From 1793522bb6438ecbfb89627efaf69d70bbe961ee Mon Sep 17 00:00:00 2001 From: jdmartinez36 Date: Tue, 30 Jun 2020 14:02:19 -0600 Subject: [PATCH 1/4] [DO NOT MERGE] New article for MDATP schedule scan, TOC update Created a new article based on information provided by FTE Yong Rhee. Article contains instructions to create an .xml file to use with launchd to schedule a quick or full scan in a specific time frame. Request originally had a section to use crontab, but this was removed at the request of the submitter. Edited the TOC to include the new article. --- windows/security/threat-protection/TOC.md | 1 + .../mac-schedule-scan-atp.md | 78 +++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 50032d076f..cf7cdb408c 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -212,6 +212,7 @@ ##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md) ##### [Set preferences](microsoft-defender-atp/mac-preferences.md) ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md) +##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp) #### [Troubleshoot]() ##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md new file mode 100644 index 0000000000..e3816a73cb --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md @@ -0,0 +1,78 @@ +--- +title: How to schedule scans with MDATP for macOS +description: Learn how to schedule an automatic scanning time for Microsoft Defender ATP in macOS to better protect your organization's assets. +keywords: microsoft, defender, atp, mac, scans, antivirus +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Schedule scans with Microsoft Defender ATP for Mac + +While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. Create a scanning schedule using launchd on a macOS computer. + +## Schedule a scan with launchd + +1. Create a new .xml file. Use the following example to create your scanning schedule file. + + ```xml + + + + + Label + com.microsoft.wdav.schedquickscan + ProgramArguments + + sh + -c + /usr/local/bin/mdatp --scan --quick + + RunAtLoad + + StartCalendarInterval + Day + 3 + Hour + 2 + Minute + 0 + Weekday + 5 + + StartInterval + 604800 + WorkingDirectory + /usr/local/bin/ + + + ``` + +2. Save the file as a program configuration file (.plist) with the name com.microsoft.wdav.schedquickscan.plist. + + >[!NOTE] + >To change a quick scan to a full scan, use /usr/local/bin/mdatp --scan –full in the array string and update your .plist filename. + +3. Search for, and then open **Terminal**. +4. To load your file into **launchd**, enter the following commands: + + ```bash + `$ launchctl load ~/Library/LaunchAgents/` + `$ launchctl start ` + ``` + +5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every 7 days on a Friday, with the StartInterval using 604800 seconds for one week. + + > [!NOTE] + > Agents executed with launchd will not run at the scheduled time if the computer is asleep, but will run once the computer is awake. If the computer is off, the scan will not run until the computer is on at the next scheduled time. From 69a29a9eb186bd955929f037639813e4590db5ee Mon Sep 17 00:00:00 2001 From: jdmartinez36 Date: Tue, 30 Jun 2020 16:38:07 -0600 Subject: [PATCH 2/4] Updated code to LaunchDaemons Updated launchctl with LaunchDaemons per Yong Rhee. --- .../microsoft-defender-atp/mac-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md index e3816a73cb..810fed0417 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md @@ -68,7 +68,7 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your 4. To load your file into **launchd**, enter the following commands: ```bash - `$ launchctl load ~/Library/LaunchAgents/` + `$ launchctl load ~/Library/LaunchDaemons/` `$ launchctl start ` ``` From febc083f2c542f18137ae3053ca6d3bd9ada885e Mon Sep 17 00:00:00 2001 From: jdmartinez36 Date: Tue, 30 Jun 2020 17:45:28 -0600 Subject: [PATCH 3/4] Adjusted code Adjusted code per Yong Rhee. Missed this on the last edit. --- .../microsoft-defender-atp/mac-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md index 810fed0417..d7a913d13f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md @@ -68,7 +68,7 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your 4. To load your file into **launchd**, enter the following commands: ```bash - `$ launchctl load ~/Library/LaunchDaemons/` + `$ launchctl load /Library/LaunchDaemons/` `$ launchctl start ` ``` From a64249433fa9312419014fe1844b21b2d679f352 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 1 Jul 2020 16:30:53 -0700 Subject: [PATCH 4/4] Added ".md" to "mac-schedule-scan-atp" --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index ea5fd0a723..bdcfbc142d 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -219,7 +219,7 @@ ##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md) ##### [Set preferences](microsoft-defender-atp/mac-preferences.md) ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md) -##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp) +##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md) #### [Troubleshoot]() ##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)