Script: SentinelOne MSP Multi-Tenant Universal Installer

The SentinelOne Multi-Tenant Universal Installer was created to simplify and automate SentinelOne agent installations for a busy MSP. The MSP was managing more than 25 customer SentinelOne license keys, with separate installers for macOS and Windows, across several RMM and MDM solutions. Using AWS DynamoDB and API Gateway together with PowerShell and bash scripting, we built a single script per platform that determines the customer code and its corresponding SentinelOne license key and then performs the installation. This greatly simplified the MSP's SentinelOne installation workflow.

  1. SentinelOne license keys are stored in AWS DynamoDB; entries are added with a custom macOS data-entry application.
  2. The script first identifies the management platform: the MDM on macOS or the RMM on Windows.
  3. Using platform-specific local details, the script then determines the device's customer code, which maps to a base64-encoded SentinelOne license key. Note that base64 is an encoding, not encryption: it obscures the key in transit and at rest but does not protect it from anyone who can read the record.
  4. An API Gateway call with the customer code retrieves the corresponding license key from DynamoDB.
  5. The license key is decoded from base64, and the installer logic for the device's specific macOS or Windows version is selected.
  6. The appropriate SentinelOne installer is downloaded from the company's Backblaze web repository.
  7. Persistent links are used so that the latest SentinelOne version can be updated in the repository without editing the script.
  8. Both the macOS and Windows scripts begin with a short "runner" script that downloads and runs the actual installation script from the MSP's private GitHub repository, so the installation logic can be updated without touching the script deployed in each MDM or RMM customer account.
  9. Installation logs can be monitored in the MDM or RMM solution's web console.
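The macOS side of steps 2 through 5 (identify the MDM tenant, map it to a customer code, fetch the base64 record from the API, decode it) as a POSIX sh example. This is an added illustration, not the MSP's script: the sample `profiles` output, the push-topic-to-customer table, the API Gateway URL, header and JSON shape, and the token values are all constructed for the example.

```shell
#!/bin/sh
# Added example (not the MSP's own installer): macOS tenant identification and
# license lookup. Every file name, URL, header and field below is an assumption.
set -eu

# Constructed sample of MDM profile output. A real run would capture
#   sudo profiles show -type enrollment
# and feed that text to mdm_identifier instead of this string.
SAMPLE_PROFILE_OUTPUT='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
Topic: com.apple.mgmt.External.1d3c7e9a-0000-4000-8000-aaaaaaaaaaaa'

# Step 2: the push-certificate topic is unique per MDM tenant; extract it.
mdm_identifier() {
    printf '%s\n' "$1" | sed -n 's/^Topic: *//p' | head -n 1
}

# Step 3: local lookup from MDM identifier to customer code. The table is
# constructed for this example; unknown identifiers fail closed.
customer_code_for() {
    case "$1" in
        com.apple.mgmt.External.1d3c7e9a-0000-4000-8000-aaaaaaaaaaaa) echo ACME ;;
        com.apple.mgmt.External.2b4d8f0b-0000-4000-8000-bbbbbbbbbbbb) echo GLOBEX ;;
        *) echo "unknown MDM identifier: $1" >&2; return 1 ;;
    esac
}

# Step 4: API Gateway call (endpoint, API key header and response shape assumed).
# With S1_API_URL unset, a constructed response is returned so this runs offline.
fetch_license_json() {
    if [ -n "${S1_API_URL:-}" ]; then
        curl -fsS -H "x-api-key: ${S1_API_KEY:?set S1_API_KEY}" "${S1_API_URL}?customer=$1"
    else
        case "$1" in
            ACME)   echo '{"customer":"ACME","license":"c2l0ZS10b2tlbi1mb3ItQUNNRQ=="}' ;;
            GLOBEX) echo '{"customer":"GLOBEX","license":"c2l0ZS10b2tlbi1mb3ItR0xPQkVY"}' ;;
            *)      echo '{}' ;;
        esac
    fi
}

# Step 5: pull the base64 field out of the JSON and decode it. base64 is an
# encoding, not encryption: whoever can call the API can read the site token.
license_for_customer() {
    json=$(fetch_license_json "$1")
    b64=$(printf '%s' "$json" | sed -n 's/.*"license":"\([^"]*\)".*/\1/p')
    [ -n "$b64" ] || { echo "no license record for customer $1" >&2; return 1; }
    printf '%s' "$b64" | base64 --decode
}

main() {
    id=$(mdm_identifier "$SAMPLE_PROFILE_OUTPUT")
    code=$(customer_code_for "$id")
    token=$(license_for_customer "$code")
    echo "customer=$code site_token=$token"
}

# Only run the end-to-end flow when asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The lookup fails closed on purpose: an unrecognised push topic or an empty API response aborts rather than installing the agent under the wrong tenant's key.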

Both the Windows and macOS installation flows begin with a "runner" script, which downloads and runs the actual installation script from a private GitHub repository:

The Windows or macOS SentinelOne installation script is downloaded from GitHub with a private API token and then executed as a continuation of the initial runner script. Because that token is embedded in every runner deployed through the MDM and RMM platforms, it should be a read-only token scoped to that single repository and rotated if a runner is ever exposed.

On Windows, the installation script first determines whether the device is managed by NinjaOne or JumpCloud, then which customer the device belongs to: under NinjaOne the customer's Ninja Organization ID is used, and under JumpCloud the local agent Connect Key is used. On macOS, the MDM push certificate hash identifier is used to determine the customer.

Once the customer is known, the installation script calls the API Gateway endpoint, which looks up the appropriate SentinelOne license key for that customer in AWS DynamoDB.

With the license key in hand, the script selects the correct SentinelOne installer for the operating system version and architecture and downloads it. To update the installer for future installations, only the file in the Backblaze bucket needs to be replaced; the persistent link in the script stays the same.
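The installer-selection step in POSIX sh, as an added example that is not the MSP's code. It shows how a persistent "latest" link per architecture lets the bucket be updated without touching the script, and adds the check a persistent link makes necessary: because the file behind the URL changes, the script verifies a published checksum and the package signature before installing. The bucket URL, file names, the checksum sidecar, the macOS 10.x cutoff and the registration-token file path are assumptions for the example (the token path is the one SentinelOne has documented for pkg installs; confirm it against current vendor docs).

```shell
#!/bin/sh
# Added example (not the MSP's installer): choose a SentinelOne package by
# macOS version and CPU architecture, build the persistent link, verify it.
set -eu

# Assumed base URL of the Backblaze-hosted repository (override via env).
S1_REPO_BASE="${S1_REPO_BASE:-https://example.invalid/s1}"

# Pick a package name from "major.minor.patch" and `uname -m` output.
# Assumption: one persistent "latest" package per architecture for macOS 11+,
# and a legacy package for 10.x (Intel only, since it predates Apple silicon).
select_installer() {
    osver=$1; arch=$2
    major=${osver%%.*}
    case "$major" in
        10)
            echo "SentinelAgent_macos_legacy.pkg" ;;
        [1-9][0-9])
            case "$arch" in
                arm64)  echo "SentinelAgent_macos_arm64_latest.pkg" ;;
                x86_64) echo "SentinelAgent_macos_x86_64_latest.pkg" ;;
                *) echo "unsupported architecture: $arch" >&2; return 1 ;;
            esac ;;
        *)
            echo "unsupported macOS version: $osver" >&2; return 1 ;;
    esac
}

# The persistent link: same URL every run, newer file behind it when updated.
installer_url() {
    echo "$S1_REPO_BASE/$(select_installer "$1" "$2")"
}

# Download, then pin what was downloaded: compare against a SHA-256 sidecar
# (assumed to be published next to the package as <name>.sha256) and require
# Gatekeeper to accept the package. Needs network; not exercised offline.
download_and_verify() {
    url=$1; dest=$2
    curl -fsSL -o "$dest" "$url"
    expected=$(curl -fsSL "$url.sha256" | awk '{print $1}')
    actual=$(shasum -a 256 "$dest" | awk '{print $1}')
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $url" >&2
        rm -f "$dest"
        return 1
    fi
    spctl --assess --type install "$dest"
}

# Install with the site token obtained from the license lookup. The token file
# path is the vendor-documented one for pkg installs; verify before relying on it.
install_pkg() {
    pkg=$1; token=$2
    printf '%s' "$token" > /tmp/com.sentinelone.registration-token
    installer -pkg "$pkg" -target /
}

main() {
    osver=$(sw_vers -productVersion)
    arch=$(uname -m)
    url=$(installer_url "$osver" "$arch")
    download_and_verify "$url" /tmp/SentinelAgent.pkg
    install_pkg /tmp/SentinelAgent.pkg "${S1_SITE_TOKEN:?set S1_SITE_TOKEN}"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run with `--run` as root on a Mac to install; without it the file only defines the functions, which is how the selection logic can be exercised on any system.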

Installation logs can be found in the device or policy logs of the RMM or MDM used:

On macOS, a fully configured PPPC profile is assigned to grant the SentinelOne services the privacy permissions they require. The profile is MDM-agnostic and can be used across multiple MDMs.

New customers can be added with a macOS AppleScript application that takes in the customer data and writes it to the AWS DynamoDB table via an API call.

Description

Installs SentinelOne with a unique customer license based on the detected operating system, architecture, MDM / RMM, and local device details - powered by AWS DynamoDB and API Gateway.