From 402d66cf2d6e71fc1f511079881b8f70f96e0e88 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:01:47 -0800 Subject: [PATCH 1/5] Update MDE for Mac docs to use new command-line tool syntax --- .../mac-install-manually.md | 4 ++-- .../microsoft-defender-atp/mac-pua.md | 2 +- .../microsoft-defender-atp/mac-resources.md | 2 +- .../mac-schedule-scan-atp.md | 4 ++-- .../microsoft-defender-atp/mac-support-kext.md | 16 ++++++++-------- .../microsoft-defender-atp/mac-support-perf.md | 2 +- .../microsoft-defender-atp/mac-whatsnew.md | 2 +- .../microsoft-defender-atp-mac.md | 2 +- 8 files changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index 904279814f..375f715a8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -116,7 +116,7 @@ To complete this process, you must have admin privileges on the device. The client device is not associated with orgId. Note that the *orgId* attribute is blank. ```bash - mdatp --health orgId + mdatp health --field org_id ``` 2. Run the Python script to install the configuration file: @@ -128,7 +128,7 @@ To complete this process, you must have admin privileges on the device. 3. Verify that the device is now associated with your organization and reports a valid *orgId*: ```bash - mdatp --health orgId + mdatp health --field org_id ``` After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md index a83bc01f7a..37371fa8f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md @@ -59,7 +59,7 @@ You can configure how PUA files are handled from the command line or from the ma In Terminal, execute the following command to configure PUA protection: ```bash -mdatp --threat --type-handling potentially_unwanted_application [off|audit|block] +mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block] ``` ### Use the management console to configure PUA protection: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index 8ab4ccb54a..227df25707 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -149,7 +149,7 @@ To enable autocompletion in zsh: ## Client Microsoft Defender for Endpoint quarantine directory -`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`. +`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp threat list`. ## Microsoft Defender for Endpoint portal information diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md index b7f2649c73..331b7057ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md 
@@ -47,7 +47,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. sh -c - /usr/local/bin/mdatp --scan --quick + /usr/local/bin/mdatp scan quick RunAtLoad @@ -73,7 +73,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. 2. Save the file as *com.microsoft.wdav.schedquickscan.plist*. > [!TIP] - > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. + > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp scan quick`, to use the `full` option instead of `quick` (i.e. `/usr/local/bin/mdatp scan full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. 3. Open **Terminal**. 4. Enter the following commands to load your file: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index 3cefc80735..dae30c8c6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md 
@@ -37,15 +37,15 @@ If you did not approve the kernel extension during the deployment/installation o ![RTP disabled screenshot](../microsoft-defender-antivirus/images/MDATP-32-Main-App-Fix.png) -You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device. +You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device. ```bash -mdatp --health +mdatp health ``` ```Output ... -realTimeProtectionAvailable : false -realTimeProtectionEnabled : true +real_time_protection_enabled : true +real_time_protection_available : true ... ``` @@ -90,15 +90,15 @@ In this case, you need to perform the following steps to trigger the approval fl sudo kextutil /Library/Extensions/wdavkext.kext ``` - The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available: + The banner should disappear from the Defender application, and ```mdatp health``` should now report that real-time protection is both enabled and available: ```bash - mdatp --health + mdatp health ``` ```Output ... - realTimeProtectionAvailable : true - realTimeProtectionEnabled : true + real_time_protection_enabled : true + real_time_protection_available : true ... ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 96b85255e0..9aff2517bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
@@ -48,7 +48,7 @@ The following steps can be used to troubleshoot and mitigate these issues: - From the Terminal. For security purposes, this operation requires elevation. ```bash - mdatp --config realTimeProtectionEnabled false + mdatp config real-time-protection --value disabled ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 2ae1e83837..55c92067b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -173,7 +173,7 @@ ms.technology: mde - Fixed an issue where Microsoft Defender for Endpoint for Mac was sometimes interfering with Time Machine - Added a new switch to the command-line utility for testing the connectivity with the backend service ```bash - mdatp --connectivity-test + mdatp connectivity test ``` - Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view) - Performance improvements & bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 61c7fe0660..9766c422da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md 
@@ -132,7 +132,7 @@ The output from this command should be similar to the following: Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal: ```bash -mdatp --connectivity-test +mdatp connectivity test ``` ## How to update Microsoft Defender for Endpoint for Mac From 5d73e88e40b16c8c285dcbe144712e9f82d9fcef Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:05:01 -0800 Subject: [PATCH 2/5] One more file --- .../microsoft-defender-atp/mac-sysext-preview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index 3e8f336502..b02e640d1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md @@ -45,7 +45,7 @@ These steps assume you already have Defender for Endpoint running on your device - Your device must be in the **Insider Fast update channel**. You can check the update channel by using the following command: ```bash - mdatp --health releaseRing + mdatp health --field release_ring ``` If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted). From 47bd07c3fa4979cb5e91ca1c8bda30eadccec328 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:12:40 -0800 Subject: [PATCH 3/5] Typo --- .../microsoft-defender-atp/mac-support-kext.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index dae30c8c6a..8d726d2f36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md @@ -44,7 +44,7 @@ mdatp health ``` ```Output ... -real_time_protection_enabled : true +real_time_protection_enabled : false real_time_protection_available : true ... ``` From f29f13280dc50788d2e9537221dfe79d255d7335 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 16:13:11 -0800 Subject: [PATCH 4/5] Corrected indentation of content in list items --- .../microsoft-defender-atp/mac-support-perf.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 9aff2517bf..cbfb2f15f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
@@ -43,13 +43,13 @@ The following steps can be used to troubleshoot and mitigate these issues: - From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**. - ![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png) + ![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png) - From the Terminal. For security purposes, this operation requires elevation. - ```bash - mdatp config real-time-protection --value disabled - ``` + ```bash + mdatp config real-time-protection --value disabled + ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). From f0446c8eb4ebb6e9c0598e76fee5cf30b2c76462 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 16:15:28 -0800 Subject: [PATCH 5/5] Corrected indentation and, thereby, broken numbering in a procedure --- .../microsoft-defender-atp/mac-sysext-preview.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index b02e640d1e..3a5f837ab4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md 
@@ -66,8 +66,9 @@ Follow the deployment steps that correspond to your environment and your preferr 1. After all deployment prerequisites are met, restart your device to launch the system extension approval and activation process. -You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device. -For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run. + You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device. + + For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run. > [!IMPORTANT] > You must close and reopen the **System Preferences** > **Security & Privacy** window between subsequent approvals. Otherwise, macOS will not display the next approval.
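Review bot: In mac-install-manually.md, the prose around both changed commands still names the attribute *orgId* ("Note that the *orgId* attribute is blank", "reports a valid *orgId*"), while the command now queries `org_id`. A reader comparing the text with the output of `mdatp health --field org_id` will look for a name that no longer appears. Suggest renaming the attribute in steps 1 and 3 to `org_id` in the same change.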
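Review bot: In mac-resources.md, the edited sentence keeps the agreement error "The current trackingIds is shown with". Since the line is already being touched, make it "The current trackingIds are shown with `mdatp threat list`". The old command carried `--list --pretty` and the new one has no formatting flag, so please confirm that the default output of `mdatp threat list` still shows the trackingId that the quarantine file names are derived from.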
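Review bot: In the tip in mac-schedule-scan-atp.md, `full` and `quick` are still described as options ("use the `full` option instead of `quick`"), but in the new syntax they are subcommands of `mdatp scan` with no leading dashes. Suggest rewording to "change `mdatp scan quick` to `mdatp scan full`", so nobody tries `--full` against the new tool and ends up with a scheduled job that never scans.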
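Review bot: The first sample output in mac-support-kext.md (hunk at -37,15 in patch 1, adjusted again in patch 3) contradicts the sentence above it. The text says `mdatp health` reports real-time protection as enabled but not available, and the removed lines showed `realTimeProtectionAvailable : false` with `realTimeProtectionEnabled : true`. After patch 3 the block reads `real_time_protection_enabled : false` and `real_time_protection_available : true`, which is the inverse. Suggest `real_time_protection_enabled : true` and `real_time_protection_available : false`, so the unapproved-kext state is clearly distinguishable from the post-approval output in the second hunk, where both values are true.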
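Review bot: In mac-support-perf.md, the list item states that the operation requires elevation, but the example `mdatp config real-time-protection --value disabled` is shown without any indication of how to elevate. Patch 4 re-indents the same block without addressing this. Suggest either showing the elevated invocation or stating explicitly that the command must be run with administrative rights. Because this step turns protection off on the device, a follow-up sentence reminding the reader to re-enable real-time protection once troubleshooting is finished would also be worth adding.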
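Review bot: In mac-whatsnew.md, the release entry still reads "Added a new switch to the command-line utility", while the example is now `mdatp connectivity test`, which is a subcommand rather than a switch. This is a historical release note, so rewriting the command changes what that release is recorded as having shipped. Suggest either keeping the original syntax here with a pointer to the new form, or rewording "switch" to "command" so the text matches the example.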