From cbc377b5477ab593779069bee6599d7b170bbc1f Mon Sep 17 00:00:00 2001 From: Max Velitchko Date: Wed, 8 May 2019 15:22:55 -0700 Subject: [PATCH 1/5] wdavconfig.py => mdatp --health --- ...osoft-defender-atp-mac-install-manually.md | 9 +++----- ...soft-defender-atp-mac-install-with-jamf.md | 21 +++++++++++-------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 82e53c1ff4..1d6f73f280 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -90,9 +90,7 @@ The installation will proceed. The client machine is not associated with orgId. Note that the orgid is blank. ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : + mavel-mojave:wdavconfig testuser$ mdatp --health orgId ``` 2. Install the configuration file on a client machine: @@ -105,9 +103,8 @@ The installation will proceed. 3. Verify that the machine is now associated with orgId: ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + mavel-mojave:wdavconfig testuser$ mdatp --health orgId + E6875323-A6C0-4C60-87AD-114BBE7439B8 ``` After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index b2df2ab85f..516c62e45a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md 
@@ -178,26 +178,29 @@ Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. You can also check the onboarding status: ```bash -mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py -uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 -orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +mavel-mojave:~ testuser$ mdatp --health +... +licensed : true +orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45" +... ``` -- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. +- **licensed**: This is a confirmation that the machine is licensed for ATP. -- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. +- **orgid**: Your ATP org id, it will be the same for your organization. ## Check onboarding status You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: ```bash -sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +mdatp --health healthy ``` -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. +This script returns: +- 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service +- 1 if the machine is not onboarded +- 3 if the connection to the daemon cannot be established (daemon is not running) ## Test alert From 02cf000a1873bffabe092ddabdbc4e3d240fb579 Mon Sep 17 00:00:00 2001 
From: Max Velitchko Date: Wed, 8 May 2019 16:59:26 -0700 Subject: [PATCH 2/5] Adding page for other MDM solutions --- ...defender-atp-mac-install-with-other-mdm.md | 82 +++++++++++++++++++ .../microsoft-defender-atp-mac.md | 1 + 2 files changed, 83 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md new file mode 100644 index 0000000000..ec7b8d74f1 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md 
@@ -0,0 +1,82 @@ +--- +title: Installing Microsoft Defender ATP for Mac with different MDM product +description: Describes how to install Microsoft Defender ATP for Mac, using an unsupported MDM solution. +keywords: microsoft, defender, atp, mac, installation, deploy, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: mavel +author: maximvelichko +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Deployment with a different MDM system + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + +## Approach + +Your organization may use one of existing MDM solutions that we do not officially support. +It does not mean that Defender will not work with it. +It means that provide support for deployment/management with this MDM solution. 
+ +However, Defender does not depend on any vendor-specific features, and can be used with any MDM solution that supports the following features (practically any modern MDM solution would support them): + +- Deployment a macOS .pkg to managed machines. +- Deployment macOS system configuration profiles to managed machines. +- Running an arbitrary admin-configured tool/script on managed machines. + +You can deploy Defender without the last requirement, however: + +- You won't be able to collect status in a centralized way +- If you decide to uninstall Defender, you'll need to logon to the client machine locally as an administrator + +## Deployment + +Most of MDM solution use the same model for managing macOS machines, with similar terminology. +Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template. + +### Package + +Configure deployment of a [required application package](microsoft-defender-atp-mac-install-with-jamf.md#package), +using Installation package (wdav.pkg) downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). + +Your MDM solution can allow you uploading an arbitrary application package, or require you to wrap it into a custom package first. + +### License settings + +Setup [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile). +Your MDM product may call it something like "Custom Settings Profile" (as Defender is not a part of macOS). + +Use jamf/WindowsDefenderATPOnboarding.plist extracted from an onboarding package downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). +Your system may support an arbitrary Plist in XML format (you can just upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in this case), or require you to convert to a different format first. + +Note that your custom profile would have an id, name or domain attribute. 
You must use exactly "com.microsoft.wdav.atp". +MDM will use it to deploy the settings file as **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender will use this file for loading onboarding info. + +### KEXT + +Setup a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft. + +## Was it successful? + +Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index af6205c2ca..130835c66e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -46,6 +46,7 @@ In general you'll need to take the following steps: - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune) - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf) + - [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md) - [Manual deployment](microsoft-defender-atp-mac-install-manually) ### Prerequisites From 430b18a27732c30ec526293b9d162d53b950a18e Mon Sep 17 00:00:00 2001 From: Max Velitchko Date: Tue, 14 May 2019 16:44:41 -0700 Subject: [PATCH 3/5] Update test connection command --- .../microsoft-defender-atp-mac.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 130835c66e..ce3eed3ca5 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -71,13 +71,14 @@ The following table lists the services and their associated URLs that your netwo | Service | Description | URL | | -------------- |:------------------------------------:| --------------------------------------------------------------------:| -| ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` | +| ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com`, `https://cdn.x.cp.wd.microsoft.com` | -To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: +To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://cdn.x.cp.wd.microsoft.com/ping` in a browser, or run the following command in Terminal: ```bash - mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report' - OK + mavel-mojave:~ testuser$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' + OK https://x.cp.wd.microsoft.com/api/report + OK https://cdn.x.cp.wd.microsoft.com/ping ``` We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. From c016e1e8a0338dbbe1abd12076627b7dec1dad57 Mon Sep 17 00:00:00 2001 From: Max Velitchko Date: Wed, 15 May 2019 13:04:26 -0700 Subject: [PATCH 4/5] Grammar feedback --- ...soft-defender-atp-mac-install-with-jamf.md | 2 +- ...defender-atp-mac-install-with-other-mdm.md | 36 +++++++++---------- 2 files changed, 19 insertions(+), 19 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 7a8d15e4e6..4770ec60ec 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -182,7 +182,7 @@ orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45" ... ``` -- **licensed**: This is a confirmation that the machine is licensed for ATP. +- **licensed**: This confirms that the machine has an ATP license. - **orgid**: Your ATP org id, it will be the same for your organization. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md index ec7b8d74f1..49020bb614 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md 
@@ -24,10 +24,7 @@ ms.topic: #conceptual [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) >[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements 
@@ -35,43 +32,46 @@ Before you get started, please see [the main Microsoft Defender ATP for Mac page ## Approach -Your organization may use one of existing MDM solutions that we do not officially support. -It does not mean that Defender will not work with it. -It means that provide support for deployment/management with this MDM solution. +Your organization may use a Mobile Device Management (MDM) solution we do not officially support. +This does not mean you will be unable to deploy or run Microsoft Defender ATP for Mac. +However, we will not be able to provide support for deploying or managing Defender via these solutions. -However, Defender does not depend on any vendor-specific features, and can be used with any MDM solution that supports the following features (practically any modern MDM solution would support them): +Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features: -- Deployment a macOS .pkg to managed machines. -- Deployment macOS system configuration profiles to managed machines. +- Deploying a macOS .pkg to managed machines. +- Deploying macOS system configuration profiles to managed machines. - Running an arbitrary admin-configured tool/script on managed machines. -You can deploy Defender without the last requirement, however: +The majority of modern MDM solutions include these features, however, they may call them differently. + +You can deploy Defender without the last requirement from the list above, however: - You won't be able to collect status in a centralized way - If you decide to uninstall Defender, you'll need to logon to the client machine locally as an administrator ## Deployment -Most of MDM solution use the same model for managing macOS machines, with similar terminology. +Most MDM solution use the same model for managing macOS machines, with similar terminology. 
Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template. ### Package Configure deployment of a [required application package](microsoft-defender-atp-mac-install-with-jamf.md#package), -using Installation package (wdav.pkg) downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). +with the installation package (wdav.pkg) downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). -Your MDM solution can allow you uploading an arbitrary application package, or require you to wrap it into a custom package first. +Your MDM solution can allow you uploading of an arbitrary application package, or require you to wrap it into a custom package first. ### License settings Setup [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile). -Your MDM product may call it something like "Custom Settings Profile" (as Defender is not a part of macOS). +Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS. -Use jamf/WindowsDefenderATPOnboarding.plist extracted from an onboarding package downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). -Your system may support an arbitrary Plist in XML format (you can just upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in this case), or require you to convert to a different format first. +Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can extracted from an onboarding package downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). +Your system may support an arbitrary property list in XML format. You can just upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. 
+Alternatively, it may require you to convert the property list to a different format first. Note that your custom profile would have an id, name or domain attribute. You must use exactly "com.microsoft.wdav.atp". -MDM will use it to deploy the settings file as **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender will use this file for loading onboarding info. +MDM will use it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender will use this file for loading onboarding info. ### KEXT From 8a6efa78e4339e7dbed350a8bafdd5f5e8a08a33 Mon Sep 17 00:00:00 2001 From: Max Velitchko Date: Thu, 16 May 2019 09:37:09 -0700 Subject: [PATCH 5/5] Reflect mdatp diagnostic changes --- .../microsoft-defender-atp-mac-resources.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 7f138a6ca7..bbd9394358 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md 
@@ -41,10 +41,10 @@ If you can reproduce a problem, please increase the logging level, run the syste 2. Reproduce the problem -3. Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. +3. Run `mdatp --diagnostic --create` to backup Defender ATP's logs. The command will print out location with generated zip file. ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic + mavel-mojave:~ testuser$ mdatp --diagnostic --create Creating connection to daemon Connection established "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" @@ -120,7 +120,7 @@ Important tasks, such as controlling product settings and triggering on-demand s |Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | |Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| |Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | |Health |Check the product's health |`mdatp --health` | |Protection |Scan a path |`mdatp scan --path [path]` | |Protection |Do a quick scan |`mdatp scan --quick` |
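Review bot: In patch 1, file microsoft-defender-atp-mac-install-manually.md, hunk `@@ -90,9 +90,7 @@`, the "not associated" example now shows only the command `mdatp --health orgId` and no output line, so the sentence above it ("Note that the orgid is blank") has nothing to point at and a reader cannot tell a blank result from a command that did not run. Keep an explicit (empty) output line or state that the command prints an empty value when no org id is configured. The removed snippet also ran under `sudo`; if `mdatp --health` works without elevation, say so, since readers of the manual-install page will otherwise assume root is required.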
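Review bot: In patch 1, file microsoft-defender-atp-mac-install-with-jamf.md, hunk `@@ -178,26 +178,29 @@`, the bullet label `**orgid**` no longer matches the key shown in the output, which is `orgId`; use the same spelling so a reader searching the health output finds it. The same bullet ("Your ATP org id, it will be the same for your organization") is a comma splice. The replacement bullets also drop the troubleshooting guidance the old ones carried (what a blank value meant and what to check); consider saying what to do when `licensed` is `false` or `orgId` is empty, for example that the configuration profile did not land on the machine. In the "This script returns:" list only exit codes 0, 1 and 3 are enumerated; either document the remaining codes or tell the reader to treat any non-zero code as not onboarded, otherwise an MDM script author has no defined handling for them.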
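Review bot: In patch 2, the new file microsoft-defender-atp-mac-install-with-other-mdm.md, hunk `@@ -0,0 +1,82 @@`, three front-matter values begin with `#` (`search.appverid: #met150`, `ms.localizationpriority: #medium`, `ms.topic: #conceptual`); in YAML a `#` preceded by whitespace starts a comment, so these keys are parsed with null values. Quote the values or drop the `#`. The "Applies to" link `https://go.microsoft.com/fwlink/p/?linkid=???To-Add???` is an unresolved placeholder and should not merge as-is. The prerequisites link `[the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md))` has doubled parentheses, which breaks the Markdown link, and targets `microsoft-defender-atp.md` while the page edited elsewhere in this series is `microsoft-defender-atp-mac.md`. In the KEXT section, the doc asks admins to whitelist team identifier `UBF8T346G9` on trust; consider adding how to confirm that value against the signed kext on a client (for example `codesign -d --verbose=4` on the installed kext bundle prints its TeamIdentifier) so the allowlist entry is verified rather than copied.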
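Review bot: In patch 2, file microsoft-defender-atp-mac.md, hunk `@@ -46,6 +46,7 @@`, the new list item links to `microsoft-defender-atp-mac-install-with-other-mdm.md` with the `.md` extension while the three sibling items (`...-with-intune`, `...-with-jamf`, `...-manually`) link without it; use one convention for all four so the links resolve the same way in the build.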
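Review bot: In patch 3, file microsoft-defender-atp-mac.md, hunk `@@ -71,13 +71,14 @@`, the connectivity test only appears to succeed because the response body happens to be `OK`; curl does not fail on HTTP error status by default, so an intercepting proxy's block page or a 4xx/5xx response would print its body followed by the URL and can be misread as success. Suggest `curl -sS --fail -w ' %{url_effective}\n' ...` or adding `%{http_code}` to the write-out so the check is unambiguous. Separately, the table drops the `https://*.x.cp.wd.microsoft.com/` wildcard in favour of `cdn.x.cp.wd.microsoft.com` alone while the old test line contacted `wu-cdn.x.cp.wd.microsoft.com`; confirm no other subdomain is still used, since readers copy this table into proxy allowlists.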
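Review bot: In patch 4, file microsoft-defender-atp-mac-install-with-jamf.md, hunk `@@ -182,7 +182,7 @@`, the unchanged context line `- **orgid**: Your ATP org id, it will be the same for your organization.` still has the comma splice and the `orgid`/`orgId` mismatch with the output key shown above it; since this commit is grammar feedback, fix that line too, e.g. "**orgId**: your ATP org id; it is the same for every machine in your organization."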
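Review bot: In patch 4, file microsoft-defender-atp-mac-install-with-other-mdm.md, hunk `@@ -35,43 +32,46 @@`, several grammar errors remain in a grammar-fix commit: "Most MDM solution use" (solutions), "can allow you uploading of an arbitrary application package" (may let you upload an arbitrary application package), "which can extracted from" (can be extracted from), and "you'll need to logon" (log on). The added line "The majority of modern MDM solutions include these features, however, they may call them differently." is a comma splice; split it at "however".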
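Review bot: In patch 5, file microsoft-defender-atp-mac-resources.md, hunk `@@ -41,10 +41,10 @@`, the rewritten step 3 keeps two grammar problems: "backup" is a noun (use "back up"), and "will print out location with generated zip file" should read "prints the location of the generated zip file". The command and the sample output agree on `--diagnostic --create`, and the table row in the second hunk matches, so the substance is consistent.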