Draft of deployment via puppet

Draft of deployment via puppet (incomplete).
Corrected spelling for redhat
Amrut Kale 2019-10-21 19:21:53 +05:30
parent 431a070d4e
commit 1976c84ec5
4 changed files with 51 additions and 198 deletions


@ -2,7 +2,7 @@
title: Installing Microsoft Defender ATP for Linux manually
ms.reviewer:
description: Describes how to install Microsoft Defender ATP for Linux manually, from the command line.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
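Review bot: the corrected `keywords` line still lists `linux` twice (`... uninstallation, puppet, ansible, linux, redhat, ubuntu ...`); since the `edhat` to `redhat` fix already touches this line, drop the second `linux` in the same change.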


@ -1,8 +1,8 @@
---
title: Installing Microsoft Defender ATP for Mac with Microsoft Intune
title: Installing Microsoft Defender ATP for Linux with Puppet
ms.reviewer:
description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
description: Describes how to install Microsoft Defender ATP for Linux, using Puppet.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
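Review bot: the new front matter keeps `ansible` in `keywords` although the title and description now describe a Puppet-only page (`title: Installing Microsoft Defender ATP for Linux with Puppet`, `description: Describes how to install Microsoft Defender ATP for Linux, using Puppet.`); remove `ansible` here, or leave it only if a separate Ansible page is meant to share this keyword list.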
@ -18,236 +18,89 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Microsoft Intune-based deployment
# Puppet based deployment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps:
This topic describes how to deploy Microsoft Defender ATP for Linux through Puppet. A successful deployment requires the completion of all of the following steps:
- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
- [Create Puppet policies](#create-jamf-policies)
- [Client device setup](#client-device-setup)
- [Create System Configuration profiles](#create-system-configuration-profiles)
- [Publish application](#publish-application)
- [Deployment](#deployment)
- [Check onboarding status](#check-onboarding-status)
## Prerequisites and system requirements
Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
## Download installation and onboarding packages
In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have a Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported puppet modules such as *apt*, *lsb-release* to help deploy the package. Your organization might use a different workflow.
Download the installation and onboarding packages from Microsoft Defender Security Center:
## Download onboarding package
1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS, or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**.
3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
Download the onboarding package from Windows Defender Security Center:
![Windows Defender Security Center screenshot](images/MDATP_2_DownloadPackages.png)
1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**.
3. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
6. From a command prompt, verify that you have the three files.
Extract the contents of the .zip files:
![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_page.png)
4. From a command prompt, verify that you have the file.
Extract the contents of the .zip file:
```bash
$ ls -l
total 721688
-rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
total 8
-rw-r--r-- 1 test staff 6287 Oct 21 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
inflating: WindowsDefenderATPOnboarding.py
```
7. Make IntuneAppUtil an executable:
## Create Puppet manifests
```bash
$ chmod +x IntuneAppUtil
```
You need to create a puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by puppet server.
8. Create the wdav.pkg.intunemac package from wdav.pkg:
## Deployment
```bash
$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
Microsoft Intune Application Utility for Mac OS X
Version: 1.0.0.0
Copyright 2018 Microsoft Corporation
Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected.
Creating intunemac file for /Users/test/Downloads/wdav.pkg
Composing the intunemac file output
Output written to ./wdav.pkg.intunemac.
## Monitoring puppet deployment
IntuneAppUtil successfully processed "wdav.pkg",
to deploy refer to the product documentation.
```
## Client device setup
You can also check the onboarding status:
You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
```bash
$ mdatp --health
...
licensed : true
orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
...
```
1. You are asked to confirm device management.
- **licensed**: This confirms that the device has an ATP license.
![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png)
- **orgid**: Your Microsoft Defender ATP org id; it will be the same for your organization.
Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
## Check onboarding status
![Management profile screenshot](images/MDATP_4_ManagementProfile.png)
You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
2. Select **Continue** and complete the enrollment.
```bash
$ mdatp --health healthy
```
You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
The above command prints "1" if the product is onboarded and functioning as expected.
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
![Add Devices screenshot](images/MDATP_5_allDevices.png)
## Create System Configuration profiles
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
4. Select **OK**.
![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png)
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
6. Repeat steps 1 through 5 for more profiles.
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
> [!CAUTION]
> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
>
> The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadDescription</key>
<string>Allows Microsoft Defender to access all files on Catalina+</string>
<key>PayloadDisplayName</key>
<string>TCC - Microsoft Defender</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav.tcc</string>
<key>PayloadOrganization</key>
<string>Microsoft Corp.</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>system</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C234DF2E-DFF6-11E9-B279-001C4299FB44</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Allows Microsoft Defender to access all files on Catalina+</string>
<key>PayloadDisplayName</key>
<string>TCC - Microsoft Defender</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
<key>PayloadOrganization</key>
<string>Microsoft Corp.</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
<key>Comment</key>
<string>Allow SystemPolicyAllFiles control for Microsoft Defender ATP</string>
<key>Identifier</key>
<string>com.microsoft.wdav</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
</dict>
</dict>
</array>
</dict>
</plist>
```
9. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png)
## Publish application
1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
2. Select **App type=Other/Line-of-business app**.
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
4. Select **Configure** and add the required information.
5. Use **macOS Sierra 10.12** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
> [!CAUTION]
> Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) for additional information about how the product is updated.
![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png)
6. Select **OK** and **Add**.
![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png)
7. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
![Client apps screenshot](images/MDATP_10_ClientApps.png)
8. Change **Assignment type** to **Required**.
9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
![Intune assignments info screenshot](images/MDATP_11_Assignments.png)
10. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
![Intune device status screenshot](images/MDATP_12_DeviceInstall.png)
## Verify client device state
1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device.
![System Preferences screenshot](images/MDATP_13_SystemPreferences.png)
![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png)
2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:
![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png)
3. You should also see the Microsoft Defender icon in the top-right corner:
![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
## Troubleshooting
Issue: No license found
Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
- 1 if the device is not yet onboarded
- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running
## Logging installation issues
For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) .
See [Logging installation issues](microsoft-defender-atp-linux-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
## Uninstallation
See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices.
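Review bot: two of the step links at the top of the new page do not resolve to headings in this file: `- [Create Puppet policies](#create-jamf-policies)` should read "Create Puppet manifests" and point at `#create-puppet-manifests`, which is the heading added below (`## Create Puppet manifests`), and `- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)` should match the renamed heading `## Download onboarding package`. The onboarding-status text is also ambiguous: `mdatp --health healthy` is described as printing "1" when the product is onboarded and functioning, while the troubleshooting lines say an exit code of 1 means the device is not yet onboarded; state explicitly that the printed value and the exit status carry different meanings, and show the `echo $?` check next to the command. Smaller points: the Deployment paragraph says agents "install new configuration profiles and policies", which is Intune/Jamf wording, whereas a Puppet agent applies the catalog compiled from the manifest; the onboarding steps name "Windows Defender Security Center" and "Settings > Machine Management > Onboarding" while the page being replaced uses "Microsoft Defender Security Center" and "Device Management", so confirm which names are current; "Create Puppet manifests" and "Deployment" promise a manifest but show none, which the commit message already flags as incomplete; "orgid" in the bullet list should match the `orgId` key in the sample output; and the closing Uninstallation line still links to `microsoft-defender-atp-mac-resources.md#uninstalling` for "Microsoft Defender ATP for Mac" and should point to the Linux resources page if it is retained.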


@ -2,7 +2,7 @@
title: Set preferences for Microsoft Defender ATP for Linux
ms.reviewer:
description: Describes how to configure Microsoft Defender ATP for Linux in enterprises.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10


@ -2,7 +2,7 @@
title: Microsoft Defender ATP for Linux
ms.reviewer:
description: Describes how to install and use Microsoft Defender ATP for Linux.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10