Capture Client Mac Installation - SentinelOne is not Enforcing Security

12/21/2023 18 People found this article helpful 391,560 Views

Description

After installing Capture Client on Mac OS 10.15+ you may see that "SentinelOne is not enforcing security".

Status at Endpoint :

Status at Capture Client Console :

Cause

From macOS 11 (Big Sur) kernel or legacy extensions were replaced by system extensions. The use & security of System Extensions is in the hands of the user and new third-party system extensions need user approval before loading.

Resolution

Authorizing the Network Extension :

If the SentinelOne icon shows "Needs user attention" or these messages "Authorize SentinelOne Network Extension in System Preferences", "Authorize SentinelOne components in System Preferences" you must approve the network Extension for SentinelOne in the System Preferences.

Do this only one time on every macOS endpoint. If you already approved it, there is no need to repeat it when the SentinelOne App is updated. If you do not complete this prerequisite step, your mac will not be fully protected.

If you get below alert (During and After Installation), click on "Allow".

To approve Network Extension:

Incase you did not click allow, Go to System Preferences -> Security & Privacy -> General, and look for the same prompt. Unlock & allow the same.

Authorizing Full Disk Access :

The macOS (10.15 Catalina and later releases) makes sure that applications are installed in a secure way. It limits installation only to applications that are approved by Apple and the user. This change does not let applications access specified paths (such as Documents, Downloads, and Desktop) without user consent.

If the SentinelOne icon shows "Needs user attention" or these messages "Authorize Full-Disk-Access to SentinelOne in System Preferences", "Authorize SentinelOne components in System Preferences". Approve Full Disk Access for SentinelOne Apps in the System Preferences.

Important: This is done only once on an endpoint. If already done on the endpoint, do not repeat it when the Agent is updated. If you do not complete this prerequisite step, the macOS Agent will not have full visibility to all files from all users.

Authorize Full Disk Access to these processes:

    sentineld
    sentineld_helper
    sentineld_shell

Approve/Authorize Full Disk Access on a local computer :

Go to System Preferences -> Security & Privacy -> Privacy Unlock it for editing and locate the “Full Disk Access” category
Click on the “+” button under the existing list and it will bring up a Window
Hit Command+Shift+G to get a prompt to enter a folder location
Type in /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/
You will see multiple files in this folder – you have to add and enable “Full Disk Access” for below process

sentineld_shell
sentineld_helper
sentineld

Make sure the checkbox is selected for these items under “Full Disk Access”
Once done, make sure to lock the config in Security and Privacy and close the System Preferences Window

Check your Client UI to make sure it "Threat Protection" is enabled and screen looks like below