Sentinel: macOS Installation

Install and configure the Sentinel Agent on macOS for AI tool monitoring and DLP enforcement.

System Requirements

OS: macOS 10.13 (High Sierra) or later, up to macOS 14 (Sonoma)
Architecture: Intel x86-64 and Apple Silicon (M1/M2/M3)
Memory: 256MB minimum, 512MB recommended
Disk Space: 100MB for installation
Permissions: Administrator password required for installation

Installation Methods

1. Homebrew (Recommended)

Install Homebrew (if needed):

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Install Sentinel:

brew tap truthvouch/sentinel
brew install sentinel

With API Key:

brew install sentinel \
  --with-api-key="sk-..." \
  --with-org-id="org-..."

Upgrade:

brew upgrade sentinel

Uninstall:

brew uninstall sentinel

2. DMG Installer

Download:

https://download.truthvouch.io/sentinel/macos/latest

Installation:

Download Sentinel.dmg
Double-click to open disk image
Drag “Sentinel” to “Applications” folder
Open System Preferences → Security & Privacy
Grant accessibility permissions when prompted
Restart computer

3. Command Line Script

# Download and run installer
curl -fsSL https://download.truthvouch.io/sentinel/macos/install.sh | bash -s -- \
  --api-key "sk-..." \
  --org-id "org-..."

First-Time Setup

1. Accessibility Permissions

Sentinel requires full disk access to monitor AI tools:

Manually grant permissions:

Open System Preferences
Security & Privacy → Privacy
Full Disk Access
Add /Applications/Sentinel.app
Add /usr/local/opt/sentinel/bin/sentinel (if installed via Homebrew)

Grant via command line:

# Open Privacy settings
open "x-apple.systempreferences:com.apple.preference.security?Privacy_FullDiskAccess"

2. Configure API Key

Edit configuration file:

nano ~/.truthvouch/sentinel/config.yaml

Add:

cloud:
  api_key: sk-...
  organization_id: org-...

3. Start Agent

Using Homebrew:

brew services start sentinel

Using LaunchControl/LaunchRocket:

Applications → Utilities → LaunchControl
Find "io.truthvouch.sentinel" → Start

Manual start:

launchctl load ~/Library/LaunchAgents/io.truthvouch.sentinel.plist

4. Verify Installation

# Check if daemon is running
launchctl list | grep truthvouch

# View logs
log stream --predicate 'process == "sentinel"' --level debug

# Check service status
brew services list | grep sentinel

Configuration

Config File Location

~/.truthvouch/sentinel/config.yaml

Or system-wide:

/usr/local/etc/truthvouch/sentinel/config.yaml

Edit Configuration

# Edit user config
nano ~/.truthvouch/sentinel/config.yaml

# Reload daemon
launchctl unload ~/Library/LaunchAgents/io.truthvouch.sentinel.plist
launchctl load ~/Library/LaunchAgents/io.truthvouch.sentinel.plist

LaunchDaemon Setup

Location

/Library/LaunchDaemons/io.truthvouch.sentinel.plist

Manual Registration

sudo cp /usr/local/opt/sentinel/io.truthvouch.sentinel.plist \
  /Library/LaunchDaemons/

sudo launchctl load /Library/LaunchDaemons/io.truthvouch.sentinel.plist

sudo launchctl start io.truthvouch.sentinel

Control Daemon

# Start
sudo launchctl start io.truthvouch.sentinel

# Stop
sudo launchctl stop io.truthvouch.sentinel

# Restart
sudo launchctl stop io.truthvouch.sentinel && sleep 2 && \
sudo launchctl start io.truthvouch.sentinel

# View status
sudo launchctl list | grep sentinel

# View logs
log stream --predicate 'process == "sentinel"' --level debug

MDM Deployment

Deploy Sentinel via Mobile Device Management (Jamf, Kandji, MOSYLE):

Jamf Pro

Create Smart Group:

Criteria: All Computers → Scope

Create Policy:

Deployment → Software
Add “Sentinel.dmg”
Scripts → Add install script
Execution Frequency: Once per computer

Installation Script:

#!/bin/bash

# Download DMG
curl -o /tmp/Sentinel.dmg https://download.truthvouch.io/sentinel/macos/latest

# Mount DMG
hdiutil attach /tmp/Sentinel.dmg

# Install app
cp -r /Volumes/Sentinel/Sentinel.app /Applications/

# Unmount DMG
hdiutil detach /Volumes/Sentinel

# Grant permissions
sudo chmod +x /Applications/Sentinel.app/Contents/MacOS/sentinel

# Configure
defaults write ~/.truthvouch/sentinel/config.yaml \
  -dict cloud \
  -dict api_key "sk-..." \
  organization_id "org-..."

