SentinelOne Agent

Installation guide for endpoints

and servers
Revision History

Version Status Date Comments Author

Pau Risa
prisa@fluidra.com
1.0 Created 25.01.2022 First version Javier Ramon
jramon@fluidra.com
Added new Windows and Pau Risa
1.1 Updated 04.02.2022
Linux versions of the agent prisa@fluidra.com
Oriol Cardús
Added new Windows and ocardus@fluidra.com
1.2 Updated 08.09.2022
Linux versions of the agent Pedro Guadalajara
pguadalajara@fluidra.com

CONFIDENTIAL Page 2
Table of Contents
1 Preface .............................................................................................................. 4
2 Install on Windows endpoints .............................................................................. 5
3 Install on Linux endpoints .................................................................................... 7
4 Install on Windows servers .................................................................................. 9
5 Install on Linux Servers ..................................................................................... 13

CONFIDENTIAL Page 3
1 Preface
The following guide is divided in several sections depending on the target system. In order
for the installation to be successful, follow the steps based on the asset you want to install
the agent.

Configuration and installation steps differ between operating systems and type
of asset (endpoint or server).

CONFIDENTIAL Page 4
2 Install on Windows endpoints
Administrator permissions are required to install the agent.

To proceed with the installation of the agent on Windows endpoints, it is first required to
download the installation package for the corresponding architecture.

• Windows 32/64 bit Installer

Manual installation (Graphical user interface)

Run the installation package and enter the Site Token when prompted in the installation
wizard.

LATAM Site Token:

eyJ1cmwiOiAiaHR0cHM6Ly9ldWNlMS0xMDQuc2VudGluZWxvbmUubmV0IiwgInNpdGVf
a2V5IjogImY0YmI2MjQwYmMyMTQ5YzUifQ==

Silent installation (Using MSIEXEC via GPO/Lansweeper/WS1)

Configure the installation of the MSI using MSIEXEC and the following parameters to deliver
it via GPO, Lansweeper or WS1:

<SHARE PATH TO MSI PACKAGE> SITE_TOKEN=

eyJ1cmwiOiAiaHR0cHM6Ly9ldWNlMS0xMDQuc2VudGluZWxvbmUubmV0IiwgInNpdGVf
a2V5IjogImY0YmI2MjQwYmMyMTQ5YzUifQ== /QUIET /NORESTART

CONFIDENTIAL Page 5
 Parameters information
/QUIET: Used to install the agent silently without user input.
/NORESTART: Used to prevent the installation package to automatically reboot the
endpoint after installation.
You can also use the following GPO template and tune it for your organization:

@ECHO OFF
REM --- Check for an existing installation of Sentinelone on 32/64-bit (the
'Sentinelone Service' process)
IF EXIST "C:\ProgramData\Sentinel\assets\assets." goto _End
REM --- Deploy to Windows 2008/2008-R2/2012/2016/10
IF "%PROCESSOR_ARCHITECTURE%"=="x86" (GOTO 32bitOS) ELSE (GOTO
64bitOS)
REM 32-Bit commands run here
:32bitOS
\\<Server>\<Share>\SentinelInstaller-x86_windows_32bit_v4_5_2_136.msi /q
/norestart /SITE_TOKEN=
eyJ1cmwiOiAiaHR0cHM6Ly9ldWNlMS0xMDQuc2VudGluZWxvbmUubmV0IiwgInNpdGVf
a2V5IjogImY0YmI2MjQwYmMyMTQ5YzUifQ==
GOTO _End
REM 64-Bit commands run here
:64bitOS
\\<Server>\<Share>\SentinelInstaller-x64_windows_64bit_v4_5_2_136.msi /q
/norestart /SITE_TOKEN=
eyJ1cmwiOiAiaHR0cHM6Ly9ldWNlMS0xMDQuc2VudGluZWxvbmUubmV0IiwgInNpdGVf
a2V5IjogImY0YmI2MjQwYmMyMTQ5YzUifQ==
GOTO _End
REM --- End of the script
:_End

After installation steps

The endpoint must be rebooted after the installation process has finished. If the endpoint
is not rebooted, it will only be partially protected.

The Static Al and Reputation protection modes are active immediately after installation.

The Dynamic Engines (Behavioural Al) mode becomes active after the endpoint is rebooted.

CONFIDENTIAL Page 6
3 Install on Linux endpoints
Root permissions are required to install the agent.

To proceed with the installation of the agent on Linux endpoints, it is first required to
download the installation package for the corresponding architecture.

