deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

moving and updating apt mac

Browse Source
This commit is contained in:
Beth Levin 2019-11-05 11:06:18 -08:00
parent da1b42c2c9
commit 7a58e74cf6
18 changed files with 253 additions and 936 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

185
windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-preview.md Normal file
View File

@ -0,0 +1,185 @@
---
title: Microsoft Defender ATP for Mac
ms.reviewer:
description: Describes how to install and use Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Enable Microsoft Defender ATP Insider Machine
The following instructions specify how to configure set a macOS machine running MDATP to be Insider” machine. For scale deployment we recommend using Jamf, or Intune.
>[!NOTE]
>For machines already running Microsoft Defender ATP for Mac, please pay attention to the “earlyPreview” flag. See documentation of Jamf, Intune and manual deployment instructions below.
## Deploying centrally with Jamf
### Step 1: Enable the "Insider" program
a. Create configuration profile com.microsoft.wdav.plist with the following content:
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</plist>
```
b. From the JAMF console, navigate toComputers>Configuration Profiles, navigate to the configuration profile you'd like to use, then selectCustom Settings.
c. Create an entry withcom.microsoft.wdavas the preference domain and upload the .plist created earlier.
>[!WARNING]
>You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
### Step 2: Jamf deployment and onboarding
Follow the instruction in docs about [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md).
## Deploy centrally with Intune
### Step 1: Enable the "Insider" program
a. Create configuration profile com.microsoft.wdav.plist with the following content:
```XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</array>
</dict>
</plist>
```
b. OpenManage > Device configuration. SelectManage > Profiles > Create Profile.
c. Choose a name for the profile. ChangePlatform=macOStoProfile type=Custom. SelectConfigure.
d. Save the .plist created earlier as com.microsoft.wdav.xml.
e. Enter com.microsoft.wdav as the custom configuration profile name.
f. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 3.
g. SelectOK.
h. SelectManage > Assignments. In theIncludetab, selectAssign to All Users & All devices.
>[!WARNING]
>You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
### Step 2: Intune deployment and onboarding
Follow the instruction in docs about [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md).
## Deploy manually on a single machine
### Step 1: Enable the "Insider" program
a. Create configuration profile com.microsoft.wdav.plist with the following content:
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</plist>
```
b. Copy plist file to /Library/Managed Preferences/
### Step 2: Deployment and onboarding
Follow the instruction in docs about [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md)
## Troubleshooting
### Verify you are running the correct version
To verify you are running the correct version, run mdatp --health on the machine.
* The required version is 100.72.15 or later.
* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running defaults read com.microsoft.autoupdate2 from terminal.
* To change update settings use documentation in Update Office for Mac automatically.
* If you are not using Office for Mac, download and run the AutoUpdate tool.
### A machine still does not appear on Microsoft Defender Security Center
After a successful deployment and onboarding of the correct version, check that the machine has connectivity to the cloud service by running mdatp --connectivity-test.
* Check that you enabled the early preview flag. In terminal run “mdatp health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the manual deployment documentation and use the “Manual Deployment” section in the troubleshoot kernel extension documentation.

0
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md → windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-exclusions.md
View File

0
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md → windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-install-manually.md
View File

0
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md → windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-install-with-intune.md
View File

0
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md → windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-install-with-jamf.md
View File

0
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md → windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-install-with-other-mdm.md
View File

6
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-preferences.md
View File

@ -33,11 +33,13 @@ This topic describes the structure of this profile (including a recommended prof
## Configuration profile structure
The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences. The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
>[!NOTE]
>[!CAUTION]
>The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune.
The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
### Antivirus engine preferences
The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product.

0
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md → windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-privacy.md
View File

0
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-pua.md → windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-pua.md
View File

13
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-resources.md
View File

@ -18,7 +18,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Microsoft Defender ATP for Mac resources
# Resources
**Applies to:**
@ -68,11 +68,11 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note
### Interactive uninstallation
Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
### From the command line
```sudo rm -rf '/Applications/Microsoft Defender ATP.app'```
- ```sudo rm -rf '/Applications/Microsoft Defender ATP.app'```
## Configuring from the command line
@ -103,16 +103,13 @@ Important tasks, such as controlling product settings and triggering on-demand s
In the Microsoft Defender ATP portal, you'll see two categories of information:
Antivirus alerts, including:
- Antivirus alerts, including:
- Severity
- Scan type
- Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
- File information (name, path, size, and hash)
- Threat information (name, type, and state)
Device information, including:
- Device information, including:
- Machine identifier
- Tenant identifier
- App version

0
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md → windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-support-kext.md
View File

0
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md → windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-support-perf.md
View File

0
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md → windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-updates.md
View File

