A Mac permission-scope guide, written by people who ship agents for a living
SentinelOne is a System Extension with the Endpoint Security entitlement. That is the whole answer.
Every other page you read about SentinelOne will tell you it is "AI-powered EDR" and "lightweight". Neither of those is a real answer. The real answer is: it is a signed System Extension, team ID 4AYE5J54KN, holding the com.apple.developer.endpoint-security.client entitlement plus Full Disk Access plus a Network System Extension. That scope lets the agent read every file open, every process launch, and every network flow on the machine. Your IT department installed it via MDM. Here is exactly what that means, how to verify it, and why it belongs in a different category than the other things on your Mac that happen to also be called "agents".
The plain answer, first
SentinelOne is an endpoint detection and response product. On a Mac, the agent is a .systemextension bundle (Apple's modern replacement for the old kernel-extension API) that hosts an Endpoint Security client. The extension subscribes to kernel events like ES_EVENT_TYPE_NOTIFY_EXEC and ES_EVENT_TYPE_AUTH_OPEN and decides whether to allow, block, or simply log each event. Alongside that, a Network System Extension inspects network flows, and the agent holds Full Disk Access so it can read anywhere on the disk.
None of this is evil. It is exactly the scope a modern enterprise EDR needs to do its job. But it is also a much larger scope than most Mac users realize lives on their machine, and it is the reason the agent cannot simply be dragged to the Trash. A System Extension is approved by the operating system and typically locked behind an MDM profile; removing it requires undoing both the extension approval and the MDM enrollment.
If you found SentinelOne running on your personal machine and you do not remember enrolling in your employer's MDM, the machine was either issued to you pre-enrolled, or it was enrolled remotely under a User-Approved Device Enrollment profile. Either way, the agent cannot be there by accident. Somewhere in the provisioning chain, someone with administrator rights approved it.
Where SentinelOne sits in the macOS permission model
macOS enforces permissions at two layers: system-level entitlements (granted by Apple to developers, often via MDM approval) and user-level TCC permissions (granted by the user via a prompt, per app, revocable anytime). SentinelOne pulls from the top layer. Everything you download from the App Store, or most developer tools, pulls from the bottom layer. This diagram shows four agent archetypes flowing through the two layers to their effective scope.
Agent archetypes and their effective scope
The top two sources cross the kernel-adjacent layer. The bottom two never touch it. Even if you granted a user-invited agent every permission it asks for, the agent still cannot subscribe to ES_EVENT_TYPE_* events or intercept network packets. Apple does not give that out without MDM approval.
Verify SentinelOne is there: one command
If you want to stop guessing, open Terminal and run systemextensionsctl list. This is the built-in macOS utility that lists every approved System Extension on the machine, grouped by team identifier. If SentinelOne is installed, the team ID 4AYE5J54KN will appear, and at least one bundle named com.sentinelone.extensions.sentineld-helper will be marked active and enabled.
If none of those commands produce a SentinelOne-shaped row, you do not have SentinelOne. What you do have is probably something else (a different EDR, an MDM helper, a built-in Apple extension), and the same command is still the right way to find out.
“The Endpoint Security client entitlement lets an approved System Extension subscribe to kernel events including exec, open, and fork. Apple grants it only to developers who have accepted an additional entitlement profile.”
Apple Endpoint Security framework reference
The four agent archetypes on a modern Mac
Every piece of software on your Mac that people loosely call an "agent" falls into one of four archetypes. The archetype tells you the permission scope, the install model, and the removal model in one label. SentinelOne is archetype one. Everything most Mac users actually invite onto their machine is archetypes three and four.
1. Kernel-adjacent security agent
System Extension with the Endpoint Security client entitlement. Sees every exec, open, and fork. Installed via MDM, removed via MDM. SentinelOne, CrowdStrike Falcon, Jamf Protect, Huntress.
2. Network-layer agent
Network System Extension, optionally paired with a TLS-terminating CA cert. Inspects every packet. Cisco Umbrella, Zscaler Client Connector, Cloudflare WARP under zero-trust policies.
3. TCC automation agent
Normal .app, asks for Accessibility, Screen Recording, or Apple Events via per-app prompts. Revocable in System Settings. Fazm, Raycast, Rewind, Shortcuts, TextExpander.
4. Assistive agent
Uses the Accessibility API the way it was designed: to help a user read, type, or navigate. VoiceOver, Zoom, BetterTouchTool, Keyboard Maestro.
Why the archetype matters
Scope and removal both flip as you go from 1 to 4. Archetype 1 can read everything on your disk and can only be removed by an administrator. Archetype 4 can only observe the UI tree of apps you let it touch, and you can revoke it in System Settings in two seconds.
SentinelOne is one of many EDR agents you might encounter
If you run into an unfamiliar endpoint security agent, the name alone will not tell you what it does. What it holds at the entitlement layer will. Every vendor below ships a System Extension with the Endpoint Security client entitlement. They differ in vendor, pricing, and detection model. They do not differ much in the scope they hold on your Mac.
All twelve hold the com.apple.developer.endpoint-security.client entitlement. If you spot one you do not recognize, the verify-it command above works on all of them.
The anchor fact: what a user-invited agent's Info.plist looks like
Every Mac app ships an Info.plist that declares, up front, which TCC (Transparency, Consent, Control) keys it will prompt for. If a permission is not declared here, the app cannot ask for it. You can read the file yourself with plutil -p /Applications/<app>.app/Contents/Info.plist. Here is Fazm's, which is an example of a user-invited automation agent. Note what is there and what is not.
Three TCC usage-description keys. The Accessibility permission is requested at runtime through AXIsProcessTrusted() (it does not require a plist key). Four permissions total, all user-scope, all prompt-gated, all revocable. And here is what is absent from this file:
Not present in Fazm's Info.plist
- NSSystemExtensionUsageDescription (no System Extension)
- com.apple.developer.endpoint-security.client entitlement
- com.apple.developer.networking.networkextension entitlement
- Full Disk Access (TCC: kTCCServiceSystemPolicyAllFiles)
- Input Monitoring (TCC: kTCCServiceListenEvent)
- Any MDM-only configuration profile requirement
SentinelOne has all six of those. That is not a criticism; SentinelOne is doing a different job. It is the precise reason the word "agent" is doing too much work when it covers both products. The shape of the install is the shape of what the agent can see.
SentinelOne vs a user-invited Mac agent, row by row
We compare to Fazm because it is what we build and because the Info.plist is public. The comparison is not about which product is better, it is about which archetype each product occupies.
| Feature | SentinelOne (kernel-adjacent, archetype 1) | Fazm (user-invited, archetype 3) |
|---|---|---|
| Install model | MDM-pushed System Extension, auto-approved by enrollment profile | Download signed .app from fazm.ai, drag to /Applications, launch |
| macOS permission scope | com.apple.developer.endpoint-security.client entitlement + Full Disk Access + Network System Extension | NSScreenCaptureUsageDescription + NSAppleEventsUsageDescription + NSMicrophoneUsageDescription + runtime AXIsProcessTrusted prompt |
| Consent at install | MDM profile installed by admin, user sees one generic 'allow system extension' prompt | Per-permission TCC prompt at the moment the app first uses each capability |
| What it can see | Every exec, every file open, every process spawn, every network flow on the machine | UI element tree and screen pixels of apps the user explicitly grants access to, microphone when recording |
| Revoke mechanism | None without the sentinelctl passcode; MDM must remove it | System Settings > Privacy & Security > Accessibility / Screen Recording toggle, takes two seconds |
| Runs with what privilege | Extension runs in its own protected user, agent daemon runs as root | User-scope, current login session, no root, no admin |
| Data destination | SentinelOne cloud tenant, admin-visible dashboard, optional long-term storage | Anthropic API for LLM calls, local database for workflow state, no analytics upload by default |
| Audit command | systemextensionsctl list | System Settings > Privacy & Security > Accessibility (no system-level audit required) |
| Tamper protection | Yes, passcode-gated. sentinelctl required to unload | None. Quit the app and it is gone from memory |
| Uninstall | Requires admin passcode and MDM removal | Drag /Applications/Fazm.app to Trash, then tccutil reset All |
Audit every agent on your Mac, in four steps
You do not need a tool. macOS ships every command you need. Run these four in order and you will know exactly what is auto-starting on your machine, in which archetype, with which scope.
the four-command audit
List every System Extension
systemextensionsctl list. Shows every approved .systemextension bundle, grouped by team ID. Look for rows under the com.apple.system_extension.endpoint_security category. Those are archetype 1. Anything under com.apple.system_extension.network_extension is archetype 2.
List every launchd job
sudo launchctl list. Every background daemon and agent registered with launchd prints here. Filter with grep -i <vendor> (sentinel, crowdstrike, jamf, huntress) to isolate specific products. Anything that shows a non-zero PID is actively running.
List every login item and extension
Open System Settings > General > Login Items & Extensions. You will see three sections: Login Items (archetype 3 or 4), Endpoint Security Extensions (archetype 1), and Network Extensions (archetype 2). Every row here is a thing that starts when you log in or boot.
List every TCC grant
Open System Settings > Privacy & Security. Go through Accessibility, Screen Recording, Input Monitoring, Automation, Full Disk Access, and Files and Folders. Every app listed is holding that permission right now. If the toggle is enabled and you do not recognize the app, you have a starting point for investigation.
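Steps one and two of the audit, and the single-command check from the verify section, written as a small filter. This is an added example, not code from Fazm, SentinelOne or Apple. The sample rows are constructed, the tab-separated column layout is an assumption about how the two commands print, and EXAMPLE001 and the com.example.* names are placeholders.

```shell
#!/bin/sh
# Added example. Sample rows are constructed, not captured from a real Mac.

# stdin: `systemextensionsctl list` output. Assumes tab-separated columns:
# enabled, active, teamID, "bundleID (version)", name, [state].
# stdout: archetype <TAB> team ID <TAB> bundle ID <TAB> status
classify_sysext() {
  awk -F'\t' '
    /^--- / { category = $0; sub(/^--- /, "", category); next }  # category header
    length($3) == 10 && $3 ~ /^[A-Z0-9]+$/ {      # data rows carry a 10-character team ID
      arch = "other"                              # e.g. driver extensions
      if (category ~ /endpoint_security$/) arch = "1"
      else if (category ~ /network_extension$/) arch = "2"
      bundle = $4; sub(/ \(.*/, "", bundle)       # drop the " (version)" suffix
      status = ($1 == "*" && $2 == "*") ? "enabled+active" : "inactive"
      printf "%s\t%s\t%s\t%s\n", arch, $3, bundle, status
    }'
}

# stdin: `launchctl list` output (columns: PID, Status, Label).
# stdout: labels containing the vendor string $1 that have a non-zero PID.
running_jobs() {
  awk -F'\t' -v vendor="$1" '
    index(tolower($3), tolower(vendor)) && $1 ~ /^[0-9]+$/ && $1 + 0 > 0 { print $3 }'
}

# Join arguments with tabs (used only to build the constructed samples).
tsv() { printf '%s' "$1"; shift; for f in "$@"; do printf '\t%s' "$f"; done; printf '\n'; }

sample_sysext() {      # constructed; version strings are placeholders
  printf '%s\n' '2 extension(s)'
  printf '%s\n' '--- com.apple.system_extension.endpoint_security'
  tsv enabled active teamID 'bundleID (version)' name '[state]'
  tsv '*' '*' 4AYE5J54KN 'com.sentinelone.extensions.sentineld-helper (0.0.0/0)' sentineld-helper '[activated enabled]'
  printf '%s\n' '--- com.apple.system_extension.network_extension'
  tsv enabled active teamID 'bundleID (version)' name '[state]'
  tsv '' '' EXAMPLE001 'com.example.netfilter (0.0.0/0)' netfilter '[terminated waiting to uninstall on reboot]'
}

sample_launchctl() {   # constructed; PIDs are arbitrary
  tsv PID Status Label
  tsv 412 0 com.sentinelone.sentineld
  tsv - 0 com.sentinelone.sentinel-ui
  tsv 88 0 com.example.updater
}

# On a Mac, feed the real commands instead:
#   systemextensionsctl list | classify_sysext
#   sudo launchctl list | running_jobs sentinel
sample_sysext | classify_sysext
sample_launchctl | running_jobs sentinel
```

A row with archetype 1 or 2 and status inactive is an extension that is approved but not currently loaded, for example one waiting to be removed on reboot.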
The scope gap, in numbers
These numbers are drawn from Apple's Endpoint Security framework reference and from Fazm's shipped Info.plist. They are not marketing numbers; they are counts of keys and event types in documentation you can open yourself.
Kernel event types versus declared TCC keys is not a fair fight, and it was never meant to be. They are different products doing different jobs. The point of counting them is to give you a concrete mental model for what the word "agent" actually means on a given machine.
The takeaway
What to remember
The SentinelOne agent on your computer is a System Extension with the Endpoint Security client entitlement, Full Disk Access, and a Network System Extension. Your IT department installed it via MDM. You can verify it with one command (systemextensionsctl list), and you cannot remove it without the admin passcode.
That scope is intentional and appropriate for an enterprise EDR. It is also very different from the scope of a user-invited agent that runs on per-app TCC permissions. If you keep those two things in separate mental buckets, the word "agent" stops being ambiguous. The archetype of the install tells you the scope, and the scope tells you what the agent can see.
Frequently asked questions
What is SentinelOne agent on my computer?
SentinelOne is an enterprise endpoint detection and response agent (EDR). On macOS it installs itself as a System Extension named com.sentinelone.extensions.sentineld-helper, holding the Endpoint Security Client entitlement, Full Disk Access, and a Network System Extension. In plain terms: the agent can read every file you open, every process that spawns, and every network packet, then forward telemetry to SentinelOne's cloud or your employer's tenant. If it is on your personal Mac, your IT department put it there via MDM; Apple does not permit a user-installed app to hold the Endpoint Security entitlement without MDM approval.
How do I verify SentinelOne is actually running on my Mac?
Open Terminal and run systemextensionsctl list. If SentinelOne is installed, you will see a row with the team ID 4AYE5J54KN (SentinelOne, Inc.) and a bundle identifier starting with com.sentinelone.extensions.sentineld. You can also run sudo launchctl list | grep -i sentinel to see the launch daemons (com.sentinelone.sentineld, com.sentinelone.sentinel-ui). The helper binary itself lives in /Applications/SentinelOne/SentinelAgent.app and the main engine in /Library/SystemExtensions/. If none of those exist, you do not have SentinelOne.
Can I remove SentinelOne from my Mac?
Not without the passcode your administrator set at install time. SentinelOne ships tamper protection that requires a sentinelctl passcode for most destructive operations, including uninstall. On a corporate machine, ask your IT team to run sentinelctl unload -a followed by the MDM removal of the system extension. On a personal machine where SentinelOne was installed by mistake, you will need either the original MDM operator to uninstall it or a full macOS reinstall in Recovery Mode that drops the system extension approval along with the rest of the OS.
Is SentinelOne spyware?
No. Spyware is unauthorized; SentinelOne is an authorized enterprise security agent deployed by your employer or school under an MDM profile you (or your administrator) accepted when the device was enrolled. That said, the capability surface is similar. The Endpoint Security client entitlement lets the agent observe file opens, process launches, network flows, and more. The difference is the consent model and the use: a deployed EDR is forwarding telemetry to your IT team for threat detection, not exfiltrating to an attacker. If you are running it on a personal device you never enrolled in an MDM, that is worth escalating.
What is the difference between SentinelOne and user-invited agents like automation tools or screen readers?
Permission scope. SentinelOne holds the com.apple.developer.endpoint-security.client entitlement, Full Disk Access via MDM auto-approval, and a Network System Extension. That scope is kernel-adjacent: the agent inspects syscalls before they return. A user-invited agent (an automation tool like Fazm, a screen reader like VoiceOver, a text expander like Raycast) runs only on per-app TCC permissions: Accessibility, Screen Recording, Apple Events. Those are user-scope, per-app, prompt-gated, and revocable from System Settings with a single toggle. Both are called 'agents', but they live in different sandboxes.
Why is SentinelOne using so much CPU or memory on my Mac?
The SentinelOne extension inspects every file open and every process launch. The usual culprits for sustained high CPU are: (1) a full disk scan running on first install or after a definition update, (2) a build system or package manager (Xcode, npm, cargo, Homebrew) generating tens of thousands of small file opens per minute, or (3) a developer tool using mmap or fsevents in a way that triggers inspection for each change. The short-term fix is sentinelctl exclusions path add <path> (requires the admin passcode) to exclude a known-noisy directory like your build output. The long-term fix is asking IT to tune the exclusion list fleet-wide.
Does SentinelOne see my passwords or read my browser?
Not directly. SentinelOne does not hold Keychain access, and it does not install a browser extension. What it can see is: files written to disk (so an on-disk credentials cache is visible), processes that spawn (so a password manager helper is visible by name and path), and network destinations (so the hostname of a site you visit is visible, but not the page contents inside a TLS session). If you are inside a TLS-terminating proxy deployed by your employer, that is a separate product (usually a CA cert installed alongside SentinelOne) that can see decrypted browser traffic. SentinelOne itself does not perform TLS interception on macOS by default.
How do I audit every 'agent' on my Mac, not just SentinelOne?
Four commands. (1) systemextensionsctl list shows every signed System Extension, including any Endpoint Security client, Network Extension, or driver extension. (2) sudo launchctl list shows every launch daemon and agent registered with launchd. (3) tccutil reset All resets every per-app TCC permission so the next prompt shows you who is asking for what. (4) Open System Settings > General > Login Items & Extensions and check 'Login Items', 'Endpoint Security Extensions', and 'Network Extensions'. Together those four give you the complete picture of what is auto-starting on your Mac and what scope it holds.
Is SentinelOne safe to keep running?
On a managed corporate machine, yes. It is signed by SentinelOne, Inc. (Team ID 4AYE5J54KN), notarized by Apple, and carries a valid entitlement granted via MDM. The more useful question is 'what does it see, and am I okay with that?' If you are doing company work on a company machine, the answer is almost always yes. If you are doing personal work on a machine that also has SentinelOne installed, keep in mind that the agent cannot distinguish 'personal browsing' from 'work browsing' at the file system and network layer. Use a separate machine or a separate user account for personal activity if that matters to you.
What does an agent that does not need kernel-adjacent scope look like?
It looks like a normal .app in /Applications that asks for a small set of user-scope TCC permissions when you first run it. Fazm, for example, ships an Info.plist declaring three usage-description keys (NSScreenCaptureUsageDescription, NSAppleEventsUsageDescription, NSMicrophoneUsageDescription) and it calls AXIsProcessTrusted() at runtime to request Accessibility. It does not declare a System Extension, does not carry the Endpoint Security client entitlement, and does not request Full Disk Access. Every permission it holds is revocable in System Settings > Privacy & Security with one toggle. That is the shape of a user-invited agent. SentinelOne is the opposite shape, by design.