• Linux DEB/RPM Installer

To automatically install the agent without the need of post-installation configuration, we
can use a config file and add it to the PATH as follows:

1. Create a configuration file with the installation parameters below, each on a separate
line. Save the file as config.cfg

S1_AGENT_MANAGEMENT_TOKEN=
eyJ1cmwiOiAiaHR0cHM6Ly9ldWNlMS0xMDQuc2VudGluZWxvbmUubmV0IiwgInNpdGVfa
2V5IjogImY0YmI2MjQwYmMyMTQ5YzUifQ==
S1_AGENT_AUTO_START=true

Parameters information
S1_AGENT_MANAGEMENT_TOKEN: Configure Site token to add the agent to the
LATAM account.
S1_AGENT_AUTO_START: Automatically start the agent service after installation.

IMPORTANT: Create this file in the target Linux endpoint. If not, the characters
encoding and Windows CRLF may cause the installation process to not read it
properly and, in consequence, install the agent with the wrong configuration.

2. Export the S1_AGENT_INSTALL_CONFIG_PATH environment variable that defines the

absolute path to the configuration file.

sudo export S1_AGENT_INSTALL_CONFIG_PATH="<PATH TO THE FILE>/config.cfg”

3. Install the package with the package manager.

• RPM: sudo rpm -i --nodigest <RPM PACKAGE PATH>

• DEB: sudo dpkg -i <DEB PACKAGE PATH>

CONFIDENTIAL Page 7
 After installation steps

The endpoint must be rebooted after the installation process has finished. If the endpoint
is not rebooted, it will only be partially protected.

The Static Al and Reputation protection modes are active immediately after installation.

The Dynamic Engines (Behavioural Al) mode becomes active after the endpoint is rebooted.

CONFIDENTIAL Page 8
4 Install on Windows servers
Administrator permissions are required to install the agent.

To proceed with the installation of the agent on Windows servers, it is first required to
download the installation package for the corresponding architecture.

• Windows 32/64 bit Installer

Manual installation (Graphical user interface)

1. Run the installation package and enter the Site Token when prompted in the installation
wizard.

LATAM Site Token:

eyJ1cmwiOiAiaHR0cHM6Ly9ldWNlMS0xMDQuc2VudGluZWxvbmUubmV0IiwgInNpdGVf
a2V5IjogImY0YmI2MjQwYmMyMTQ5YzUifQ==

2. Get the passphrase for the agent just installed from the Management Console.
a. Go to the Sentinels section in the left sidebar.
b. Go to the LATAM Site in the Scope section.
c. Search for and select the server where you just installed the agent.
d. Open the Actions menu and search for “Show Passphrase”.

CONFIDENTIAL Page 9
3. Open a privileged command line on the server and change directory to the Agent
installation directory:

cd "C:\Program Files\SentinelOne\<SENTINEL AGENT VERSION FOLDER>"

4. Run the following commands in this exact order and one by one to set the proxy:

sentinelctl config -p server.proxy -v http://proxy.fluidra.cpd:3128 -k <PASSPHRASE>

sentinelctl config -p agent.deepVisibility.proxy -v single -k <PASSPHRASE>
sentinelctl config -p communicatorConfig.forceProxy -v true -k <PASSPHRASE>
sentinelctl reload -a

Silent installation (Using MSIEXEC via GPO/Lansweeper/WS1)

Configure the installation of the MSI using MSIEXEC and the following parameters to deliver
it via GPO, Lansweeper or WS1:

<SHARE PATH TO MSI PACKAGE> SITE_TOKEN=

eyJ1cmwiOiAiaHR0cHM6Ly9ldWNlMS0xMDQuc2VudGluZWxvbmUubmV0IiwgInNpdGVf
a2V5IjogImY0YmI2MjQwYmMyMTQ5YzUifQ== /QUIET /NORESTART
/SERVER_PROXY= http://proxy.fluidra.cpd:3128 IOC_PROXY=single
FORCE_PROXY=true

CONFIDENTIAL Page 10
Parameters information
/QUIET: Used to install the agent silently without user input.
/NORESTART: Used to prevent the installation package to automatically reboot the server
after installation.
/SERVER_PROXY: Specify the proxy in order for the agent to reach the Internet. Not
needed if the server does not need a proxy.
/IOC_PROXY: Specify the proxy in order for the agent Depp Visibility capabilities to reach
the Internet. Not needed if the server does not need a proxy.
/FORCE_PROXY: Always use a proxy to reach the Internet instead of connecting directly.

