Merge pull request #1233 from MicrosoftDocs/maximvelichko-catalina-fda

Maximvelichko catalina fda

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md

@@ -83,6 +83,9 @@ The installation proceeds.
 > [!NOTE]
 > If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled.
 
+> [!NOTE]
+> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-Time Protection will not be available until the machine is rebooted.
+
 ### Fixing disabled Real-Time Protection
 
 If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it:
@@ -166,6 +169,13 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b
 
    ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png)
 
+## Catalina
+
+> [!CAUTION]
+> macOS 10.15 (Catalina) does not allow us to scan certain user's directories (Documents, etc.) without a user's consent.
+
+To grant consent, open System Preferences, Security & Privacy, Privacy, Full Disk Access. Click the lock to make changes (bottom of the dialog box). Select Microsoft Defender.
+
 ## Logging installation issues
 
 See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md

@@ -116,8 +116,77 @@ You may now enroll more devices. You can also enroll them later, after you have
 
 5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
 6. Repeat steps 1 through 5 for more profiles.
-7. Create a new profile one more time, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-8. Select **Manage > Assignments**.  In the **Include** tab, select **Assign to All Users & All devices**.
+7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
+8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
+
+   ```xml
+   <?xml version="1.0" encoding="UTF-8"?>
+   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
+   <plist version="1.0">
+   <dict>
+       <key>PayloadDescription</key>
+       <string>Allows Microsoft Defender to access all files on Catalina+</string>
+       <key>PayloadDisplayName</key>
+       <string>TCC - Microsoft Defender</string>
+       <key>PayloadIdentifier</key>
+       <string>com.microsoft.wdav.tcc</string>
+       <key>PayloadOrganization</key>
+       <string>Microsoft Corp.</string>
+       <key>PayloadRemovalDisallowed</key>
+       <false/>
+       <key>PayloadScope</key>
+       <string>system</string>
+       <key>PayloadType</key>
+       <string>Configuration</string>
+       <key>PayloadUUID</key>
+       <string>C234DF2E-DFF6-11E9-B279-001C4299FB44</string>
+       <key>PayloadVersion</key>
+       <integer>1</integer>
+       <key>PayloadContent</key>
+       <array>
+       <dict>
+           <key>PayloadDescription</key>
+           <string>Allows Microsoft Defender to access all files on Catalina+</string>
+           <key>PayloadDisplayName</key>
+           <string>TCC - Microsoft Defender</string>
+           <key>PayloadIdentifier</key>
+           <string>com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
+           <key>PayloadOrganization</key>
+           <string>Microsoft Corp.</string>
+           <key>PayloadType</key>
+           <string>com.apple.TCC.configuration-profile-policy</string>
+           <key>PayloadUUID</key>
+           <string>C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
+           <key>PayloadVersion</key>
+           <integer>1</integer>
+           <key>Services</key>
+           <dict>
+               <key>SystemPolicyAllFiles</key>
+               <array>
+               <dict>
+                   <key>Allowed</key>
+                   <true/>
+                   <key>CodeRequirement</key>
+                   <string>identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
+                   <key>Comment</key>
+                   <string>Allow SystemPolicyAllFiles control for Microsoft Defender ATP</string>
+                   <key>Identifier</key>
+                   <string>com.microsoft.wdav</string>
+                   <key>IdentifierType</key>
+                   <string>bundleID</string>
+               </dict>
+               </array>
+           </dict>
+       </dict>
+       </array>
+   </dict>
+   </plist>
+   ```
+
+   > [!CAUTION]
+   > This is a new configuration we add for Catalina. If you previously configured Defender in Intune without it, please modify it and add this option.
+
+9. Select **Manage > Assignments**.  In the **Include** tab, select **Assign to All Users & All devices**.
 
 Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
 

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md

@@ -90,6 +90,20 @@ To approve the kernel extension:
 
 ![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png)
 
+### Privacy Preferences Policy Control
+
+By default, starting with Catalina, Microsoft Defender cannot access files in a user's home directory. To resolve it, add a JAMF policy to allow Defender Full Disk Access.
+
+1. Select **Options > Privacy Preferences Policy Control**.
+2. Use any identifier and identifier type = Bundle.
+3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`.
+4. Set app or service to SystemPolicyAllFiles and access to Allow.
+
+![Privacy Preferences Policy Control](images/MDATP_35_JAMF_PrivacyPreferences.png)
+
+> [!CAUTION]
+> This is a new configuration we add for Catalina. If you set your configuration profile for Defender without it, please modify it and add this option.
+
 #### Configuration Profile's Scope
 
 Configure the appropriate scope to specify the devices that will receive the configuration profile.