diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 74b72061a4..255adfa845 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -18,8 +18,8 @@ ms.topic: article # Monitor Windows Updates with Update Compliance > [!IMPORTANT] -> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates: -> As of March 31, 2020, The Windows Defender Antivirus reporting feature of Update Compliance is no longer supported and will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). +> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. A few retirements are planned, noted below, but are placed on hold until the current situation stabilizes. +> * As of March 31, 2020, The Windows Defender Antivirus reporting feature of Update Compliance is no longer supported and will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). > * As of March 31, 2020, The Perspectives feature of Update Compliance is no longer supported and will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. ## Introduction diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md index 162db9fe0e..b85fc9b010 100644 --- a/windows/deployment/windows-autopilot/known-issues.md +++ b/windows/deployment/windows-autopilot/known-issues.md @@ -26,6 +26,9 @@ ms.topic: article + + diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 22d084bda3..66699d9e0b 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -595,7 +595,7 @@ $ProfileXML = ' true - http://webproxy.corp.contsoso.com/proxy.pac + http://webproxy.corp.contoso.com/proxy.pac ' @@ -672,5 +672,5 @@ An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/secu >This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. ```xml -truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14truehttp://webproxy.corp.contsoso.com/proxy.pac +truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14truehttp://webproxy.corp.contoso.com/proxy.pac ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 9a7563b95c..1daa3a12b2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -24,15 +24,29 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps: -- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) -- [Client device setup](#client-device-setup) -- [Create System Configuration profiles](#create-system-configuration-profiles) -- [Publish application](#publish-application) + +1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +1. [Client device setup](#client-device-setup) +1. [Create System Configuration profiles](#create-system-configuration-profiles) +1. [Publish application](#publish-application) ## Prerequisites and system requirements Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +## Overview + +The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via Intune. More detailed steps are available below. + +| Step | Sample file names | BundleIdentifier | +|-|-|-| +| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp | +| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A | +| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc | +| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 | +| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | +| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdavtray | + ## Download installation and onboarding packages Download the installation and onboarding packages from Microsoft Defender Security Center: @@ -86,23 +100,23 @@ Download the installation and onboarding packages from Microsoft Defender Securi ## Client device setup -You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp). +You do not need any special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp). -1. You are asked to confirm device management. +1. Confirm device management. - ![Confirm device management screenshot](../windows-defender-antivirus/images/MDATP-3-ConfirmDeviceMgmt.png) +![Confirm device management screenshot](../windows-defender-antivirus/images/MDATP-3-ConfirmDeviceMgmt.png) - Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: +Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: - ![Management profile screenshot](../windows-defender-antivirus/images/MDATP-4-ManagementProfile.png) +![Management profile screenshot](../windows-defender-antivirus/images/MDATP-4-ManagementProfile.png) 2. Select **Continue** and complete the enrollment. - You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. +You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. 3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed: - ![Add Devices screenshot](../windows-defender-antivirus/images/MDATP-5-allDevices.png) +![Add Devices screenshot](../windows-defender-antivirus/images/MDATP-5-allDevices.png) ## Create System Configuration profiles @@ -116,7 +130,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por 5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. 6. Repeat steps 1 through 5 for more profiles. 7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it. +8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it. > [!CAUTION] > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. @@ -187,7 +201,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por ``` -9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: +9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: ```xml @@ -284,9 +298,9 @@ You need no special provisioning for a Mac device beyond a standard [Company Por 10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. - Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: +Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: - ![System configuration profiles screenshot](../windows-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png) +![System configuration profiles screenshot](../windows-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png) ## Publish application @@ -294,11 +308,13 @@ You need no special provisioning for a Mac device beyond a standard [Company Por 2. Select **App type=Other/Line-of-business app**. 3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. 