0
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md → windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac-whatsnew.md
View File

126
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
View File

@ -35,34 +35,20 @@ If you have any feedback that you would like to share, submit it by opening Micr
### Prerequisites
- A Microsoft Defender ATP subscription and access to the Microsoft Defender Security Center portal
- Access to the Microsoft Defender Security Center portal
- Beginner-level experience in macOS and BASH scripting
- Administrative privileges on the device (in case of manual deployment)
### Installation instructions
There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
- Third-party management tools:
- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
- [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
- Command-line tool:
- [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
### System requirements
The three most recent major releases of macOS are supported:
> [!CAUTION]
> The three most recent major releases of macOS are supported. Beta versions of macOS are not supported.
>
> macOS Sierra (10.12) support will end on January 1, 2020.
- 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
- Supported macOS versions: 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
- Disk space: 650 MB
Beta versions of macOS are not supported. macOS Sierra (10.12) support will end on January 1, 2020.
### Network connections
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
@ -102,18 +88,32 @@ Once Microsoft Defender ATP is installed, connectivity can be validated by runni
$ mdatp --connectivity-test
```
## Enable Endpoint Detection and Response preview features
### Installation instructions
If you are an Endpoint Detection and Response (EDR) private or public preview customer, you can set up your machine to receive EDR preview features. Currently this flag enables or disables the entire EDR functionality.
There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
### Intune-based EDR preview set up
In general you need to take the following steps:
Create configuration profile com.microsoft.wdav.plist with the following content:
```XML
- Ensure that you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal
- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
- Via third-party management tools:
- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
- [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
- Via the command-line tool:
- [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
## How to enable EDR preview
If you are an EDR private \ public preview customer, you can enable your machine to receive EDR preview features.
Currently this flag enables \ disables the entire EDR functionality.
- Intune-based enable
- Create configuration profile com.microsoft.wdav.plist with the following content:
```XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
@ -160,63 +160,55 @@ Create configuration profile com.microsoft.wdav.plist with the following content
</dict>
</dict>
</array>
</dict>
</dict>
</plist>
```
For more info, refer to [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md).
### JAMF-based EDR preview set up
Create configuration profile com.microsoft.wdav.plist with the following content:
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</plist>
```
For more info, refer to [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md).
### Manual EDR preview set up
In command prompt, run
```bash
```
For more info, refer to [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
- JAMF-based enable
- Create configuration profile com.microsoft.wdav.plist with the following content:
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</plist>
```
For more info, refer to [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
- Manual enable
- In command prompt, run
```bash
$ mdatp --early-preview true
```
For more info, refer to [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
### Test EDR set up
```
For more info, refer to [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md)
To test if EDR is enabled and functioning properly on a machine, visit machine details. Timeline tab should contain events.
- If timeline shows no events, please make sure System Extension were approved for machine.
- If you are on Catalina and seeing no file events, make sure Full Disk Access was allowed.
For more info, refer to deployment instructions:
- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
- [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
- Via the command-line tool:
- [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
## Update Microsoft Defender ATP for Mac
## How to update Microsoft Defender ATP for Mac
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used.
To read more on how to configure MAU in enterprise environments, refer to [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md)
## How to configure Microsoft Defender ATP for Mac
Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
## Resources
- [Microsoft Defender ATP for Mac resources](microsoft-defender-atp-mac-resources.md) has more information about logging, uninstalling, or other topics
- [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md) has guidance on how to configure the product in enterprise environments
- [Privacy for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-privacy.md) has privacy info
- For more information about logging, uninstalling, or other topics, see the [Resources](microsoft-defender-atp-mac-resources.md) page.
- [Privacy for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-privacy.md)

623
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
View File

@ -1,623 +0,0 @@
---
title: Set preferences for Microsoft Defender ATP for Mac
ms.reviewer:
description: Describes how to configure Microsoft Defender ATP for Mac in enterprises.
keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Set preferences for Microsoft Defender ATP for Mac
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise environments. If you are interested in configuring the product on a device from the command-line, please refer to the [Resources](microsoft-defender-atp-mac-resources.md#configuring-from-the-command-line) page.
In enterprise environments, Microsoft Defender ATP for Mac can be managed through a configuration profile. This profile is deployed from management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions for how to deploy the profile.
## Configuration profile structure
The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
>[!CAUTION]
>The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune.
The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
### Antivirus engine preferences
The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | antivirusEngine |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
#### Enable / disable real-time protection
Whether real-time protection (scan files as they are accessed) is enabled or not.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | enableRealTimeProtection |
| **Data type** | Boolean |
| **Possible values** | true (default) <br/> false |
#### Enable / disable passive mode
Whether the antivirus engine runs in passive mode or not. In passive mode:
- Real-time protection is turned off
- On-demand scanning is turned on
- Automatic threat remediation is turned off
- Security intelligence updates are turned on
- Status menu icon is hidden
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | passiveMode |
| **Data type** | Boolean |
| **Possible values** | false (default) <br/> true |
| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |
#### Scan exclusions
Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | exclusions |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
**Type of exclusion**
Specifies the type of content excluded from the scan.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | $type |
| **Data type** | String |
| **Possible values** | excludedPath <br/> excludedFileExtension <br/> excludedFileName |
**Path to excluded content**
Used to exclude content from the scan by full file path.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | path |
| **Data type** | String |
| **Possible values** | valid paths |
| **Comments** | Applicable only if *$type* is *excludedPath* |
**Path type (file / directory)**
Indicates if the *path* property refers to a file or directory.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | isDirectory |
| **Data type** | Boolean |
| **Possible values** | false (default) <br/> true |
| **Comments** | Applicable only if *$type* is *excludedPath* |
**File extension excluded from the scan**
Used to exclude content from the scan by file extension.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | extension |
| **Data type** | String |
| **Possible values** | valid file extensions |
| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
