From 03644a1b48444440886b73c13c772cce472ef68d Mon Sep 17 00:00:00 2001
From: Tudor Dobrila <tudor.dobrila@microsoft.com>
Date: Thu, 29 Aug 2019 16:08:02 -0700
Subject: [PATCH] Clarify configuration profile for Intune

---
 .../microsoft-defender-atp-mac-preferences.md | 196 ++++++++++++++++++
 1 file changed, 196 insertions(+)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
index 856b617100..8d22a596c8 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
@@ -35,6 +35,9 @@ This topic describes the structure of this profile (including a recommended prof
 
 The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
 
+>[!CAUTION]
+>The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune.
+
 The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
 
 ### Antivirus engine preferences
@@ -222,6 +225,8 @@ The following configuration profile will:
 - Enable cloud delivered protection
 - Enable automatic sample submission
 
+### JAMF profile
+
 ```XML
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -258,10 +263,91 @@ The following configuration profile will:
 </plist>
 ```
 
+### Intune profile
+
+```XML
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1">
+    <dict>
+        <key>PayloadUUID</key>
+        <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+        <key>PayloadType</key>
+        <string>Configuration</string>
+        <key>PayloadOrganization</key>
+        <string>Microsoft</string>
+        <key>PayloadIdentifier</key>
+        <string>com.microsoft.wdav</string>
+        <key>PayloadDisplayName</key>
+        <string>Microsoft Defender ATP settings</string>
+        <key>PayloadDescription</key>
+        <string>Microsoft Defender ATP configuration settings</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadEnabled</key>
+        <true/>
+        <key>PayloadRemovalDisallowed</key>
+        <true/>
+        <key>PayloadScope</key>
+        <string>System</string>
+        <key>PayloadContent</key>
+        <array>
+            <dict>
+                <key>PayloadUUID</key>
+                <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+                <key>PayloadType</key>
+                <string>com.microsoft.wdav</string>
+                <key>PayloadOrganization</key>
+                <string>Microsoft</string>
+                <key>PayloadIdentifier</key>
+                <string>com.microsoft.wdav</string>
+                <key>PayloadDisplayName</key>
+                <string>Microsoft Defender ATP configuration settings</string>
+                <key>PayloadDescription</key>
+                <string/>
+                <key>PayloadVersion</key>
+                <integer>1</integer>
+                <key>PayloadEnabled</key>
+                <true/>
+                <key>antivirusEngine</key>
+                <dict>
+                    <key>enableRealTimeProtection</key>
+                    <true/>
+                    <key>threatTypeSettings</key>
+                    <array>
+                        <dict>
+                            <key>key</key>
+                            <string>potentially_unwanted_application</string>
+                            <key>value</key>
+                            <string>block</string>
+                        </dict>
+                        <dict>
+                            <key>key</key>
+                            <string>archive_bomb</string>
+                            <key>value</key>
+                            <string>audit</string>
+                        </dict>
+                    </array>
+                </dict>
+                <key>cloudService</key>
+                <dict>
+                    <key>enabled</key>
+                    <true/>
+                    <key>automaticSampleSubmission</key>
+                    <true/>
+                </dict>
+            </dict>
+        </array>
+    </dict>
+</plist>
+```
+
 ## Full configuration profile example
 
 The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
 
+### JAMF profile
+
 ```XML
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -329,6 +415,116 @@ The following configuration profile contains entries for all settings described
 </plist>
 ```
 
+### Intune profile
+
+```XML
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1">
+    <dict>
+        <key>PayloadUUID</key>
+        <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+        <key>PayloadType</key>
+        <string>Configuration</string>
+        <key>PayloadOrganization</key>
+        <string>Microsoft</string>
+        <key>PayloadIdentifier</key>
+        <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+        <key>PayloadDisplayName</key>
+        <string>Microsoft Defender ATP settings</string>
+        <key>PayloadDescription</key>
+        <string>Microsoft Defender ATP configuration settings</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadEnabled</key>
+        <true/>
+        <key>PayloadRemovalDisallowed</key>
+        <true/>
+        <key>PayloadScope</key>
+        <string>System</string>
+        <key>PayloadContent</key>
+        <array>
+            <dict>
+                <key>PayloadUUID</key>
+                <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+                <key>PayloadType</key>
+                <string>com.microsoft.wdav</string>
+                <key>PayloadOrganization</key>
+                <string>Microsoft</string>
+                <key>PayloadIdentifier</key>
+                <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+                <key>PayloadDisplayName</key>
+                <string>Microsoft Defender ATP configuration settings</string>
+                <key>PayloadDescription</key>
+                <string/>
+                <key>PayloadVersion</key>
+                <integer>1</integer>
+                <key>PayloadEnabled</key>
+                <true/>
+                <key>antivirusEngine</key>
+                <dict>
+                    <key>enableRealTimeProtection</key>
+                    <true/>
+                    <key>exclusions</key>
+                    <array>
+                        <dict>
+                            <key>$type</key>
+                            <string>excludedPath</string>
+                            <key>isDirectory</key>
+                            <false/>
+                            <key>path</key>
+                            <string>/var/log/system.log</string>
+                        </dict>
+                        <dict>
+                            <key>$type</key>
+                            <string>excludedPath</string>
+                            <key>isDirectory</key>
+                            <true/>
+                            <key>path</key>
+                            <string>/home</string>
+                        </dict>
+                        <dict>
+                            <key>$type</key>
+                            <string>excludedFileExtension</string>
+                            <key>extension</key>
+                            <string>pdf</string>
+                        </dict>
+                    </array>
+                    <key>allowedThreats</key>
+                    <array>
+                        <string>eicar</string>
+                    </array>
+                    <key>threatTypeSettings</key>
+                    <array>
+                        <dict>
+                            <key>key</key>
+                            <string>potentially_unwanted_application</string>
+                            <key>value</key>
+                            <string>block</string>
+                        </dict>
+                        <dict>
+                            <key>key</key>
+                            <string>archive_bomb</string>
+                            <key>value</key>
+                            <string>audit</string>
+                        </dict>
+                    </array>
+                </dict>
+                <key>cloudService</key>
+                <dict>
+                    <key>enabled</key>
+                    <true/>
+                    <key>diagnosticLevel</key>
+                    <string>optional</string>
+                    <key>automaticSampleSubmission</key>
+                    <true/>
+                </dict>
+            </dict>
+        </array>
+    </dict>
+</plist>
+```
+
 ## Configuration profile deployment
 
 Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune.