What services does SKYLINE provide?

We provide specialized divisions including: Data Centre Design & Build (Tier III/IV), Cybersecurity SOC/NOC Operations, SCADA & Automation, Fire Safety, Construction, HVAC, AI Solutions, Server Infrastructure with HPE & Dell, and Software Development.

Does SKYLINE design and build data centres?

Yes, we specialize in Tier III and Tier IV data centre design and construction including electrical infrastructure, precision cooling, raised flooring, fire suppression, and Schneider Electric UPS systems. All our projects are SACS-002 compliant and trusted by major clients like Saudi Aramco and SABIC.

Where is SKYLINE located?

Our headquarters is in Dammam, Eastern Province, Saudi Arabia. We serve all regions of Saudi Arabia and GCC countries including Riyadh, Jeddah, Khobar, Dhahran, and Jubail.

What compliance certifications does SKYLINE hold?

We comply with NCA-ECC (Essential Cybersecurity Controls), SACS-002 (Saudi Communications Standards for Data Centres), ISO 27001 (Information Security Management), and SAMA Cybersecurity Framework.

What experience does SKYLINE have in the Saudi market?

SKYLINE was founded in 2019 with 6+ years of experience, has completed 15+ mega projects including the FIFA Club World Cup, and serves 200+ clients including Saudi Aramco, SABIC, Maaden, and STC.

How to Deploy the SentinelOne Agent via CLI (Windows & Linux with sentinelctl)

Install and manage the SentinelOne Singularity agent from the command line on Windows and Linux, with the exact installer flags and verified sentinelctl commands for token, status and configuration.

SKYLINE Engineering @skyline

Published: Jun 1, 2026
Reading time: 5 min

This guide walks through deploying and managing the SentinelOne Singularity endpoint agent from the command line on both Windows and Linux. The on-device CLI is the same tool on every platform — sentinelctl — which you use to register the agent to your console, check status and apply configuration. All commands below are taken from current SentinelOne / partner documentation; adjust file names to match the exact installer version you downloaded from your management console.

Before you start: get your site or group token

Every agent must register to a Site or Group in your Singularity management console using a token. In the console, open Sentinels → Packages (or the Site/Group settings), copy the relevant token, and download the matching installer for your operating system and architecture. The token is mandatory at install time — without it the agent installs but stays unmanaged.

Windows: silent agent installation

SentinelOne ships a single self-extracting installer, SentinelOneInstaller.exe (versions 22.2 and later). Run it from an elevated CMD or PowerShell prompt. The -t flag passes the token and -q runs it quietly:

# Quiet install, registering to a site/group token (run as Administrator)
SentinelOneInstaller.exe -t <SITE_OR_GROUP_TOKEN> -q

# Pass extra installer arguments if needed
SentinelOneInstaller.exe -a <installer_arguments> -t <SITE_OR_GROUP_TOKEN>

Note: with the -q quiet switch you must also supply -t and the token. The Windows /QUIET MSI switch is not effective on the EXE installer — use -q (or --qn) instead. If you deploy the dedicated MSI package via your RMM or Intune, the pattern is:

msiexec /i "SentinelInstaller_windows_64bit_v*.msi" SITE_TOKEN=<SITE_OR_GROUP_TOKEN> /q /NORESTART

Verify the Windows agent

The agent installs under C:\Program Files\SentinelOne\Sentinel Agent <version>\. From an elevated prompt in that folder, check status:

cd "C:\Program Files\SentinelOne\Sentinel Agent <version>"
sentinelctl status

The output shows the agent state and the Monitor Build id, confirming the agent is running and managed.

Linux: package install and registration

On Linux the agent runs entirely in user space — there is no kernel module to rebuild on kernel updates. Install the RPM or DEB package you downloaded for your distribution:

# RPM-based (RHEL, Rocky, Alma, Oracle, Amazon Linux)
sudo rpm -i <package_pathname>.rpm

# DEB-based (Ubuntu, Debian)
sudo dpkg -i <package_pathname>.deb

After the package is installed, the agent is not yet registered. The Linux sentinelctl binary lives at a fixed path, /opt/sentinelone/bin/sentinelctl, and must be run with sudo using its full path. Register it to your console with the site or group token, then start and verify:

# Register the agent to the management console
sudo /opt/sentinelone/bin/sentinelctl management token set <TOKEN_VALUE>

# Start the agent services
sudo /opt/sentinelone/bin/sentinelctl control start

# Confirm the agent is running
sudo /opt/sentinelone/bin/sentinelctl control status

# Confirm connectivity to the management console
sudo /opt/sentinelone/bin/sentinelctl management status

# Show the installed agent version
sudo /opt/sentinelone/bin/sentinelctl version

Pre-seeding configuration on Linux

For golden images, VDI or automated provisioning you can register the agent at install time by pointing to a config file. Note that the RPM path requires the --nodigest switch to avoid digest-verification errors:

# RPM with config file at install time
sudo S1_AGENT_INSTALL_CONFIG_PATH="/tmp/config.cfg" rpm -i --nodigest <package_pathname>.rpm

# DEB with config file at install time
sudo S1_AGENT_INSTALL_CONFIG_PATH="/tmp/config.cfg" dpkg -i <package_pathname>.deb

Day-2 management with sentinelctl

The same sentinelctl utility manages the running agent. Several operations require the Agent passphrase from the console (retrieve it under the endpoint's Actions → Show Passphrase). Common commands:

# Check agent status
sentinelctl status

# Disable anti-tampering protection (needed before some maintenance)
sentinelctl unprotect -k <S1_PASSPHRASE>

# Re-enable anti-tampering protection
sentinelctl protect

# Unload / load / reload agent monitor and agent components
sentinelctl unload -m -a
sentinelctl load -m -a
sentinelctl reload -m -a

# Run an on-demand scan of a folder
sentinelctl scan_folder -i <path>

# Check whether the agent has ever connected to management
sentinelctl ever_connected_to_management

# Apply a configuration parameter (passphrase required)
sentinelctl config <parameter> <value> -k "<S1_PASSPHRASE>"

On Windows run these from the agent folder; on Linux prefix them with sudo /opt/sentinelone/bin/. Commands are case-sensitive on all platforms.

Troubleshooting tips

Agent shows unmanaged / never connected — confirm the token with management status (Linux) and re-run management token set; verify outbound HTTPS reachability to your console region.
Maintenance blocked by anti-tampering — use sentinelctl unprotect -k <passphrase>, perform the change, then sentinelctl protect.
Linux service not running — run control start then control status; check the agent logs under /opt/sentinelone/.

Need help with a fleet-wide rollout, policy tuning or a migration in Saudi Arabia? SKYLINE deploys, configures, supports and troubleshoots SentinelOne across Riyadh, Jeddah and Dammam. See our SentinelOne deployment and support service or call +966 50 993 9334.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.

See author profile

SKYLINE engineering services

Need this implemented for you?

Reading is free — building it right takes a team. SKYLINE engineers ship Endpoint Security for Aramco vendors, banks, hospitals and government agencies across Saudi Arabia. Talk to us before you start.

Cybersecurity & Data Centre SACS-210, NCA ECC, SOC, 24/7 ops IT AMC Annual maintenance, 24/7 SLA, Bronze→Platinum

Talk to a SKYLINE engineer WhatsApp · +966 50 993 9334 Call +966 50 993 9334

Aramco Approved Contractor ISO 9001 · ISO 27001 SAMA CSF aligned NCA ECC ready 247+ KSA clients

Comments

0 total · 0 threads

Be the first to leave a comment.