diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md index 30fbaa6c7a..7116f0b7ef 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md @@ -2,7 +2,7 @@ title: Installing Microsoft Defender ATP for Linux manually ms.reviewer: description: Describes how to install Microsoft Defender ATP for Linux manually, from the command line. -keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md index 7a0f0c27d6..5cd69d9301 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md 
@@ -1,8 +1,8 @@ --- -title: Installing Microsoft Defender ATP for Mac with Microsoft Intune +title: Installing Microsoft Defender ATP for Linux with Puppet ms.reviewer: -description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +description: Describes how to install Microsoft Defender ATP for Linux, using Puppet. +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -18,236 +18,89 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Intune-based deployment +# Puppet based deployment **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) -This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps: +This topic describes how to deploy Microsoft Defender ATP for Linux through Puppet. A successful deployment requires the completion of all of the following steps: - [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +- [Create Puppet policies](#create-jamf-policies) - [Client device setup](#client-device-setup) -- [Create System Configuration profiles](#create-system-configuration-profiles) -- [Publish application](#publish-application) +- [Deployment](#deployment) +- [Check onboarding status](#check-onboarding-status) ## Prerequisites and system requirements -Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. -## Download installation and onboarding packages +In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have a Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported puppet modules such as *apt*, *lsb-release* to help deploy the package. 
Your organization might use a different workflow. -Download the installation and onboarding packages from Microsoft Defender Security Center: +## Download onboarding package -1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**. -2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS, or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. -5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos). +Download the onboarding package from Windows Defender Security Center: - ![Windows Defender Security Center screenshot](images/MDATP_2_DownloadPackages.png) +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -6. From a command prompt, verify that you have the three files. - Extract the contents of the .zip files: + ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_page.png) +4. From a command prompt, verify that you have the file. 
+ Extract the contents of the .zip file: + ```bash $ ls -l - total 721688 - -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + total 8 + -rw-r--r-- 1 test staff 6287 Oct 21 11:22 WindowsDefenderATPOnboardingPackage.zip $ unzip WindowsDefenderATPOnboardingPackage.zip Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist + inflating: WindowsDefenderATPOnboarding.py ``` -7. Make IntuneAppUtil an executable: +## Create Puppet manifests - ```bash - $ chmod +x IntuneAppUtil - ``` +You need to create a puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by puppet server. -8. Create the wdav.pkg.intunemac package from wdav.pkg: +## Deployment - ```bash - $ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" - Microsoft Intune Application Utility for Mac OS X - Version: 1.0.0.0 - Copyright 2018 Microsoft Corporation +Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected. - Creating intunemac file for /Users/test/Downloads/wdav.pkg - Composing the intunemac file output - Output written to ./wdav.pkg.intunemac. +## Monitoring puppet deployment - IntuneAppUtil successfully processed "wdav.pkg", - to deploy refer to the product documentation. - ``` -## Client device setup +You can also check the onboarding status: -You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp). +```bash +$ mdatp --health +... 
+licensed : true +orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45" +... +``` -1. You are asked to confirm device management. +- **licensed**: This confirms that the device has an ATP license. -![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) +- **orgid**: Your Microsoft Defender ATP org id; it will be the same for your organization. -Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: +## Check onboarding status -![Management profile screenshot](images/MDATP_4_ManagementProfile.png) +You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status: -2. Select **Continue** and complete the enrollment. +```bash +$ mdatp --health healthy +``` -You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. +The above command prints "1" if the product is onboarded and functioning as expected. -3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed: - -![Add Devices screenshot](images/MDATP_5_allDevices.png) - -## Create System Configuration profiles - -1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections. -4. Select **OK**. - - ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) - -5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -6. Repeat steps 1 through 5 for more profiles. -7. 
Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it. - - > [!CAUTION] - > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. - > - > The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile. - - ```xml - - - - - PayloadDescription - Allows Microsoft Defender to access all files on Catalina+ - PayloadDisplayName - TCC - Microsoft Defender - PayloadIdentifier - com.microsoft.wdav.tcc - PayloadOrganization - Microsoft Corp. - PayloadRemovalDisallowed - - PayloadScope - system - PayloadType - Configuration - PayloadUUID - C234DF2E-DFF6-11E9-B279-001C4299FB44 - PayloadVersion - 1 - PayloadContent - - - PayloadDescription - Allows Microsoft Defender to access all files on Catalina+ - PayloadDisplayName - TCC - Microsoft Defender - PayloadIdentifier - com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44 - PayloadOrganization - Microsoft Corp. 
- PayloadType - com.apple.TCC.configuration-profile-policy - PayloadUUID - C233A5E6-DFF6-11E9-BDAD-001C4299FB44 - PayloadVersion - 1 - Services - - SystemPolicyAllFiles - - - Allowed - - CodeRequirement - identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 - Comment - Allow SystemPolicyAllFiles control for Microsoft Defender ATP - Identifier - com.microsoft.wdav - IdentifierType - bundleID - - - - - - - - ``` - -9. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. - -Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: - -![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) - -## Publish application - -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. - - > [!CAUTION] - > Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) for additional information about how the product is updated. - - ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) - -6. Select **OK** and **Add**. - - ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) - -7. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**. 
- - ![Client apps screenshot](images/MDATP_10_ClientApps.png) - -8. Change **Assignment type** to **Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - - ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) - -10. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**: - - ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) - -## Verify client device state - -1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device. - - ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) - ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) - -2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune: - ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) - -3. 
You should also see the Microsoft Defender icon in the top-right corner: - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Troubleshooting - -Issue: No license found - -Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml +If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem: +- 1 if the device is not yet onboarded +- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running ## Logging installation issues -For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) . +See [Logging installation issues](microsoft-defender-atp-linux-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md index 9894750faa..c203ebd24c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md 
@@ -2,7 +2,7 @@ title: Set preferences for Microsoft Defender ATP for Linux ms.reviewer: description: Describes how to configure Microsoft Defender ATP for Linux in enterprises. -keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md index 2a1e938b11..83c84689a0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md @@ -2,7 +2,7 @@ title: Microsoft Defender ATP for Linux ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for Linux. -keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10
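Review bot: The `keywords:` line in microsoft-defender-atp-linux-install-manually.md (hunk `@@ -2,7 +2,7 @@`) still lists `linux` twice after the `edhat` to `redhat` fix. The same line is carried into the Puppet, preferences and overview pages in this patch, so the duplicate could be dropped in all four while they are being touched. The Puppet page also inherits both `puppet` and `ansible` in its keywords; if that page only covers Puppet, trim the list to match.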
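Review bot: In the body hunk of microsoft-defender-atp-linux-install-with-puppet.md (`@@ -18,236 +18,89 @@`), the "Check onboarding status" text contradicts itself for anyone scripting a compliance check: it says the command prints "1" if the product is onboarded and functioning, then lists exit code 1 as "the device is not yet onboarded". Please say explicitly which value is standard output and which is the exit status, and what the exit status is in the healthy case, since Puppet facts or monitoring jobs will be written against this. In the same hunk, the step list at the top no longer matches the headings: `[Create Puppet policies](#create-jamf-policies)` points at a jamf anchor while the section is `## Create Puppet manifests`, `#download-installation-and-onboarding-packages` has no matching heading now that the section is `## Download onboarding package`, and `#client-device-setup` links to a section this change removes. Three sections are left without content as far as the hunk shows: `## Create Puppet manifests` states that a manifest is needed but gives none, `## Monitoring puppet deployment` goes straight to "You can also check the onboarding status", and `## Uninstallation` is empty because the old "See [Uninstalling]..." line is deleted with no Linux replacement. Smaller points: the sample `orgId` in the `mdatp --health` output looks like a real GUID and would be better as an obvious placeholder, step 3 says "Save it ... to the same directory" although no directory is introduced earlier, the new text reverts to "Windows Defender Security Center" where the removed text used "Microsoft Defender Security Center", and "have a Puppet configured" needs rewording.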