# Start daemon
launchctl load ~/Library/LaunchAgents/io.truthvouch.sentinel.plist

exit 0

Kandji Catalog

Create custom profile with:

App installer: Sentinel.dmg
Configuration: API key via environment variables
Post-install script: Grant accessibility permissions

Uninstallation

Via Homebrew

brew uninstall sentinel
brew tap-delete truthvouch/sentinel

Via DMG

# Stop daemon
launchctl unload ~/Library/LaunchAgents/io.truthvouch.sentinel.plist

# Remove app
rm -rf /Applications/Sentinel.app

# Remove config
rm -rf ~/.truthvouch/

# Remove launch agent
rm ~/Library/LaunchAgents/io.truthvouch.sentinel.plist

Auto-Update

Enable Auto-Update

advanced:
  auto_update: true
  update_check_interval: 24

Manual Update

# Check for updates
sentinel --check-update

# Install update
sentinel --install-update

# Or reinstall via Homebrew
brew upgrade sentinel

Logs

View Logs

# Real-time logs
log stream --predicate 'process == "sentinel"' --level debug

# Last 100 lines
log stream --predicate 'process == "sentinel"' --max 100

# Save to file
log stream --predicate 'process == "sentinel"' > sentinel.log 2>&1

Log File Locations

~/.truthvouch/sentinel/logs/
/var/log/sentinel.log (system-wide)

Permissions and Entitlements

Sentinel requires:

Full Disk Access — Monitor all processes and files
Network Access — Outbound HTTPS to TruthVouch cloud
Accessibility — Monitor application windows (if enabled)
Camera/Microphone — None (not required)

Firewall Configuration

Add Firewall Exception

# Allow outbound HTTPS
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Sentinel.app/Contents/MacOS/sentinel
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /Applications/Sentinel.app/Contents/MacOS/sentinel

Network Requirements

Sentinel requires outbound HTTPS to:

https://api.truthvouch.io
Your custom endpoint (if configured)

Troubleshooting

Permissions Issues

# Check accessibility permissions
ioreg -l | grep "Sentinel"

# Request permissions
open "x-apple.systempreferences:com.apple.preference.security?Privacy_FullDiskAccess"

# Check file permissions
ls -la ~/.truthvouch/

Service Won’t Start

# Check daemon status
launchctl list | grep truthvouch

# Check logs for errors
log stream --predicate 'process == "sentinel"'

# Manually test
/usr/local/bin/sentinel --config ~/.truthvouch/sentinel/config.yaml

Network Issues

# Test API connectivity
curl -I https://api.truthvouch.io

# Check DNS resolution
nslookup api.truthvouch.io

# View network connections
netstat -an | grep 443

High CPU Usage

# Monitor CPU
top -o %CPU | grep sentinel

# Check config
cat ~/.truthvouch/sentinel/config.yaml | grep monitoring

# Reduce monitoring scope
sed -i '' 's/clipboard_monitoring: true/clipboard_monitoring: false/' \
  ~/.truthvouch/sentinel/config.yaml

Performance Optimization

Reduce Memory Usage

Edit config.yaml:

database:
  max_size_mb: 50

monitoring:
  clipboard_monitoring: false
  network_monitoring: false

Selective Monitoring

monitoring:
  tools:
    - name: "ChatGPT"
      enabled: true
    - name: "Unused Tool"
      enabled: false

Integration with Company IT

For corporate deployment:

Share via Homebrew Tap:

# Create custom tap with your company's Sentinel package
brew tap company/sentinel https://github.com/company/homebrew-sentinel

# Deploy via MDM script
brew install company/sentinel/sentinel

Create Installation Package:

# Create pkg installer
productbuild --component /Applications/Sentinel.app \
  /Applications \
  --version 1.0.0 \
  Sentinel-1.0.0.pkg

See Configuration Reference for detailed options and Policy Sync for managing policies.