Install/Uninstall SentinelOne Agent (macOS & Windows)
Updated this week

SentinelOne is a next-generation endpoint protection platform that safeguards devices against malware and other threats. Installing SentinelOne on Swif-managed devices requires a valid SentinelOne subscription and access to the SentinelOne management console (to download installers and obtain your Site Token). The Site Token is a unique identifier that registers the agent to your SentinelOne console site. Below we outline the steps for deploying SentinelOne on macOS and Windows devices using Swif, to ensure all necessary configurations (custom packages, policies, and scripts) are applied.

To install SentinelOne, there are three required steps for the macOS package and two for the Windows package:

macOS

  1. Deploy Configuration Profiles – macOS requires several security profiles to be pushed before or alongside the agent to pre-authorize SentinelOne system extensions and permissions. This prevents end-users from being prompted to allow these permissions manually (Installing SentinelOne macOS Agents with MDM tools | Guardz Help Center). The required profiles include:

    Note: These configuration profiles (provided by SentinelOne in their documentation) are typically delivered as .mobileconfig files. You can obtain them via the SentinelOne support portal or knowledge base. In Swif, upload each of these profiles as a Custom Policy for macOS. Navigate to Policy Management > Custom Policy, then upload the profile file (or paste its XML) and save it. Assign the profiles to your macOS device groups to deploy them to all managed Macs. After deployment, you can verify on a Mac that the profiles are installed under System Settings > Profiles (they should be listed by the names above).

  2. Install the SentinelOne App – Next, deploy the SentinelOne agent installer to the Macs. You have two options to do this:

    • Upload the installer: Download the latest SentinelOne macOS installer (.pkg format) from your SentinelOne console. In Swif, go to the Software page (Applications tab) and Add Application. Select Custom application package, then upload the SentinelOne .pkg file. Swif will create a deployment profile for it (Software installation | Help Center | Swif). Give it a clear name (e.g. "SentinelOne Agent for Mac") and assign it to the target macOS devices or groups to push the installation.

    • Use prebuilt package: If Swif provides a prebuilt SentinelOne package in the software catalog (similar to its prebuilt CrowdStrike Falcon package), you can simply add that to your team’s software and assign it to devices. This skips the manual upload step. (If no prebuilt SentinelOne package is available, use the custom upload method above.)

    Once added and assigned, the SentinelOne pkg will be deployed to the selected Macs automatically. Ensure the devices are online and check Swif for deployment status. After installation, the SentinelOne application should appear in /Applications on the Mac.

  3. Apply the Site Token (Agent Registration) – The final step on macOS is to register the installed agent to your SentinelOne management console using your Site Token. Since the macOS installer itself does not accept the token as a command-line parameter, we must provide the token post-installation. We will do this by running the SentinelOne command-line tool sentinelctl on the device to set the token.

    Using Swif’s remote command feature, create a command to run on the Macs that have the agent installed. Go to Devices > Commands in Swif (or the equivalent section to run a device command), and create a new command. We recommend scheduling it or running it on a slight delay to ensure the agent installation is complete. Configure the command to Run as Swif admin (an administrator account managed by Swif) so that it has root privileges (Install/Uninstall CrowdStrike Falcon | Help Center | Swif). For the command content, use the following syntax:

    sudo /usr/local/bin/sentinelctl set registration-token -- "<YourSiteToken>"

    Replace "<YourSiteToken>" with the actual token string from your SentinelOne console. This sentinelctl command writes the Site Token to the agent and prompts it to register with the cloud. (Ensure Run script as signed-in user is No so that it runs as root.) Once this command has run, the agent will connect to your SentinelOne console. You can confirm a successful registration by checking the SentinelOne management portal – the Mac device should appear as registered/online in your site. On the Mac itself, the SentinelOne tray icon will indicate it’s online, meaning it’s successfully reporting to the console.

    Tip: If you are rolling out SentinelOne to many Macs or new ones over time, consider setting the above registration command to run on a schedule (e.g. daily) for a short period. This way, any device that missed the token application (perhaps because it installed the agent after the command ran) will still get the token applied on the next run. Just remember to stop or remove the scheduled command once all devices are registered. (Also, never share the Site Token publicly; treat it as a sensitive credential.)
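
The registration step and the scheduling tip above, combined into one wrapper that waits for the agent install to finish and returns a distinct code when the agent is not there yet, so a scheduled run can simply retry. This is an added example, not a script from Swif or SentinelOne; the `SITE_TOKEN`, `SENTINELCTL` and `WAIT_SECS` variables, the function name and the return codes are assumptions, and only the `sentinelctl` command line is taken from the article.

```shell
#!/bin/sh
# Added example: registration wrapper for the scheduled Swif command.
# The sentinelctl path and arguments come from the article; every other
# name here is an assumption made for this example.
SENTINELCTL="${SENTINELCTL:-/usr/local/bin/sentinelctl}"
WAIT_SECS="${WAIT_SECS:-300}"   # how long to wait for the pkg install to finish

# Return codes: 0 applied, 2 bad token, 3 agent not installed yet,
# 4 sentinelctl reported an error.
register_agent() {
    token="$1"
    # Reject an empty token or the unreplaced <YourSiteToken> placeholder.
    case "$token" in
        ""|*"<"*|*">"*)
            echo "site token missing or still a placeholder" >&2
            return 2 ;;
    esac
    # Poll until the installer has laid down sentinelctl, up to WAIT_SECS.
    waited=0
    while [ ! -x "$SENTINELCTL" ]; do
        if [ "$waited" -ge "$WAIT_SECS" ]; then
            echo "sentinelctl not found; agent not installed yet" >&2
            return 3
        fi
        sleep 5
        waited=$((waited + 5))
    done
    # Same command as in the article. Swif runs this as root, so no sudo.
    # Output is discarded in case it echoes the token into the command log.
    if "$SENTINELCTL" set registration-token -- "$token" >/dev/null 2>&1; then
        echo "registration token applied"
        return 0
    fi
    echo "sentinelctl returned an error" >&2
    return 4
}

# Runs only when a token is supplied in the environment.
if [ -n "${SITE_TOKEN:-}" ]; then
    register_agent "$SITE_TOKEN"
    exit $?
fi
```

Return code 3 is the "agent installed after the command ran" case from the tip: leave the schedule in place and the next run picks the device up.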

Windows

  1. Install the app – Deploying SentinelOne on Windows via Swif is similar, using the installer from SentinelOne. You have two options to deploy the Windows agent:

    • Upload the installer: Download the SentinelOne Windows agent from your SentinelOne console. This may be available as an .msi or an .exe installer. In Swif’s Software page, add a new custom application and upload the installer file (.msi or .exe). Name it (e.g. "SentinelOne Agent for Windows") and configure any required install parameters. Most importantly, include the Site Token in the install arguments so that the agent registers during installation. For an MSI installer, you can specify an MSI property for the token and silent flags. For example:

      SITE_TOKEN=<YourSiteToken> /Q /NORESTART

      (These would be entered as installer arguments in Swif. Swif will handle running msiexec /i with those parameters under the hood. Remember to enter each argument separately like the attached screenshot.) This corresponds to the standard silent MSI install command msiexec /i "SentinelOneInstaller.msi" SITE_TOKEN=<YourSiteToken> /Q /NORESTART.


      If you have a SentinelOne EXE installer instead, use its token and silent switches. For example:

      -t <YourSiteToken> -q

      This corresponds to running SentinelOneInstaller.exe -t <token> -q for a quiet install with the token. (The -t flag is for the site token, and -q ensures a silent installation.) Include --norestart or its equivalent if a reboot should be suppressed, though SentinelOne typically doesn’t force an immediate reboot for installation.

    • Use prebuilt package: Check if Swif offers a prebuilt SentinelOne agent in its software catalog for Windows. If available, you can click Add on that package instead of uploading your own. When using Swif’s prebuilt package, you will still need to provide your site token in the configuration. Swif will usually have a field to enter additional installer arguments or a prompt for the token. Fill in the token (and any silent install flags as needed) in those fields. For example, enter the site token where prompted or as an argument (as shown above). This ensures the deployed agent knows which SentinelOne site to register with.

    After uploading or adding the app, assign it to the target Windows devices or device group in Swif to deploy. The Swif agent will then install SentinelOne on those endpoints. Ensure the devices are online to receive the installation. You might want to set any requirements/conditions (like minimum OS version or architecture) if applicable, but typically the default (Windows 10/11 x64) is fine.

    Verification: You would configure a detection rule or script to confirm the agent installed successfully (for example, checking that the SentinelOne folder exists in C:\Program Files or that the SentinelAgent service is present). When deploying via Swif, the platform will similarly check installation status. You can add a Validation Rule in Swif for custom packages – e.g., a file existence check for the path C:\Program Files\SentinelOne – to mark the install as successful. After a successful deployment, give the system some time to report. Within an hour or two of the assignment, you should see SentinelOne installed on the target Windows devices (check the Swif device software inventory or the SentinelOne console for new agent check-ins).

  2. Uninstall the app (if needed) – Removing SentinelOne from a device requires additional steps because the agent is tamper-resistant. By default, SentinelOne agents cannot be uninstalled without a passphrase (uninstall token) or a remote command from the SentinelOne console. This means that simply issuing an uninstall via MDM/Swif will not work unless that passphrase is provided.

    • Console-initiated Uninstall: The recommended way to remove SentinelOne is from the SentinelOne management console. An administrator can issue an uninstall command from the console (or retrieve the unique passphrase for that agent). This will gracefully remove the agent from the endpoint when it checks in. If you're offboarding a device, do this via the SentinelOne console for a clean uninstall.

    • Scripted Uninstall with Passphrase: If you need to automate the uninstall via Swif, you must include the agent’s passphrase. For example, on Windows, you could run the SentinelOne CLI to uninstall: sentinelctl.exe uninstaller --passphrase <UninstallToken>, or use the SentinelCleaner tool provided by SentinelOne along with the passphrase. On macOS, a similar sentinelctl unload or uninstall command with the passphrase is required. In any case, you must obtain the passphrase from the console first. Without a valid passphrase or approval, the agent will refuse to uninstall. (In Swif’s context, an uninstall initiated without a passphrase will fail or prompt for the token.)

    Important: Always safeguard the SentinelOne agent passphrase just as you do the site token. Only authorized admins should retrieve and use it. When de-provisioning a device, it’s best practice to uninstall the agent via the console to avoid leaving an orphaned endpoint in your SentinelOne site.


By following the above steps, Swif users can successfully deploy the SentinelOne agent on managed macOS and Windows devices. The key is to include all necessary components: for macOS, deploy the configuration profiles and apply the site token (either via script or token file) so the agent activates without user intervention (Installing SentinelOne macOS Agents with MDM tools | Guardz Help Center). For Windows, ensure the silent install is configured with the site token and understand the uninstall protections in place. With the SentinelOne agents installed and properly registered, your devices should begin reporting to your SentinelOne console, and you can verify their status (security events, scans, etc.) from there. The Swif platform will help monitor the installation state and can facilitate any needed scripts or policies as outlined above, making the deployment as seamless as possible for your IT team.


Swif.ai’s device and software management tools may be flagged as “suspicious” by SentinelOne due to legitimate low-level system interactions. While Swif.ai is not blocked by default, adding exclusions ensures uninterrupted operations and avoids unnecessary alerts. For details, please visit Configuring SentinelOne Exclusions for Swif.ai to Prevent False Positives.