4. Select **Configure** and add the required information. -5. Use **macOS High Sierra 10.13** as the minimum OS. +5. Use **macOS High Sierra 10.13** as the minimum OS. 6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. > [!CAUTION] - > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy. + > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. + > + > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy. ![Device status blade screenshot](../windows-defender-antivirus/images/MDATP-8-IntuneAppInfo.png) @@ -311,7 +327,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por ![Client apps screenshot](../windows-defender-antivirus/images/MDATP-10-ClientApps.png) 9. Change **Assignment type** to **Required**. -10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. +10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. ![Intune assignments info screenshot](../windows-defender-antivirus/images/MDATP-11-Assignments.png) @@ -341,7 +357,7 @@ Solution: Follow the steps above to create a device profile using WindowsDefende ## Logging installation issues -For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues) . +For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues). ## Uninstallation diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 2e8c52861f..da29d3b4a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/03/2020 +ms.date: 04/10/2020 --- # JAMF-based deployment for Microsoft Defender ATP for Mac @@ -25,11 +25,12 @@ ms.date: 04/03/2020 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps: -- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) -- [Create JAMF policies](#create-jamf-policies) -- [Client device setup](#client-device-setup) -- [Deployment](#deployment) -- [Check onboarding status](#check-onboarding-status) + +1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +1. [Create JAMF policies](#create-jamf-policies) +1. [Client device setup](#client-device-setup) +1. [Deployment](#deployment) +1. [Check onboarding status](#check-onboarding-status) ## Prerequisites and system requirements @@ -37,6 +38,19 @@ Before you get started, please see [the main Microsoft Defender ATP for Mac page In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. +## Overview + +The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via JAMF. More detailed steps are available below. + +| Step | Sample file names | BundleIdentifier | +|-|-|-| +| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp | +| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)

**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav | +| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdavtray | +| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 | +| [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc | +| [Approve Kernel Extension for Microsoft Defender ATP](#approved-kernel-extension) | Note: If there was one, MDATP_KExt.plist | N/A | + ## Download installation and onboarding packages Download the installation and onboarding packages from Microsoft Defender Security Center: @@ -44,16 +58,16 @@ Download the installation and onboarding packages from Microsoft Defender Securi 1. In Microsoft Defender Security Center, go to **Settings > Machine management > Onboarding**. 2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android**. 3. Set the deployment method to **Mobile Device Management / Microsoft Intune**. - - >[!NOTE] - >Jamf falls under **Mobile Device Management**. - + + > [!NOTE] + > Jamf falls under **Mobile Device Management**. + 4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. 5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. ![Microsoft Defender Security Center screenshot](../windows-defender-antivirus/images/jamf-onboarding.png) -5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: +6. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: ```bash $ ls -l @@ -81,6 +95,7 @@ The configuration profile contains a custom settings payload that includes the f To set the onboarding information, add a property list file that is named **jamf/WindowsDefenderATPOnboarding.plist** as a custom setting. To do this, select **Computers** > **Configuration Profiles** > **New**, and then select **Application & Custom Settings** > **Configure**. From there, you can upload the property list. + >[!IMPORTANT] > You have to set the **Preference Domain** to **com.microsoft.wdav.atp**. There are some changes to the Custom Payloads and also to the Jamf Pro user interface in version 10.18 and later versions. For more information about the changes, see [Configuration Profile Payload Settings Specific to Jamf Pro](https://www.jamf.com/jamf-nation/articles/217/configuration-profile-payload-settings-specific-to-jamf-pro). @@ -231,6 +246,7 @@ $ mdatp --health healthy The above command prints "1" if the product is onboarded and functioning as expected. If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem: + - 0 if the device is not yet onboarded - 3 if the connection to the daemon cannot be established—for example, if the daemon is not running
IssueMore information +
Blocking apps specified in a user-targeted Enrollment Status Profile are ignored during device ESP.The services responsible for determining the list of apps that should be blocking during device ESP are not able to determine the correct ESP profile containing the list of apps because they do not know the user identity. As a workaround, enable the default ESP profile (which targets all users and devices) and place the blocking app list there. In the future, it will be possible to instead target the ESP profile to device groups to avoid this issue.
Windows Autopilot user-driven Hybrid Azure AD deployments do not grant users Administrator rights even when specified in the Windows Autopilot profile. This will occur when there is another user on the device that already has Administrator rights. For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group. To ensure this works properly, do not create an additional account until after the Windows Autopilot process has completed.