**Name of excluded content**
Used to exclude content from the scan by file name.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | name |
| **Data type** | String |
| **Possible values** | any string |
| **Comments** | Applicable only if *$type* is *excludedFileName* |
#### Allowed threats
List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | allowedThreats |
| **Data type** | Array of strings |
#### Threat type settings
The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | threatTypeSettings |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
**Threat type**
Type of the threat for which the behavior is configured.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | key |
| **Data type** | String |
| **Possible values** | potentially_unwanted_application <br/> archive_bomb |
**Action to take**
Action to take when coming across a threat of the type specified in the preceding section. Can be:
- **Audit**: your device is not protected against this type of threat, but an entry about the threat is logged.
- **Block**: your device is protected against this type of threat and you are notified in the user interface and the security console.
- **Off**: your device is not protected against this type of threat and nothing is logged.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | value |
| **Data type** | String |
| **Possible values** | audit (default) <br/> block <br/> off |
### Cloud delivered protection preferences
The *cloudService* entry in the configuration profile is used to configure the cloud driven protection feature of the product.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | cloudService |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
#### Enable / disable cloud delivered protection
Whether cloud delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | enabled |
| **Data type** | Boolean |
| **Possible values** | true (default) <br/> false |
#### Diagnostic collection level
Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | diagnosticLevel |
| **Data type** | String |
| **Possible values** | optional (default) <br/> required |
#### Enable / disable automatic sample submissions
Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | automaticSampleSubmission |
| **Data type** | Boolean |
| **Possible values** | true (default) <br/> false |
### User interface preferences
The *userInterface* section of the configuration profile is used to manage the preferences of the user interface of the product.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | userInterface |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
#### Show / hide status menu icon
Whether the status menu icon (shown in the top-right corner of the screen) is hidden or not.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | hideStatusMenuIcon |
| **Data type** | Boolean |
| **Possible values** | false (default) <br/> true |
## Recommended configuration profile
To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
The following configuration profile will:
- Enable real-time protection (RTP)
- Specify how the following threat types are handled:
- **Potentially unwanted applications (PUA)** are blocked
- **Archive bombs** (file with a high compression rate) are audited to the product logs
- Enable cloud delivered protection
- Enable automatic sample submission
### JAMF profile
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>antivirusEngine</key>
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>automaticSampleSubmission</key>
<true/>
</dict>
</dict>
</plist>
```
### Intune profile
```XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>antivirusEngine</key>
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>automaticSampleSubmission</key>
<true/>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Full configuration profile example
The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
### JAMF profile
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>antivirusEngine</key>
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>passiveMode</key>
<false/>
<key>exclusions</key>
<array>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<false/>
<key>path</key>
<string>/var/log/system.log</string>
</dict>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/home</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileExtension</string>
<key>extension</key>
<string>pdf</string>
</dict>
</array>
<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>diagnosticLevel</key>
<string>optional</string>
<key>automaticSampleSubmission</key>
<true/>
</dict>
<key>userInterface</key>
<dict>
<key>hideStatusMenuIcon</key>
<false/>
</dict>
</dict>
</plist>
```
### Intune profile
```XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>antivirusEngine</key>
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>passiveMode</key>
<false/>
<key>exclusions</key>
<array>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<false/>
<key>path</key>
<string>/var/log/system.log</string>
</dict>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/home</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileExtension</string>
<key>extension</key>
<string>pdf</string>
</dict>
</array>
<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>diagnosticLevel</key>
<string>optional</string>
<key>automaticSampleSubmission</key>
<true/>
</dict>
<key>userInterface</key>
<dict>
<key>hideStatusMenuIcon</key>
<false/>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Configuration profile deployment
Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune.
### JAMF deployment
From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with *com.microsoft.wdav* as the preference domain and upload the .plist produced earlier.
>[!CAUTION]
>You must enter the correct preference domain (*com.microsoft.wdav*), otherwise the preferences will not be recognized by the product.
### Intune deployment
1. Open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select Configure.
3. Save the .plist produced earlier as **com.microsoft.wdav.xml**.
4. Enter **com.microsoft.wdav** as the **custom configuration profile name**.
5. Open the configuration profile and upload **com.microsoft.wdav.xml**. This file was created in step 3.
6. Select **OK**.
7. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
>[!CAUTION]
>You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
## Resources
- [Configuration Profile Reference (Apple developer documentation)](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf)

121
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
View File

@ -1,121 +0,0 @@
---
title: Microsoft Defender ATP for Mac Resources
ms.reviewer:
description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Resources
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
## Collecting diagnostic information
If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
1. Increase logging level:
```bash
$ mdatp --log-level verbose
Creating connection to daemon
Connection established
Operation succeeded
```
2. Reproduce the problem
3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
```bash
$ sudo mdatp --diagnostic --create
Creating connection to daemon
Connection established
```
4. Restore logging level:
```bash
$ mdatp --log-level info
Creating connection to daemon
Connection established
Operation succeeded
```
## Logging installation issues
If an error occurs during installation, the installer will only report a general failure.
The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling
There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
### Interactive uninstallation
- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
### From the command line
- ```sudo rm -rf '/Applications/Microsoft Defender ATP.app'```
## Configuring from the command line
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
|Group |Scenario |Command |
|-------------|-------------------------------------------|-----------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
|Health |Check the product's health |`mdatp --health` |
|Protection |Scan a path |`mdatp --scan --path [path]` |
|Protection |Do a quick scan |`mdatp --scan --quick` |
|Protection |Do a full scan |`mdatp --scan --full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
|Protection |Request a security intelligence update |`mdatp --definition-update` |
## Microsoft Defender ATP portal information
In the Microsoft Defender ATP portal, you'll see two categories of information:
- Antivirus alerts, including:
- Severity
- Scan type
- Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
- File information (name, path, size, and hash)
- Threat information (name, type, and state)
- Device information, including:
- Machine identifier
- Tenant identifier
- App version
- Hostname
- OS type
- OS version
- Computer model
- Processor architecture
- Whether the device is a virtual machine
> [!NOTE]
> Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for Mac app and select **Help** > **Send feedback** on your device. Optionally, use the **Feedback** button in the Microsoft Defender Security Center.

