rules to confirm a successful install.

  3. Troubleshoot with Swif device logs and local OS logs if something fails.

  4. Uninstall from the SentinelOne portal or using the uninstall passphrase from your SentinelOne console.

Following these steps will ensure SentinelOne is properly installed, registered with your site token, able to display notifications (macOS), and validated (Windows). If you have any questions, contact support!

Did this answer your question?