You can also use the following GPO template and tune it for your organization:

@ECHO OFF
REM --- Check for an existing installation of Sentinelone on 32/64-bit (the
'Sentinelone Service' process)
IF EXIST "C:\ProgramData\Sentinel\assets\assets." goto _End
REM --- Deploy to Windows 2008/2008-R2/2012/2016/10
IF "%PROCESSOR_ARCHITECTURE%"=="x86" (GOTO 32bitOS) ELSE (GOTO
64bitOS)
REM 32-Bit commands run here
:32bitOS
\\<Server>\<Share>\SentinelInstaller-x86_windows_32bit_v4_5_2_136.msi /q
/NORESTART /SITE_TOKEN=
eyJ1cmwiOiAiaHR0cHM6Ly9ldWNlMS0xMDQuc2VudGluZWxvbmUubmV0IiwgInNpdGVf
a2V5IjogImY0YmI2MjQwYmMyMTQ5YzUifQ==
/SERVER_PROXY=http://proxy.fluidra.cpd:3128 IOC_PROXY=single
FORCE_PROXY=true
GOTO _End
REM 64-Bit commands run here
:64bitOS
\\<Server>\<Share>\SentinelInstaller-x64_windows_64bit_v4_5_2_136.msi /q
/NORESTART /SITE_TOKEN=
eyJ1cmwiOiAiaHR0cHM6Ly9ldWNlMS0xMDQuc2VudGluZWxvbmUubmV0IiwgInNpdGVf
a2V5IjogImY0YmI2MjQwYmMyMTQ5YzUifQ==
/SERVER_PROXY=http://proxy.fluidra.cpd:3128 IOC_PROXY=single
FORCE_PROXY=true
GOTO _End
REM --- End of the script
:_End

CONFIDENTIAL Page 11
 After installation steps

The server must be rebooted after the installation process has finished. If the server is not
rebooted, it will only be partially protected.

The Static Al and Reputation protection modes are active immediately after installation.

The Dynamic Engines (Behavioural Al) mode becomes active after the endpoint is rebooted.

CONFIDENTIAL Page 12
5 Install on Linux Servers
Root permissions are required to install the agent.

To proceed with the installation of the agent on Linux servers, it is first required to
download the installation package for the corresponding architecture.

• Linux DEB/RPM Installer

To automatically install the agent without the need of post-installation configuration, we
can use a config file and add it to the PATH as follows:

1. Create a configuration file with the installation parameters below, each on a separate
line. Save the file as config.cfg

S1_AGENT_MANAGEMENT_PROXY=http://proxy.fluidra.cpd:3128
S1_AGENT_DV_PROXY=http://proxy.fluidra.cpd:3128
S1_AGENT_MANAGEMENT_TOKEN=eyJ1cmwiOiAiaHR0cHM6Ly9ldWNlMS0xMDQuc2Vu
dGluZWxvbmUubmV0IiwgInNpdGVfa2V5IjogImY0YmI2MjQwYmMyMTQ5YzUifQ==
S1_AGENT_AUTO_START=true

Parameters information
S1_AGENT_MANAGEMENT_PROXY: Only needed if the endpoint needs a proxy to
access the Internet.
S1_AGENT_DV_PROXY: Only needed if the endpoint needs a proxy to access the
Internet.
S1_AGENT_MANAGEMENT_TOKEN: Configure Site token to add the agent to the
LATAM account.
S1_AGENT_AUTO_START: Automatically start the agent service after installation.

IMPORTANT: Create this file in the target Linux endpoint. If not, the characters
encoding and Windows CRLF may cause the installation process to not read it
properly and, in consequence, install the agent with the wrong configuration.

2. Export the S1_AGENT_INSTALL_CONFIG_PATH environment variable that defines the

absolute path to the configuration file.

sudo export S1_AGENT_INSTALL_CONFIG_PATH="<PATH TO THE FILE>/config.cfg”

4. Install the package with the package manager.

• RPM: sudo rpm -i --nodigest <RPM PACKAGE PATH>

• DEB: sudo dpkg -i <DEB PACKAGE PATH>

CONFIDENTIAL Page 13
 After installation steps

The server must be rebooted after the installation process has finished. If the server is not
rebooted, it will only be partially protected.

The Static Al and Reputation protection modes are active immediately after installation.

The Dynamic Engines (Behavioural Al) mode becomes active after the endpoint is rebooted.

CONFIDENTIAL Page 14