From ceba5d7b6db2d3819f521d4ce6932c4c3bee7537 Mon Sep 17 00:00:00 2001 
From: Amrut Kale Date: Mon, 21 Oct 2019 09:54:39 +0530 Subject: [PATCH 01/17] First set of pages for Linux Copied from Mac --- ...oft-defender-atp-linux-install-manually.md | 185 ++++++ ...defender-atp-linux-install-with-ansible.md | 259 ++++++++ ...atp-linux-install-with-other-configtool.md | 79 +++ ...-defender-atp-linux-install-with-puppet.md | 253 +++++++ ...icrosoft-defender-atp-linux-preferences.md | 623 ++++++++++++++++++ .../microsoft-defender-atp-linux-privacy.md | 277 ++++++++ .../microsoft-defender-atp-linux-pua.md | 66 ++ .../microsoft-defender-atp-linux-resources.md | 118 ++++ .../microsoft-defender-atp-linux-updates.md | 219 ++++++ .../microsoft-defender-atp-linux.md | 113 ++++ 10 files changed, 2192 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-ansible.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-other-configtool.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md new file mode 100644 index 0000000000..bed05f108c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md 
@@ -0,0 +1,185 @@ +--- +title: Installing Microsoft Defender ATP for Mac manually +ms.reviewer: +description: Describes how to install Microsoft Defender ATP for Mac manually, from the command line. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Manual deployment + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps: +- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +- [Application installation](#application-installation) +- [Client configuration](#client-configuration) + +## Prerequisites and system requirements + +Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. 
Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_page.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + $ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + $ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +## Application installation + +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + +The installation proceeds. + +> [!NOTE] +> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled. + +> [!NOTE] +> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-Time Protection will not be available until the machine is rebooted. 
+ +### Fixing disabled Real-Time Protection + +If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it: + + ![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png) + +You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available: + +```bash +$ mdatp --health +... +realTimeProtectionAvailable : false +realTimeProtectionEnabled : true +... +``` + +> [!NOTE] +> You have a 30 minute window to enable Real-Time Protection from the warning banner, immediately following installation. + +The warning banner contains a **Fix** button, which allows you to quickly enable Real-Time Protection, without having to open a command prompt. Select the **Fix** button. It prompts the **Security & Privacy** system window, where you have to **Allow** system software from developers "Microsoft Corporation". + +If you don't see a prompt, it means that 30 or more minutes have already passed, and Real-Time Protection has still not been enabled: + +![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png) + +In this case, you need to perform the following steps to enable Real-Time Protection instead. + +1. In Terminal, attempt to install the driver. (The operation will fail) + ```bash + $ sudo kextutil /Library/Extensions/wdavkext.kext + Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } + Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } + Diagnostics for /Library/Extensions/wdavkext.kext: + ``` + +2. Open **System Preferences...** > **Security & Privacy** from the menu. (Close it first, if it's opened.) + +3. **Allow** system software from developers "Microsoft Corporation" + +4. In Terminal, install the driver again. 
This time the operation will succeed: + +```bash +$ sudo kextutil /Library/Extensions/wdavkext.kext +``` + +The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available: + +```bash +$ mdatp --health +... +realTimeProtectionAvailable : true +realTimeProtectionEnabled : true +... +``` + +## Client configuration + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the *orgId* attribute is blank. + + ```bash + $ mdatp --health orgId + ``` + +2. Run the Python script to install the configuration file: + + ```bash + $ /usr/bin/python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with your organization and reports a valid *orgId*: + + ```bash + $ mdatp --health orgId + E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` + +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## How to Allow Full Disk Access + +> [!CAUTION] +> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. + +To grant consent, open System Preferences -> Security & Privacy -> Privacy -> Full Disk Access. Click the lock icon to make changes (bottom of the dialog box). Select Microsoft Defender ATP. 
+ +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-ansible.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-ansible.md new file mode 100644 index 0000000000..84088ccd42 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-ansible.md 
@@ -0,0 +1,259 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +ms.reviewer: +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# JAMF-based deployment + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps: +- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +- [Create JAMF policies](#create-jamf-policies) +- [Client device setup](#client-device-setup) +- [Deployment](#deployment) +- [Check onboarding status](#check-onboarding-status) + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. + +In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. 
+ +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > device Management > Onboarding**. +2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_DownloadPackages.png) + +5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: + + ```bash + $ ls -l + total 721160 + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + $ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + ``` + +## Create JAMF policies + +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client devices. + +### Configuration Profile + +The configuration profile contains a custom settings payload that includes: + +- Microsoft Defender ATP for Mac onboarding information +- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver + +To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. 
You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list. + + >[!IMPORTANT] + > You must set the Preference Domain as "com.microsoft.wdav.atp" + +![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) + +### Approved Kernel Extension + +To approve the kernel extension: + +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. + +![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) + +### Privacy Preferences Policy Control + +> [!CAUTION] +> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. +> +> If you previously configured Microsoft Defender ATP through JAMF, we recommend applying the following configuration. + +Add the following JAMF policy to grant Full Disk Access to Microsoft Defender ATP. + +1. Select **Options > Privacy Preferences Policy Control**. +2. Use any identifier and identifier type = Bundle. +3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`. +4. Set app or service to SystemPolicyAllFiles and access to Allow. + +![Privacy Preferences Policy Control](images/MDATP_35_JAMF_PrivacyPreferences.png) + +#### Configuration Profile's Scope + +Configure the appropriate scope to specify the devices that will receive the configuration profile. 
+ +Open **Computers** > **Configuration Profiles**, and select **Scope > Targets**. From there, select the devices you want to target. + +![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) + +Save the **Configuration Profile**. + +Use the **Logs** tab to monitor deployment status for each enrolled device. + +### Package + +1. Create a package in **Settings > Computer Management > Packages**. + + ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) + +2. Upload the package to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, _wdav.pkg_. + +### Policy + +Your policy should contain a single package for Microsoft Defender. + +![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) + +Configure the appropriate scope to specify the computers that will receive this policy. + +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled device. + +## Client device setup + +You'll need no special provisioning for a macOS computer, beyond the standard JAMF Enrollment. + +> [!NOTE] +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). + +1. Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + +![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) +![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) + +After a moment, the device's User Approved MDM status will change to **Yes**. + +![MDM status screenshot](images/MDATP_23_MDMStatus.png) + +You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. 
+ +## Deployment + +Enrolled client devices periodically poll the JAMF Server, and install new configuration profiles and policies as soon as they are detected. + +### Status on the server + +You can monitor deployment status in the **Logs** tab: + +- **Pending** means that the deployment is scheduled but has not yet happened +- **Completed** means that the deployment succeeded and is no longer scheduled + +![Status on server screenshot](images/MDATP_24_StatusOnServer.png) + +### Status on client device + +After the Configuration Profile is deployed, you'll see the profile for the device in **System Preferences** > **Profiles >**. + +![Status on client screenshot](images/MDATP_25_StatusOnClient.png) + +Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner. + +![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +You can monitor policy installation on a device by following the JAMF log file: + +```bash + $ tail -f /var/log/jamf.log + Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. + Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... + Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV + Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. +``` + +You can also check the onboarding status: + +```bash +$ mdatp --health +... +licensed : true +orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45" +... +``` + +- **licensed**: This confirms that the device has an ATP license. + +- **orgid**: Your Microsoft Defender ATP org id; it will be the same for your organization. 
+ +## Check onboarding status + +You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status: + +```bash +$ mdatp --health healthy +``` + +The above command prints "1" if the product is onboarded and functioning as expected. + +If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem: +- 1 if the device is not yet onboarded +- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +This method is based on the script described in [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling). + +### Script + +Create a script in **Settings > Computer Management > Scripts**. + +This script removes Microsoft Defender ATP from the /Applications directory: + +```bash + #!/bin/bash + + echo "Is WDAV installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Uninstalling WDAV..." + rm -rf '/Applications/Microsoft Defender ATP.app' + + echo "Is WDAV still installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Done!" +``` + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +### Policy + +Your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-other-configtool.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-other-configtool.md new file mode 100644 index 0000000000..91a5f56395 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-other-configtool.md 
@@ -0,0 +1,79 @@ +--- +title: Installing Microsoft Defender ATP for Mac with different MDM product +description: Describes how to install Microsoft Defender ATP for Mac on other management solutions. +keywords: microsoft, defender, atp, mac, installation, deploy, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: mavel +author: maximvelichko +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Deployment with a different Mobile Device Management (MDM) system + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +## Prerequisites and system requirements + +Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. + +## Approach + +> [!CAUTION] +> Currently, Microsoft oficially supports only Intune and JAMF for the deployment and management of Microsoft Defender ATP for Mac. Microsoft makes no warranties, express or implied, with respect to the information provided below. + +If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does not mean you are unable to deploy or run Microsoft Defender ATP for Mac. + +Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features: + +- Deploy a macOS .pkg to managed machines. +- Deploy macOS system configuration profiles to managed machines. +- Run an arbitrary admin-configured tool/script on managed machines. + +Most modern MDM solutions include these features, however, they may call them differently. 
+ +You can deploy Defender without the last requirement from the preceding list, however: + +- You will not be able to collect status in a centralized way +- If you decide to uninstall Defender, you will need to logon to the client machine locally as an administrator + +## Deployment + +Most MDM solutions use the same model for managing macOS machines, with similar terminology. Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template. + +### Package + +Configure deployment of a [required application package](microsoft-defender-atp-mac-install-with-jamf.md#package), +with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). + +In order to deploy the package to your enterprise, use the instructions associated with your MDM solution. + +### License settings + +Set up [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile). +Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS. + +Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). +Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. +Alternatively, it may require you to convert the property list to a different format first. + +Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value. 
+MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender uses this file for loading the onboarding information. + +### Kernel extension policy + +Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft. + +## Check installation status + +Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine to check the onboarding status. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md new file mode 100644 index 0000000000..7a0f0c27d6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md 
@@ -0,0 +1,253 @@ +--- +title: Installing Microsoft Defender ATP for Mac with Microsoft Intune +ms.reviewer: +description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Microsoft Intune-based deployment + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps: +- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +- [Client device setup](#client-device-setup) +- [Create System Configuration profiles](#create-system-configuration-profiles) +- [Publish application](#publish-application) + +## Prerequisites and system requirements + +Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Microsoft Defender Security Center: + +1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**. +2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS, or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**. +3. 
In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. +5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos). + + ![Windows Defender Security Center screenshot](images/MDATP_2_DownloadPackages.png) + +6. From a command prompt, verify that you have the three files. + Extract the contents of the .zip files: + + ```bash + $ ls -l + total 721688 + -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + $ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + ``` + +7. Make IntuneAppUtil an executable: + + ```bash + $ chmod +x IntuneAppUtil + ``` + +8. Create the wdav.pkg.intunemac package from wdav.pkg: + + ```bash + $ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" + Microsoft Intune Application Utility for Mac OS X + Version: 1.0.0.0 + Copyright 2018 Microsoft Corporation + + Creating intunemac file for /Users/test/Downloads/wdav.pkg + Composing the intunemac file output + Output written to ./wdav.pkg.intunemac. + + IntuneAppUtil successfully processed "wdav.pkg", + to deploy refer to the product documentation. + ``` + +## Client device setup + +You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp). + +1. 
You are asked to confirm device management. + +![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) + +Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: + +![Management profile screenshot](images/MDATP_4_ManagementProfile.png) + +2. Select **Continue** and complete the enrollment. + +You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. + +3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed: + +![Add Devices screenshot](images/MDATP_5_allDevices.png) + +## Create System Configuration profiles + +1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections. +4. Select **OK**. + + ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) + +5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +6. Repeat steps 1 through 5 for more profiles. +7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file. +8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it. + + > [!CAUTION] + > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. 
+ > + > The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile. + + ```xml + + + + + PayloadDescription + Allows Microsoft Defender to access all files on Catalina+ + PayloadDisplayName + TCC - Microsoft Defender + PayloadIdentifier + com.microsoft.wdav.tcc + PayloadOrganization + Microsoft Corp. + PayloadRemovalDisallowed + + PayloadScope + system + PayloadType + Configuration + PayloadUUID + C234DF2E-DFF6-11E9-B279-001C4299FB44 + PayloadVersion + 1 + PayloadContent + + + PayloadDescription + Allows Microsoft Defender to access all files on Catalina+ + PayloadDisplayName + TCC - Microsoft Defender + PayloadIdentifier + com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44 + PayloadOrganization + Microsoft Corp. + PayloadType + com.apple.TCC.configuration-profile-policy + PayloadUUID + C233A5E6-DFF6-11E9-BDAD-001C4299FB44 + PayloadVersion + 1 + Services + + SystemPolicyAllFiles + + + Allowed + + CodeRequirement + identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 + Comment + Allow SystemPolicyAllFiles control for Microsoft Defender ATP + Identifier + com.microsoft.wdav + IdentifierType + bundleID + + + + + + + + ``` + +9. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. + +Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: + +![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) + +## Publish application + +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. 
Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. + + > [!CAUTION] + > Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) for additional information about how the product is updated. + + ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) + +6. Select **OK** and **Add**. + + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) + +7. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**. + + ![Client apps screenshot](images/MDATP_10_ClientApps.png) + +8. Change **Assignment type** to **Required**. +9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. + + ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) + +10. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**: + + ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) + +## Verify client device state + +1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device. + + ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) + ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) + +2. Verify that the following configuration profiles are present and installed. 
The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune: + ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) + +3. You should also see the Microsoft Defender icon in the top-right corner: + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Troubleshooting + +Issue: No license found + +Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml + +## Logging installation issues + +For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) . + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md new file mode 100644 index 0000000000..80ec6a0f67 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md 
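Review bot: The relative links in the install page that ends just above still target the Mac articles: the *Ignore app version* caution links to `microsoft-defender-atp-mac-updates.md`, and the Logging installation issues and Uninstallation sections link to `microsoft-defender-atp-mac-resources.md`. This patch also adds `microsoft-defender-atp-linux-updates.md` and `microsoft-defender-atp-linux-resources.md`, so point the links at those files; otherwise the Linux page sends readers to the macOS guidance. The body is likewise still the Intune/macOS procedure (wdav.pkg, intune/kext.xml, the TCC Full Disk Access profile, System Preferences). Since the commit is a copy-from-Mac starting point, consider marking the page as a draft until those steps are replaced.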
@@ -0,0 +1,623 @@ +--- +title: Set preferences for Microsoft Defender ATP for Mac +ms.reviewer: +description: Describes how to configure Microsoft Defender ATP for Mac in enterprises. +keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Set preferences for Microsoft Defender ATP for Mac + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +>[!IMPORTANT] +>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise environments. If you are interested in configuring the product on a device from the command-line, please refer to the [Resources](microsoft-defender-atp-mac-resources.md#configuring-from-the-command-line) page. + +In enterprise environments, Microsoft Defender ATP for Mac can be managed through a configuration profile. This profile is deployed from management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile. + +This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions for how to deploy the profile. + +## Configuration profile structure + +The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. 
Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences. + +>[!CAUTION] +>The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune. + +The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections. + +### Antivirus engine preferences + +The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | antivirusEngine | +| **Data type** | Dictionary (nested preference) | +| **Comments** | See the following sections for a description of the dictionary contents. | + +#### Enable / disable real-time protection + +Whether real-time protection (scan files as they are accessed) is enabled or not. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | enableRealTimeProtection | +| **Data type** | Boolean | +| **Possible values** | true (default)
false | + +#### Enable / disable passive mode + +Whether the antivirus engine runs in passive mode or not. In passive mode: +- Real-time protection is turned off +- On-demand scanning is turned on +- Automatic threat remediation is turned off +- Security intelligence updates are turned on +- Status menu icon is hidden + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | passiveMode | +| **Data type** | Boolean | +| **Possible values** | false (default)
true | +| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. | + +#### Scan exclusions + +Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | exclusions | +| **Data type** | Dictionary (nested preference) | +| **Comments** | See the following sections for a description of the dictionary contents. | + +**Type of exclusion** + +Specifies the type of content excluded from the scan. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | $type | +| **Data type** | String | +| **Possible values** | excludedPath
excludedFileExtension
excludedFileName | + +**Path to excluded content** + +Used to exclude content from the scan by full file path. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | path | +| **Data type** | String | +| **Possible values** | valid paths | +| **Comments** | Applicable only if *$type* is *excludedPath* | + +**Path type (file / directory)** + +Indicates if the *path* property refers to a file or directory. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | isDirectory | +| **Data type** | Boolean | +| **Possible values** | false (default)
true | +| **Comments** | Applicable only if *$type* is *excludedPath* | + +**File extension excluded from the scan** + +Used to exclude content from the scan by file extension. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | extension | +| **Data type** | String | +| **Possible values** | valid file extensions | +| **Comments** | Applicable only if *$type* is *excludedFileExtension* | + +**Name of excluded content** + +Used to exclude content from the scan by file name. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | name | +| **Data type** | String | +| **Possible values** | any string | +| **Comments** | Applicable only if *$type* is *excludedFileName* | + +#### Allowed threats + +List of threats (identified by their name) that are not blocked by the product and are instead allowed to run. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | allowedThreats | +| **Data type** | Array of strings | + +#### Threat type settings + +The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | threatTypeSettings | +| **Data type** | Dictionary (nested preference) | +| **Comments** | See the following sections for a description of the dictionary contents. | + +**Threat type** + +Type of the threat for which the behavior is configured. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | key | +| **Data type** | String | +| **Possible values** | potentially_unwanted_application
archive_bomb | + +**Action to take** + +Action to take when coming across a threat of the type specified in the preceding section. Can be: + +- **Audit**: your device is not protected against this type of threat, but an entry about the threat is logged. +- **Block**: your device is protected against this type of threat and you are notified in the user interface and the security console. +- **Off**: your device is not protected against this type of threat and nothing is logged. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | value | +| **Data type** | String | +| **Possible values** | audit (default)
block
off | + +### Cloud delivered protection preferences + +The *cloudService* entry in the configuration profile is used to configure the cloud driven protection feature of the product. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | cloudService | +| **Data type** | Dictionary (nested preference) | +| **Comments** | See the following sections for a description of the dictionary contents. | + +#### Enable / disable cloud delivered protection + +Whether cloud delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | enabled | +| **Data type** | Boolean | +| **Possible values** | true (default)
false | + +#### Diagnostic collection level + +Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | diagnosticLevel | +| **Data type** | String | +| **Possible values** | optional (default)
required | + +#### Enable / disable automatic sample submissions + +Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | automaticSampleSubmission | +| **Data type** | Boolean | +| **Possible values** | true (default)
false | + +### User interface preferences + +The *userInterface* section of the configuration profile is used to manage the preferences of the user interface of the product. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | userInterface | +| **Data type** | Dictionary (nested preference) | +| **Comments** | See the following sections for a description of the dictionary contents. | + +#### Show / hide status menu icon + +Whether the status menu icon (shown in the top-right corner of the screen) is hidden or not. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | hideStatusMenuIcon | +| **Data type** | Boolean | +| **Possible values** | false (default)
true | + +## Recommended configuration profile + +To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides. + +The following configuration profile will: +- Enable real-time protection (RTP) +- Specify how the following threat types are handled: + - **Potentially unwanted applications (PUA)** are blocked + - **Archive bombs** (file with a high compression rate) are audited to the product logs +- Enable cloud delivered protection +- Enable automatic sample submission + +### JAMF profile + +```XML + + + + + antivirusEngine + + enableRealTimeProtection + + threatTypeSettings + + + key + potentially_unwanted_application + value + block + + + key + archive_bomb + value + audit + + + + cloudService + + enabled + + automaticSampleSubmission + + + + +``` + +### Intune profile + +```XML + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + antivirusEngine + + enableRealTimeProtection + + threatTypeSettings + + + key + potentially_unwanted_application + value + block + + + key + archive_bomb + value + audit + + + + cloudService + + enabled + + automaticSampleSubmission + + + + + + +``` + +## Full configuration profile example + +The following configuration profile contains entries for all settings described in this document and can 
be used for more advanced scenarios where you want more control over the product. + +### JAMF profile + +```XML + + + + + antivirusEngine + + enableRealTimeProtection + + passiveMode + + exclusions + + + $type + excludedPath + isDirectory + + path + /var/log/system.log + + + $type + excludedPath + isDirectory + + path + /home + + + $type + excludedFileExtension + extension + pdf + + + allowedThreats + + EICAR-Test-File (not a virus) + + threatTypeSettings + + + key + potentially_unwanted_application + value + block + + + key + archive_bomb + value + audit + + + + cloudService + + enabled + + diagnosticLevel + optional + automaticSampleSubmission + + + userInterface + + hideStatusMenuIcon + + + + +``` + +### Intune profile + +```XML + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + antivirusEngine + + enableRealTimeProtection + + passiveMode + + exclusions + + + $type + excludedPath + isDirectory + + path + /var/log/system.log + + + $type + excludedPath + isDirectory + + path + /home + + + $type + excludedFileExtension + extension + pdf + + + allowedThreats + + EICAR-Test-File (not a virus) + + threatTypeSettings + + + key + potentially_unwanted_application + value + block + + + key + archive_bomb + value + audit + + + + cloudService + + enabled + + diagnosticLevel + optional + 
automaticSampleSubmission + + + userInterface + + hideStatusMenuIcon + + + + + + +``` + +## Configuration profile deployment + +Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune. + +### JAMF deployment + +From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with *com.microsoft.wdav* as the preference domain and upload the .plist produced earlier. + +>[!CAUTION] +>You must enter the correct preference domain (*com.microsoft.wdav*), otherwise the preferences will not be recognized by the product. + +### Intune deployment + +1. Open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**. + +2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select Configure. + +3. Save the .plist produced earlier as **com.microsoft.wdav.xml**. + +4. Enter **com.microsoft.wdav** as the **custom configuration profile name**. + +5. Open the configuration profile and upload **com.microsoft.wdav.xml**. This file was created in step 3. + +6. Select **OK**. + +7. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. + +>[!CAUTION] +>You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product. + +## Resources + +- [Configuration Profile Reference (Apple developer documentation)](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) 
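Review bot: The full configuration profile example, in both its JAMF and Intune blocks, carries an `excludedPath` entry with path `/home` and an `excludedFileExtension` entry for `pdf`, plus `EICAR-Test-File (not a virus)` under `allowedThreats`. In a file named for Linux, `/home` is where user home directories conventionally live, so an administrator who deploys the sample unchanged risks excluding every user's files from scanning. Suggest replacing these with clearly hypothetical values (a single application directory, an uncommon extension) and adding a sentence that exclusions and allowed threats reduce protection and should be trimmed before deployment. The title, `keywords`, the **Applies to** link and the JAMF/Intune deployment sections in this file also still describe the Mac product.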
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md new file mode 100644 index 0000000000..0c56970e6f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md 
@@ -0,0 +1,277 @@ +--- +title: Privacy for Microsoft Defender ATP for Mac +ms.reviewer: +description: Describes privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, privacy, diagnostic +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Privacy for Microsoft Defender ATP for Mac + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Mac. + +This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected. + +## Overview of privacy controls in Microsoft Defender ATP for Mac + +This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Mac. + +### Diagnostic data + +Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. + +Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations. 
+ +There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from: + +* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device it’s installed on. + +* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues. + +By default, both optional and required diagnostic data are sent to Microsoft. + +### Cloud delivered protection data + +Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud. + +Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network. + +### Sample data + +Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional. + +When this feature is enabled and the sample that is collected is likely to contain personal information, the user is prompted for consent. + +## Manage privacy controls with policy settings + +If you're an IT administrator, you might want to configure these controls at the enterprise level. + +The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md). + +As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization. 
+ +## Diagnostic data events + +This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected. + +### Data fields that are common for all events +There is some information about events that is common to all events, regardless of category or data subtype. + +The following fields are considered common for all events: + +| Field | Description | +| ----------------------- | ----------- | +| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. | +| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | +| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | +| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. | +| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | +| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. | +| app_version | Version of the Microsoft Defender ATP for Mac application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| +| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. 
| +| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. | +| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. | + + +### Required diagnostic data + +**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device it’s installed on. + +Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced. + +#### Software setup and inventory data events + +**Microsoft Defender ATP installation / uninstallation** + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| correlation_id | Unique identifier associated with the installation. | +| version | Version of the package. | +| severity | Severity of the message (for example Informational). | +| code | Code that describes the operation. | +| text | Additional information associated with the product installation. 
| + +**Microsoft Defender ATP configuration** + +The following fields are collected: + +| Field | Description | +| --------------------------------------------------- | ----------- | +| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. | +| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. | +| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. | +| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. | +| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. | +| cloud_service.service_uri | URI used to communicate with the cloud. | +| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). | +| cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. | +| edr.early_preview | Whether the machine should run EDR early preview features. | +| edr.group_id | Group identifier used by the detection and response component. | +| edr.tags | User-defined tags. | +| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. | + +#### Product and service performance data events + +**Kernel extension statistics** + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| version | Version of Microsoft Defender ATP for Mac. | +| instance_id | Unique identifier generated on kernel extension startup. | +| trace_level | Trace level of the kernel extension. | +| ipc.connects | Number of connection requests received by the kernel extension. | +| ipc.rejects | Number of connection requests rejected by the kernel extension. | +| ipc.connected | Whether there is any active connection to the kernel extension. 
| + +#### Support data + +**Diagnostic logs** + +Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs: + +- All files under */Library/Logs/Microsoft/mdatp/* +- Subset of files under */Library/Application Support/Microsoft/Defender/* that are created and used by Microsoft Defender ATP for Mac +- Subset of files under */Library/Managed Preferences* that are used by Microsoft Defender ATP for Mac +- /Library/Logs/Microsoft/autoupdate.log +- $HOME/Library/Preferences/com.microsoft.autoupdate2.plist + +### Optional diagnostic data + +**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues. + +If you choose to send us optional diagnostic data, required diagnostic data is also included. + +Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product). + +#### Software setup and inventory data events + +**Microsoft Defender ATP configuration** + +The following fields are collected: + +| Field | Description | +| -------------------------------------------------- | ----------- | +| connection_retry_timeout | Connection retry time out when communication with the cloud. | +| file_hash_cache_maximum | Size of the product cache. | +| crash_upload_daily_limit | Limit of crash logs uploaded daily. | +| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. | +| antivirus_engine.exclusions[].path | Path that was excluded from scanning. | +| antivirus_engine.exclusions[].extension | Extension excluded from scanning. | +| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. 
| +| antivirus_engine.scan_cache_maximum | Size of the product cache. | +| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. | +| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. | +| filesystem_scanner.full_scan_directory | Full scan directory. | +| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. | +| edr.latency_mode | Latency mode used by the detection and response component. | +| edr.proxy_address | Proxy address used by the detection and response component. | + +**Microsoft Auto-Update configuration** + +The following fields are collected: + +| Field | Description | +| --------------------------- | ----------- | +| how_to_check | Determines how product updates are checked (for example automatic or manual). | +| channel_name | Update channel associated with the device. | +| manifest_server | Server used for downloading updates. | +| update_cache | Location of the cache used to store updates. | + +### Product and service usage + +#### Diagnostic log upload started report + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| sha256 | SHA256 identifier of the support log. | +| size | Size of the support log. | +| original_path | Path to the support log (always under */Library/Application Support/Microsoft/Defender/wdavdiag/*). | +| format | Format of the support log. | + +#### Diagnostic log upload completed report + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| request_id | Correlation ID for the support log upload request. | +| sha256 | SHA256 identifier of the support log. | +| blob_sas_uri | URI used by the application to upload the support log. 
| + +#### Product and service performance data events + +**Unexpected application exit (crash)** + +Unexpected application exits and the state of the application when that happens. + +**Kernel extension statistics** + +The following fields are collected: + +| Field | Description | +| ------------------------------ | ----------- | +| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. | +| pkt_ack_conn_timeout | | +| ipc.ack_pkts | | +| ipc.nack_pkts | | +| ipc.send.ack_no_conn | | +| ipc.send.nack_no_conn | | +| ipc.send.ack_no_qsq | | +| ipc.send.nack_no_qsq | | +| ipc.ack.no_space | | +| ipc.ack.timeout | | +| ipc.ack.ackd_fast | | +| ipc.ack.ackd | | +| ipc.recv.bad_pkt_len | | +| ipc.recv.bad_reply_len | | +| ipc.recv.no_waiter | | +| ipc.recv.copy_failed | | +| ipc.kauth.vnode.mask | | +| ipc.kauth.vnode.read | | +| ipc.kauth.vnode.write | | +| ipc.kauth.vnode.exec | | +| ipc.kauth.vnode.del | | +| ipc.kauth.vnode.read_attr | | +| ipc.kauth.vnode.write_attr | | +| ipc.kauth.vnode.read_ex_attr | | +| ipc.kauth.vnode.write_ex_attr | | +| ipc.kauth.vnode.read_sec | | +| ipc.kauth.vnode.write_sec | | +| ipc.kauth.vnode.take_own | | +| ipc.kauth.vnode.denied | | +| ipc.kauth.file_op.mask | | +| ipc.kauth_file_op.open | | +| ipc.kauth.file_op.close | | +| ipc.kauth.file_op.close_modified | | +| ipc.kauth.file_op.move | | +| ipc.kauth.file_op.link | | +| ipc.kauth.file_op.exec | | +| ipc.kauth.file_op.remove | | +| ipc.kauth.file_op.fork | | +| ipc.kauth.file_op.create | | + +## Resources + +- [Privacy at Microsoft](https://privacy.microsoft.com/) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md new file mode 100644 index 0000000000..2696590c99 --- /dev/null 
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md 
@@ -0,0 +1,66 @@ +--- +title: Detect and block potentially unwanted applications +ms.reviewer: +description: Describes how to detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, pua, pus +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Detect and block potentially unwanted applications + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Mac can detect and block PUA files on endpoints in your network. + +These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. + +These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. + +## How it works + +Microsoft Defender ATP for Mac can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. + +When a PUA is detected on an endpoint, Microsoft Defender ATP for Mac presents a notification to the user, unless notifications have been disabled. The threat name will contain the word "Application". + +## Configure PUA protection + +PUA protection in Microsoft Defender ATP for Mac can be configured in one of the following ways: + +- **Off**: PUA protection is disabled. 
+- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No notification is presented to the user and no action is taken by the product. +- **Block**: PUA files are reported in the product logs and in Microsoft Defender Security Center. The user is presented with a notification and action is taken by the product. + +>[!WARNING] +>By default, PUA protection is configured in **Audit** mode. + +You can configure how PUA files are handled from the command line or from the management console. + +### Use the command-line tool to configure PUA protection: + +In Terminal, execute the following command to configure PUA protection: + +```bash +$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block] +``` + +### Use the management console to configure PUA protection: + +In your enterprise, you can configure PUA protection from a management console, such as JAMF or Intune, similarly to how other product settings are configured. For more information, see the [Threat type settings](microsoft-defender-atp-mac-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md) topic. + +## Related topics + +- [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md new file mode 100644 index 0000000000..2f67653ec0 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md 
@@ -0,0 +1,118 @@ +--- +title: Microsoft Defender ATP for Mac Resources +ms.reviewer: +description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Resources + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +## Collecting diagnostic information + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1. Increase logging level: + + ```bash + $ mdatp --log-level verbose + Creating connection to daemon + Connection established + Operation succeeded + ``` + +2. Reproduce the problem + +3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds. + + ```bash + $ sudo mdatp --diagnostic --create + Creating connection to daemon + Connection established + ``` + +4. Restore logging level: + + ```bash + $ mdatp --log-level info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +## Logging installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. 
If you experience issues during installation, send us this file so we can help diagnose the cause. + +## Uninstalling + +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. + +### Interactive uninstallation + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +### From the command line + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +## Configuring from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp --scan --path [path]` | +|Protection |Do a quick scan |`mdatp --scan --quick` | +|Protection |Do a full scan 
|`mdatp --scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | +|Protection |Request a security intelligence update |`mdatp --definition-update` | + +## Microsoft Defender ATP portal information + +In the Microsoft Defender ATP portal, you'll see two categories of information: + +- Antivirus alerts, including: + - Severity + - Scan type + - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) + - File information (name, path, size, and hash) + - Threat information (name, type, and state) +- Device information, including: + - Machine identifier + - Tenant identifier + - App version + - Hostname + - OS type + - OS version + - Computer model + - Processor architecture + - Whether the device is a virtual machine diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md new file mode 100644 index 0000000000..50267f26bb --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md 
@@ -0,0 +1,219 @@ +--- +title: Deploy updates for Microsoft Defender ATP for Mac +ms.reviewer: +description: Describes how to control updates for Microsoft Defender ATP for Mac in enterprise environments. +keywords: microsoft, defender, atp, mac, updates, deploy +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Deploy updates for Microsoft Defender ATP for Mac + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. + +To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually. + +![MAU screenshot](images/MDATP_34_MAU.png) + +If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization. + +## Use msupdate + +MAU includes a command-line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate). + +In MAU, the application identifier for Microsoft Defender ATP for Mac is *WDAV00*. 
To download and install the latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window: + +``` +./msupdate --install --apps wdav00 +``` + +## Set preferences for Microsoft AutoUpdate + +This section describes the most common preferences that can be used to configure MAU. These settings can be deployed as a configuration profile through the management console that your enterprise is using. An example of a configuration profile is shown in the following sections. + +### Set the channel name + +The channel determines the type and frequency of updates that are offered through MAU. Devices in `InsiderFast` (corresponding to the Insider Fast channel) can try out new features before devices in `External` (corresponding to the Insider Slow channel) and `Production`. + +The `Production` channel contains the most stable version of the product. + +>[!TIP] +>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `InsiderFast` or `External`. + +||| +|:---|:---| +| **Domain** | com.microsoft.autoupdate2 | +| **Key** | ChannelName | +| **Data type** | String | +| **Possible values** | InsiderFast
External
Production | + +### Set update check frequency + +Change how often MAU searches for updates. + +||| +|:---|:---| +| **Domain** | com.microsoft.autoupdate2 | +| **Key** | UpdateCheckFrequency | +| **Data type** | Integer | +| **Default value** | 720 (minutes) | +| **Comment** | This value is set in minutes. | + +### Change how MAU interacts with updates + +Change how MAU searches for updates. + +||| +|:---|:---| +| **Domain** | com.microsoft.autoupdate2 | +| **Key** | HowToCheck | +| **Data type** | String | +| **Possible values** | Manual
AutomaticCheck
AutomaticDownload | +| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. | + +### Change whether the "Check for Updates" button is enabled + +Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface. + +||| +|:---|:---| +| **Domain** | com.microsoft.autoupdate2 | +| **Key** | EnableCheckForUpdatesButton | +| **Data type** | Boolean | +| **Possible values** | True (default)
False | + +### Disable Insider checkbox + +Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users. + +||| +|:---|:---| +| **Domain** | com.microsoft.autoupdate2 | +| **Key** | DisableInsiderCheckbox | +| **Data type** | Boolean | +| **Possible values** | False (default)
True | + +### Limit the telemetry that is sent from MAU + +Set to false to send minimal heartbeat data, no application usage, and no environment details. + +||| +|:---|:---| +| **Domain** | com.microsoft.autoupdate2 | +| **Key** | SendAllTelemetryEnabled | +| **Data type** | Boolean | +| **Possible values** | True (default)
False | + +## Example configuration profile + +The following configuration profile is used to: +- Place the device in the Insider Fast channel +- Automatically download and install updates +- Enable the "Check for updates" button in the user interface +- Allow users on the device to enroll into the Insider channels + +### JAMF + +```XML + + + + + ChannelName + InsiderFast + HowToCheck + AutomaticDownload + EnableCheckForUpdatesButton + + DisableInsiderCheckbox + + SendAllTelemetryEnabled + + + +``` + +### Intune + +```XML + + + + + PayloadUUID + B762FF60-6ACB-4A72-9E72-459D00C936F3 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.autoupdate2 + PayloadDisplayName + Microsoft AutoUpdate settings + PayloadDescription + Microsoft AutoUpdate configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 5A6F350A-CC2C-440B-A074-68E3F34EBAE9 + PayloadType + com.microsoft.autoupdate2 + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.autoupdate2 + PayloadDisplayName + Microsoft AutoUpdate configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + ChannelName + InsiderFast + HowToCheck + AutomaticDownload + EnableCheckForUpdatesButton + + DisableInsiderCheckbox + + SendAllTelemetryEnabled + + + + + +``` + +To configure MAU, you can deploy this configuration profile from the management tool that your enterprise is using: +- From JAMF, upload this configuration profile and set the Preference Domain to *com.microsoft.autoupdate2*. +- From Intune, upload this configuration profile and set the custom configuration profile name to *com.microsoft.autoupdate2*. + +## Resources + +- [msupdate reference](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate) \ No newline at end of file 
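Review bot: the new microsoft-defender-atp-linux-updates.md still documents the macOS update path from top to bottom (title "Deploy updates for Microsoft Defender ATP for Mac", `./msupdate --install --apps wdav00`, the com.microsoft.autoupdate2 preference domain, JAMF and Intune profiles, links to microsoft-defender-atp-mac.md). Nothing in this hunk tells a Linux administrator how to keep the agent patched, so either replace the body with the Linux update procedure or hold the file back until that procedure exists. Separately, the intro says MAU "automatically checks for updates daily" while the UpdateCheckFrequency table gives a default of 720 (minutes), which is 12 hours; one of the two needs correcting.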
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md new file mode 100644 index 0000000000..f87f5332c7 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md 
@@ -0,0 +1,113 @@ +--- +title: Microsoft Defender ATP for Mac +ms.reviewer: +description: Describes how to install and use Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Microsoft Defender Advanced Threat Protection for Mac + +This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac. + +> [!CAUTION] +> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects. + +## What’s new in the latest release + +[What's new](microsoft-defender-atp-mac-whatsnew.md) + +If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**. + +## How to install Microsoft Defender ATP for Mac + +### Prerequisites + +- Access to the Microsoft Defender Security Center portal +- Beginner-level experience in macOS and BASH scripting +- Administrative privileges on the device (in case of manual deployment) + +### System requirements + +> [!CAUTION] +> The three most recent major releases of macOS are supported. Beta versions of macOS are not supported. + +- Supported macOS versions: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) +- Disk space: 650 MB + +After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. + +The following table lists the services and their associated URLs that your network must be able to connect to. 
You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. + +| Service location | DNS record | +| ---------------------------------------- | ----------------------- | +| Common URLs for all locations | x.cp.wd.microsoft.com
cdn.x.cp.wd.microsoft.com
eu-cdn.x.cp.wd.microsoft.com
wu-cdn.x.cp.wd.microsoft.com
*.blob.core.windows.net
officecdn-microsoft-com.akamaized.net | +| European Union | europe.x.cp.wd.microsoft.com | +| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com | +| United States | unitedstates.x.cp.wd.microsoft.com | + +Microsoft Defender ATP can discover a proxy server by using the following discovery methods: +- Web Proxy Auto-discovery Protocol (WPAD) +- Manual static proxy configuration + +If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. + +To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser. + +If you prefer the command line, you can also check the connection by running the following command in Terminal: + +```bash +$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' +``` + +The output from this command should be similar to the following: + +> `OK https://x.cp.wd.microsoft.com/api/report` +> +> `OK https://cdn.x.cp.wd.microsoft.com/ping` + +> [!CAUTION] +> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default. + +### Installation instructions + +There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. 
+ +In general you need to take the following steps: + +- Ensure that you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal +- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + - Via third-party management tools: + - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md) + - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) + - [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md) + - Via the command-line tool: + - [Manual deployment](microsoft-defender-atp-mac-install-manually.md) + +## How to update Microsoft Defender ATP for Mac + +Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. + +To read more on how to configure MAU in enterprise environments, refer to [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) + +## How to configure Microsoft Defender ATP for Mac + +Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md). + +## Resources + +- For more information about logging, uninstalling, or other topics, see the [Resources](microsoft-defender-atp-mac-resources.md) page. + +- [Privacy for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-privacy.md) From 9e19ea28af8c96d07364ecb8b6819d8ed40fd72f Mon Sep 17 00:00:00 2001 From: Amrut Kale Date: Mon, 21 Oct 2019 10:53:14 +0530 Subject: [PATCH 02/17] Updated overview section for Linux Updated overview section for Linux --- .../microsoft-defender-atp-linux.md | 70 +++++++++---------- 1 file changed, 35 insertions(+), 35 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md index f87f5332c7..2a1e938b11 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md @@ -1,8 +1,8 @@ --- -title: Microsoft Defender ATP for Mac +title: Microsoft Defender ATP for Linux ms.reviewer: -description: Describes how to install and use Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +description: Describes how to install and use Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
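Review bot: in the new `keywords:` line, `edhat` looks like a typo for `redhat`, and `linux` appears twice (after `atp` and again after `ansible`). Suggest `... puppet, ansible, redhat, ubuntu, debian, ...` with the duplicate dropped. The list also advertises `sles, suse`, which the supported-distributions bullet added later in this patch (RHEL 7, Oracle 7, CentOS 7, Ubuntu 16 and 18, Debian 9) does not include; align the two.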
@@ -18,34 +18,33 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Defender Advanced Threat Protection for Mac +# Microsoft Defender Advanced Threat Protection for Linux -This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac. +This topic describes how to install, configure, update, and use Microsoft Defender ATP for Linux. > [!CAUTION] -> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects. +> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to lead to performance problems and unpredictable side effects. + +> [!NOTE] +>How would users give us feedback? +> **TODO:** Should we add atp --feedback "Feedback" that will send the feedback to us / OCV. I am keeping the original line for reference. +> +> If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**. -## What’s new in the latest release - -[What's new](microsoft-defender-atp-mac-whatsnew.md) - -If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**. - -## How to install Microsoft Defender ATP for Mac +## How to install Microsoft Defender ATP for Linux ### Prerequisites - Access to the Microsoft Defender Security Center portal -- Beginner-level experience in macOS and BASH scripting +- Beginner-level experience in Linux and BASH scripting - Administrative privileges on the device (in case of manual deployment) ### System requirements -> [!CAUTION] -> The three most recent major releases of macOS are supported. Beta versions of macOS are not supported. 
- -- Supported macOS versions: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) -- Disk space: 650 MB +- Supported Linux distributions and versions: RHEL 7, Oracle 7, CentOS 7, Ubuntu 16 and 18, Debian 9 +- Disk space: 650 MB. +> [!NOTE] +>**TODO**: Verify this After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. @@ -58,6 +57,9 @@ The following table lists the services and their associated URLs that your netwo | United Kingdom | unitedkingdom.x.cp.wd.microsoft.com | | United States | unitedstates.x.cp.wd.microsoft.com | +>[!NOTE] +> **TODO:** Verify the proxy paragraph + Microsoft Defender ATP can discover a proxy server by using the following discovery methods: - Web Proxy Auto-discovery Protocol (WPAD) - Manual static proxy configuration 
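Review bot: the added `[!NOTE]` containing "**TODO:** Verify the proxy paragraph" will render as visible text in a published page, and the paragraph it flags (WPAD and manual static proxy discovery) is carried over unchanged from the Mac article. Confirm which proxy discovery methods the Linux agent supports, update the list, and remove the TODO; if it has to stay for now, track it in the PR description or an issue instead of the rendered page. The same applies to the TODO notes added in the previous hunk (feedback channel, "Disk space: 650 MB.").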
@@ -78,36 +80,34 @@ The output from this command should be similar to the following: > > `OK https://cdn.x.cp.wd.microsoft.com/ping` -> [!CAUTION] -> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default. - ### Installation instructions -There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux. In general you need to take the following steps: - Ensure that you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal -- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: +- Deploy Microsoft Defender ATP for Linux using one of the following deployment methods: - Via third-party management tools: - - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md) - - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) - - [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md) + - [Deploy using Puppet configuration management tool](microsoft-defender-atp-linux-install-with-puppet.md) + - [Deploy using Ansbile configuration management tool](microsoft-defender-atp-linux-install-with-ansible.md) + - [Other configuration management tools](microsoft-defender-atp-linux-install-with-other-configtool.md) - Via the command-line tool: - - [Manual deployment](microsoft-defender-atp-mac-install-manually.md) + - [Manual deployment](microsoft-defender-atp-linux-install-manually.md) -## How to update Microsoft Defender ATP for Mac +## How to update Microsoft Defender ATP for Linux -Microsoft regularly publishes software updates to improve performance, security, and to deliver 
new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. +>[!NOTE] +> **TODO:** Upgrade story is not very clear right now! -To read more on how to configure MAU in enterprise environments, refer to [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) +Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-updates.md) -## How to configure Microsoft Defender ATP for Mac +## How to configure Microsoft Defender ATP for Linux -Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md). +Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-preferences.md). ## Resources -- For more information about logging, uninstalling, or other topics, see the [Resources](microsoft-defender-atp-mac-resources.md) page. +- For more information about logging, uninstalling, or other topics, see the [Resources](microsoft-defender-atp-linux-resources.md) page. -- [Privacy for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-privacy.md) +- [Privacy for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-privacy.md) From 4b130022ee3f552aa42b364ab15135f622b63cc1 Mon Sep 17 00:00:00 2001 From: Amrut Kale Date: Mon, 21 Oct 2019 13:41:01 +0530 Subject: [PATCH 03/17] Updated manual install steps for Linux Updated manual install steps for Linux --- ...oft-defender-atp-linux-install-manually.md | 141 +++++------------- 1 file changed, 41 insertions(+), 100 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md index bed05f108c..490b35ec75 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md @@ -1,8 +1,8 @@ --- -title: Installing Microsoft Defender ATP for Mac manually +title: Installing Microsoft Defender ATP for Linux manually ms.reviewer: -description: Describes how to install Microsoft Defender ATP for Mac manually, from the command line. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +description: Describes how to install Microsoft Defender ATP for Linux manually, from the command line. +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -22,36 +22,43 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) -This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps: -- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +This topic describes how to deploy Microsoft Defender ATP for Linux manually. A successful deployment requires the completion of all of the following steps: + +- [Configure Microsoft's Linux Software Repository](#configure-microsoft's-linux-software-repository) +- [Download onboarding packages](#download-onboarding-package) - [Application installation](#application-installation) - [Client configuration](#client-configuration) ## Prerequisites and system requirements -Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. -## Download installation and onboarding packages +## Configure Microsoft's Linux Software Repository -Download the installation and onboarding packages from Windows Defender Security Center: +Follow the steps given in [Configure Microsoft's Linux Software Repository](https://docs.microsoft.com/en-us/windows-server/administration/linux-package-repository-for-microsoft-software) to setup the repository. 
+ +> [!NOTE] +> **TODO:** Use a forward link for above instead of URL + +## Download onboarding package + +Download the onboarding package from Windows Defender Security Center: 1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. 2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +3. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_page.png) -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: +4. From a command prompt, verify that you have the file. + Extract the contents of the .zip file: ```bash $ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + total 8 + -rw-r--r-- 1 test staff 6287 Oct 21 11:22 WindowsDefenderATPOnboardingPackage.zip $ unzip WindowsDefenderATPOnboardingPackage.zip Archive: WindowsDefenderATPOnboardingPackage.zip inflating: WindowsDefenderATPOnboarding.py 
@@ -61,89 +68,24 @@ Download the installation and onboarding packages from Windows Defender Security To complete this process, you must have admin privileges on the machine. -1. Navigate to the downloaded wdav.pkg in Finder and open it. +1. Install Microsoft Defender ATP for Linux - ![App install screenshot](images/MDATP_28_AppInstall.png) + - ### Enterprise Linux (RHEL and variants) -2. Select **Continue**, agree with the License terms, and enter the password when prompted. - - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) - - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - - ![App install screenshot](images/MDATP_30_SystemExtension.png) - -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: - - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - -The installation proceeds. - -> [!NOTE] -> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled. - -> [!NOTE] -> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-Time Protection will not be available until the machine is rebooted. - -### Fixing disabled Real-Time Protection - -If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it: - - ![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png) - -You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available: - -```bash -$ mdatp --health -... -realTimeProtectionAvailable : false -realTimeProtectionEnabled : true -... 
-``` - -> [!NOTE] -> You have a 30 minute window to enable Real-Time Protection from the warning banner, immediately following installation. - -The warning banner contains a **Fix** button, which allows you to quickly enable Real-Time Protection, without having to open a command prompt. Select the **Fix** button. It prompts the **Security & Privacy** system window, where you have to **Allow** system software from developers "Microsoft Corporation". - -If you don't see a prompt, it means that 30 or more minutes have already passed, and Real-Time Protection has still not been enabled: - -![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png) - -In this case, you need to perform the following steps to enable Real-Time Protection instead. - -1. In Terminal, attempt to install the driver. (The operation will fail) ```bash - $ sudo kextutil /Library/Extensions/wdavkext.kext - Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } - Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } - Diagnostics for /Library/Extensions/wdavkext.kext: + sudo yum install mdatp ``` -2. Open **System Preferences...** > **Security & Privacy** from the menu. (Close it first, if it's opened.) + - ### Ubuntu and Debian systems -3. **Allow** system software from developers "Microsoft Corporation" + ```bash + sudo apt-get install mdatp + ``` -4. In Terminal, install the driver again. This time the operation will succeed: - -```bash -$ sudo kextutil /Library/Extensions/wdavkext.kext -``` - -The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available: - -```bash -$ mdatp --health -... -realTimeProtectionAvailable : true -realTimeProtectionEnabled : true -... 
-``` ## Client configuration -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. +1. Copy WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Linux. The client machine is not associated with orgId. Note that the *orgId* attribute is blank. @@ -155,8 +97,10 @@ realTimeProtectionEnabled : true ```bash $ /usr/bin/python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudo password) ``` +> [!NOTE] +> **TODO:** update the path associated with Generating ... 3. Verify that the machine is now associated with your organization and reports a valid *orgId*: 
@@ -165,21 +109,18 @@ realTimeProtectionEnabled : true E6875323-A6C0-4C60-87AD-114BBE7439B8 ``` -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. +After installation, you'll see the status by running the following command: - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +```bash +mdatp --health +``` -## How to Allow Full Disk Access - -> [!CAUTION] -> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. - -To grant consent, open System Preferences -> Security & Privacy -> Privacy -> Full Disk Access. Click the lock icon to make changes (bottom of the dialog box). Select Microsoft Defender ATP. +**TODO:** Add step to verify ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-linux-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. +See [Uninstalling](microsoft-defender-atp-linux-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Linux from client devices. From bb622651e1495549c4232f1b04165c8b25179a8c Mon Sep 17 00:00:00 2001 
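Review bot: In the `@@ -78,36 +80,34 @@` hunk (the "Installation instructions" list), the new Ansible link text is misspelled: `[Deploy using Ansbile configuration management tool]` should read "Ansible". The same hunk adds `**TODO:** Upgrade story is not very clear right now!` under "How to update", which will render on the published page. Replace it with the actual update guidance or track it outside the document before merge.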
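Review bot: In the `@@ -22,36 +22,43 @@` hunk of microsoft-defender-atp-linux-install-manually.md, the in-page link `#configure-microsoft's-linux-software-repository` keeps the apostrophe from the heading. Generated heading anchors normally drop punctuation, so this link is likely dead; check the rendered anchor and link to that. Step 3 also still says to save the onboarding package "to the same directory", but the step that established that directory (saving wdav.pkg) was removed, so name the directory explicitly.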
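Review bot: The install step added in the `@@ -61,89 +68,24 @@` hunk covers only `sudo yum install mdatp` and `sudo apt-get install mdatp`, while the keywords added to this file list sles and suse. Either add the SLES/SUSE command or drop those distributions from the metadata. The two distribution labels are written as headings inside list bullets (`- ### Enterprise Linux (RHEL and variants)`), which is unlikely to render as intended; bold labels would be safer. The hunk also deletes the whole `realTimeProtectionAvailable` / `realTimeProtectionEnabled` check without a Linux equivalent, so the page no longer tells the reader how to confirm that real-time protection is active after install.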
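Review bot: The sample output in the `@@ -155,8 +97,10 @@` hunk still prints the macOS path `/Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist`, and the added `**TODO:** update the path associated with Generating ...` ships that gap to readers instead of closing it. Replace the line with what the onboarding script prints on a Linux host. Also confirm the `/usr/bin/python` invocation in the context line above it, since a Linux host may provide only `python3`.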
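Review bot: The `@@ -165,21 +109,18 @@` hunk ends the verification section with a bare `**TODO:** Add step to verify`, and the added `mdatp --health` block shows no expected output, so a reader cannot tell a working install from a broken one. Show the expected output, state which values indicate that onboarding succeeded, and remove the TODO.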
From: Amrut Kale Date: Mon, 21 Oct 2019 16:56:13 +0530 Subject: [PATCH 04/17] Update preferences section Update preferences section and minor corrections to manual installation document --- ...oft-defender-atp-linux-install-manually.md | 15 +- ...icrosoft-defender-atp-linux-preferences.md | 447 ++++-------------- 2 files changed, 88 insertions(+), 374 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md index 490b35ec75..30fbaa6c7a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md @@ -40,7 +40,8 @@ Before you get started, see [the main Microsoft Defender ATP for Linux page](mic Follow the steps given in [Configure Microsoft's Linux Software Repository](https://docs.microsoft.com/en-us/windows-server/administration/linux-package-repository-for-microsoft-software) to setup the repository. > [!NOTE] -> **TODO:** Use a forward link for above instead of URL +> * **TODO:** Use a forward link for above instead of URL +> * I am assuming that ring 0 customers will download the onboarding package from ATP portal ## Download onboarding package 
@@ -97,10 +98,10 @@ To complete this process, you must have admin privileges on the machine. ```bash $ /usr/bin/python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudo password) + Generating /etc/opt/microsoft/mdatp/mdatp_onboard.json ... (You may be required to enter sudo password) ``` > [!NOTE] -> **TODO:** update the path associated with Generating ... +> **TODO:** verify the path associated with above command. 3. Verify that the machine is now associated with your organization and reports a valid *orgId*: @@ -109,13 +110,15 @@ To complete this process, you must have admin privileges on the machine. E6875323-A6C0-4C60-87AD-114BBE7439B8 ``` -After installation, you'll see the status by running the following command: +After installation, you can see the status by running the following command: ```bash -mdatp --health +$ mdatp --health healthy +1 ``` -**TODO:** Add step to verify +> [!NOTE] +> **TODO:** Should we add eicar detection step? ## Logging installation issues diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md index 80ec6a0f67..9894750faa 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md 
@@ -1,8 +1,8 @@ --- -title: Set preferences for Microsoft Defender ATP for Mac +title: Set preferences for Microsoft Defender ATP for Linux ms.reviewer: -description: Describes how to configure Microsoft Defender ATP for Mac in enterprises. -keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, mojave, high sierra, sierra +description: Describes how to configure Microsoft Defender ATP for Linux in enterprises. +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -18,28 +18,31 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Set preferences for Microsoft Defender ATP for Mac +# Set preferences for Microsoft Defender ATP for Linux **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) >[!IMPORTANT] ->This topic contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise environments. If you are interested in configuring the product on a device from the command-line, please refer to the [Resources](microsoft-defender-atp-mac-resources.md#configuring-from-the-command-line) page. +>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, please refer to the [Resources](microsoft-defender-atp-linux-resources.md#configuring-from-the-command-line) page. -In enterprise environments, Microsoft Defender ATP for Mac can be managed through a configuration profile. This profile is deployed from management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile. +In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile. 
This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions for how to deploy the profile. ## Configuration profile structure -The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences. - ->[!CAUTION] ->The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune. +The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences. The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections. +>[!NOTE] +> **TODO:** +> * Should Domain be removed from all the entries below? +> * Should we add path to wdavcfg? +> * Verify each of below? + ### Antivirus engine preferences The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product. @@ -240,33 +243,12 @@ Determines whether suspicious samples (that are likely to contain threats) are s | **Data type** | Boolean | | **Possible values** | true (default)
false | -### User interface preferences - -The *userInterface* section of the configuration profile is used to manage the preferences of the user interface of the product. - -||| -|:---|:---| -| **Domain** | com.microsoft.wdav | -| **Key** | userInterface | -| **Data type** | Dictionary (nested preference) | -| **Comments** | See the following sections for a description of the dictionary contents. | - -#### Show / hide status menu icon - -Whether the status menu icon (shown in the top-right corner of the screen) is hidden or not. - -||| -|:---|:---| -| **Domain** | com.microsoft.wdav | -| **Key** | hideStatusMenuIcon | -| **Data type** | Boolean | -| **Possible values** | false (default)
true | - ## Recommended configuration profile To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides. The following configuration profile will: + - Enable real-time protection (RTP) - Specify how the following threat types are handled: - **Potentially unwanted applications (PUA)** are blocked 
@@ -274,350 +256,79 @@ The following configuration profile will: - Enable cloud delivered protection - Enable automatic sample submission -### JAMF profile +### Sample profile -```XML - - - - - antivirusEngine - - enableRealTimeProtection - - threatTypeSettings - - - key - potentially_unwanted_application - value - block - - - key - archive_bomb - value - audit - - - - cloudService - - enabled - - automaticSampleSubmission - - - - -``` - -### Intune profile - -```XML - - - - - PayloadUUID - C4E6A782-0C8D-44AB-A025-EB893987A295 - PayloadType - Configuration - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.wdav - PayloadDisplayName - Microsoft Defender ATP settings - PayloadDescription - Microsoft Defender ATP configuration settings - PayloadVersion - 1 - PayloadEnabled - - PayloadRemovalDisallowed - - PayloadScope - System - PayloadContent - - - PayloadUUID - 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 - PayloadType - com.microsoft.wdav - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.wdav - PayloadDisplayName - Microsoft Defender ATP configuration settings - PayloadDescription - - PayloadVersion - 1 - PayloadEnabled - - antivirusEngine - - enableRealTimeProtection - - threatTypeSettings - - - key - potentially_unwanted_application - value - block - - - key - archive_bomb - value - audit - - - - cloudService - - enabled - - automaticSampleSubmission - - - - - - +```JSON +{ + "antivirusEngine":{ + "enableRealTimeProtection":true, + "threatTypeSettings":[ + { + "key":"potentially_unwanted_application", + "value":"block" + }, + { + "key":"archive_bomb", + "value":"audit" + } + ] + }, + "cloudService":{ + "automaticSampleSubmission":true, + "enabled":true, + }, +} ``` ## Full configuration profile example The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product. 
-### JAMF profile +### Full profile -```XML - - - - - antivirusEngine - - enableRealTimeProtection - - passiveMode - - exclusions - - - $type - excludedPath - isDirectory - - path - /var/log/system.log - - - $type - excludedPath - isDirectory - - path - /home - - - $type - excludedFileExtension - extension - pdf - - - allowedThreats - - EICAR-Test-File (not a virus) - - threatTypeSettings - - - key - potentially_unwanted_application - value - block - - - key - archive_bomb - value - audit - - - - cloudService - - enabled - - diagnosticLevel - optional - automaticSampleSubmission - - - userInterface - - hideStatusMenuIcon - - - - -``` - -### Intune profile - -```XML - - - - - PayloadUUID - C4E6A782-0C8D-44AB-A025-EB893987A295 - PayloadType - Configuration - PayloadOrganization - Microsoft - PayloadIdentifier - C4E6A782-0C8D-44AB-A025-EB893987A295 - PayloadDisplayName - Microsoft Defender ATP settings - PayloadDescription - Microsoft Defender ATP configuration settings - PayloadVersion - 1 - PayloadEnabled - - PayloadRemovalDisallowed - - PayloadScope - System - PayloadContent - - - PayloadUUID - 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 - PayloadType - com.microsoft.wdav - PayloadOrganization - Microsoft - PayloadIdentifier - 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 - PayloadDisplayName - Microsoft Defender ATP configuration settings - PayloadDescription - - PayloadVersion - 1 - PayloadEnabled - - antivirusEngine - - enableRealTimeProtection - - passiveMode - - exclusions - - - $type - excludedPath - isDirectory - - path - /var/log/system.log - - - $type - excludedPath - isDirectory - - path - /home - - - $type - excludedFileExtension - extension - pdf - - - allowedThreats - - EICAR-Test-File (not a virus) - - threatTypeSettings - - - key - potentially_unwanted_application - value - block - - - key - archive_bomb - value - audit - - - - cloudService - - enabled - - diagnosticLevel - optional - automaticSampleSubmission - - - userInterface - - hideStatusMenuIcon - - - - - - 
+```JSON +{ + "antivirusEngine":{ + "enableRealTimeProtection":true, + "passiveMode":false, + "exclusions":[ + { + "$type":"excludedPath", + "isDirectory":false, + "path":"/var/log/system.log" + }, + { + "$type":"excludedPath", + "isDirectory":true, + "path":"/home" + }, + { + "$type":"excludedFileExtension", + "extension":"pdf" + } + ], + "allowedThreats":[ + "EICAR-Test-File (not a virus)" + ], + "threatTypeSettings":[ + { + "key":"potentially_unwanted_application", + "value":"block" + }, + { + "key":"archive_bomb", + "value":"audit" + } + ] + }, + "cloudService":{ + "enabled":true, + "diagnosticLevel":"optional", + "automaticSampleSubmission":true, + }, +} ``` ## Configuration profile deployment -Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune. - -### JAMF deployment - -From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with *com.microsoft.wdav* as the preference domain and upload the .plist produced earlier. - ->[!CAUTION] ->You must enter the correct preference domain (*com.microsoft.wdav*), otherwise the preferences will not be recognized by the product. - -### Intune deployment - -1. Open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**. - -2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select Configure. - -3. Save the .plist produced earlier as **com.microsoft.wdav.xml**. - -4. Enter **com.microsoft.wdav** as the **custom configuration profile name**. - -5. Open the configuration profile and upload **com.microsoft.wdav.xml**. This file was created in step 3. - -6. Select **OK**. - -7. Select **Manage** > **Assignments**. 
In the **Include** tab, select **Assign to All Users & All devices**. - ->[!CAUTION] ->You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product. - -## Resources - -- [Configuration Profile Reference (Apple developer documentation)](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) +Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. From 431a070d4e8e674776e9b80e952e74eab2c51d28 Mon Sep 17 00:00:00 2001 From: Amrut Kale Date: Mon, 21 Oct 2019 17:18:01 +0530 Subject: [PATCH 05/17] Updated the privacy document for Linux Updated the privacy document for Linux --- .../microsoft-defender-atp-linux-privacy.md | 52 +++++++++---------- 1 file changed, 24 insertions(+), 28 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md index 0c56970e6f..0e2884b388 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md 
@@ -1,8 +1,8 @@ --- -title: Privacy for Microsoft Defender ATP for Mac +title: Privacy for Microsoft Defender ATP for Linux ms.reviewer: -description: Describes privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, privacy, diagnostic +description: Describes privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, privacy, diagnostic search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -18,19 +18,19 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Privacy for Microsoft Defender ATP for Mac +# Privacy for Microsoft Defender ATP for Linux **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) -Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Mac. +Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Linux. This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected. -## Overview of privacy controls in Microsoft Defender ATP for Mac +## Overview of privacy controls in Microsoft Defender ATP for Linux -This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Mac. +This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Linux. ### Diagnostic data 
@@ -62,7 +62,7 @@ When this feature is enabled and the sample that is collected is likely to conta If you're an IT administrator, you might want to configure these controls at the enterprise level. -The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md). +The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-preferences.md). As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization. 
@@ -83,7 +83,7 @@ The following fields are considered common for all events: | org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. | | hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | | product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. | -| app_version | Version of the Microsoft Defender ATP for Mac application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| +| app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| | sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. | | supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. | | release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. | @@ -97,6 +97,9 @@ Required diagnostic data helps to identify problems with Microsoft Defender ATP #### Software setup and inventory data events +> [!NOTE] +> **TODO:** Please review if all the following fields are valid for linux as well + **Microsoft Defender ATP installation / uninstallation** The following fields are collected: 
@@ -130,13 +133,16 @@ The following fields are collected: #### Product and service performance data events +> [!NOTE] +> **TODO:** Please review if all the following fields are valid for linux as well + **Kernel extension statistics** The following fields are collected: | Field | Description | | ---------------- | ----------- | -| version | Version of Microsoft Defender ATP for Mac. | +| version | Version of Microsoft Defender ATP for Linux. | | instance_id | Unique identifier generated on kernel extension startup. | | trace_level | Trace level of the kernel extension. | | ipc.connects | Number of connection requests received by the kernel extension. | @@ -149,11 +155,9 @@ The following fields are collected: Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs: -- All files under */Library/Logs/Microsoft/mdatp/* -- Subset of files under */Library/Application Support/Microsoft/Defender/* that are created and used by Microsoft Defender ATP for Mac -- Subset of files under */Library/Managed Preferences* that are used by Microsoft Defender ATP for Mac -- /Library/Logs/Microsoft/autoupdate.log -- $HOME/Library/Preferences/com.microsoft.autoupdate2.plist +- All files under */var/log/microsoft/mdatp/* +- Subset of files under */var/opt/microsoft/mdatp/* that are created and used by Microsoft Defender ATP for Linux +- Subset of files under */etc/opt/microsoft/mdatp/* that are used by Microsoft Defender ATP for Linux ### Optional diagnostic data 
@@ -186,17 +190,6 @@ The following fields are collected: | edr.latency_mode | Latency mode used by the detection and response component. | | edr.proxy_address | Proxy address used by the detection and response component. | -**Microsoft Auto-Update configuration** - -The following fields are collected: - -| Field | Description | -| --------------------------- | ----------- | -| how_to_check | Determines how product updates are checked (for example automatic or manual). | -| channel_name | Update channel associated with the device. | -| manifest_server | Server used for downloading updates. | -| update_cache | Location of the cache used to store updates. | - ### Product and service usage #### Diagnostic log upload started report @@ -207,7 +200,7 @@ The following fields are collected: | ---------------- | ----------- | | sha256 | SHA256 identifier of the support log. | | size | Size of the support log. | -| original_path | Path to the support log (always under */Library/Application Support/Microsoft/Defender/wdavdiag/*). | +| original_path | Path to the support log (always under */var/opt/microsoft/mdatp/wdavdiag/*). | | format | Format of the support log. | #### Diagnostic log upload completed report @@ -228,6 +221,9 @@ Unexpected application exits and the state of the application when that happens. **Kernel extension statistics** +> [!NOTE] +> **TODO:** Is this valid for Linux as well? + The following fields are collected: | Field | Description | From 1976c84ec5d419e023cb2090047cb34041fdbca6 Mon Sep 17 00:00:00 2001 
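Review bot: The `> [!NOTE]` block added under "Software setup and inventory data events" in microsoft-defender-atp-linux-privacy.md (hunk @@ -97,6 +97,9 @@) is an authoring TODO that will render to readers of the published privacy page, and the same kind of note recurs in later hunks of this file. This page is the statement of which fields are collected, so the field lists should be verified for Linux before merge and open questions tracked in the pull request rather than in the page body. If the note has to stay for now, capitalize "Linux".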
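Review bot: In the "Kernel extension statistics" table (hunk @@ -130,13 +133,16 @@ of microsoft-defender-atp-linux-privacy.md), only the `version` row is reworded for Linux, while the heading and the `instance_id`, `trace_level` and `ipc.connects` rows still describe a kernel extension, a term carried over from the Mac page this file was copied from. Confirm which Linux component, if any, reports these fields, then rename the section and descriptions to match or drop the table, so the privacy page does not list telemetry the Linux product does not send.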
From: Amrut Kale Date: Mon, 21 Oct 2019 19:21:53 +0530 Subject: [PATCH 06/17] Draft of deployment via puppet Draft of deployment via puppet (incomplete). Corrected spelling for redhat --- ...oft-defender-atp-linux-install-manually.md | 2 +- ...-defender-atp-linux-install-with-puppet.md | 243 ++++-------------- ...icrosoft-defender-atp-linux-preferences.md | 2 +- .../microsoft-defender-atp-linux.md | 2 +- 4 files changed, 51 insertions(+), 198 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md index 30fbaa6c7a..7116f0b7ef 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md @@ -2,7 +2,7 @@ title: Installing Microsoft Defender ATP for Linux manually ms.reviewer: description: Describes how to install Microsoft Defender ATP for Linux manually, from the command line. -keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md index 7a0f0c27d6..5cd69d9301 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md @@ -1,8 +1,8 @@ --- -title: Installing Microsoft Defender ATP for Mac with Microsoft Intune +title: Installing Microsoft Defender ATP for Linux with Puppet ms.reviewer: -description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +description: Describes how to install Microsoft Defender ATP for Linux, using Puppet. +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -18,236 +18,89 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Intune-based deployment +# Puppet based deployment **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) -This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps: +This topic describes how to deploy Microsoft Defender ATP for Linux through Puppet. A successful deployment requires the completion of all of the following steps: - [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +- [Create Puppet policies](#create-jamf-policies) - [Client device setup](#client-device-setup) -- [Create System Configuration profiles](#create-system-configuration-profiles) -- [Publish application](#publish-application) +- [Deployment](#deployment) +- [Check onboarding status](#check-onboarding-status) ## Prerequisites and system requirements -Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. -## Download installation and onboarding packages +In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have a Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported puppet modules such as *apt*, *lsb-release* to help deploy the package. 
Your organization might use a different workflow. -Download the installation and onboarding packages from Microsoft Defender Security Center: +## Download onboarding package -1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**. -2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS, or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. -5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos). +Download the onboarding package from Windows Defender Security Center: - ![Windows Defender Security Center screenshot](images/MDATP_2_DownloadPackages.png) +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -6. From a command prompt, verify that you have the three files. - Extract the contents of the .zip files: + ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_page.png) +4. From a command prompt, verify that you have the file. 
+ Extract the contents of the .zip file: + ```bash $ ls -l - total 721688 - -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + total 8 + -rw-r--r-- 1 test staff 6287 Oct 21 11:22 WindowsDefenderATPOnboardingPackage.zip $ unzip WindowsDefenderATPOnboardingPackage.zip Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist + inflating: WindowsDefenderATPOnboarding.py ``` -7. Make IntuneAppUtil an executable: +## Create Puppet manifests - ```bash - $ chmod +x IntuneAppUtil - ``` +You need to create a puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by puppet server. -8. Create the wdav.pkg.intunemac package from wdav.pkg: +## Deployment - ```bash - $ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" - Microsoft Intune Application Utility for Mac OS X - Version: 1.0.0.0 - Copyright 2018 Microsoft Corporation +Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected. - Creating intunemac file for /Users/test/Downloads/wdav.pkg - Composing the intunemac file output - Output written to ./wdav.pkg.intunemac. +## Monitoring puppet deployment - IntuneAppUtil successfully processed "wdav.pkg", - to deploy refer to the product documentation. - ``` -## Client device setup +You can also check the onboarding status: -You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp). +```bash +$ mdatp --health +... 
+licensed : true +orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45" +... +``` -1. You are asked to confirm device management. +- **licensed**: This confirms that the device has an ATP license. -![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) +- **orgid**: Your Microsoft Defender ATP org id; it will be the same for your organization. -Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: +## Check onboarding status -![Management profile screenshot](images/MDATP_4_ManagementProfile.png) +You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status: -2. Select **Continue** and complete the enrollment. +```bash +$ mdatp --health healthy +``` -You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. +The above command prints "1" if the product is onboarded and functioning as expected. -3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed: - -![Add Devices screenshot](images/MDATP_5_allDevices.png) - -## Create System Configuration profiles - -1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections. -4. Select **OK**. - - ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) - -5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -6. Repeat steps 1 through 5 for more profiles. -7. 
Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it. - - > [!CAUTION] - > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. - > - > The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile. - - ```xml - - - - - PayloadDescription - Allows Microsoft Defender to access all files on Catalina+ - PayloadDisplayName - TCC - Microsoft Defender - PayloadIdentifier - com.microsoft.wdav.tcc - PayloadOrganization - Microsoft Corp. - PayloadRemovalDisallowed - - PayloadScope - system - PayloadType - Configuration - PayloadUUID - C234DF2E-DFF6-11E9-B279-001C4299FB44 - PayloadVersion - 1 - PayloadContent - - - PayloadDescription - Allows Microsoft Defender to access all files on Catalina+ - PayloadDisplayName - TCC - Microsoft Defender - PayloadIdentifier - com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44 - PayloadOrganization - Microsoft Corp. 
- PayloadType - com.apple.TCC.configuration-profile-policy - PayloadUUID - C233A5E6-DFF6-11E9-BDAD-001C4299FB44 - PayloadVersion - 1 - Services - - SystemPolicyAllFiles - - - Allowed - - CodeRequirement - identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 - Comment - Allow SystemPolicyAllFiles control for Microsoft Defender ATP - Identifier - com.microsoft.wdav - IdentifierType - bundleID - - - - - - - - ``` - -9. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. - -Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: - -![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) - -## Publish application - -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. - - > [!CAUTION] - > Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) for additional information about how the product is updated. - - ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) - -6. Select **OK** and **Add**. - - ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) - -7. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**. 
- - ![Client apps screenshot](images/MDATP_10_ClientApps.png) - -8. Change **Assignment type** to **Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - - ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) - -10. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**: - - ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) - -## Verify client device state - -1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device. - - ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) - ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) - -2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune: - ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) - -3. 
You should also see the Microsoft Defender icon in the top-right corner: - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Troubleshooting - -Issue: No license found - -Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml +If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem: +- 1 if the device is not yet onboarded +- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running ## Logging installation issues -For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) . +See [Logging installation issues](microsoft-defender-atp-linux-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md index 9894750faa..c203ebd24c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md 
@@ -2,7 +2,7 @@ title: Set preferences for Microsoft Defender ATP for Linux ms.reviewer: description: Describes how to configure Microsoft Defender ATP for Linux in enterprises. -keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md index 2a1e938b11..83c84689a0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md @@ -2,7 +2,7 @@ title: Microsoft Defender ATP for Linux ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for Linux. -keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, edhat, ubuntu, debian, sles, suse, centos +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 From ed1f730864af4cf4d735b20de9f27f1c6d7de2fb Mon Sep 17 00:00:00 2001 
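Review bot: In the new "Check onboarding status" section of microsoft-defender-atp-linux-install-with-puppet.md (hunk @@ -18,236 +18,89 @@), the text says `mdatp --health healthy` prints "1" when the product is onboarded and functioning, and the next sentence says exit code 1 means the device is not yet onboarded. A fleet check written from this is easy to get backwards and would report unprotected hosts as healthy, so state the expected output and the exit code for the healthy case explicitly, and include the script the paragraph promises, since only a single command is shown. In the same hunk, the sample `mdatp --health` output carries a concrete `orgId` GUID; replace it with an obvious placeholder unless the value is known to be a dummy, and match the bullet label `orgid` to the `orgId` key in the output. The step list links `#create-jamf-policies`, `#client-device-setup` and `#download-installation-and-onboarding-packages`, none of which matches a heading left in the file. "Monitoring puppet deployment" opens with "You can also check" with nothing before it, "Create Puppet manifests" contains no manifest, and "## Uninstallation" is left empty after its only line was removed.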
From: Amrut Kale Date: Tue, 22 Oct 2019 17:20:54 +0530 Subject: [PATCH 07/17] Updated documentation for deployment via puppet --- .../ATP_Portal_Onboarding_win_intune.png | Bin 0 -> 95659 bytes ...-defender-atp-linux-install-with-puppet.md | 90 ++++++++++++++++-- 2 files changed, 80 insertions(+), 10 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/images/ATP_Portal_Onboarding_win_intune.png 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/ATP_Portal_Onboarding_win_intune.png b/windows/security/threat-protection/windows-defender-antivirus/images/ATP_Portal_Onboarding_win_intune.png new file mode 100644 index 0000000000000000000000000000000000000000..f5c28532260e833cb94a120070caa32c471ecc90 GIT binary patch literal 95659
zYojZ#;47sJ>Rp`WIr?*T{b>HSlMamJGN3qACZTNG@G^H<;_f(F@(JG?Ud)2D9+Wf5 zIywJc*^Nc^X1J}K3*88~>7$HeQ?I7k3)(xzH zajBL@tSE&RQ>E?whhBc|%l+^^rM3`OMPgEy+2~z50%aBacx;I-E@6=DJ~c{^7;hg_ zJ15blBj%?ePSFEyN?cJfAV&K}Zh-g-@;V#Wc5O@v%T&4Do35pei-VIS9?rj4{jFkn z-EngASXKUPYUwRlBs3al?>4B1{h~p7Aa?zDUJ*akjU@^+{o+Z5hs9Fd_H*BeD#?-e zA2eu@Im+Ktbo*SGu~B0#cbkl=D-f@4_K>krt7_S z@Ardm!RDhGgM;g^#6C1h-DCK%p2OC)|PP`=p4`7%iQ%Uf8qZ zup*mf@iy49-P0U@OtzApqB|fP?n8_1_wvfzBApDc8 zPF-S^tWkBS;PR#fJ{EYy3b?)`7t(pi_lr!twxyYSah?6J0UrEqZpTFr+YsA{c^sCAkYA3w8wTpu3B&n#=IX@3l` z^YI5I2(>V6`dd$JP8;Kv_`uDk6?G$1dY6C8!2u8U`|WG?zO3oSyIQM@Hyyq8Tz@mj zdjFbS;)&nvvO&g#);;=NS^9a&B{@SinOx$qvK8 zqg)m`gB4Q^edFt|3vMDlkoCIvlLp7GHoP&V@Z+?|I$#%OQ6R+uQoLK(Q|?x3REbja z$B#B$??)mls`#?_+v_cRH+$HaAG(5!)AA6ZrC34ciqlfui8{KvAlY-}1>063s|&6T)jZv>78B=yn%IezVb{}(33|6k6=|K~T+HdZX!c1=45Fa98;cn!6# zSsMXM(jJYL|AZE6)x zi4FmD*81!XT|gbST(l)>w_T-oxevzen@Gj_s{B9CzGZ`@FgMNo`^~ma<+u}V=IRC8 zGp0!`XTDkb16A4YRD+y^Q7PV6%Nb$z|W_ zT(^x*|Rl@$;?YPOAtk%kZZOFWNv6?`#Wv|NB9H@kf3My5o)k>m;$OSZ-TQEaIGw z4%#mg;lt%c`o;L3`{tVQgF67^eHunT{L^=~ww>^D&*&9av;!y&PoJm7AIvtJpX?SU zTMs+Okf~`jzzwH!;UrKL2n0eS841GR!Kp5s!!^(T$j+3e-iZPv8*dFyUvq@5yQ-3W zyr5Zy$1?{6a&nbVj8r*R$io62Eii2P=30`#*(?j8dz9jj?i12LCR)y_6lYUx+L8%o>Z(}Tk)lo)0IycZdu>u^4H-1 z0kD$=Ge;;j>P^T=LnTgX6odVWOzzG2p$a@4_zytlEHR{K)j3w_VmIlntM|b z&%vc!zcSHO#DHktq>MX@Zj29(2`w1vXP=IQntcDBDPquXz7TEnCGzM5uTVsxu!Ni4 zk)J#v_2+Q+Jl5Qt_6sCH@M=7?%}TWf`x36KR2A;-e&vZ=CIEg+PY<$QZ~0yCg(&U| z?u$)=Cn1_2vA2?j(GDcdqvh;I%zE81+Yc@#AMCj!c$yH(YMhB^z~ZP8LbX-{Im-+r z9yTXQQmlpVlgcL1#usGLf?uOZsvW+Wh7*f)htt!kru(&j-E~y5W&s%pHv@KcuNcHY zj6I$M7Dp+6)q?GJPg&m&)!AZIH+COn^I7(OND>t*dpP>gHFB!PlLdiREUsHqm4$VD zFl!q)8wkb1&CRA4sa~a_YK{}q_$_N^f8p;de2A&RwH#8l!q5V%lv)ZayOeB zC;-U&W8x~>WcaY6ysZAugFvK#t z$A@-=@;+2^QLH!;C(#vnx6w(?duVc_UuU`K@=ce`p?(^!;fP9;0(mSo7qA1&ju|yP z02W%hR&`6uU+P=`wimc~t-2G+*!Z1#IwkrA{fgC6clBXD&h;fDdbG{gu5Fpz4D)wi z(45k^`BgZx=?`!D`T_B@lYE5}j8g^g7_JZEfvb*yj(VczqI~y>ad774po_eyVo+Jw!h}7AX zX36o4o*?eu_Sg7$1Bxm74c4rT`>@O!Du*;P*hnXIZgUl{dC4NVJ>k%0Z@?huGBUpb 
zd{Dh(CC30B+xgFtA=a+yzh;e)1>m7II^@b`KMIms7MDe0O8t54%H!h&PKSN~T+pXiBF;v4lMc&m3mYd(y4&Z^QM@y(5*OE|ip02@yMb1) z-OyRr8^7MC5!11BM4wc1$E5B=`F+W!qcU0fJ{if$fAr*AS3u%`=rzUZFT=NiW=UL_ zH)8b%pV{!SW>=WGdUKYiPRcLk)7oZWo!Rqhm^kg|q9$upreVLQg1#>9#PCjllED}? zCH(6!V3%!^lX*WGD0_k2eGYuOs_~>aU2+YnK^f{1t-^*qvomWuLDDY&FxhH##5oM) zECinb?7pDkQEGbcqKx|sT~`}IuX<-mm%47|l9c857YBcRXV?vS_B=_fazm`2q zuV|pc9#|i}ZPyTy#+ATw=P2esD0cL-@qd<$8|%erOSixM5Ti{~%nBbmco`2j9TNf& zNPp_7jcEw%`~h?O{>y7z&JfSv>}=wsl*P;WmYo`=PTlkfulfo{I3Al_afpiFw~KPoOM9R`CZjs*Lt>L z)X>b=kUC@qP&;}XDI!pNQ;MMS)cwTiP(4ucZo6#F-Q`m{D1NdUuv-6(!&>{)s}kpA zD!iT>0<%&=tcZU`Bl4lEU9`2c7696I?&sEByB;QwI@v@yQ&q6=I-HauF8;rNsMh!P z36b9QF1vmoA;C3d-_haX#hI-G??^lBW@u;3+|1d7Ub?ujJ_cm(v5tw)%-t}Fv+XyK zEap`~#VV~Z#HMe}!txJL#x5YBG6>?demEcXx>eW9c$(Mtz3%}8I_&2wsjPi0>JE2T z1zYRo?FR38*XE++_|SXICXU^Jzo`3r z6)V1p@HQ_Q7fe07P$z-v;H8VhP4TbdmoJ$0hK7j%3yC_CL^&u>wa#xM==XQ(Ye=;> zAb_XQt2XIZl<_CctjE)An9YVIntobonrANJOfP@e z8;f%o-gjdn>x*i)!3*|8LHN4T6c|nB*|Fy47rlr;crP>tw7{8r`#XURILS=^ghpM_ z#HT32oJA7|fVBnp2fO~7W&Wb30GJo48z*H{P=3R((C;@*Rm!V$9#!de52{yg-d?$7 zf%IsDCAg`vpjxHiolrG$--52s6A7(cL18Gv&(F~Bpi>{bYYT@-OfXaf)Iq_xl{qJH z`I3-TB^7#t96IF}VHl3U!UJQ?Jy`IW4tqr9eJ4bDeB(;D06c zRPR~{6@0t)%+Rzvth8Eq&wjE=vByHwf8avIi6l}V_k$o5V74*p^%jC|(O( z>Ets{8;jjUe~6gP?m8Lp}VJeygrI?I%fmRQ-*h6u;uPx*c_^28iz!8 zPr>yt+6mB2ewA9U+O7S(tfGPsgAzs?6sRk zuW4hV6Q#X&ni&A`HzGo505+HDyxB~WX^~@s$!0&n;Laa()mEaQJ16u$R&U`IksyL` zup%-4N?sM!D5YyTvJ8Zpw1)71BvYA;Ep#&tmy`N9R`ewMbxQ}czc(t^h4b|fj&B{I2H`H`ctr7BDY*2%ToY!I01glvyE zGc~!;G#hX@uIn^fF+@Q2$EM#@gz62*&pHRoRhCMIo+xDILi@)x)PhxgC`KtdVmVio zppPX)p(jQb)|=wg-w^)julcd^U?ODlD7C&f!g05qiuuLmNC0Cf@y}r%2KFiE4hX%X z{nm|d@=pvo-$#-u-zbJ0pT+yIHlI~_yY(*0K;~LXByQJZmremI^sn8=uL7K^Yc=?8Fm!9=DRx5FxqE^iU)b? zm1Ov7Vvnfahj+~1t=eyYF=GTX4F*LOjr8Ftvk4~Nri*)pn#H*InlnQIqrr=@0*D`2 zR#+j;&BiS9%ForH@rUITf{D4fgYUjhEYLAdrc%Yn;~Zfilg-zj+$8!{`6O~Qsb;A! 
z`SKwp2EL>S_QK>rQfh4l+4gHh)^F=AVL=?7Meed*k0_g7xwa+&^88=mMgNiwmI`i5 z*PhCLxv6vBUeS7hmT=Tx_y;CME^dk0K9;t%D`%d|{QSWh89rdLvbZwPGq3R~u|r|D z%Co;8>pQi~C1C;D%RR?A@-lM}gzP)x++eiG_?C`8ygy;&o3V6{{x~82Kqe_;kk}Y{ zBMG~iacfS#q#gD}FvtGM|H6{L_^v!l(7iaZd_2RPey{dKRBTqm#nIAl*2E3JM*A1x z<&J;Jddq{E5?KE;yECq5`~_Y73&*4xGwU2P=NIQ_>!qL4#RM-E#ej_ih zY2d6f2_>1yzcTgzMOf9gNh{N%wT6a>5iJ0s5x>h}{l5v9Qo3twn9*=|@8Jxg=KZuk zbM*g(PlZQ`74Nd4m{hTl&wl|Jn-04=Fr@8)kO?dSgmR=QTH63BIH?cIK%isbskvqs4Ma{$)f7k5m2 zi!$903IQ?|(r(CZt^6Py?4KWBY<<`CKVdv;a_xUZQ2_<_N~bOStUYko|NPf~uN>H? zuYp+|{(fzDG3x*PH9uLGs?KRgXi;cj*yTbU&uiHm#oH_fR~**P5OW^z(`&+YXcPG-kz zRA4-m70|*%?0=k4-`_BPrK|Io17S=FlYYl+UqwCuha$1?t&X4#U+?|T(^}qtOmKcO z)1<{qXf!{F3iTsM)Q`yam>_^RM_rKi0nE~H!866q5ATi?y!sFRs!-X| zSph&#UxGCo%EA#p0OHhRkvVv$<>iK~Ey||#Dy6nw>Cz57M1;Lgo8Y)(G{vS%PVx7Q zX?{}k%gQAzKmB8k6R2xEfH5LSj13vM#Xg9~b4RN(Z-i=Bvp)NEcbo z8NCkuHaTu}E{7C4%}nj*SaBvISNyo{x~b85xp*{BUd!6qNNK>RW7OaiM^Ppn3O`Nn z=!*$zEEd7`58}ebtIA+T1kVA*!6KNAn^U#iO{lSC4e=-lR31MEu&p@%u!_T_X;L4m#zp ziZ5esOa?XrJD?O1=Z5R)QG9x#vPy*kK=S__d%9>jofVsIzuvM%T6mVU8<>(m^u&IQ zf!LccJR7v8bs^gJeCtsF22RCDN*Sl>I> zNbtxO4gZYjzp`d&-1=hnaA>ar5)!0@$|Pb{*H#b|v%N1CKU|MHn%dF&G~alhqO zz1Wwf!I`U}?^m~YkDFhckh9>FG~TRo(;Z4BJpcg((F-a*-kb+2@TY8^BkqtYmzJV5 z}&qJ29Y48pmar*AEr^A#uT>n}P1d5Ho4acZR9+zOVVSXlCB?F(aq^s?!sn zU)sWbTskKds$7i`q6xC0>@G3KhUUWDDfvLo(3VN#S=%tuj7sVm7pPAl{yKZxWRHB+ zq{#ysZ#Y+go(SdbV_BVaR^P+p3GwdWKDBO)^fyVKJ5;UR_atHNd&Ahmfax2m zg*Ro{(UeCCC0O#xr}ap{nD)-`z59rb`j0veyi;_UZ+7gSNwqRji##w7dJdWBeS^B{ z-9m5r*pO+U^9arUAZ*7nIu7(a7p%DH>NtwvCdkDj@QO4UOhCtU9u6)L)!b~zeT3pD zQ>jz*#N1W$rWDMH@{iD9mMW==fy)+0G?&qz|Ae-lj9D4Q`=6p*ZOWd=y%L-k5QIaC ztTFhPy`1~UBi%nIWYhJN3SXmvuQ%Y^S);VhZX0eN-&EU3ZN3Qc$(fdY)xOPGP^b|b z>V87HyIEtwdtCr{??U5n1Z|sfEp;3XJ98x{z~`V#i$(>^UIBZR==~}i*M_C3UuQ;N zlbP5~FCbUOa$d5)*;ci=ytDd?7Y>8f=kCTVVe#Ev4du6MqkH@1j@cS_Jlz_L?S&{BtY^JZKAZ5}dpR|XRAw-k*_--H6#c&oEHSeH_)Ge|MaSkp2 z$TS2MCNBxu&$WKD`iICcNU7Wjm$NKE-6#-VHagZaakFDgjfV#bCT7nOJ+MY(#N3O@ zvhPMCJ?Km5;tX@&aQcGkFr;KA@|CsEJ;C#K4vpAGvGPRg%661@( 
zsHTQrH;NWS!Bz3(I~3;wnX#fatZVMB2&iVpcQ`ECRtMSGL#a-i} z!N%wiQ*QGX0mEr1&z*YfNCTo2F%~<$n9GdkDCY>qh`VY{*-KCv;+rO7iO52@H3c(_ zjW*#31@uRV?F;fTknamhFW6HNI{7R{;#6}t$(eM&J163fq6!fj*)tZKL4*J^ew&j5 zu>Z}?DvQ%9pK34R6{@N8+Oq|iH$QYvW^AIhXxIeF;zBAtCKt4$ivp~u?B<`&#axfY zR_e5)vrmhzVrTVW%g@s^wAV02jDJ8)l{@&kMAske6)8WhIc>RcCYfj&?3XU!5F6%2 z*)Ts^@8}acXd?6uo~i+co6c&1g(Z-)Cy9gL{TA07TuX#E368#7_~Xe(s^NMz>{xpm zSNn9SHD^aJbX0GbOmEYh2i4~%lu<8Jtxtc6%7H}-!UW^_8Ef_Q`$#Umkslf zADeFs+z~kuYfo0O6JZ-c=zX?d$@Q=#K`Gx3*3-K9e4qLsTO(4EV`8u(ysrUudrx5fOHT2Bba zzrsQXe->)I=F0-C;_$jN-tCXxpGS7eveLWn!e?ZQ{1w|DIn_xAP|ckmw=CN-I!aMC!#NgzYFi1ubso2PWocA}9) z5(?Df`^0r=vSUOeOXVOU$paM3?2wUt{JddYOr`z3vUZWkKvXm@S1msA z7pRFnaD_i`RX^o_QZEkVW5P)@xHhOgX%gRZjj{s2A@hdKJ()v#JA;4f>FpRu zZUm!j3D8+JB7IQK;<_*-XDlaLxWLcJG~|ASI`vs-PbNVsQFlBdd?bAnJM8;4U_C1G zoQo4%xn(1tMm!hzQ~4Vxp_d3T*NvTJgb-rlPk1fty0=pqjLuXVsmu%T@TMZ^*xsn@ z$quIDKz+H2JYY59E)}O(&|=@|sr3!TFDGRf`VMxtnv~JnO^|ur(N404MsrrVcfB9 zyb%r;@g5scOyZ`Tfgl5sMDLdU&3{1Xr@({Iwx=z>T||ic!S3Tph9!KHNE}>oo+PS% z9j*QK?Hl-!=WgDQ`^c5qy6nBEc}fs!UQjY9o#N~sKJnU(<%}jzTMc7Eur(+{*+qDc zel_Gru%fYd5uD#G3{AlQUjALuFUkl|1uMcqYTn_K?YX57s;8hK^!`<~_gyBNW%9)N z5nrQb8~yHg_kh@QlgTGxZ`Sn&KI=o*p0`+{S9y9bjehw@7s>5*QP zYEYga%IIVYB!m?OoA01_c5C9t|j`wV(aU~zS=e4{C3W+YC^I+8h-ccFM<}s|D?Yn&~ zPk3F;ZapLpoc4_Y9=h-uQ}IRJp*D&CiaU)nOYvzQ>@9}%RaCY143^zeA6b0@lm2Fn z>%4jME1?*dztoOH1m$XO0x~yM9({8zq>@Q>YL#wBW(}v)cn@Lu37Aa?V4~;dmw?_O z^pgfkg`po|+F*&?K*N-Zqy`@MY38clrQFnZEpTjNXg%av-7aAxEVKfIh=*T*WK3Db zvW87I(e2@RuT5M`ETZrlH=Ayq=mg2}_okbAD=g?fR;v7H;!GuDH`6cPA-6&?-Q$Z+ z1G&3CXt9^{=`Y`OKvgCW>ft!^gnS){PfD#@6-zIMiIm8XZ`Hidh)LgX8*;!|F~H*k zpBBYPv6^w?b7TMl1B;cjCD8xSO$kw}4I>u)5Zy5Z5ufwt(){RsNL9x=q4Xp$j!~kvwQ=l_J2xJC zoWDz+4d`v4)h9HigPW}BH~;QjXM;k3=JHg>zi<&)@5?k8XahhAy{hxGp$ zR2(XJ^}5JqQZjnEPn}ZXxI5hG5xps^a=fU^)7l1@gsuM!JhuRU@b8_q!~gMX^q(8L zIJ$m*kUxA-0rn}$EE+~5YkWv00GVW8I2iK)dcjE^!2V(BWE&&vy)xv z9~+r~W#;g|H>tTme_guk4Og_^vICUbP~2M~#|ZoC1^)D_DEY4orH8Bsu*vghfoeL5 
zF>`LT<_^If{q||N@3}qX#e`p3m49ap8YO=KVdzM}vt@RzD`pG#FS8v`M8NA-on=EIjySPhn(fPd@h4v^K|)ve^^^HjG6 z+cI}1aCmoy0rf%l>V$&`%Kb2KWJQncnMTZOR8f4Dp%AU`Wdd(PbYbHciu5L7vM&kMKwn7Av&kg|zcB=lVGHN1`cC*9a`V%AR@r zO$hF`m>kUIqfeB6ldI0a-6RReON>^&fDqlYfU0N0-`Ze|&Wpk8Uj4D9O@o=vgF8Rbrxv5Q^jPV1fI;5}&`HZZ+RAFk7$GMoxm9lrPVl*qV^mY;!ST z_b_s-`uJwY%9Cd?F&L60IH(27N_S!uVx&TfAVSj$GfMIi~ z3@<9}k5v)`Os2$XsTqUA@lN8)6T(!Z+IgcZbRee*RI1gwJGhmz?BFiphvuA<8M&E% z@B=%6(s*Hf=UYN|Z+Q6hk4CbMnquWIFjJBJ3@W#*G3;4f*vD*ET-XeuR*j(tw1hzS znm9i>%@p&yla~V2IrmTIunpd`U%^i6&NNhprCiyZ=3XYUURWM`fwR$jtjb$3xgu_9 zQMX0e!});SF?v_e7#*kAvwRAud^yWr8+f52t^8d0ZDJW63xBc zde|rx76}3LNjm23$%18zx~kWTZNus5s&f(My`ve6K}aUeJ9>EskRwz`k8{9m2x%LDb)pHKVUg^}$uCI3kLcz3Morg#JyI=a z^^ch5W^SwRbdUAI1!|9@KKG;N>o25qW&=HjhDE8ocogRIL6gJJ;&pqKiekHnSwG;M zs?~sRTZ%<~+prd9^-P&4i;0>%XwuQx z3hlJ)J;R^7MGDD7^hO7-#^bYfx%H!soQg1;785)yiEpQmJB_a^Q6bW^h3Dya=2x5t zbefM>z0#tI>p|B6Wu;T;IA|o>v6v^*(&zHh4r}v`3*+^|4r|P#F}_QVb=GKDD30Xs z_2LQfk6Nr0j;yJ~&96c__eZ=X_f#n)9Pq&QY}Ih^4HN9<9x^%>e6_R^ErAKrw|d{N)XtvX%vx$#R&Emt(i}mG6~wwzY+_G5V&;a@ z@NbQzdm~t)8O2hTW|f@9XK}Ehhj){^j4+6zlcQKg{IEP`GWmr*dILoOS}!>_;HuP~ zG&_)WBY}3baU3eW=RqMBUE8mMT8UAC?SOKv0Qx@qjLoLEko zDq_PE%u}5E7D}uEczZU`*iQhSS%4AtE-+ELa(!}TL96W`l23rgYVx&aa?hDzYL`gg z_Y?K940AK+HHnt98Q3@4e?a<-W;7vco8`}OUbM`-G7gB5lUT-MW|m4jW>{8l7{QE; zD;WlA&H~FcN`5W;8_&F@a=0>Q7b!wdiGb$ID`zCovqnu6U9aQ#$q1~Gfzn+jXm!PR zXUgfk{F)k(&q;v+d8k$Rks**#!@wf>B_#EZ>w}T_Jw2KFgfZxIOaQtHDPG$`qF%ks zH9A4Mn0Cd2cxedUu)6fZIobV9(@p;K5sa>hGqCquc3x;dL0$Q-I>|0!)<_V)_BYU7 z^>8)~q#2kY^B!zrvV&52rIHlJzon=ynhWE~nB=uiFch|FABdz*J228A`?yr6D77Jp zj$nSKn{DRw?P|D5#`V}T-@QGx+OpPkcV^BWm=r&a=#E?-0K^r*QyuBNiQ}9@3>PF$ zwv*Kc!&SHYI`~nYnhqtvH+XLrUq;Rx4*J~P9l`neo`j7$2RfUm_4*U_Be1*SPl3RL zJW4?V=v%UOooRTJr;oUp&1xpjEyXzJ(G-`5J%T6@Tq8*eaxuvL&%dUy&b>9-{;DTx z6z2@;3Y)`tNOJaji$$2;wpe9?2WN(w@E6o=@0qj0THr&tFi+9)jmZHJks4r)9E&S=Ii~c)aR`Qc;l$9gMB;b9yo4A zC!4nq*JlMPqCC_Chmn&g7dL@d?rK88pW1Y78&`y-l!q61)B2I5OABpfe3KiUh& z=Te5>gkmzUxUh;w=ZJzLfX=Q(W0s-g8`M>2131_f%c?3>eeXy_A}D@hFQJx{+OPSO 
zpQWcR41H&KArLv`R@z1KX&Z8YJf8x)hsFf1P&7kHm(euLZ;FnQ(0bf&gy%ozq`Tbl zhIs^GI=&(pyHjA3t4@iYVV{plCKZ1xGtNML;gog{>rgNwl}1t`@~aUij-Q}U1E5jp zDA?AKgB-OFU|MyaanhnZQD5+Qp{{=q=5hp{bgQjNt&bg>gqU z$1XS{ioyh$Q&wTd9_gGXH}Sd8`!(%J3=<^icH1s5NnxMhVy>JhVi9j*tXMae@>Lvc zOoxN>Db2Kj*vn+JP*acejZh28Z#psasO&mI5)|#r{kDj=*H1XdZ3x1fR?>vi%c^U4 zOJ63V2^44?32m!?M%1M6ohQ08%R?u-k-)*L(ECE`MJkfCVC0&|=vyi&op}tj;@cVi z^cDXi4+@L1iRN1=>H3AR?&WxNi70>rv5-m5e!l5>*s%;r*V^`b54`>BwVxO+Go8$a z2Un2wE2B8Gpsz-gH65eg(eC<) zM6^=_X*Z%ATW0bnO&%2=|CYH&Fps(}tZ=|L&(&|l_ZbpvR7jT9^tIzqu%wwv5zbR8oYq3{01?M9(aXZHfwZV7L-phuL=!WG;Yo;4aQ* z&*>F&GXvX@O*(WJ-*(VzSd;J(0RihF!;{1EHqq~5j5O5(pu!b@hJo;QHoeeE5RDAO z)d`M&lUC6eJ@|RX`DcfbI!`hhcG3B_14B9!pxSv#kM8|Vb9?U~XCz*~Z52*gg4y?_ z$KA%_aSKW>Lt-(pkO=wgUhhZ^?VdS>(NQlzZ9hV0i``3xh6G# z3L0n?Vfm(u2|+;X+-{=e`Sx_VZS-akfuR1Wi(fM9FE<;U&3@yFGp4`Mw(L#Qh})jL z)2`9=>K>;ZBhTSDpf_n^mN2enJo&{HQ^XPb29S5C+>CWR?^y5cB4~ae@??wkxV5)4 zR8WpMQXCuuZdIW?ZUS$a5FKSXGNU+?+#`AMz$C5vJIS#|`E4 z;o9_^rP*=U{e<|p`5-RM1xPeLn{Z~(1y(_F^7xRvZb(Ov+<^^s@IK;H&K6=rl5d)P zKw;|~RB(H*M__P2>Pu>b zE?*bT3tow^1o|_zfeWbAMo?|O4#}L+zi92+zOsqegjaPIkza%2Im2%r=wC{99HlGR zvSUNb1C4@@9sr{X;dNeBmE$_C4GWWM2Hw5~#AaGzXhZh^HJ!uA2rRu-86QTVj|ex? z!yS*ti(y)IN6`Ip45N1sNk7je-)!Jq@KE1It!L;`K<84E))fa|_HGAS!9mC3n{YQx z#=o~Q)+Qui$L|})le@1zP@Lizt(JXmFJiRWbZs)Cj1qjj_pvs@KGU;A@V+oY3+$Mn zf@_bsOpfbRjMv5j{>1 zy_Vu#do*-Y@$IQNplA4uW#`*7btjr^eazh(viEw_ z{#A`P)!ilup163HB~zr$bPpr*?Za9A$nypeoEU6K9`5=7C5pL3EVEnu^ckbR6? 
z`&JSlu8~-}Ol6V44b~%sfAn3z%4v`>!6b$FVQlPUukZ|g!L1=1=cv2~^ia>S6_ggo zHL|BwBK0NK>oh%4zYLagE7}MOB$({Vd<(mcOUg)S6^yMj`N95jk|~(gie7A{lcXc_ zpueW6%A3%3d4EPa&k*7T$#c#F0#FlZ;~o0RfCc)+u1#;JHqd+ z6LgSSRX3?*?z!CgMzs9=zy$BzIn|)tCT9HY;0t9yas`TdzW2Fo z$UVro3tBOta>DnyYg@CwaBFH}12eT~dZ>KevAnA65Ij;m#?XyQEuD^hXY``Gz8A$A zRPY%!Qc{_XacKmx>vb_@=;eM{oWjN+QFFFtJ<|m!H^c6qL7I3ciY5h%bQMJ(lT1;= z%kHe_BcKHMfuE{D9vFJB&u7ec`Jd%*`5EqKF+Y<7nA9_hD-BM51Q7d$EMytP9*bcdg%K(rkeWp4PX3Ftaj-LhqC+kk=LYB zo`3i8MgPvxV|6K&Q^^jaa%CUo!VF8od_>3+r`1A1Kk_8F2X4AD7XTi*YqHyS0Mr4g zz}p2Wa&gce`{de|k2N7Fj1-(2uw|t5%Gu+5LS>i+0x;RtPQ+)`TPr5{QTFb_D@V2E z=4_zn%n{fX%&EbGQQzGsZRL+RLp24>QD1qJ)yslT?n}hzAcCBBx(m|r zHuX}Z;Tc8Tvf?$&?$URl@H}vc(ztq$qsJydG*kf3Og=%kS>i z(w$=$8^{P>#rqp1UtU=9r#9OYNd(Hx1RUjd+oS7L3Ri?pnnzbNk5S*_N#&yGv2)iE z=1o2;5xb>c6dWRh&rS86DpCHaF=pP7A1f?Cu#6I%b*nzCq;tmBzKeLy0L!(x+oYVi zi^E`Qzj$<0P+_`U)yzQMRyVS71|t0d-c>JLKJ@gvTXYK5RNdY5;K9W}SlO~YP) zs5=YfdhxYA&JJ~o`LF!ZJu=tl(tUT+WQiMUuY^khz3i^R-^2*fyg63$h;Td-)@z`C zUjB4J&+DuIi@EoXYHI7=My=RDR75&ak)kM7dI^Y%(nYG2pojE^2z$5FPe1$$N@Uf{UXWshT>nMX_PhQz8hB&i_opVDUwnFzUXJBk!>{hS zR;96PBdc&<=e}|Jq{r-i06iAGWmz%#*};sSp0**0$7cf}f+EFy7eB{3`&y|YFO=QqZRm-1)gj?HfGyUM(DxHRYVO<`DbRotQhSjB>;8QqG`GE`2iAM zhM$k+8UUV6)%R5)JtxL)9~aWTL?p$XUC0MAZx-(DWa>WuublVjcd0wnUoPMr-hZdOlr zANk&1Mm_Sv^z@-zYN&h3@y&%&?AwPiV{bs(U6jq8yj{QF>LPfIv|iUs>P( zCmsqYvrrl$uYQG2*416}KgGkg)`Rm+k>LI|L%#27m@%}Ij@B!(KRJ3NdgEc?*ie2g z)#-fVaL^F!6O^x;>F;&s_$w^aaa)DMQhbY*{GDD9i0l?YXITuLIFLb%*$%ln`o71k zTg3IC28&MB!|Y=RLzRdB`g-)5Hg$svn-$}+HtC#Q5WQPM zXBlqWs2H#TC@@{ef_do+9_RoUWmd6fs?e)TqUq?-Dx@9VX;dUnNJ!y3YxHE9H^#Zu zWL^Ad8{i?sR$a?Z^9JjH8vI7E^zmxH7w|V6@M@x4&IY=YkqYb}Y|jo`%g{9QvxS%P zmLcMG00#JG;EZc}C7{suqC&aazhm_PA%`$~3YGSk_TgZGiu)feYQl4Xx^SNPTNg4| z!gB3vkr&Dfc3C?r@i+0dnVSpYLze~5uHI0_(a{0DOsfsY8}sucjmIkSZ!Sa^v@GlI z8R^vl5|bVl-{b7>cg8KNHzt2>;W(UJziD4NlJ!K<=?ws3nR9Wx52gMl%xmCKKyV#} 
zsy@_Li^w&S4o8SnHEP4RZDRS6-uq9~hlZf3rVfwCeb*6bSf0O?(ahGkP{$`Cs`rHHtpFx2HzqyZP~y)lcP5f3qa+p9>*MaAn!|B!hNtpJD(%-2nd+LV+=)kW3i=|0s^=drEGVxV+$AYzGLHO9jKGzP6s$9YTObg2q zOOuE5pVcmb8FLwh9N*0{s7-q42^_p46D=`@qwXrJ7r!mwvsOS6SFRs}@x+3karsQQ z_ARkE<3~Ej4lRl`@Y8pk{r>dle5I9d@-L%i-M`)H-; zClaVK8&cf2q<=U0{vz_)I?anFX8;03aI5vb0iAKQ-B>pm2L^@FM8pkGJl zIF`tF0Qpjn!m7fvfJlj4-Q%5!kQ;)mjN~Z;ca;PL;+3G8mzm+i*eZa}LRi#*G1lwh z{fQT*hL#Vr2R#m=KD~nBfoQ5}!t)N(ZjLyxOjZbOE=E+hlL% zuKV4Lf9vA^%H`eTS^EF&XDK=WrER60*XD?ARC@~$9t4u+|CYqwF73vtm-}3woQI?c zSGp}kZYTM#K_l@z-+&kZK;64nqx#)VAv$0+#@O=14h6E4x4ne|$0o@@7lnoIbVg6)>ecx?L5%;7pP!VC{Y2nip!)B` zd<~V#iV7j*rUNq8+?M;#wECdU(?pTIDD^*l#Q%3}0iR0(Ry|-ik0lYtje~MI8!bR} z!oQ^gu>tyTK6qh~y#;h5a70Gor)}n)De&3-nbn24fS?cs_x__K;f&rDuk#!X9~Pmk z`g0^s)ptAM?9*8TB`-Je7pIDoeM=B=$mVkowT9stS;BR^GL+x_Gu_!?sym*sx0_@R&Y&+L&ws4G2&vUQR3;_ zoy2YPI`Y7}Lw`i6E^&tpJd=v6xYTZ##YJ z#oGhd$k--I&^^ewQLX1Ch}Kmub@vHa6-)?-EltoLJ{oy;ZnqEIhk;!BNMPqVzW|$+ z=efO^3!YBt8GHS5rb~t5Rh@Sb{5|Z|Ju8XbrjH5j+^r)Q02pF;Q$M`mY8+UKhQZK3 zCTl$zgqit)b>*!V@pcGvyoNZ$KYz5=n!bseaEsc%ZR)HMngw8-GrV(ar>u0J0rU5 z%F#3sp$(c_mW;g>ur-HiR~Q2iQGY0Rw2(Khk#ALR8^@AnlfZ^Ab2s|Z&_twNxgm|- z)g9tE0E_kiLeD)av@;9Bs*m)7{BT4pseBcV+=<$@c`;_LP0^eDId{R#1An9|CJPgZ zqc4F%^Ymhn=9mrw=^z^NjoOCLF90=GB^x@O>(EMVrIH#FITuTpcbaUFu~m|bZFs$(z|E>ok2m>>|E3fWQcT1Wx@ z@R?ieg2Dz4eL|88)K@z>;qV6nhqX0;nOM^b~ z&vVN8KKS;XyY*J?Z)<6LIXTK8W}z0w&o0jt%k<8ke9tDybZ5gDY}wuRv`z&$`>_P`p4U@?&xjJ^k5i@pUOL4vn~Yd&1- zb9AEJ42qSnpz^U${Fb{r$^-(o^(IZfI?@IUw==6Wi2wr)l5%I_J#yO{=AQLn=ZL^5 z+7vv6K5Nq`?^ik(%S3=(j0?pwW8r4zs+Y~cLXEXM>(&VWoDKi=6l9wd6s_Ph63*;@ z1<7Sm8{dtCV;xI(m`i91#&;;#h=&%I#Zy12#Ay6By2|x%W=aNv=H(@_U8pS0YR!HB z?Uq9#OZG)k830KO4E|2Vf=6RW<=|+L-!Du#?&@*gma!LKG$JU4WA?oHmqJC4DHZKbqSOnnY#+OL5}@PpbjF)RSntyzP)dU_Sw6#)5SIe89xhKey=J=g_0; zP3}zT&cb)bee<`Mi6iiwou4QGRf<0K=ju>AfCjY=^&^yx2bf8-nE>0Xjkb+S4(vK$ zY?RU2>4i0JN~MG;)_)gNBkRA$gv#!D_z&aa|C9gw{)XRL*n`;nU78C3h5d=IwOfht z4}8lhJ)IwWST9(h`d=i$(cYZxh{ERJ>^xcNqN{w~@1p?l+@pg{Vqh2Fo8uu-QdH7Y 
zgKDKp$*E`0;{#l5e{kJ@C(C0U^e;iEczQBWC!ADVjTEJ-E;~V6S3B2&9jo$2iupXe zEi4}1QMs!kXYqIAQKt{050A7;PhuwDhli(2d$>1NCjl^w4X zmV8Ql`<+i^QqvYU{l$o)VVKf!a4qaHHoTo7InT+AF8*^9-yxd&kEMR(xR6YocQ2mo z?*7oi?Pfwnm4t;o7QpTzWLtEei%n1%`1t8Y`eEzd3m;49T~=0Oh3r0cg@mAL#hS>0 zrShdDQ-ULL)5pDZi)-K?p&UFMZAUGxbh+OpSgzUs%04)tx9?*5x>~I{dvC(~YvxkN z3FGveFCPP2bZrNd9!<>f-dOaq`hJ^7uzvZf@TQvR#e?Vy5C;^pvN`Fp;eoBY_YeK8 zoSsT$(fbF|k9o=iilrZya30XO6%;+m>aW3G%zs0MpKn}W6bhjI z5=C!(6MLLD9Cv(lRe|}eURG=ZbzE4eZ;Z32V!ZB6iyxr+5iSIYo^g{Z(CcW&zt^w8 zq39?pMAM0bC8c#fQfVwp3o0F!x4st%7>1V>qlLhU}J6h-M%G%6?2_;zEOPiy%Utp!oLaYezNXXPc$P|5s zmOu^ln|=B0p7YmudtvTsHoYr^!k8LfAFqh1&na?b!D zT9kigS&jOR#2TYdC~S>+ZU!6&TmLx@0zdhe7Y}gDyXZI-0_awvn%z#-m2O>E0Wg6G zzdbFj6cpMk5?d}h^&rSU`eZ=`}@e~a&*7VsXMtY2iueI#kwlT zxc?E#UDEzcCcYtPw;ZYZBbMKEQUGZA;y*2`?9W^x+U^(|;){P09Z%&LGsWSn0Y-Ay za%g+!ENt}868qg$o0v=hX8B9bMt#imV%r0PI#T`50(&5f>zVPIaP19^SZ@z0~bJd+S}-fsTy?=ipLt=jxskb8y+kifqu4(%S!*<1;pss8=#h5a{?})5SW@wU@GQly8aK47J$U`6yT|*&>URk zH7+u9>J@7280Zq-_daa+_nzqBdl#mqOf}yI1BYYIqe5``4RgsEV;^Fz@ESbjL#U?W z!`;L3cfjV-LEC#_KUYPrPJj1vO+G3#K*`n_b!k-Rx_xqKwRMmM zMTPv-(5ZIo)jE+kXlBnm2M`ooZWx@Od*d3c*U3!mABc@DuRC^h8y;N!@sS35Kp{Gj zR;{hF@Wxj@{W26+|9Ir>NLGbo;2mVO)XZ8-Vrf~Gd=sqP z7u4km%3D3jsYht5#izxR)e^F=Rk|)*u9R|tFxL;NSb9-9S1Z5r`H%|R-?S6YcBk#G z8ZkRS=cKDK3BC_Ka0{#wrlwY^2m!O+E;}J~-}rdhF`-7Wh6w@W#h#hBZ&km3>5tgO zU3Vwpmetqtx2)e$lX&@VOKR`O)>aebVts@{*>uovny>lz+)-5_j_TtEt%F_H@5nt> zF{PPbhaFkQU-;r}$t6jvVN+z@rOx~g#0zy)U;~y0%?h?Mmn8kO2W8sTj|s76Ti|%8 zfQOA!*HI~kvY6l=~r_$*WNot2NWy+Y`^~c z?Z%9&!C_?r&51gh96L@st@py=$pQ4xWYh;`tOeT*C#G4+5eZUXyL-J}O~*0frjgCc zYBqKTo}*&vhr%Yghz{I&lQQsfT~x`T9DG? 
z#Cs9OyISwwm)l_Gt1oE$kg2ULC;rum7FaqgSVXkirwirF0Ea41F+T&lx8 z*ltVH_G448S}acUO~Q*&UH4Z#pW8g)z7acZGiP42HK;;ivwUwxDhnZY)eI=`Wv9XJ z^A1ZnoK&R) z$=I!EIr$0ixIVsCK(pDSAa?CN5m!Hb!iCa&*z45tkzLUX1O}|WU-*u=NV{?{MD~(o zeOl${E#uRVWv7xeOfV-DU8E~QNAa|+w za0a%Vsf>w)xAhlqk9YD~KZI40B5ER2x)B&2B~$O`_#rb3x!k$=C^$dmeGjH&L76TQ zg9ld$(sYwQ3=u1Ru3Lv8{*oktqolYub%|>YuUOEA2)yRu4;sEZ89s=%8CL5q)YO}Z zP4avc&F3CyT@hS5Yc<@_VpCP%ydc=eeZaG9`Kb=S1Wp*UUvWS`6D011wZgjW5sC33S-k+FXDdwbox- zue|98o$7PBO{*6m$hzZrUQ#OP$^rBdC|Xdr_Nr#i-Ekk|xrrUIPlJ9-QY$XqpUd{! zG{#F(9QJ#6A*}FLE2ejOBL?uR6;)S?JMCf_g@O|9v*^{0e%*yS0$zOpv8mem^rq)o zQt9IlD9MUz!`axu#V>I>52n;>KuXb>#slil5bX~x@^J!AQwr>RRbG)bd_5+`W3ozw z)-Kw*)=kS*ENtj+d7rxwQX@8AQZ76QRk&R{8A?}=)1)hp`3F563n;c%QfI$pWKRBK z2xC&YQJgY0XJGM=vSrRqtPia9^Dl-o@p+svgI~?f{ zC^gvn43nK>S@gL!)4s6y>Z9jK`~h@<$7~EdHCj;AJeF>Du+j%==%1ZI=WPJ`ayef! z$cN6FsandOks8`xrh}zE1N9q)^DDg_6%Yi74(8Io{3V+U>Z|+$yEpk)s8#BcOQDeGU&5 zQM1@a9^= z{Bd2@pQ&~vVJw_rV=WiedH?>F`G#Mj^K z)f{1iyt)~d-BoZBwAV3Bl}ag3RUHUSy(|(0mojY9Ud;GQH|+xsS|GjiQ^R8GbD*R< zYbMvhoV>NJ)`e_HRA!KZH&THa6D3-+RlH7}^0*OkA^jWGXS>0@vfQSnvb5?vLU~AY z34uOHj-%0yj!N${%SCLd8z{#?zZ=S~cqJMw@rfnT#?QC?7*k25 zrxe~;dM>D{ARkJh_s7IY`_kr5xZnwDBSlmhSC8ANZAP12;Q(B}4-uUw|IF{{W?Xpl zQ@LyfVryO;#$|9M(q{;K4ITs@UH^Gashs9xUz_p_9BwPWD=0SrGx8TN@xw`=YVN>i zpq+%E#l=RHB@5}1!iFZs!;<>V*W9Asb1}@f#zULnl#|r}pNQZCm{zDhH&V$vrr&^qgoeIGg0Qx-(hZZex zUmOUh=fo}t7EkL!Y3bf^ZLXz8hTGSaTpko`6oewbOgtNGw#Z?ny0WxRaEtp5~)kyS;j1u~MCADC7UE)>~VTC}mGWIT?|ZDaqbb z*tmfc-AcKHTC%l0&0$-9<^*u$`uA3kOc}5aBHL>2f7wiQo>=^z0nb%0O_e;--+si& z2xotARSK7zRQ;9(S6x<7JG1!S=2Xtm?U%{VByfeePqX^`=T}$d*Wh%dgshp zomQD-pAvBq2#m0QBS88pL^<6_nZ%^ZEmw1c8%KSK~;J} zk}eESMgnT|CRT13VqXfsE~fw2ulv%s<9q3|FOzi7pcPXp?>a74D6D=?Viww1tzERf zVG7y*-R+g?uTbi~eHLMMdX@;@0#2}Zt;Z5mQa?|(QZ|8oLxCS5qm+ZsEKdC&&DZE% zQ~LR($}7reJ3_d>R$gE#I-*2>+jrFknfk zO{@G4HhEbA6%T1+7zDjVH?U}(hQo&5SOj_EX`eM zx-7-K`K6g}D5qIzZvS_KmwyZ$s%PYlvgOs=oNGIg0e2b_z_z!%_a*n>2NYhdw%HHH z=c~$b#PYBN>|@~nJsP*7tAYA??Vq(e+lIcJAbRQmi_CQ~0?tF^0YOR_82Iy9#eU@p 
z0PudHHeAsUOrut%5W!lSjyj2ni!Zxt8WrjkJ2^jcd;x!|wOk&~&_=m03S|uYegn;v z+2H%9BcXb{Mhb)Kpq0sz${dHq>f%OC{F|9FKcAYA%wyMrXOm&kK0yCBhU-dc&idmXl(u!iR8EN z5@*S`A&)5>ui&0k2Aju5vG0@xc)6m3ALbl;)CM$@@pZ2L-$zrxUe7*L0Q+_B^I*Ps zh^igIEsO`1uX=eMYt4Amk7QGjtePM$ALuM;EoFUnIzZ~+zY-UB1|%+ZStdvOU=nce zmSST1b%FH9dgln~VN?#>NsWmtwvKd}u=Gjz2S$x>$;(M_og~P1ER#mK6sVSx#iyj>m(S_%?E3tOjlx^DQ1Q#P()Bzs z2^F=J>6GNJS-Yx=6-TaJ%o0t@gwd-&`a6Wg9oQ8)$dIw6pFO%~h?%{Tc>V{Z^8L0x{px9d{+qAK=%5?q#|e?d)D%2uAr~1` zVYs!yC485{$`|-(aDZxmCM~*6|jb=wvMs{}p%ulTMou*PDA(XACPhXJpVoMDxIdogPN?ENb{Re-a{YppXl~ zn((1$GGCd}+P^O6bs56q2V2A6<#C4dt3(lSoU@Y>vN3g@8d2TFXrKXGEd%1y?q7mt5O(Q zw06Oidd-x|@QlusIX?ceu!66OIU^}}MP{Nho(n4-Mcrd+yt$D5-KIahf8KzYmX2+Fp z{qmVFXIz|;qoOo3J&`JhSeuWdt_)Dyl==_N47q2FZ~493aM*UvbIzslb4CZ1 zkgt@|=O85B_PNhJo6C#%!o4JqeI^!wCb1HG(wp9Y`<-pYYY#sjBOlWBt`JG+c;oBQ z=p3e)(PwsJO&I@5j~+=NgW(M-D6aqHM1S*m(|pI*tT8KsvzEx)tnrrNw+4wB%k450 zEr_LGl$j_|weU?{`^KA<*k==8Qw5gBqK~u~UGFaBZi#n6B4wqi!)2tM!KIwd_f$y& zN-=gVrR(1Jjz%a5WrLfT9qugY)Xu5{S$}2Ds61@LT0dDrZG<3QXivk(O;l-|nDiQY zd4C`#C)I}+Stf5JCRqAgC1x?~ts6V~hvd<%qhV>SdOb}7k2IgY%4}+h{t+i;8H({A zHC7XtYdLxx{RZY6r8TdK6BLWFKNF?X$66wS7;7Tqzd%|IN7AERhioUBy&P^@i=*EV z`qrT+VwzflGD9Z2tC)-&4wm#hxuUM6+ctj8&DUbG4Bj5Pk-5<|C%pZRr27nMq(n(s z{3-l^!&QH1hHr9j)!pA!IgBm&uqK7V?C`VJ&lqeXy=GVvWjK|LtXi99I1aXi+Zd1_ z?3(Z7#9*&huM1$-#Ve1tcpT@HZ89f2FCyR66}w&;66J8SGvy8fM>N8b!a?Fi_p-(` zi`2bjPz_8yW9iXr%Y69-0_=R9Z&Gd9_2X0*%2!b9bL=?;kq*1cx{ApW-%OwmR|}0> zo4W*#+;xHN6SJ_=JMi7ABUIJYdQlq7F_U*eD$I?VubL1q3ftjWyUW+4Sg2~Z7!r8& z&XW&vb0~APZZa~0@}~4|XFhM`8g4YEG2W9vaTX|JpMXjhMmJuypk8BfJ!Li;5 zti{`V_F=3{XwPS~VLYaZBjFJckiG4CA}l@KTnv98N~=5PnMCPuRnb&*6L<4q_%_|0PZ0%KaxTu8|k0LAC;7%jpTB{6 zA~2i5WXzZ!`uwtgCS}Dl_=8a!ug1(#S2k?AaL@tm^)V-XX0n7T!K{X?hLBO zhZ>*jQndsjYuoONW#`f(G1>knTYbhs;CLvD50@H}QW#F&SgBFX@uEbO^ap>syx=xr zx|nsaP-3swT1;Lo*UNiFHWfBVlQ1=@H+k>Kp{++zuDXXsdmu2rnqkZs z2Q#mQ;tW8{Lqo*8Z!)vAeg{9nKWxXBs+GrIx5P<)=8S4h(Eb=@6M-F*ZESOJ^|WhC zG-x@r#wd&t3+rfX^x2Gtqpo`#&6+clM5T+GAyU+b3#I24QKi9y{qVU*c+`_*wxAp$ 
zDyGGb@{`%~HGX!GKT&f`nzLF2Ivv^)G55)}vN76l<6P~yIzG8&tW?H)9F|mvSJ?l1 zSpe4Q2}ZPGy7VNc*OL!Y(VrA37uDLP2OPp0qJKQ@dz#Tv8me8KIKILT9se%7HnUJ z9BnazYyGq%Yl~u&*H=96TGqU{yK^CfJ$jnch6$~;By~4+mB9u#DTHlXw|HlL0MJXn zZll5mO#SyS44Kcq*|DGpLJ7rdJ=Xm6nAZzxVtFnosh*0_t7Bikooyka3h``=^*xLl znAdARW(JNl*OZdWSLQx(bf%w0^`dSDO0ZN55Y$_p-}5;~Ois>AsA>KW@mW0%?BzZ& z#-5QYo|QkvI%ygQlzqY*HIr(cN1a_!EEm^0luynaWxCE~>qN-lh%SVQ$s}cGo#?5_ z6QdO}TeGpZrMtO88$BF)!%ing-UWcw0ZL)#lhfXJBgT{0eE7nvNfe!Z|0zWFiS&LG zzFhJ!^ij>gTayP)+9Dr2;^UTAz7I!5pxEz=Tqm!O-`Ke-eJsPvlO{N47NnXJj5Fe` z7Lan|zbzpo)%E#Xk%4=sD6E|!Qy{FCpwQ9%wz>0O1VCMd5X$C}!`Ifa{9*roPk$|S z$NpS{*nbH5>)cWB0VcIS4hU9y4Wl2)M_+6exv`)8x66-47_ctnR(0izn+hSnY}#K_ z6(Az;NYB!rwz2p*N{7>wS$XR`1OIpKKTLSwEWH*lg zfy3ADwdN*X2AnvDYHmA@6gRuMpm;puk)`X-Idzv9H3G;C|LP$2vGjhhOGb}CMl8La zD_mJ*AnrAACydq`)k@nE`NdZEPv=M#@_FAUo3Fe*AJAxz^5z}Bz{JR0j883E5%EYa?tOXcEGsRl!Y~gKz8Je9L58%wPo6kmE)|9=E~{^Z(bcs z4+8<)gG%SO301jH=(#u+vqxc9@i&U72Smf&8JOTX74fMuMh+k=y@-~p$p~T4%<7`r!O%vU;!`YL8}-hv`ozu z6QAEDMZtaXI$}c9lH?OBZFLv$b>B7DWKXIGipIB9EnM&{vEJXwav4pLT#QC>9bF2CG9E8;X3lVRm3 zD2JS9(v4nw9L(gN^t_f<^#W|@(-B?HHlIneAl9eraI3r@E5it6@v|Y@V%nn$S!TN* zQbN{@Sms3Yjk_@jz9#)vU5o5x3=|RELbCR7UFn8szn3xQ&G(V^NEAzDGUN?~=D(`j zcCK>C;IO$m1o>LHyi&#NpB7dJpLQvS#+s*ugP6L4<==X9hdT68lk@Q!RMEtww4_Jl zya~82`6oMaLNKSJtFcPpE62N8N0g^)sjL@{q+Vv3tGLK1IqA_EUs-c=m`=l8E{}j| zn0IWxAA>j3ETT-+hamKguNO^l<~tGTggJZ6ZMo1?&BWxx%U7fv7QP30V5Ww2=vN$6xz^<&op;&83Lo)o1vPw);OU0%=I-Xb*jy(gyK+Z@RZexeqiH%k`b1jFhUye%Rv$BMhd z6Ri{%%s21M5wX<-K6@^rw%xTv7a2jH$ytcxqKn#@`$amA{ZGW1-nw8xzwO`#85lkz1d-Mf0As9fcvCuTma;wj+wj zk7`DGF1=4LXbB(Uc7;mNJV!sy$i<<0n~H|~F0q9#2k?cR-WaG+EgZVsRho({f7^2_ zuCjIQk&?N^_rzjeIeVOB8=36GH!5gYUE7IKc2Y!k&ohNgv`@ubP{(4am0>PiSc#6{ z&>XM)6c(>XXR!a+Z^9WD%Ixz=^f9QjoA5S|NVJhd1Wso-DtMEPEw z@2XD?#EAmOQr2*>>kmQjGWhn&H2qm!A1+$#wxmwAP?>hkkx#2-n#Kgg-J8W=g_(%9 zrX|$r4Gv<)^9bb^OJ!gD3WYWwwrH;X#XQxm@RUmlH81WF@9oUntLz$2&rpuSY4Et# z6pqkRE+R5Kw7d(uQ}a$cTMQY)Ft^quH)u-3A2c7<@Dyq#+p?60H;OWo+TMAEySR9E 
zr>2AalWPYY@?p`1rPpP^9wKk&oyAZ`72c+G3+*_CWx+j{ttIeL-S<)6N8C18alPHf z!-y1*>xe24v_MPAzqoB%QLC_b!@gx6ZG-cEv3%D86WY0M41Q6$wkWV-7{4;D=;ipz z_Ylpvf_#X)8axLK5=2xj~-gJx1ntjv13k2!9$ORUAs1XDFcXEhwoev2E-%o0{tC11kf5RURP99{^@ zN|xM*v8|0JMQ_);q%cBBS75(?eD+uW3qevh=na$xllsvYv+CnVT#^#EEq}O$vC$lR z9LIf|Jdcy_vR{zlgAepT!n=a=u2YnAkGfoGj^f3S>%!975)I!~J`J8(icrWBeiEJr zu>&nAe`a@_xRhF`{Mu8~YrVaR>>$6X7JMDVgBR+AHn~T;{55nJmxBs>$Pqglw>+37DQy(@Xe5mn$EEpAj~q5Ji$e(4ZZv`1)iTH%J!X2NVbpYDyF zdSIf~`LPfZk#oKRU*^M>=icv;Tz#-UUR8^{rf|C>6k}{G@@CaaN59gIE)!M)Q5cPP z8M~bby$rs){lpji!V4_zHrEi@a%z(++9Ut2y!wQ(2xebjV=)t2fl$#n|MCd07<^-; zq)Wb?I}d~>Cg$ULWS^_l{%kl=Z>>$+3K1?mg%UotFDq(6T1b-Z_L~z&TwhM1-5~XE z66kULChp)HX)Cwx_+FTb!%HCSZ@8T9b?(vMa1!y{HW@4KJ)FTGVexFH*=o_pTI!5o z%qD9$m;+)Px=i1oK zkjtEsb?4zImv_#GXeX@6exXIfFm2fD(!q6Q!N^S)r!jhOoqYm(v!?{!FlubZDgT+% zZC=fJUDD~WWq^~g1U@}|{8vLmXYIhzGZ70RrZc2G{0XmR6R!J$ zt$~=bSUg`feUkoj+F_=%1JYLn()dgkLS(R`?%+)>%%+nnInU#o(xS*_^LYub+&S*cgYMdDPdm6610?I?04)o_X-~OybHmd1&SMiVZ4n zY#vFg+g8SsV>eypEfr)m1zN0@^hK`PnGQqsEX`TQM7S|mB(Hz(7b{cE(N^~pe0Gup9^ze_>vY#i-8<16 zk)d;Q4PtdiHSUgXRyxSWFfOTw-0;Z9~G{xH`30>vQ# zaDv~Dmgq8)Yf_6~xGj9ZF=Q=fS{(IB$tbFyv^M@B=^hHb5tpy4nda9&TP!etUl#e= zdP)}S+S?y)J&0{k{_@AONb_*wLC+6AL-P2&!x>eB@jF9XD9F z81?JSB*-g6D(o4s;Q6roTRYw^X^r<{{N^>n67*;gOx1 z`^%W+p%34#S$=DR9$iiz+jREQ;I1APc=u5Oam^00a?3~zrf5u)tx#bSl?^1Ocg%gc z80@dVwk9f__d@lVv!%nhVx(7@kFmW&1nXw`H4=`slaG_{Qq9w{*;Rw(DWRbYFUWV)}`Hq4^D zyTLCZ&7affa@?wC)b>eqotIM0H@V>>%gVZ_V|ALkCU|K>c_NI_P9#$9_9b%g8m4qp zJYk~^mt$Rfu!^FA1AS`WaLDn{0chLcfr^5zg=6kbc7qu|eTQN+`zAqrsk*4tFe>wO zk>8t@6F!I#RGL}^PA#(5dawZ;#}`S)udMm-0}1w?H@$xQbV|86% z^yVi5Wrv2cssbEQN2zeqeeH@teO^4ov^0cdHC`9qlcpa2Ua;IavNpvEpE>jNb&*yb zJ`_*b?sre5XPj7jp4uaKVTm<-QdB$XO2rm;7fy$zYiRQD{Ygn}a6K;(9sXp!sKI^U zCf=G-#P7HHq3z?4^wqc-yH(uk6I9MYmeD5s*)Y?API^c=AB=b4?2OK3RQ}yHt|h*L z>txm*-gleUW$=#4QnDs4s)?%;c@4dM#7{A8<~oSA-qm(M`dwu=J>uQaz1I4tIQu(# z<+-*n)gflFc(_r8Zc?fJ=&Xy~G3zzTVzO;NR8RVmWeHV$ zkeu3Z+WP2VzU?(cloipS=n}42SHfQ@Hmy&#MNHb&TFtJ&qOovIK#2GtD#R+{fxBPH 
z7(1!RSoC1lI{SuQJNrTNad^?-UqpyM7O(!>?8jM2PsW{RxX0M#(r@^WjlIXh{Ox+7 zfp=n=wOysluW?#ZvsmMrfFm@_5+P*3oOD~~!u{$Smz?izR08WCds-D@4-${)GM-x} zxxxRhJ-U2-WqQoz4M-}mdkWbRel8^5GB#QVK@ zraW|C;Ds#U*~m{@falMhk<8v#ncm}cpW({0_`ea-Rg-Q?NYyqj3^)4xXH&|ZX?cqS z%^d$)05`%4vSEf8;31(z_TH|e`@zpR^O>)Ywh&$l%Ur<53bs?~wExafvfJ;8{UGf^! zuaB(NfXi^(dQt+erA9Uf%{V-RE%o`8qx(uTfG4xD0gZvDzm|Y_aPn1cHqz9-vsB`d z-LXl?9w=1%`i+2-WMgw2ppPQD`Z z`EkMDwy$sQPVTg{XmgBwt}^fZy`y@cFCV)l%j_d8G3B!^aQW_|OM9337-{53-kSWS z5mX3*>bP9c_Jo!V&*FdAc5U@C{~SYicpi&K+oviyr4*RFf8~O^u|W5&)dhxXivW+;4B+m^ z&!G7>sH1B^Q%}GnfD)TPC16tXr`Y?|S;1}a37!+-usZc;7;uFCr}A^N)Qygn_xf{q zZozi1Mn%Kh*62#U#z$MJl*GJe(W~azt7h1 zi?99FoNjXK$Gz_zwa}y~5G4&aw*J@K)AinOcRjm)<=s-<&U^oi*PoyEw|)Na$c^?e zpJY43J38Lx_o~`|o&Enu{)*`SZFU!qecvDY_r?Byj9*{>e;Kmz&HcT=P$1m7(un;DGYcXV-Hq4ihlVcMM;G6CSEGMm1U!YTZuMdB*S9wvwGG^#7+q=8ka!TbHwJP=+o{k6+kq9}=HGc6T5-yBd>QYrf5z^n>rzgli?B zbI0?~o|3vh#U%NNDDc23*wK&RbL&Jo-sgSko3VE@6NgZ70g|HHp?(Wy!KDE;UCfbmdatp_onboard.json ``` -## Create Puppet manifests +## Create Puppet manifest -You need to create a puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by puppet server. +You need to create a puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by puppet server. This example makes use of *apt* module available from puppetlabs and assumes that apt module has been installed on your puppet server. + +Create a folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your puppet installation. This typically is located in */etc/puppetlabs/code/environments/production/modules* on your puppet server. Copy the mdatp.json file created in above step to *install_mdatp/files* folder. Create *init.pp* file which will contain the deployment instructions. 
+ +```bash +$ pwd +/etc/puppetlabs/code/environments/production/modules + +$ tree install_mdatp +install_mdatp +├── files +│   └── mdatp_onboard.json +└── manifests + └── init.pp +``` + +Contents of *install_mdatp/manifests/init.pp* + +```puppet +class install_mdatp { + + if ($osfamily == 'Debian') { + apt::source { 'microsoftpackages' : + location => 'https://packages.microsoft.com/ubuntu/18.04/prod', # change the version based on your OS + release => 'stable', + repos => 'main', + key => { + 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF', + 'server' => 'https://packages.microsoft.com/keys/microsoft.asc', + }, + } + } + else { + yumrepo { 'microsoftpackages' : + baseurl => 'https://packages.microsoft.com/rhel/7/prod', # change the version based on your OS + enabled => 1, + gpgcheck => 1, + gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc' + } + } + + package { 'mdatp': + ensure => 'installed', + } + + file { ['/etc', '/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']: + ensure => directory, + } + file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': + mode => "0644", + source => 'puppet:///modules/install_mdatp/mdatp_onboard.json', + } +} +``` ## Deployment +Include the above manifest in your site.pp file. + +```bash +$ cat /etc/puppetlabs/code/environments/production/manifests/site.pp +node "default" { + include install_mdatp +} +``` + Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected. ## Monitoring puppet deployment - -You can also check the onboarding status: +On the agent machine, you can also check the onboarding status by running: ```bash $ mdatp --health 
@@ -95,6 +155,7 @@ $ mdatp --health healthy The above command prints "1" if the product is onboarded and functioning as expected. If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem: + - 1 if the device is not yet onboarded - 3 if the connection to the daemon cannot be established—for example, if the daemon is not running @@ -104,3 +165,12 @@ See [Logging installation issues](microsoft-defender-atp-linux-resources.md#logg ## Uninstallation +Create a module *remove_mdatp* similar to *install_mdatp* with following contents in *init.pp* file + +```bash +class remove_mdatp { + package { 'mdatp': + ensure => 'purged', + } +} +``` From 415e7b425a92912678ffc5b1868df2174cbfc8a9 Mon Sep 17 00:00:00 2001 From: Amrut Kale Date: Tue, 22 Oct 2019 17:24:01 +0530 Subject: [PATCH 08/17] Removed ansible and other configtool files Not ready for ring0 --- ...defender-atp-linux-install-with-ansible.md | 259 ------------------ ...atp-linux-install-with-other-configtool.md | 79 ------ 2 files changed, 338 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-ansible.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-other-configtool.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-ansible.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-ansible.md deleted file mode 100644 index 84088ccd42..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-ansible.md +++ /dev/null 
@@ -1,259 +0,0 @@ ---- -title: Installing Microsoft Defender ATP for Mac with JAMF -ms.reviewer: -description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dansimp -author: dansimp -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# JAMF-based deployment - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) - -This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps: -- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) -- [Create JAMF policies](#create-jamf-policies) -- [Client device setup](#client-device-setup) -- [Deployment](#deployment) -- [Check onboarding status](#check-onboarding-status) - -## Prerequisites and system requirements - -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. - -In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. 
- -## Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > device Management > Onboarding**. -2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_DownloadPackages.png) - -5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: - - ```bash - $ ls -l - total 721160 - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - $ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - ``` - -## Create JAMF policies - -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client devices. - -### Configuration Profile - -The configuration profile contains a custom settings payload that includes: - -- Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver - -To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. 
You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list. - - >[!IMPORTANT] - > You must set the Preference Domain as "com.microsoft.wdav.atp" - -![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) - -### Approved Kernel Extension - -To approve the kernel extension: - -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. - -![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) - -### Privacy Preferences Policy Control - -> [!CAUTION] -> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. -> -> If you previously configured Microsoft Defender ATP through JAMF, we recommend applying the following configuration. - -Add the following JAMF policy to grant Full Disk Access to Microsoft Defender ATP. - -1. Select **Options > Privacy Preferences Policy Control**. -2. Use any identifier and identifier type = Bundle. -3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`. -4. Set app or service to SystemPolicyAllFiles and access to Allow. - -![Privacy Preferences Policy Control](images/MDATP_35_JAMF_PrivacyPreferences.png) - -#### Configuration Profile's Scope - -Configure the appropriate scope to specify the devices that will receive the configuration profile. 
- -Open **Computers** > **Configuration Profiles**, and select **Scope > Targets**. From there, select the devices you want to target. - -![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) - -Save the **Configuration Profile**. - -Use the **Logs** tab to monitor deployment status for each enrolled device. - -### Package - -1. Create a package in **Settings > Computer Management > Packages**. - - ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) - -2. Upload the package to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, _wdav.pkg_. - -### Policy - -Your policy should contain a single package for Microsoft Defender. - -![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) - -Configure the appropriate scope to specify the computers that will receive this policy. - -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled device. - -## Client device setup - -You'll need no special provisioning for a macOS computer, beyond the standard JAMF Enrollment. - -> [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). - -1. Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - -![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) -![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) - -After a moment, the device's User Approved MDM status will change to **Yes**. - -![MDM status screenshot](images/MDATP_23_MDMStatus.png) - -You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. 
- -## Deployment - -Enrolled client devices periodically poll the JAMF Server, and install new configuration profiles and policies as soon as they are detected. - -### Status on the server - -You can monitor deployment status in the **Logs** tab: - -- **Pending** means that the deployment is scheduled but has not yet happened -- **Completed** means that the deployment succeeded and is no longer scheduled - -![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - -### Status on client device - -After the Configuration Profile is deployed, you'll see the profile for the device in **System Preferences** > **Profiles >**. - -![Status on client screenshot](images/MDATP_25_StatusOnClient.png) - -Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner. - -![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -You can monitor policy installation on a device by following the JAMF log file: - -```bash - $ tail -f /var/log/jamf.log - Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. - Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... - Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV - Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. -``` - -You can also check the onboarding status: - -```bash -$ mdatp --health -... -licensed : true -orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45" -... -``` - -- **licensed**: This confirms that the device has an ATP license. - -- **orgid**: Your Microsoft Defender ATP org id; it will be the same for your organization. 
- -## Check onboarding status - -You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status: - -```bash -$ mdatp --health healthy -``` - -The above command prints "1" if the product is onboarded and functioning as expected. - -If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem: -- 1 if the device is not yet onboarded -- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running - -## Logging installation issues - -See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. - -## Uninstallation - -This method is based on the script described in [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling). - -### Script - -Create a script in **Settings > Computer Management > Scripts**. - -This script removes Microsoft Defender ATP from the /Applications directory: - -```bash - #!/bin/bash - - echo "Is WDAV installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Uninstalling WDAV..." - rm -rf '/Applications/Microsoft Defender ATP.app' - - echo "Is WDAV still installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Done!" -``` - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -### Policy - -Your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-other-configtool.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-other-configtool.md deleted file mode 100644 index 91a5f56395..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-other-configtool.md +++ /dev/null 
@@ -1,79 +0,0 @@ ---- -title: Installing Microsoft Defender ATP for Mac with different MDM product -description: Describes how to install Microsoft Defender ATP for Mac on other management solutions. -keywords: microsoft, defender, atp, mac, installation, deploy, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: mavel -author: maximvelichko -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Deployment with a different Mobile Device Management (MDM) system - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) - -## Prerequisites and system requirements - -Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. - -## Approach - -> [!CAUTION] -> Currently, Microsoft oficially supports only Intune and JAMF for the deployment and management of Microsoft Defender ATP for Mac. Microsoft makes no warranties, express or implied, with respect to the information provided below. - -If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does not mean you are unable to deploy or run Microsoft Defender ATP for Mac. - -Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features: - -- Deploy a macOS .pkg to managed machines. -- Deploy macOS system configuration profiles to managed machines. -- Run an arbitrary admin-configured tool/script on managed machines. - -Most modern MDM solutions include these features, however, they may call them differently. 
- -You can deploy Defender without the last requirement from the preceding list, however: - -- You will not be able to collect status in a centralized way -- If you decide to uninstall Defender, you will need to logon to the client machine locally as an administrator - -## Deployment - -Most MDM solutions use the same model for managing macOS machines, with similar terminology. Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template. - -### Package - -Configure deployment of a [required application package](microsoft-defender-atp-mac-install-with-jamf.md#package), -with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). - -In order to deploy the package to your enterprise, use the instructions associated with your MDM solution. - -### License settings - -Set up [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile). -Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS. - -Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). -Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. -Alternatively, it may require you to convert the property list to a different format first. - -Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value. 
-MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender uses this file for loading the onboarding information. - -### Kernel extension policy - -Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft. - -## Check installation status - -Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine to check the onboarding status. From 19122f00b630b3cbce6680ff276f0eb9d1d8c9c6 Mon Sep 17 00:00:00 2001 From: Amrut Kale Date: Tue, 22 Oct 2019 18:19:00 +0530 Subject: [PATCH 09/17] Updated pua handling and updates Updated pua handling and updates --- ...-defender-atp-linux-install-with-puppet.md | 2 +- .../microsoft-defender-atp-linux-pua.md | 21 +- .../microsoft-defender-atp-linux-updates.md | 202 ++---------------- 3 files changed, 25 insertions(+), 200 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md index 9cd981bd65..63a75eb001 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md 
@@ -46,7 +46,7 @@ Download the onboarding package from Windows Defender Security Center: 2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. 3. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_page.png) + ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_win_intune.png) 4. From a command prompt, verify that you have the file. Extract the contents of the .zip file and create mdatp_onboard.json file as follows diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md index 2696590c99..2ff866b692 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md @@ -1,8 +1,8 @@ --- title: Detect and block potentially unwanted applications ms.reviewer: -description: Describes how to detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, pua, pus +description: Describes how to detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, pua, pus search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -22,9 +22,9 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) -The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Mac can detect and block PUA files on endpoints in your network. +The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Linux can detect and block PUA files on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. 
@@ -32,13 +32,16 @@ These applications can increase the risk of your network being infected with mal ## How it works -Microsoft Defender ATP for Mac can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. +Microsoft Defender ATP for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. -When a PUA is detected on an endpoint, Microsoft Defender ATP for Mac presents a notification to the user, unless notifications have been disabled. The threat name will contain the word "Application". +When a PUA is detected on an endpoint, Microsoft Defender ATP for Linux presents a notification to the user, unless notifications have been disabled. The threat name will contain the word "Application". + +> [!NOTE] +> **TODO:** Reword for Linux ## Configure PUA protection -PUA protection in Microsoft Defender ATP for Mac can be configured in one of the following ways: +PUA protection in Microsoft Defender ATP for Linux can be configured in one of the following ways: - **Off**: PUA protection is disabled. - **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No notification is presented to the user and no action is taken by the product. 
@@ -59,8 +62,8 @@ $ mdatp --threat --type-handling potentially_unwanted_application [off|audit|blo ### Use the management console to configure PUA protection: -In your enterprise, you can configure PUA protection from a management console, such as JAMF or Intune, similarly to how other product settings are configured. For more information, see the [Threat type settings](microsoft-defender-atp-mac-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md) topic. +In your enterprise, you can configure PUA protection from a management console, such as Puppet, similarly to how other product settings are configured. For more information, see the [Threat type settings](microsoft-defender-atp-linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-preferences.md) topic. ## Related topics -- [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md) \ No newline at end of file +- [Set preferences for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-preferences.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md index 50267f26bb..a75a02fd2d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-updates.md 
@@ -1,8 +1,8 @@ --- -title: Deploy updates for Microsoft Defender ATP for Mac +title: Deploy updates for Microsoft Defender ATP for Linux ms.reviewer: -description: Describes how to control updates for Microsoft Defender ATP for Mac in enterprise environments. -keywords: microsoft, defender, atp, mac, updates, deploy +description: Describes how to control updates for Microsoft Defender ATP for Linux in enterprise environments. +keywords: microsoft, defender, atp, linux, updates, deploy search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -18,202 +18,24 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Deploy updates for Microsoft Defender ATP for Mac +# Deploy updates for Microsoft Defender ATP for Linux **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. -To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually. +To update Microsoft Defender ATP for Linux manually, execute command -![MAU screenshot](images/MDATP_34_MAU.png) +- ### For Debian family distros -If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization. - -## Use msupdate - -MAU includes a command-line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate). - -In MAU, the application identifier for Microsoft Defender ATP for Mac is *WDAV00*. 
To download and install the latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window: - -``` -./msupdate --install --apps wdav00 +```bash +sudo apt-get install --only-upgrade mdatp ``` -## Set preferences for Microsoft AutoUpdate +- ### For Redhat family distros -This section describes the most common preferences that can be used to configure MAU. These settings can be deployed as a configuration profile through the management console that your enterprise is using. An example of a configuration profile is shown in the following sections. - -### Set the channel name - -The channel determines the type and frequency of updates that are offered through MAU. Devices in `InsiderFast` (corresponding to the Insider Fast channel) can try out new features before devices in `External` (corresponding to the Insider Slow channel) and `Production`. - -The `Production` channel contains the most stable version of the product. - ->[!TIP] ->In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `InsiderFast` or `External`. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | ChannelName | -| **Data type** | String | -| **Possible values** | InsiderFast
External
Production | - -### Set update check frequency - -Change how often MAU searches for updates. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | UpdateCheckFrequency | -| **Data type** | Integer | -| **Default value** | 720 (minutes) | -| **Comment** | This value is set in minutes. | - -### Change how MAU interacts with updates - -Change how MAU searches for updates. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | HowToCheck | -| **Data type** | String | -| **Possible values** | Manual
AutomaticCheck
AutomaticDownload | -| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. | - -### Change whether the "Check for Updates" button is enabled - -Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | EnableCheckForUpdatesButton | -| **Data type** | Boolean | -| **Possible values** | True (default)
False | - -### Disable Insider checkbox - -Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | DisableInsiderCheckbox | -| **Data type** | Boolean | -| **Possible values** | False (default)
True | - -### Limit the telemetry that is sent from MAU - -Set to false to send minimal heartbeat data, no application usage, and no environment details. - -||| -|:---|:---| -| **Domain** | com.microsoft.autoupdate2 | -| **Key** | SendAllTelemetryEnabled | -| **Data type** | Boolean | -| **Possible values** | True (default)
False | - -## Example configuration profile - -The following configuration profile is used to: -- Place the device in the Insider Fast channel -- Automatically download and install updates -- Enable the "Check for updates" button in the user interface -- Allow users on the device to enroll into the Insider channels - -### JAMF - -```XML - - - - - ChannelName - InsiderFast - HowToCheck - AutomaticDownload - EnableCheckForUpdatesButton - - DisableInsiderCheckbox - - SendAllTelemetryEnabled - - - +```bash +sudo yum update mdatp ``` - -### Intune - -```XML - - - - - PayloadUUID - B762FF60-6ACB-4A72-9E72-459D00C936F3 - PayloadType - Configuration - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.autoupdate2 - PayloadDisplayName - Microsoft AutoUpdate settings - PayloadDescription - Microsoft AutoUpdate configuration settings - PayloadVersion - 1 - PayloadEnabled - - PayloadRemovalDisallowed - - PayloadScope - System - PayloadContent - - - PayloadUUID - 5A6F350A-CC2C-440B-A074-68E3F34EBAE9 - PayloadType - com.microsoft.autoupdate2 - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.autoupdate2 - PayloadDisplayName - Microsoft AutoUpdate configuration settings - PayloadDescription - - PayloadVersion - 1 - PayloadEnabled - - ChannelName - InsiderFast - HowToCheck - AutomaticDownload - EnableCheckForUpdatesButton - - DisableInsiderCheckbox - - SendAllTelemetryEnabled - - - - - -``` - -To configure MAU, you can deploy this configuration profile from the management tool that your enterprise is using: -- From JAMF, upload this configuration profile and set the Preference Domain to *com.microsoft.autoupdate2*. -- From Intune, upload this configuration profile and set the custom configuration profile name to *com.microsoft.autoupdate2*. - -## Resources - -- [msupdate reference](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate) \ No newline at end of file 
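Review bot: In microsoft-defender-atp-linux-pua.md (hunk `@@ -32,13 +32,16 @@`), the added `> [!NOTE] > **TODO:** Reword for Linux` block would be published as reader-facing text. Track the open item in the PR or an issue instead, and settle the sentence it refers to before merge: the paragraph still promises a user notification and a threat name containing "Application", wording carried over from the Mac page that nothing in this patch confirms for the Linux client.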
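Review bot: In microsoft-defender-atp-linux-updates.md (hunk `@@ -18,202 +18,24 @@`), the Debian command `sudo apt-get install --only-upgrade mdatp` upgrades only to the version present in the local package index, so without a preceding `sudo apt-get update` it can report mdatp as current while a newer build sits in the repository. Add the index refresh as the first step. The front matter description kept in the `@@ -1,8 +1,8 @@` hunk still promises "how to control updates ... in enterprise environments", but everything about channels, check frequency and managed deployment is removed and only the manual command remains; either narrow the description or add the Linux equivalent. Smaller points: `- ### For Debian family distros` puts a heading inside a list item, "execute command" needs an article and a colon, and "Redhat" should be "Red Hat".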
From 45ff7b35a75022791a9fb7bf79f008c662e11e10 Mon Sep 17 00:00:00 2001 From: Amrut Kale Date: Tue, 22 Oct 2019 18:36:52 +0530 Subject: [PATCH 10/17] Update linux resources and preferences document Update linux resources and preferences document --- .../microsoft-defender-atp-linux-preferences.md | 2 +- .../microsoft-defender-atp-linux-resources.md | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md index c203ebd24c..9a8245fa7f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md @@ -331,4 +331,4 @@ The following configuration profile contains entries for all settings described ## Configuration profile deployment -Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. +Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft M reads the managed configuration from the file */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md index 2f67653ec0..dffd8f9839 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md 
@@ -1,8 +1,8 @@ --- -title: Microsoft Defender ATP for Mac Resources +title: Microsoft Defender ATP for Linux Resources ms.reviewer: -description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +description: Describes resources for Microsoft Defender ATP for Linux, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product. +keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -22,7 +22,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) ## Collecting diagnostic information @@ -64,7 +64,7 @@ The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If ## Uninstalling -There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. +There are several ways to uninstall Microsoft Defender ATP for Linux. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. ### Interactive uninstallation From 11268bd85f98d8a9b485057288b55927e16e504a Mon Sep 17 00:00:00 2001 From: Amrut Kale Date: Tue, 22 Oct 2019 18:42:53 +0530 Subject: [PATCH 11/17] Minor fixes Minor fixes --- .../microsoft-defender-atp-linux-install-with-puppet.md | 1 - 1 file changed, 1 deletion(-) 
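Review bot: In PATCH 10/17, microsoft-defender-atp-linux-preferences.md (hunk `@@ -331,4 +331,4 @@`), the added sentence names the product as "Microsoft M", which looks like a truncated product name, and it has no closing period. Since this sentence introduces the path that managed settings are read from, also state the expected owner and permissions of */etc/opt/microsoft/mdatp/managed/mdatp_managed.json*, so that administrators deploy it as a root-owned file that unprivileged users cannot rewrite.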
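Review bot: In PATCH 10/17, microsoft-defender-atp-linux-resources.md (hunk `@@ -64,7 +64,7 @@`), only the product name changes in the Uninstalling paragraph, so the Linux page now says that centrally managed uninstall "is available on JAMF" and is "not yet available for Microsoft Intune", which are the management tools of the Mac page this text was copied from. Replace that with the Linux tooling this series documents (Puppet, Ansible) or drop the sentence. The context line just above has the same problem: /Library/Logs/Microsoft/mdatp/install.log is a macOS path. In the `@@ -1,8 +1,8 @@` hunk the new keywords list contains `linux` twice.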
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md index 63a75eb001..2977bcf490 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md @@ -28,7 +28,6 @@ This topic describes how to deploy Microsoft Defender ATP for Linux through Pupp - [Download installation and onboarding packages](#download-onboarding-package) - [Create Puppet manifest](#create-puppet-manifest) -- [Client device setup](#client-device-setup) - [Deployment](#deployment) - [Check onboarding status](#check-onboarding-status) From b89daf5ed14730bc2e44faedf043e62e5317cda2 Mon Sep 17 00:00:00 2001 From: Amrut Kale Date: Thu, 24 Oct 2019 12:36:47 +0530 Subject: [PATCH 12/17] Incorporated review comments. --- ...oft-defender-atp-linux-install-manually.md | 53 +++++++++---------- ...-defender-atp-linux-install-with-puppet.md | 14 ++--- ...icrosoft-defender-atp-linux-preferences.md | 25 +-------- .../microsoft-defender-atp-linux-resources.md | 13 ++--- .../microsoft-defender-atp-linux.md | 17 +----- 5 files changed, 42 insertions(+), 80 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md index 7116f0b7ef..7e214e9a60 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-manually.md 
@@ -39,30 +39,24 @@ Before you get started, see [the main Microsoft Defender ATP for Linux page](mic Follow the steps given in [Configure Microsoft's Linux Software Repository](https://docs.microsoft.com/en-us/windows-server/administration/linux-package-repository-for-microsoft-software) to setup the repository. -> [!NOTE] -> * **TODO:** Use a forward link for above instead of URL -> * I am assuming that ring 0 customers will download the onboarding package from ATP portal - ## Download onboarding package -Download the onboarding package from Windows Defender Security Center: +Download the onboarding package from Microsoft Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In the first drop down, set operating system to **Windows 10** and in second drop down, Deployment method to **Mobile Device Management / Microsoft Intune**. +3. Click on **Download package**. Save it as WindowsDefenderATPOnboardingPackage.zip. - ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_page.png) + ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_win_intune.png) 4. From a command prompt, verify that you have the file. 
- Extract the contents of the .zip file: + Extract the contents of the .zip file and create mdatp_onboard.json file as follows: ```bash $ ls -l total 8 -rw-r--r-- 1 test staff 6287 Oct 21 11:22 WindowsDefenderATPOnboardingPackage.zip - $ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py + $ unzip -p WindowsDefenderATPOnboardingPackage.zip | python -c 'import sys,json;data={"onboardingInfo":"\n".join(sys.stdin.readlines())};print(json.dumps(data));' >mdatp_onboard.json ``` ## Application installation @@ -74,13 +68,13 @@ To complete this process, you must have admin privileges on the machine. - ### Enterprise Linux (RHEL and variants) ```bash - sudo yum install mdatp + sudo yum -y install mdatp ``` - ### Ubuntu and Debian systems ```bash - sudo apt-get install mdatp + sudo apt-get -y install mdatp ``` @@ -94,14 +88,11 @@ To complete this process, you must have admin privileges on the machine. $ mdatp --health orgId ``` -2. Run the Python script to install the configuration file: +2. Copy the mdatp_onboard.json created in earlier step to /etc/opt/microsoft/mdatp_onboard.json ```bash - $ /usr/bin/python WindowsDefenderATPOnboarding.py - Generating /etc/opt/microsoft/mdatp/mdatp_onboard.json ... (You may be required to enter sudo password) + $ sudo cp mdatp.json /etc/opt/microsoft/mdatp/mdatp_onboard.json ``` -> [!NOTE] -> **TODO:** verify the path associated with above command. 3. Verify that the machine is now associated with your organization and reports a valid *orgId*: 
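Review bot: In step 2 of this hunk (install-manually.md, @@ -94,14 +88,11 @@) the new command copies `mdatp.json`, but the extraction step earlier in the same file writes `mdatp_onboard.json`, so a reader following the page has no file with that name to copy. The step text also gives the destination as /etc/opt/microsoft/mdatp_onboard.json while the command writes to /etc/opt/microsoft/mdatp/mdatp_onboard.json. Suggest `sudo cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json` and the same path in the sentence above it. Since the file carries the organization's onboarding info, it would also help to state the ownership and mode it is expected to have after the copy.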
@@ -110,15 +101,23 @@ To complete this process, you must have admin privileges on the machine. E6875323-A6C0-4C60-87AD-114BBE7439B8 ``` -After installation, you can see the status by running the following command: +4. After installation, you can see the status by running the following command: -```bash -$ mdatp --health healthy -1 -``` + ```bash + $ mdatp --health healthy + 1 + ``` -> [!NOTE] -> **TODO:** Should we add eicar detection step? +5. Run a detection test +To verify that the machine is properly onboarded and reporting to the service, take the following steps on the newly onboarded machine: + + - Ensure Real-time protection setting is ON ```mdatp --health realTimeProtectionEnabled``` + - Open a Terminal window +Copy and run the command below: + + ``` bash + curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt + ``` ## Logging installation issues diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md index 2977bcf490..3731d54b7c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-install-with-puppet.md 
@@ -35,20 +35,20 @@ This topic describes how to deploy Microsoft Defender ATP for Linux through Pupp Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. -In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have a Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported puppet modules such as *apt*, *lsb-release* to help deploy the package. Your organization might use a different workflow. +In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have a Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported puppet modules such as *apt* to help deploy the package. Your organization might use a different workflow. Please refer to [Puppet documentation](https://puppet.com/docs) for details. ## Download onboarding package -Download the onboarding package from Windows Defender Security Center: +Download the onboarding package from Microsoft Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In the first drop down, set operating system to **Windows 10** and in second drop down, Deployment method to **Mobile Device Management / Microsoft Intune**. +3. Click on **Download package**. 
Save it as WindowsDefenderATPOnboardingPackage.zip. ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_win_intune.png) 4. From a command prompt, verify that you have the file. - Extract the contents of the .zip file and create mdatp_onboard.json file as follows + Extract the contents of the .zip file and create mdatp_onboard.json file as follows: ```bash $ ls -l @@ -61,7 +61,7 @@ Download the onboarding package from Windows Defender Security Center: You need to create a puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by puppet server. This example makes use of *apt* module available from puppetlabs and assumes that apt module has been installed on your puppet server. -Create a folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your puppet installation. This typically is located in */etc/puppetlabs/code/environments/production/modules* on your puppet server. Copy the mdatp.json file created in above step to *install_mdatp/files* folder. Create *init.pp* file which will contain the deployment instructions. +Create a folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your puppet installation. This typically is located in */etc/puppetlabs/code/environments/production/modules* on your puppet server. Copy the mdatp_onboard.json file created in above step to *install_mdatp/files* folder. Create *init.pp* file which will contain the deployment instructions. ```bash $ pwd diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md index 9a8245fa7f..eb249f3fe3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-preferences.md @@ -35,13 +35,9 @@ This topic describes the structure of this profile (including a recommended prof The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences. -The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections. +Typically, you would use a configuration management tool to push a file with name ```mdatp_maanged.json``` at location ```/etc/opt/microsoft/mdatp/managed/``` ->[!NOTE] -> **TODO:** -> * Should Domain be removed from all the entries below? -> * Should we add path to wdavcfg? -> * Verify each of below? +The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections. ### Antivirus engine preferences @@ -49,7 +45,6 @@ The *antivirusEngine* section of the configuration profile is used to manage the ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | antivirusEngine | | **Data type** | Dictionary (nested preference) | | **Comments** | See the following sections for a description of the dictionary contents. | @@ -60,7 +55,6 @@ Whether real-time protection (scan files as they are accessed) is enabled or not ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | enableRealTimeProtection | | **Data type** | Boolean | | **Possible values** | true (default)
false | @@ -76,7 +70,6 @@ Whether the antivirus engine runs in passive mode or not. In passive mode: ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | passiveMode | | **Data type** | Boolean | | **Possible values** | false (default)
true | @@ -88,7 +81,6 @@ Entities that have been excluded from the scan. Exclusions can be specified by f ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | exclusions | | **Data type** | Dictionary (nested preference) | | **Comments** | See the following sections for a description of the dictionary contents. | @@ -99,7 +91,6 @@ Specifies the type of content excluded from the scan. ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | $type | | **Data type** | String | | **Possible values** | excludedPath
excludedFileExtension
excludedFileName | @@ -110,7 +101,6 @@ Used to exclude content from the scan by full file path. ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | path | | **Data type** | String | | **Possible values** | valid paths | @@ -122,7 +112,6 @@ Indicates if the *path* property refers to a file or directory. ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | isDirectory | | **Data type** | Boolean | | **Possible values** | false (default)
true | @@ -134,7 +123,6 @@ Used to exclude content from the scan by file extension. ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | extension | | **Data type** | String | | **Possible values** | valid file extensions | @@ -146,7 +134,6 @@ Used to exclude content from the scan by file name. ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | name | | **Data type** | String | | **Possible values** | any string | @@ -158,7 +145,6 @@ List of threats (identified by their name) that are not blocked by the product a ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | allowedThreats | | **Data type** | Array of strings | @@ -168,7 +154,6 @@ The *threatTypeSettings* preference in the antivirus engine is used to control h ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | threatTypeSettings | | **Data type** | Dictionary (nested preference) | | **Comments** | See the following sections for a description of the dictionary contents. | @@ -179,7 +164,6 @@ Type of the threat for which the behavior is configured. ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | key | | **Data type** | String | | **Possible values** | potentially_unwanted_application
archive_bomb | @@ -194,7 +178,6 @@ Action to take when coming across a threat of the type specified in the precedin ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | value | | **Data type** | String | | **Possible values** | audit (default)
block
off | @@ -205,7 +188,6 @@ The *cloudService* entry in the configuration profile is used to configure the c ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | cloudService | | **Data type** | Dictionary (nested preference) | | **Comments** | See the following sections for a description of the dictionary contents. | @@ -216,7 +198,6 @@ Whether cloud delivered protection is enabled on the device or not. To improve t ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | enabled | | **Data type** | Boolean | | **Possible values** | true (default)
false | @@ -227,7 +208,6 @@ Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, de ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | diagnosticLevel | | **Data type** | String | | **Possible values** | optional (default)
required | @@ -238,7 +218,6 @@ Determines whether suspicious samples (that are likely to contain threats) are s ||| |:---|:---| -| **Domain** | com.microsoft.wdav | | **Key** | automaticSampleSubmission | | **Data type** | Boolean | | **Possible values** | true (default)
false | diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md index dffd8f9839..295efbedca 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-resources.md @@ -60,19 +60,16 @@ If you can reproduce a problem, please increase the logging level, run the syste If an error occurs during installation, the installer will only report a general failure. -The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. +The detailed log will be saved to /var/log/microsoft/mdatp_install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. ## Uninstalling -There are several ways to uninstall Microsoft Defender ATP for Linux. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. +There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, please follow the package uninstallation instructions for the configuration tool. -### Interactive uninstallation +### Manual uninstallation -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -### From the command line - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` +- ```sudo apt-get purge mdatp``` for Debian and Ubuntu systems +- ```sudo yum remove mdatp``` for RHEL, Oracle Linux, CentOS based systems ## Configuring from the command line 
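Review bot: In the new "Manual uninstallation" list of microsoft-defender-atp-linux-resources.md the two commands are not equivalent: `apt-get purge` also deletes the package's configuration files, while `yum remove` can leave modified configuration files behind. Suggest saying what remains on each distribution family after the command, in particular /etc/opt/microsoft/mdatp/mdatp_onboard.json, which the manual install page has the admin copy by hand, so that a decommissioned machine does not keep its onboarding data without anyone noticing.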
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md index 83c84689a0..fa8fb3cbe0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md @@ -25,12 +25,6 @@ This topic describes how to install, configure, update, and use Microsoft Defend > [!CAUTION] > Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to lead to performance problems and unpredictable side effects. -> [!NOTE] ->How would users give us feedback? -> **TODO:** Should we add atp --feedback "Feedback" that will send the feedback to us / OCV. I am keeping the original line for reference. -> -> If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**. - ## How to install Microsoft Defender ATP for Linux ### Prerequisites 
@@ -41,14 +35,10 @@ This topic describes how to install, configure, update, and use Microsoft Defend ### System requirements -- Supported Linux distributions and versions: RHEL 7, Oracle 7, CentOS 7, Ubuntu 16 and 18, Debian 9 +- Supported Linux server distributions and versions: RHEL 7, Oracle Linux 7, CentOS 7, Ubuntu 16 and 18, Debian 9 - Disk space: 650 MB. -> [!NOTE] ->**TODO**: Verify this -After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. - -The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. +If your Linux server is behind firewall or proxy, you will likely need to allow outbound connections between it and following servers. The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. | Service location | DNS record | | ---------------------------------------- | ----------------------- | @@ -57,9 +47,6 @@ The following table lists the services and their associated URLs that your netwo | United Kingdom | unitedkingdom.x.cp.wd.microsoft.com | | United States | unitedstates.x.cp.wd.microsoft.com | ->[!NOTE] -> **TODO:** Verify the proxy paragraph - Microsoft Defender ATP can discover a proxy server by using the following discovery methods: - Web Proxy Auto-discovery Protocol (WPAD) - Manual static proxy configuration From 4c1a75e607b501e4616499f53109c91798090ab0 Mon Sep 17 00:00:00 2001 
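Review bot: In install-manually.md, hunk @@ -39,30 +39,24 @@, the new extraction one-liner is fragile in three ways. `unzip -p` with no member name streams every file in the archive to stdout, so the output is only correct if the package contains exactly one file; `"\n".join(sys.stdin.readlines())` doubles each line break, because readlines() keeps the trailing newline on every element; and a bare `python` may be Python 2, Python 3 or absent depending on the distribution, so the page should say which interpreter is expected. Suggest naming the archive member explicitly and using `sys.stdin.read()`. Separately, step 2 now tells a Linux admin to pick **Windows 10** and **Mobile Device Management / Microsoft Intune**, and the screenshot alt text still reads "Windows Defender Security Center"; if the portal selection is intentional, one sentence explaining why would stop readers from treating it as a copy error.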
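Review bot: In install-manually.md, hunk @@ -110,15 +101,23 @@, the new step 5 downloads the test file over plain `http://` into `~/Downloads`, a directory that usually does not exist on a Linux server, and the step stops at the `curl` command without telling the reader what result indicates a successful detection or where to look for it. Suggest an https URL if the site offers one, a destination that exists such as /tmp, and a closing sentence that states the expected outcome and how to confirm it. Formatting: "Copy and run the command below:" is not indented under the list item, the inline command in the first bullet uses a triple-backtick fence instead of single backticks, and the block is opened as "``` bash" with a space before the language tag.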
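Review bot: In microsoft-defender-atp-linux-preferences.md, hunk @@ -35,13 +35,9 @@, the added sentence names the managed profile `mdatp_maanged.json`, which looks like a typo for `mdatp_managed.json`; please confirm the name against the product, because an admin who copies it verbatim into a Puppet or Ansible file resource will push a profile to a path that may never be read, and the intended settings (real-time protection, exclusions, threat type handling) would silently not apply. The sentence is also missing its final period and wraps the file name and path in triple backticks where single backticks are meant.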
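Review bot: In microsoft-defender-atp-linux.md, hunk @@ -57,9 +47,6 @@, the "Verify the proxy paragraph" TODO is deleted while the paragraph it referred to appears only as unchanged context, so nothing in the diff shows that the WPAD and manual static proxy claims were checked for the Linux client. If they were verified, please say so in the commit message; if not, either keep a tracking item or trim the list to what is known to work, since admins will write firewall and proxy rules from this page.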
From: Amrut Kale Date: Thu, 24 Oct 2019 12:38:07 +0530 Subject: [PATCH 13/17] Deleting private and pua handling for now. --- .../microsoft-defender-atp-linux-privacy.md | 273 ------------------ .../microsoft-defender-atp-linux-pua.md | 69 ----- 2 files changed, 342 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md deleted file mode 100644 index 0e2884b388..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-privacy.md +++ /dev/null 
@@ -1,273 +0,0 @@ ---- -title: Privacy for Microsoft Defender ATP for Linux -ms.reviewer: -description: Describes privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Linux. -keywords: microsoft, defender, atp, linux, privacy, diagnostic -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dansimp -author: dansimp -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Privacy for Microsoft Defender ATP for Linux - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) - -Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Linux. - -This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected. - -## Overview of privacy controls in Microsoft Defender ATP for Linux - -This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Linux. - -### Diagnostic data - -Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. - -Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations. 
- -There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from: - -* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device it’s installed on. - -* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues. - -By default, both optional and required diagnostic data are sent to Microsoft. - -### Cloud delivered protection data - -Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud. - -Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network. - -### Sample data - -Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional. - -When this feature is enabled and the sample that is collected is likely to contain personal information, the user is prompted for consent. - -## Manage privacy controls with policy settings - -If you're an IT administrator, you might want to configure these controls at the enterprise level. - -The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-preferences.md). - -As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization. 
- -## Diagnostic data events - -This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected. - -### Data fields that are common for all events -There is some information about events that is common to all events, regardless of category or data subtype. - -The following fields are considered common for all events: - -| Field | Description | -| ----------------------- | ----------- | -| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. | -| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | -| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | -| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. | -| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | -| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. | -| app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| -| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. 
| -| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. | -| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. | - - -### Required diagnostic data - -**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device it’s installed on. - -Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced. - -#### Software setup and inventory data events - -> [!NOTE] -> **TODO:** Please review if all the following fields are valid for linux as well - -**Microsoft Defender ATP installation / uninstallation** - -The following fields are collected: - -| Field | Description | -| ---------------- | ----------- | -| correlation_id | Unique identifier associated with the installation. | -| version | Version of the package. | -| severity | Severity of the message (for example Informational). | -| code | Code that describes the operation. | -| text | Additional information associated with the product installation. 
| - -**Microsoft Defender ATP configuration** - -The following fields are collected: - -| Field | Description | -| --------------------------------------------------- | ----------- | -| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. | -| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. | -| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. | -| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. | -| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. | -| cloud_service.service_uri | URI used to communicate with the cloud. | -| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). | -| cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. | -| edr.early_preview | Whether the machine should run EDR early preview features. | -| edr.group_id | Group identifier used by the detection and response component. | -| edr.tags | User-defined tags. | -| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. | - -#### Product and service performance data events - -> [!NOTE] -> **TODO:** Please review if all the following fields are valid for linux as well - -**Kernel extension statistics** - -The following fields are collected: - -| Field | Description | -| ---------------- | ----------- | -| version | Version of Microsoft Defender ATP for Linux. | -| instance_id | Unique identifier generated on kernel extension startup. | -| trace_level | Trace level of the kernel extension. | -| ipc.connects | Number of connection requests received by the kernel extension. | -| ipc.rejects | Number of connection requests rejected by the kernel extension. 
| -| ipc.connected | Whether there is any active connection to the kernel extension. | - -#### Support data - -**Diagnostic logs** - -Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs: - -- All files under */var/log/microsoft/mdatp/* -- Subset of files under */var/opt/microsoft/mdatp/* that are created and used by Microsoft Defender ATP for Linux -- Subset of files under */etc/opt/microsoft/mdatp/* that are used by Microsoft Defender ATP for Linux - -### Optional diagnostic data - -**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues. - -If you choose to send us optional diagnostic data, required diagnostic data is also included. - -Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product). - -#### Software setup and inventory data events - -**Microsoft Defender ATP configuration** - -The following fields are collected: - -| Field | Description | -| -------------------------------------------------- | ----------- | -| connection_retry_timeout | Connection retry time out when communication with the cloud. | -| file_hash_cache_maximum | Size of the product cache. | -| crash_upload_daily_limit | Limit of crash logs uploaded daily. | -| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. | -| antivirus_engine.exclusions[].path | Path that was excluded from scanning. | -| antivirus_engine.exclusions[].extension | Extension excluded from scanning. | -| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. | -| antivirus_engine.scan_cache_maximum | Size of the product cache. 
| -| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. | -| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. | -| filesystem_scanner.full_scan_directory | Full scan directory. | -| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. | -| edr.latency_mode | Latency mode used by the detection and response component. | -| edr.proxy_address | Proxy address used by the detection and response component. | - -### Product and service usage - -#### Diagnostic log upload started report - -The following fields are collected: - -| Field | Description | -| ---------------- | ----------- | -| sha256 | SHA256 identifier of the support log. | -| size | Size of the support log. | -| original_path | Path to the support log (always under */var/opt/microsoft/mdatp/wdavdiag/*). | -| format | Format of the support log. | - -#### Diagnostic log upload completed report - -The following fields are collected: - -| Field | Description | -| ---------------- | ----------- | -| request_id | Correlation ID for the support log upload request. | -| sha256 | SHA256 identifier of the support log. | -| blob_sas_uri | URI used by the application to upload the support log. | - -#### Product and service performance data events - -**Unexpected application exit (crash)** - -Unexpected application exits and the state of the application when that happens. - -**Kernel extension statistics** - -> [!NOTE] -> **TODO:** Is this valid for Linux as well? - -The following fields are collected: - -| Field | Description | -| ------------------------------ | ----------- | -| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. 
| -| pkt_ack_conn_timeout | | -| ipc.ack_pkts | | -| ipc.nack_pkts | | -| ipc.send.ack_no_conn | | -| ipc.send.nack_no_conn | | -| ipc.send.ack_no_qsq | | -| ipc.send.nack_no_qsq | | -| ipc.ack.no_space | | -| ipc.ack.timeout | | -| ipc.ack.ackd_fast | | -| ipc.ack.ackd | | -| ipc.recv.bad_pkt_len | | -| ipc.recv.bad_reply_len | | -| ipc.recv.no_waiter | | -| ipc.recv.copy_failed | | -| ipc.kauth.vnode.mask | | -| ipc.kauth.vnode.read | | -| ipc.kauth.vnode.write | | -| ipc.kauth.vnode.exec | | -| ipc.kauth.vnode.del | | -| ipc.kauth.vnode.read_attr | | -| ipc.kauth.vnode.write_attr | | -| ipc.kauth.vnode.read_ex_attr | | -| ipc.kauth.vnode.write_ex_attr | | -| ipc.kauth.vnode.read_sec | | -| ipc.kauth.vnode.write_sec | | -| ipc.kauth.vnode.take_own | | -| ipc.kauth.vnode.denied | | -| ipc.kauth.file_op.mask | | -| ipc.kauth_file_op.open | | -| ipc.kauth.file_op.close | | -| ipc.kauth.file_op.close_modified | | -| ipc.kauth.file_op.move | | -| ipc.kauth.file_op.link | | -| ipc.kauth.file_op.exec | | -| ipc.kauth.file_op.remove | | -| ipc.kauth.file_op.fork | | -| ipc.kauth.file_op.create | | - -## Resources - -- [Privacy at Microsoft](https://privacy.microsoft.com/) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md deleted file mode 100644 index 2ff866b692..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux-pua.md +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -title: Detect and block potentially unwanted applications -ms.reviewer: -description: Describes how to detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Linux. -keywords: microsoft, defender, atp, linux, pua, pus -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dansimp -author: dansimp -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Detect and block potentially unwanted applications - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) - -The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Linux can detect and block PUA files on endpoints in your network. - -These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. - -These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. - -## How it works - -Microsoft Defender ATP for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. - -When a PUA is detected on an endpoint, Microsoft Defender ATP for Linux presents a notification to the user, unless notifications have been disabled. The threat name will contain the word "Application". - -> [!NOTE] -> **TODO:** Reword for Linux - -## Configure PUA protection - -PUA protection in Microsoft Defender ATP for Linux can be configured in one of the following ways: - -- **Off**: PUA protection is disabled. 
-- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No notification is presented to the user and no action is taken by the product. -- **Block**: PUA files are reported in the product logs and in Microsoft Defender Security Center. The user is presented with a notification and action is taken by the product. - ->[!WARNING] ->By default, PUA protection is configured in **Audit** mode. - -You can configure how PUA files are handled from the command line or from the management console. - -### Use the command-line tool to configure PUA protection: - -In Terminal, execute the following command to configure PUA protection: - -```bash -$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block] -``` - -### Use the management console to configure PUA protection: - -In your enterprise, you can configure PUA protection from a management console, such as Puppet, similarly to how other product settings are configured. For more information, see the [Threat type settings](microsoft-defender-atp-linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-preferences.md) topic. - -## Related topics - -- [Set preferences for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-preferences.md) From 36f37faf2136fc96a5422250f4eb16985ae8863a Mon Sep 17 00:00:00 2001 From: Amrut Kale Date: Thu, 24 Oct 2019 17:33:25 +0530 Subject: [PATCH 14/17] added mdatp --connectivity-test --- .../microsoft-defender-atp-linux.md | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md index fa8fb3cbe0..1d5f12dde9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md @@ -63,10 +63,22 @@ $ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'http The output from this command should be similar to the following: -> `OK https://x.cp.wd.microsoft.com/api/report` -> +> `OK https://x.cp.wd.microsoft.com/api/report` > `OK https://cdn.x.cp.wd.microsoft.com/ping` +You can also use ```mdatp --connectivity-test``` to verify the connectivity. + +```bash +$ mdatp --connectivity-test +Running connectivity test +Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://unitedstates.x.cp.wd.microsoft.com/api/report ... [OK] +Testing connection with https://ussus1eastprod.blob.core.windows.net ... [OK] +Testing connection with https://ussus1westprod.blob.core.windows.net ... [OK] +``` + ### Installation instructions There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux. @@ -84,8 +96,6 @@ In general you need to take the following steps: ## How to update Microsoft Defender ATP for Linux ->[!NOTE] -> **TODO:** Upgrade story is not very clear right now! Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-updates.md) From 952179cbf11efe22fa98b4362e3e23c7209acafb Mon Sep 17 00:00:00 2001 From: Amrut Kale Date: Wed, 30 Oct 2019 16:13:21 +0530 Subject: [PATCH 15/17] Added section on known issues to overview page Added section on known issues to overview page --- .../microsoft-defender-atp-linux.md | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md index 1d5f12dde9..c360a259ba 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md @@ -103,6 +103,13 @@ Microsoft regularly publishes software updates to improve performance, security, Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-preferences.md). +## Known Issues + +- Logged on users do not appear in the ATP portal +- Quarantining a threat requires elevated permissions. Run with ```sudo mdatp --threat --quarantine ``` +- Product has not been evaluated yet side by side with SELinux + + ## Resources - For more information about logging, uninstalling, or other topics, see the [Resources](microsoft-defender-atp-linux-resources.md) page. From afa2a24c3b675b44f1ebb4bdfaa0601a4eb9c5f4 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 15 Nov 2019 13:38:53 -0800 Subject: [PATCH 16/17] Update supported distros --- .../microsoft-defender-atp-linux.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md index c360a259ba..e582b3ace6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md 
@@ -35,7 +35,14 @@ This topic describes how to install, configure, update, and use Microsoft Defend ### System requirements -- Supported Linux server distributions and versions: RHEL 7, Oracle Linux 7, CentOS 7, Ubuntu 16 and 18, Debian 9 +- Supported Linux server distributions and versions: + + - Red Hat Enterprise Linux 7 or higher + - CentOS 7 or higher + - Ubuntu 16.04 LTS or higher + - Debian 9 or higher + - SUSE Linux Enterprise Server 12 or higher + - Disk space: 650 MB. If your Linux server is behind firewall or proxy, you will likely need to allow outbound connections between it and following servers. The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. @@ -48,7 +55,7 @@ If your Linux server is behind firewall or proxy, you will likely need to allow | United States | unitedstates.x.cp.wd.microsoft.com | Microsoft Defender ATP can discover a proxy server by using the following discovery methods: -- Web Proxy Auto-discovery Protocol (WPAD) +- Transparent proxy - Manual static proxy configuration If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. @@ -96,7 +103,6 @@ In general you need to take the following steps: ## How to update Microsoft Defender ATP for Linux - Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](microsoft-defender-atp-linux-updates.md) ## How to configure Microsoft Defender ATP for Linux From b427164ccedbc5c0671dcd210f0992fa62ec54d9 Mon Sep 17 00:00:00 2001 
From: Tudor Dobrila Date: Fri, 15 Nov 2019 13:52:59 -0800 Subject: [PATCH 17/17] Clarify ubuntu --- .../windows-defender-antivirus/microsoft-defender-atp-linux.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md index e582b3ace6..ae7104ff7f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-linux.md @@ -39,7 +39,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend - Red Hat Enterprise Linux 7 or higher - CentOS 7 or higher - - Ubuntu 16.04 LTS or higher + - Ubuntu 16.04 LTS or higher LTS - Debian 9 or higher - SUSE Linux Enterprise Server 12 or higher
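Review bot: In PATCH 14/17, hunk `@@ -63,10 +63,22 @@`, the sample output of `mdatp --connectivity-test` probes hosts that an operator building firewall rules needs to know about (`eu-cdn.x.cp.wd.microsoft.com`, `wu-cdn.x.cp.wd.microsoft.com`, and the two `*.blob.core.windows.net` storage hosts). Please confirm each of them is listed in the URL table in the system requirements section, and add any that are missing, so that a server allow-listed strictly from that table passes the test. Style point in the same hunk: the inline command is wrapped in triple backticks; single backticks are the convention for inline code.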
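Review bot: In PATCH 14/17, hunk `@@ -84,8 +96,6 @@`, the removal of the `>[!NOTE]` / `**TODO:** Upgrade story is not very clear right now!` block is unrelated to the commit subject "added mdatp --connectivity-test". Either mention it in the commit message or move it to its own commit. PATCH 16/17 (`@@ -96,7 +103,6 @@`) then removes another line at the same spot under "How to update", so this cleanup ends up split across two commits; doing it once here would be cleaner.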
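Review bot: In PATCH 15/17, hunk `@@ -103,6 +103,13 @@`, the quarantine command in the second bullet ends with a trailing space before the closing backticks (`sudo mdatp --threat --quarantine `), which suggests the argument identifying the threat was lost. If a placeholder in angle brackets was intended, it has probably been swallowed as markup and needs escaping; as written, the reader cannot tell what to pass. The SELinux bullet would also benefit from saying what an administrator on a host with SELinux enabled should do or expect, since "has not been evaluated" gives no guidance. Minor: the heading "Known Issues" is title case while the neighbouring headings ("How to update ...", "How to configure ...") are sentence case, the first and third bullets lack the full stop the second one has, and the hunk adds two blank lines before "## Resources" where one is enough.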
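Review bot: In PATCH 16/17, hunk `@@ -35,7 +35,14 @@`, Oracle Linux 7 is in the removed line but not in the new list, and the commit message ("Update supported distros") does not say it was dropped. Please confirm the removal is intentional and state it in the message, since a reader on Oracle Linux would otherwise lose support silently. The new "or higher" wording on every entry also commits the page to releases that do not exist yet; consider listing the versions actually validated.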
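Review bot: In PATCH 16/17, hunk `@@ -48,7 +55,7 @@`, replacing "Web Proxy Auto-discovery Protocol (WPAD)" with "Transparent proxy" leaves the lead-in sentence inaccurate: it still reads "can discover a proxy server by using the following discovery methods", but a transparent proxy is not something the client discovers, and neither is a manual static configuration. Suggest rewording the lead-in along the lines of "supports the following proxy configurations" so the list matches what it introduces.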
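Review bot: In PATCH 17/17, hunk `@@ -39,7 +39,7 @@`, the changed line now reads "Ubuntu 16.04 LTS or higher LTS", which repeats "LTS" and is harder to parse than the line it replaces. If the intent is to restrict support to LTS releases, something like "Ubuntu 16.04 LTS or a later LTS release" says that directly.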