115
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
View File

@ -1,115 +0,0 @@
---
title: Microsoft Defender ATP for Mac
ms.reviewer:
description: Describes how to install and use Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Microsoft Defender Advanced Threat Protection for Mac
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
> [!CAUTION]
> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects.
## Whats new in the latest release
[What's new](microsoft-defender-atp-mac-whatsnew.md)
If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**.
## How to install Microsoft Defender ATP for Mac
### Prerequisites
- Access to the Microsoft Defender Security Center portal
- Beginner-level experience in macOS and BASH scripting
- Administrative privileges on the device (in case of manual deployment)
### System requirements
> [!CAUTION]
> The three most recent major releases of macOS are supported. Beta versions of macOS are not supported.
>
> macOS Sierra (10.12) support will end on January 1, 2020.
- Supported macOS versions: 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
- Disk space: 650 MB
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
| Service location | DNS record |
| ---------------------------------------- | ----------------------- |
| Common URLs for all locations | x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> *.blob.core.windows.net <br/> officecdn-microsoft-com.akamaized.net |
| European Union | europe.x.cp.wd.microsoft.com |
| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com |
| United States | unitedstates.x.cp.wd.microsoft.com |
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
- Web Proxy Auto-discovery Protocol (WPAD)
- Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
```bash
$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
The output from this command should be similar to the following:
> `OK https://x.cp.wd.microsoft.com/api/report`
>
> `OK https://cdn.x.cp.wd.microsoft.com/ping`
> [!CAUTION]
> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
### Installation instructions
There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
In general you need to take the following steps:
- Ensure that you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal
- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
- Via third-party management tools:
- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
- [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
- Via the command-line tool:
- [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
## How to update Microsoft Defender ATP for Mac
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used.
To read more on how to configure MAU in enterprise environments, refer to [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md)
## How to configure Microsoft Defender ATP for Mac
Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
## Resources
- For more information about logging, uninstalling, or other topics, see the [Resources](microsoft-defender-atp-mac-resources.md) page.
- [Privacy for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-privacy.md)