Capture Client Compatibility with macOS
09/10/2020
This article explains Capture Client compatibility with macOS.
Latest Information - Last Updated on 9th July 2020
At WWDC 20, Apple confirmed that macOS Big Sur 11.x, and its Beta version, 10.16, will strongly discourage support for Kernel Extensions. The 11.x production release is expected by October 2020. This change will greatly reduce the possibility of kernel panics on endpoints and reduce the attack surface.
The SentinelOne macOS Agent currently uses kernel extensions for detection and other security capabilities. You will probably see notifications from Apple about Legacy System Extension, which note that existing software signed by Sentinel Labs Inc. will be incompatible with a future version of macOS. If a kernel extension was approved by an MDM solution, the notifications will not show. A new macOS SentinelOne Agent, which does not use kernel extensions (Kextless), is currently in Beta and can run on macOS 10.15 (Catalina) and 11.x/10.16 (Big Sur). The new SentinelOne Kextless macOS Agent uses user space APIs to provide the same security capabilities as the current Agent.
IMPORTANT NOTE: Until this agent is made generally available, it is recommended NOT to upgrade your macOS to 10.16 or 11.x.
General Supportability and guidance on macOS Support
In general, admins are advised to refer to this table, before they make the upgrade, to identify whether a compatible Capture Client and/or SentinelOne version is available to support the macOS version they are looking to upgrade to.
| macOS Version | Recommended Capture Client Version | Recommended SentinelOne Version |
|---|---|---|
| macOS Big Sur (11.x, 10.16) | Kextless Agent in Development | Kextless Agent in Development |
| macOS Catalina (10.15.x) | | |
Follow the steps in the flowchart below to avoid compatibility issues.
Repairing an Endpoint that was upgraded to an incompatible macOS version
If the macOS of an endpoint is upgraded before the SentinelOne Agent that supports the target version is available, the endpoint may experience unexpected behavior.
- Roll back the OS upgrade to a working state (https://beta.apple.com/sp/betaprogram/restore). OR
- If that cannot be done, uninstall the Capture Client completely.
How to uninstall Capture Client and SentinelOne:
- Uninstall the Agent through the Management Console.
- If that does not work, uninstall the Agent locally. Run: sudo sentinelctl uninstall, then enter the passphrase.
- If that does not work, run these steps:
  - Disable anti-tampering in the policy for the Agent OR manually disable anti-tampering: sudo sentinelctl unprotect
  - Delete our kext, which disables protection to let us uninstall: sudo rm -R /Library/Extensions/Sentinel.kext
  - Uninstall the Agent (through the console or with sentinelctl uninstall).
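
The upgrade and repair guidance above can be checked on an endpoint before anything is changed. The script below is an added example, not SentinelOne or SonicWall code: it uses only the kext path and macOS versions given on this page, and the function names and status words (hold, repair, no-kext, unknown) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify an endpoint against this page's guidance.
# Only the kext path and the version numbers come from the page.
KEXT_PATH_DEFAULT="/Library/Extensions/Sentinel.kext"

# Map a macOS product version to the release families named on the page.
macos_family() {
    case "$1" in
        10.15|10.15.*)          echo catalina ;;
        10.16|10.16.*|11|11.*)  echo bigsur ;;
        *)                      echo other ;;
    esac
}

# A kext is a bundle directory; finding it means the kext-based Agent is
# (or was) installed. Returns 0 when the bundle exists.
has_legacy_kext() {
    [ -d "${1:-$KEXT_PATH_DEFAULT}" ]
}

# endpoint_status CURRENT_VERSION [KEXT_PATH]   (status words are hypothetical)
#   repair  - already on Big Sur with the kext present: follow the repair steps
#   hold    - Catalina with the kext present: do not upgrade to 10.16/11.x yet
#   no-kext - no kext bundle at the path; confirm the Agent version in the console
#   unknown - kext present on a macOS version this page does not cover
endpoint_status() {
    family=$(macos_family "$1")
    kext=${2:-$KEXT_PATH_DEFAULT}
    if ! has_legacy_kext "$kext"; then
        echo no-kext
        return 0
    fi
    case "$family" in
        bigsur)   echo repair ;;
        catalina) echo hold ;;
        *)        echo unknown ;;
    esac
}

# On a Mac, report the live state; on other systems sw_vers does not exist.
if command -v sw_vers >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    echo "macOS $ver: $(endpoint_status "$ver")"
else
    echo "sw_vers not found: run this on the macOS endpoint"
fi
```

The script only reads state; it does not uninstall or modify the Agent.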